WikiWorks · TheDivine · Oct 26, 2024 · Oct 26, 2024 · vedmaka · Oct 27, 2024
diff --git a/compose.yml b/compose.yml
@@ -7,7 +7,7 @@ services:
         restart: unless-stopped
         environment:
             - MYSQL_ROOT_HOST=%
-            - MYSQL_ROOT_PASSWORD=$MW_DB_INSTALLDB_PASS
+            - MYSQL_ROOT_PASSWORD=/run/secrets/db_root_password
             - MYSQL_DATABASE=$MW_DB_NAME
         volumes:
             - ./__initdb:/docker-entrypoint-initdb.d
@@ -37,7 +37,7 @@ services:
             - MW_DB_INSTALLDB_USER=root
             - MW_DB_INSTALLDB_PASS
             - MW_DB_USER=root
-            - MW_DB_PASS=$MW_DB_INSTALLDB_PASS
+            - MW_DB_PASS=/run/secrets/db_root_password
             - MW_SECRET_KEY
             # - XDEBUG_CONFIG=remote_host=0.0.0.0 remote_enable=1 remote_autostart=Off remote_connect_back=On
             - MW_SITE_SERVER=${MW_SITE_SERVER:-https://bugsigdb.org}
@@ -118,7 +118,9 @@ services:
             - MATOMO_DATABASE_HOST=db
             - MATOMO_DATABASE_DBNAME=matomo
             - MATOMO_DATABASE_USERNAME=root
-            - MATOMO_DATABASE_PASSWORD=$MW_DB_INSTALLDB_PASS
+            - MATOMO_DATABASE_PASSWORD=/run/secrets/db_root_password
+        secrets:
+            - db_root_password    
         volumes:
             - ./_data/matomo:/var/www/html
             - ./_resources/matomo-bootstrap.php:/var/www/html/bootstrap.php
@@ -141,7 +143,6 @@ services:
             - traefik.http.middlewares.${COMPOSE_PROJECT_NAME}-matomo-headers.headers.customrequestheaders.X-Forwarded-Uri=/${MATOMO_FOLDER:-matomo}
             - traefik.http.routers.${COMPOSE_PROJECT_NAME}-matomo.middlewares=${COMPOSE_PROJECT_NAME}-matomo-stripprefix,${COMPOSE_PROJECT_NAME}-matomo-headers
 
-
     varnish:
         image: pastakhov/varnish:7.0
         restart: unless-stopped
@@ -197,21 +198,21 @@ services:
         entrypoint:
             - /updateEFO/updateEFO.sh
 
-    restic:
+    restic_s3:
         image: ghcr.io/wikiteq/restic-backup-docker:stream
-        env_file:
-            - ./.env
-            - ./.env.secret.restic
         profiles:
             - production
         restart: unless-stopped
         links:
             - db
         environment:
             - MW_DB_USER=root
-            - MW_DB_PASS=$MW_DB_INSTALLDB_PASS
+            - MW_DB_PASS=/run/secrets/db_root_password
             - MW_DB_NAME=$MW_DB_NAME
+            - RESTIC_REPOSITORY_FILE=/run/secrets/restic_s3_repository
+            - RESTIC_PASSWORD_FILE=/run/secrets/restic_password
             - RESTIC_TAG=backup_full
+            - AWS_SHARED_CREDENTIALS_FILE=/run/secrets/aws_credentials
             - BACKUP_CRON=0 1 * * 6
             - CHECK_CRON=0 23 * * 5
             - RESTIC_FORGET_ARGS=--prune --keep-weekly 1 --keep-monthly 2 --group-by paths
@@ -222,11 +223,53 @@ services:
             - RESTIC_STREAM=yes
             - RESTIC_STREAM_CMD=tar -cf - -C /data_mediawiki/ /data/database.sql.gz images
             - RESTIC_STREAM_FILENAME=full.images.database.tar
+        secrets:
+            - aws_credentials
+            - db_root_password
+            - restic_password
+            - restic_s3_repository
         volumes:
             # read-only mount of mediawiki data directory for images access
             - ./_data/mediawiki:/data_mediawiki:ro
             # logs
             - ./_logs/restic:/var/log
+
+    restic_gc:
+        image: ghcr.io/wikiteq/restic-backup-docker:stream
+        profiles:
+            - production
+        restart: unless-stopped
+        links:
+            - db
+        environment:
+            - MW_DB_USER=root
+            - MW_DB_PASS=/run/secrets/db_root_password
+            - MW_DB_NAME=$MW_DB_NAME
+            - RESTIC_REPOSITORY_FILE=/run/secrets/restic_gc_repository
+            - RESTIC_PASSWORD_FILE=/run/secrets/restic_password
+            - RESTIC_TAG=backup_full
+            - GOOGLE_APPLICATION_CREDENTIALS=/run/secrets/gcloud_credentials
+            - BACKUP_CRON=30 1 * * *
+            - CHECK_CRON=0 23 * * 5
+            - RESTIC_FORGET_ARGS=--prune --keep-weekly 1 --keep-monthly 2 --group-by paths
+            # pre-backup script
+            - RESTIC_PRE_BACKUP=if [ ! -d "/data" ]; then mkdir /data; fi && mysqldump -hdb -u$$MW_DB_USER -p$$MW_DB_PASS $$MW_DB_NAME | gzip -c > /data/database.sql.gz
+            # post-backup script
+            - RESTIC_POST_BACKUP=rm /data/database.sql.gz
+            - RESTIC_STREAM=yes
+            - RESTIC_STREAM_CMD=tar -cf - -C /data_mediawiki/ /data/database.sql.gz images
+            - RESTIC_STREAM_FILENAME=full.images.database.tar
+        secrets:
+            - gcloud_credentials
+            - db_root_password
+            - restic_password
+            - restic_gc_repository
+        volumes:
+            # read-only mount of mediawiki data directory for images access
+            - ./_data/mediawiki:/data_mediawiki:ro
+            # logs
+            - ./_logs/restic:/var/log   
+
 
     # https://github.com/mcuadros/ofelia
     ofelia:
@@ -250,6 +293,18 @@ services:
 secrets:
     matomo_password:
         file: ./secrets/matomo_password.txt
+    aws_credentials:
+        file: ./secrets/aws_credentials
+    db_root_password:
+        file: ./secrets/db_root_password
+    restic_password:
+        file: ./secrets/restic_password
+    restic_s3_repository:
+        file: ./secrets/restic_s3_repository
+    restic_gc_repository:
+        file: ./secrets/restic_gc_repository
+    gcloud_credentials:
+        file: ./secrets/gcloud_credentials
 
 networks:
     traefik-public: