Add support for settings db encryption

Dockerfile

@@ -12,7 +12,12 @@ LABEL maintainer="aptalca"
 # environment settings
 ARG DEBIAN_FRONTEND="noninteractive"
 ENV HOME="/config" \
-  TMPDIR=/run/duplicati-temp
+  TMPDIR=/run/duplicati-temp \
+  DUPLICATI__REQUIRE_DB_ENCRYPTION_KEY=true \
+  DUPLICATI__SERVER_DATAFOLDER=/config \
+  DUPLICATI__WEBSERVICE_PORT=8200 \
+  DUPLICATI__WEBSERVICE_INTERFACE=any \
+  DUPLICATI__WEBSERVICE_ALLOWED_HOSTNAMES=*
 
 RUN \
   echo "**** install packages ****" && \

Dockerfile.aarch64

@@ -12,7 +12,12 @@ LABEL maintainer="aptalca"
 # environment settings
 ARG DEBIAN_FRONTEND="noninteractive"
 ENV HOME="/config" \
-  TMPDIR=/run/duplicati-temp
+  TMPDIR=/run/duplicati-temp \
+  DUPLICATI__REQUIRE_DB_ENCRYPTION_KEY=true \
+  DUPLICATI__SERVER_DATAFOLDER=/config \
+  DUPLICATI__WEBSERVICE_PORT=8200 \
+  DUPLICATI__WEBSERVICE_INTERFACE=any \
+  DUPLICATI__WEBSERVICE_ALLOWED_HOSTNAMES=*
 
 RUN \
   echo "**** install packages ****" && \

Jenkinsfile

@@ -35,9 +35,9 @@ pipeline {
     CI_PORT='8200'
     CI_SSL='false'
     CI_DELAY='120'
-    CI_DOCKERENV='TZ=US/Pacific'
-    CI_AUTH='user:password'
-    CI_WEBPATH=''
+    CI_DOCKERENV='SETTINGS_ENCRYPTION_KEY=abcde12345'
+    CI_AUTH=''
+    CI_WEBPATH='/login.html'
   }
   stages {
     stage("Set git config"){
@@ -543,7 +543,7 @@ pipeline {
           --label \"org.opencontainers.image.licenses=GPL-3.0-only\" \
           --label \"org.opencontainers.image.ref.name=${COMMIT_SHA}\" \
           --label \"org.opencontainers.image.title=Duplicati\" \
-          --label \"org.opencontainers.image.description=[Duplicati](https://www.duplicati.com/) works with standard protocols like FTP, SSH, WebDAV as well as popular services like Microsoft OneDrive, Amazon Cloud Drive & S3, Google Drive, box.com, Mega, hubiC and many others.\" \
+          --label \"org.opencontainers.image.description=[Duplicati](https://www.duplicati.com/) is a backup client that securely stores encrypted, incremental, compressed backups on local storage, cloud storage services and remote file servers. It works with standard protocols like FTP, SSH, WebDAV as well as popular services like Microsoft OneDrive, Amazon S3, Google Drive, box.com, Mega, B2, and many others.\" \
           --no-cache --pull -t ${IMAGE}:${META_TAG} --platform=linux/amd64 \
           --provenance=false --sbom=false \
           --build-arg ${BUILD_VERSION_ARG}=${EXT_RELEASE} --build-arg VERSION=\"${VERSION_TAG}\" --build-arg BUILD_DATE=${GITHUB_DATE} ."
@@ -575,7 +575,7 @@ pipeline {
               --label \"org.opencontainers.image.licenses=GPL-3.0-only\" \
               --label \"org.opencontainers.image.ref.name=${COMMIT_SHA}\" \
               --label \"org.opencontainers.image.title=Duplicati\" \
-              --label \"org.opencontainers.image.description=[Duplicati](https://www.duplicati.com/) works with standard protocols like FTP, SSH, WebDAV as well as popular services like Microsoft OneDrive, Amazon Cloud Drive & S3, Google Drive, box.com, Mega, hubiC and many others.\" \
+              --label \"org.opencontainers.image.description=[Duplicati](https://www.duplicati.com/) is a backup client that securely stores encrypted, incremental, compressed backups on local storage, cloud storage services and remote file servers. It works with standard protocols like FTP, SSH, WebDAV as well as popular services like Microsoft OneDrive, Amazon S3, Google Drive, box.com, Mega, B2, and many others.\" \
               --no-cache --pull -t ${IMAGE}:amd64-${META_TAG} --platform=linux/amd64 \
               --provenance=false --sbom=false \
               --build-arg ${BUILD_VERSION_ARG}=${EXT_RELEASE} --build-arg VERSION=\"${VERSION_TAG}\" --build-arg BUILD_DATE=${GITHUB_DATE} ."
@@ -604,7 +604,7 @@ pipeline {
               --label \"org.opencontainers.image.licenses=GPL-3.0-only\" \
               --label \"org.opencontainers.image.ref.name=${COMMIT_SHA}\" \
               --label \"org.opencontainers.image.title=Duplicati\" \
-              --label \"org.opencontainers.image.description=[Duplicati](https://www.duplicati.com/) works with standard protocols like FTP, SSH, WebDAV as well as popular services like Microsoft OneDrive, Amazon Cloud Drive & S3, Google Drive, box.com, Mega, hubiC and many others.\" \
+              --label \"org.opencontainers.image.description=[Duplicati](https://www.duplicati.com/) is a backup client that securely stores encrypted, incremental, compressed backups on local storage, cloud storage services and remote file servers. It works with standard protocols like FTP, SSH, WebDAV as well as popular services like Microsoft OneDrive, Amazon S3, Google Drive, box.com, Mega, B2, and many others.\" \
               --no-cache --pull -f Dockerfile.aarch64 -t ${IMAGE}:arm64v8-${META_TAG} --platform=linux/arm64 \
               --provenance=false --sbom=false \
               --build-arg ${BUILD_VERSION_ARG}=${EXT_RELEASE} --build-arg VERSION=\"${VERSION_TAG}\" --build-arg BUILD_DATE=${GITHUB_DATE} ."

