https://github.com/chappio/docker-postgres-backup-transip-stack
A simple docker container to backup a postgres server to TransIP Stack
https://github.com/chappio/docker-postgres-backup-transip-stack
Last synced: 9 months ago
JSON representation
A simple docker container to backup a postgres server to TransIP Stack
- Host: GitHub
- URL: https://github.com/chappio/docker-postgres-backup-transip-stack
- Owner: ChappIO
- Created: 2025-09-09T05:30:01.000Z (9 months ago)
- Default Branch: main
- Last Pushed: 2025-09-09T05:45:34.000Z (9 months ago)
- Last Synced: 2025-09-09T08:30:50.223Z (9 months ago)
- Language: Shell
- Size: 3.91 KB
- Stars: 0
- Watchers: 0
- Forks: 0
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
Awesome Lists containing this project
README
# postgres-transip-backup
Container that dumps a PostgreSQL database and uploads the compressed dump to **TransIP STACK** (WebDAV) using `rclone`.
It also prunes old backups using a configurable retention period.
* **Image:** `ghcr.io/chappio/postgres-transip-backup`
* **Base:** `alpine:3.22`
* **Tools inside:** `pg_dump` (PostgreSQL 17 client), `rclone`, `openssh-client`
* **Run mode:** one-shot (run it on a schedule with cron/Kubernetes/GitHub Actions/etc.)
---
## How it works
1. Configures an in-memory `rclone` remote named `stack` from the provided STACK env vars.
2. Dumps **one** database using `pg_dump -Fp` (plain SQL) and gzips it.
3. Uploads to `stack:${TRANSIP_STACK_FOLDER}/`.
4. Deletes remote files older than `BACKUP_RETENTION_TIME`.
5. Cleans up the temp dir and exits.
**Filename pattern:**
`${PGDATABASE}-${YYYY-MM-DD}.sql.gz` (e.g., `appdb-2025-09-09.sql.gz`)
---
## Quick start
```bash
docker run --rm \
-e PGHOST=db.example.internal \
-e PGPORT=5432 \
-e PGUSER=app \
-e PGPASSWORD=secret \
-e PGDATABASE=appdb \
-e TRANSIP_STACK_HOSTNAME=stack.example.com \
-e TRANSIP_STACK_USERNAME=my-stack-user \
-e TRANSIP_STACK_PASSWORD=my-stack-password \
-e TRANSIP_STACK_FOLDER=/postgres_backup \
-e BACKUP_RETENTION_TIME=30d \
ghcr.io/chappio/postgres-transip-backup:latest
```
This creates (or reuses) `/postgres_backup` on STACK, uploads today’s dump, prunes files older than the configured
retention, and exits.
---
## Environment variables
### PostgreSQL (required unless defaults apply)
Standard libpq variables used by `pg_dump`:
* `PGHOST` – Hostname or IP of your PostgreSQL server
* `PGPORT` – Port (default: `5432`)
* `PGUSER` – Database user with dump privileges
* `PGPASSWORD` – Password for `PGUSER`
* `PGDATABASE` – Name of the database to dump
Optional passthrough: `PGSSLMODE`, `PGSSLROOTCERT`, `PGSSLCERT`, `PGSSLKEY`, etc.
> `pg_dump` version is **17** in the image. Keep client/server majors close when possible.
### TransIP STACK (required)
* `TRANSIP_STACK_HOSTNAME` – e.g. `example.stackstorage.com`
* `TRANSIP_STACK_USERNAME` – STACK username
* `TRANSIP_STACK_PASSWORD` – STACK password
* `TRANSIP_STACK_FOLDER` – Folder path on STACK (default: `/postgres_backup`)
### Retention
* `BACKUP_RETENTION_TIME` – How long to **keep** backups remotely (default: `30d`).
