A simple container for automating backups of a Vaultwarden installation to Restic
2024-07-25 16:10:18 +01:00
.gitignore initial commit 2024-07-25 16:10:18 +01:00
.woodpecker.yml initial commit 2024-07-25 16:10:18 +01:00
backup.sh initial commit 2024-07-25 16:10:18 +01:00
Dockerfile initial commit 2024-07-25 16:10:18 +01:00
entry.sh initial commit 2024-07-25 16:10:18 +01:00
README.md initial commit 2024-07-25 16:10:18 +01:00

Vaultwarden Backup

A simple script for backing up a Vaultwarden installation periodically and securely using Restic.

This script backs up a vault to any Restic backend that you can configure using environment variables. It creates a new snapshot once per hour.

The script:

  • Creates a backup of the SQLite database
  • Syncs this, along with the entire Vaultwarden data directory, to a Restic repository

It keeps 24 hourly, 10 daily, 6 weekly, and 6 monthly backups, and prunes the rest.
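The two steps and the retention policy described above, written out as an added example (this is not the repository's backup.sh). It assumes sqlite3 and restic are on the PATH, that the database is /data/db.sqlite3, and that RESTIC_HOSTNAME is passed to Restic's --host flag; the copy's file name is hypothetical.

```shell
#!/bin/sh
# Added example, not the repository's backup.sh.
# Assumptions: sqlite3 and restic are on PATH; the file names below are illustrative.
DATA_DIR="${DATA_DIR:-/data}"                       # mount point from the README
DB_FILE="${DB_FILE:-$DATA_DIR/db.sqlite3}"          # assumed database file name
DB_COPY="${DB_COPY:-$DATA_DIR/db-backup.sqlite3}"   # hypothetical name for the copy

# Retention stated in the README: 24 hourly, 10 daily, 6 weekly, 6 monthly.
retention_args() {
    echo "--keep-hourly 24 --keep-daily 10 --keep-weekly 6 --keep-monthly 6"
}

run_backup() {
    # Stop early if Restic has no repository or encryption password configured.
    if [ -z "${RESTIC_REPOSITORY:-}" ] || [ -z "${RESTIC_PASSWORD:-}" ]; then
        echo "RESTIC_REPOSITORY and RESTIC_PASSWORD must be set" >&2
        return 2
    fi
    umask 077   # the copy contains the whole vault: owner-only permissions

    # SQLite's online backup gives a consistent copy while Vaultwarden is
    # running; copying the live file could capture a half-written state.
    sqlite3 "$DB_FILE" ".backup '$DB_COPY'" || return 1

    # Do not snapshot a copy that fails SQLite's own integrity check.
    if [ "$(sqlite3 "$DB_COPY" 'PRAGMA integrity_check;')" != "ok" ]; then
        echo "integrity check failed for $DB_COPY" >&2
        return 1
    fi

    # Snapshot the data directory (which now includes the copy) under a
    # stable host name, then apply the retention policy and prune.
    restic backup --host "${RESTIC_HOSTNAME:-$(hostname)}" "$DATA_DIR" || return 1
    # shellcheck disable=SC2046  # splitting the flag list into words is intended
    restic forget $(retention_args) --prune
}

# Run only when asked to, so the functions can be sourced and inspected.
if [ "${1:-}" = "run" ]; then
    run_backup
fi
```
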

Usage

Simply write a docker-compose.yml along the following lines:

services:
  vaultwardenbackup:
    image: wilw/vaultwarden-backup
    restart: always
    volumes:
      - /path/to/vaultwarden:/data
    environment:
      # ... Your Restic configuration. E.g.:
      - AWS_ACCESS_KEY_ID=accesskey
      - AWS_SECRET_ACCESS_KEY=secretaccesskey
      - RESTIC_REPOSITORY=s3:endpoint/bucket
      - RESTIC_PASSWORD=complexstring
      - RESTIC_HOSTNAME=hostname

Before bringing the container up, please read the following:

Ensure that the root directory of the Vaultwarden installation is mounted to /data in the container. This is where the script will look for the SQLite database and other data to back up.

Be sure to change the variables in the environment block to match what's needed for your chosen Restic backend. Refer to the Restic documentation for more information.

At a minimum we recommend setting the following:

  • RESTIC_REPOSITORY: The repository name. For a Linode Object Storage bucket you can use s3:eu-central-1.linodeobjects.com/bucket-name. See below for other examples.
  • RESTIC_PASSWORD: The string used to encrypt/protect your data. Use a long complex string, and don't lose it (or you'll lose your backups).
  • RESTIC_HOSTNAME: Set this to an identifier for the machine. If you don't, the Docker container ID will be used; it changes on each startup, which isn't ideal.

You can now bring up the container: docker compose up -d.

Important

After the container is launched for the first time, you'll need to initialize the repository. You only need to do this once for each repository. To do so, run the following:

docker compose exec -it vaultwardenbackup /usr/bin/restic init