README.md

@@ -39,7 +39,7 @@ Find us at:
 [![Jenkins Build](https://img.shields.io/jenkins/build?labelColor=555555&logoColor=ffffff&style=for-the-badge&jobUrl=https%3A%2F%2Fci.linuxserver.io%2Fjob%2FDocker-Pipeline-Builders%2Fjob%2Fdocker-duplicati%2Fjob%2Fdevelopment%2F&logo=jenkins)](https://ci.linuxserver.io/job/Docker-Pipeline-Builders/job/docker-duplicati/job/development/)
 [![LSIO CI](https://img.shields.io/badge/dynamic/yaml?color=94398d&labelColor=555555&logoColor=ffffff&style=for-the-badge&label=CI&query=CI&url=https%3A%2F%2Fci-tests.linuxserver.io%2Flinuxserver%2Fduplicati%2Flatest%2Fci-status.yml)](https://ci-tests.linuxserver.io/linuxserver/duplicati/latest/index.html)
 
-[Duplicati](https://www.duplicati.com/) works with standard protocols like FTP, SSH, WebDAV as well as popular services like Microsoft OneDrive, Amazon Cloud Drive & S3, Google Drive, box.com, Mega, hubiC and many others.
+[Duplicati](https://www.duplicati.com/) is a backup client that securely stores encrypted, incremental, compressed backups on local storage, cloud storage services and remote file servers. It works with standard protocols like FTP, SSH, WebDAV as well as popular services like Microsoft OneDrive, Amazon S3, Google Drive, box.com, Mega, B2, and many others.
 
 [![duplicati](https://github.com/linuxserver/docker-templates/raw/master/linuxserver.io/img/duplicati-icon.png)](https://www.duplicati.com/)
 
@@ -68,7 +68,9 @@ This image provides various versions that are available via tags. Please read th
 
 ## Application Setup
 
-The webui is at `<your ip>:8200` , create backup jobs etc via the webui, for local backups select `/backups` as the destination. For more information see [Duplicati](https://www.duplicati.com/).
+The webui is at `<your ip>:8200`.
+
+For local backups select `/backups` as the destination. For more information see [Duplicati](https://www.duplicati.com/).
 