Examples: `7d`, `14d`, `8w`, `90d`. Internally used as:
```sh
rclone delete --min-age "$BACKUP_RETENTION_TIME" stack:${TRANSIP_STACK_FOLDER}/
```
---
## Scheduling examples
### Host cron (nightly at 02:15)
```
15 2 * * * docker run --rm \
-e PGHOST=db \
-e PGPORT=5432 \
-e PGUSER=app \
-e PGPASSWORD=secret \
-e PGDATABASE=appdb \
-e TRANSIP_STACK_HOSTNAME=stack.example.com \
-e TRANSIP_STACK_USERNAME=my-stack-user \
-e TRANSIP_STACK_PASSWORD=my-stack-password \
-e TRANSIP_STACK_FOLDER=/postgres_backup \
-e BACKUP_RETENTION_TIME=30d \
ghcr.io/chappio/postgres-transip-backup:latest
```
### Docker Compose (trigger via external scheduler)
```yaml
services:
pg-backup:
image: ghcr.io/chappio/postgres-transip-backup:latest
restart: "no"
environment:
PGHOST: db
PGPORT: "5432"
PGUSER: app
PGPASSWORD: ${PGPASSWORD}
PGDATABASE: appdb
TRANSIP_STACK_HOSTNAME: stack.example.com
TRANSIP_STACK_USERNAME: ${STACK_USER}
TRANSIP_STACK_PASSWORD: ${STACK_PASS}
TRANSIP_STACK_FOLDER: /postgres_backup
BACKUP_RETENTION_TIME: 30d
```
### Kubernetes CronJob
```yaml
apiVersion: batch/v1
kind: CronJob
metadata:
name: postgres-transip-backup
spec:
schedule: "15 2 * * *" # 02:15 every day
jobTemplate:
spec:
template:
spec:
restartPolicy: Never
containers:
- name: backup
image: ghcr.io/chappio/postgres-transip-backup:latest
env:
- name: PGHOST
value: "postgres.default.svc.cluster.local"
- name: PGPORT
value: "5432"
- name: PGUSER
valueFrom: { secretKeyRef: { name: db-secrets, key: user } }
- name: PGPASSWORD
valueFrom: { secretKeyRef: { name: db-secrets, key: password } }
- name: PGDATABASE
value: "appdb"
- name: TRANSIP_STACK_HOSTNAME
value: "stack.example.com"
- name: TRANSIP_STACK_USERNAME
valueFrom: { secretKeyRef: { name: stack-secrets, key: user } }
- name: TRANSIP_STACK_PASSWORD
valueFrom: { secretKeyRef: { name: stack-secrets, key: password } }
- name: TRANSIP_STACK_FOLDER
value: "/postgres_backup"
- name: BACKUP_RETENTION_TIME
value: "30d"
```
---
## Restoring a backup
Dumps are **plain SQL** compressed with gzip.
```bash
# 1) Decompress
gunzip appdb-2025-09-09.sql.gz
# 2) Restore into an existing (empty) DB
psql -h PGHOST -p 5432 -U app -d appdb -f appdb-2025-09-09.sql
# (optional) Create the database first
createdb -h PGHOST -p 5432 -U app appdb
```
> `-Fp` does **not** include cluster-wide objects (roles, tablespaces). Use `pg_dumpall -g` separately if you need
> globals.
---
## Notes & tips
* **Single database per run.** Run the container multiple times to back up multiple DBs.
* **Compression:** gzip; no parallel compression.
* **Encryption at rest:** Not performed by the container. Consider an `rclone crypt` remote or server-side encryption.
* **Networking:** Container must reach both your PostgreSQL host and the STACK WebDAV endpoint.
* **Version skew:** Prefer matching `pg_dump` major to your server for best results.
---
## Troubleshooting
**STACK auth fails**
```bash
# Start a debug shell and list remotes/dirs
docker run --rm -it \
-e TRANSIP_STACK_HOSTNAME=... \
-e TRANSIP_STACK_USERNAME=... \
-e TRANSIP_STACK_PASSWORD=... \
-e TRANSIP_STACK_FOLDER=/postgres_backup \
--entrypoint sh \
ghcr.io/chappio/postgres-transip-backup:latest
# inside the container
rclone lsd stack:/ # should list root
rclone lsd stack:/postgres_backup
```
**`pg_dump` errors**
* Check connectivity (`PGHOST`, port, firewall).
* Verify credentials and privileges.
* Add SSL envs (e.g., `PGSSLMODE=require`) if your server enforces TLS.
**No pruning occurs**
* Ensure `BACKUP_RETENTION_TIME` is set (e.g., `30d`).
* Files newer than the retention period won’t be deleted.
---
## Build & publish (maintainers)
```bash
# build
docker build -t ghcr.io/chappio/postgres-transip-backup:latest .
# login (GitHub Container Registry)
echo "${GHCR_TOKEN}" | docker login ghcr.io -u chappio --password-stdin
# push
docker push ghcr.io/chappio/postgres-transip-backup:latest
```
---
## License
Copyright 2025 Thomas Biesaart
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated
documentation files (the “Software”), to deal in the Software without restriction, including without limitation the
rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit
persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the
Software.
THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.