 ## Read-Only Operation
 
@@ -91,7 +93,9 @@ services:
       - PUID=1000
       - PGID=1000
       - TZ=Etc/UTC
+      - SETTINGS_ENCRYPTION_KEY=
       - CLI_ARGS= #optional
+      - DUPLICATI__WEBSERVICE_PASSWORD= #optional
     volumes:
       - /path/to/duplicati/config:/config
       - /path/to/backups:/backups
@@ -109,7 +113,9 @@ docker run -d \
   -e PUID=1000 \
   -e PGID=1000 \
   -e TZ=Etc/UTC \
+  -e SETTINGS_ENCRYPTION_KEY= \
   -e CLI_ARGS= `#optional` \
+  -e DUPLICATI__WEBSERVICE_PASSWORD= `#optional` \
   -p 8200:8200 \
   -v /path/to/duplicati/config:/config \
   -v /path/to/backups:/backups \
@@ -128,7 +134,9 @@ Containers are configured using parameters passed at runtime (such as those abov
 | `-e PUID=1000` | for UserID - see below for explanation |
 | `-e PGID=1000` | for GroupID - see below for explanation |
 | `-e TZ=Etc/UTC` | specify a timezone to use, see this [list](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones#List). |
+| `-e SETTINGS_ENCRYPTION_KEY=` | Encryption key for settings database. Minimum 8 characters, alphanumeric. |
 | `-e CLI_ARGS=` | Optionally specify any [CLI variables](https://duplicati.readthedocs.io/en/latest/07-other-command-line-utilities/) you want to launch the app with |
+| `-e DUPLICATI__WEBSERVICE_PASSWORD=` | Password for the webui. If left unset will default to `changeme` and can be changed from the webui settings. |
 | `-v /config` | Contains all relevant configuration files. |
 | `-v /backups` | Path to store local backups. |
 | `-v /source` | Path to source for files to backup. |
@@ -295,7 +303,8 @@ Once registered you can define the dockerfile to use with `-f Dockerfile.aarch64
 
 ## Versions
 
-* **30.05.23:** - Rebase to Noble, switch to net core.
+* **29.08.24:** - Add support for settings DB encryption.
+* **30.05.24:** - Rebase to Noble, switch to net core.
 * **15.02.23:** - Rebase to Jammy.
 * **03.08.22:** - Deprecate armhf.
 * **13.03.22:** - Fix artifact link.

jenkins-vars.yml

@@ -6,7 +6,6 @@ external_type: custom_json
 release_type: prerelease
 release_tag: development
 ls_branch: development
-build_armhf: false
 repo_vars:
   - JSON_URL = 'https://api.github.com/repos/duplicati/duplicati/releases'
   - JSON_PATH = 'first(.[] | select(.tag_name | contains("canary"))) | .tag_name'
@@ -24,6 +23,6 @@ repo_vars:
   - CI_PORT='8200'
   - CI_SSL='false'
   - CI_DELAY='120'
-  - CI_DOCKERENV='TZ=US/Pacific'
-  - CI_AUTH='user:password'
-  - CI_WEBPATH=''
+  - CI_DOCKERENV='SETTINGS_ENCRYPTION_KEY=abcde12345'
+  - CI_AUTH=''
+  - CI_WEBPATH='/login.html'

readme-vars.yml

@@ -4,7 +4,7 @@
 project_name: duplicati
 project_url: "https://www.duplicati.com/"
 project_logo: "https://github.com/linuxserver/docker-templates/raw/master/linuxserver.io/img/duplicati-icon.png"
-project_blurb: "[{{ project_name|capitalize }}]({{ project_url }}) works with standard protocols like FTP, SSH, WebDAV as well as popular services like Microsoft OneDrive, Amazon Cloud Drive & S3, Google Drive, box.com, Mega, hubiC and many others."
+project_blurb: "[{{ project_name|capitalize }}]({{ project_url }}) is a backup client that securely stores encrypted, incremental, compressed backups on local storage, cloud storage services and remote file servers. It works with standard protocols like FTP, SSH, WebDAV as well as popular services like Microsoft OneDrive, Amazon S3, Google Drive, box.com, Mega, B2, and many others."
 project_lsio_github_repo_url: "https://github.com/linuxserver/docker-{{ project_name }}"
 
 # supported architectures
@@ -30,21 +30,29 @@ param_usage_include_ports: true
 param_ports:
   - { external_port: "8200", internal_port: "8200", port_desc: "http gui" }
 
+param_usage_include_env: true
+param_env_vars:
+  - { env_var: "SETTINGS_ENCRYPTION_KEY", env_value: "", desc: "Encryption key for settings database. Minimum 8 characters, alphanumeric."}
+
 # optional container parameters
 opt_param_usage_include_env: true
 opt_param_env_vars:
   - { env_var: "CLI_ARGS", env_value: "", desc: "Optionally specify any [CLI variables](https://duplicati.readthedocs.io/en/latest/07-other-command-line-utilities/) you want to launch the app with" }
+  - { env_var: "DUPLICATI__WEBSERVICE_PASSWORD", env_value: "", desc: "Password for the webui. If left unset will default to `changeme` and can be changed from the webui settings."}
 
 readonly_supported: true
 
 # application setup block
 app_setup_block_enabled: true
 app_setup_block: |
-  The webui is at `<your ip>:8200` , create backup jobs etc via the webui, for local backups select `/backups` as the destination. For more information see [Duplicati]({{project_url}}).
+  The webui is at `<your ip>:8200`.
+
+  For local backups select `/backups` as the destination. For more information see [Duplicati]({{project_url}}).
 
 # changelog
 changelogs:
-  - { date: "30.05.23:", desc: "Rebase to Noble, switch to net core." }
+  - { date: "29.08.24:", desc: "Add support for settings DB encryption." }
+  - { date: "30.05.24:", desc: "Rebase to Noble, switch to net core." }
   - { date: "15.02.23:", desc: "Rebase to Jammy." }
   - { date: "03.08.22:", desc: "Deprecate armhf." }
   - { date: "13.03.22:", desc: "Fix artifact link." }

root/etc/s6-overlay/s6-rc.d/init-duplicati-config/run

@@ -3,6 +3,33 @@
 
 mkdir -p /run/duplicati-temp
 
+if [[ -f "/config/Duplicati-server.sqlite" ]]; then
+    # Existing install
+    if [[ -n ${SETTINGS_ENCRYPTION_KEY} ]]; then
+        # Enable settings encryption
+        true
+    else
+        # Disable settings encryption
+        printf "true" > /run/s6/container_environment/DUPLICATI__DISABLE_DB_ENCRYPTION
+        echo "***      Missing encryption key, unable to encrypt your settings database     ***"
+        echo "*** Please set a value for SETTINGS_ENCRYPTION_KEY and recreate the container ***"
+    fi
+else
+    # New install
+    if [[ -z ${DUPLICATI__WEBSERVICE_PASSWORD} ]]; then
+        printf "changeme" > /run/s6/container_environment/DUPLICATI__WEBSERVICE_PASSWORD
+    fi
+    if [[ -n ${SETTINGS_ENCRYPTION_KEY} ]]; then
+        # Enable settings encryption
+        true
+    else
+        # Halt init
+        echo "***      Missing encryption key, unable to encrypt your settings database     ***"
+        echo "*** Please set a value for SETTINGS_ENCRYPTION_KEY and recreate the container ***"
+        sleep infinity
+    fi
+fi
+
 # permissions
 lsiown -R abc:abc \
     /config \

root/etc/s6-overlay/s6-rc.d/svc-duplicati/run

@@ -3,5 +3,4 @@
 
 exec \
     s6-notifyoncheck -d -n 300 -w 1000 -c "nc -z localhost 8200" \
-        cd /app/duplicati s6-setuidgid abc ./duplicati-server \
-        --webservice-interface=any --server-datafolder=/config --webservice-allowed-hostnames=* $CLI_ARGS
+        cd /app/duplicati s6-setuidgid abc ./duplicati-server $CLI_ARGS