Merge #316: feat: [#315] Backup Support - Phases 1-4 Complete

36c5675 fix: Add blank line before code fence in run.md for markdown linting (Jose Celano)
44c2830 docs: Update Phase 4 completion notes (Jose Celano)
14b1d5e docs: Clarify that initial backups are not yet automatically created during run command (Jose Celano)
d0d024d docs: Update Phase 4 progress - Parts 1 & 2 nearly complete (Jose Celano)
a49e24a feat: [#315] Phase 4 Part 2 - E2E backup verification tests (Jose Celano)
97891c4 docs: Update backup-verification.md to document automatic crontab-based backups (Jose Celano)
99632b7 fix: Set correct Docker build context for provisioned-instance E2E tests (Jose Celano)
2ed37cf fix: Set correct Docker build context for provisioned-instance E2E tests (Jose Celano)
46a50ca fix: Fix provisioned-instance Dockerfile COPY paths for build context (Jose Celano)
ca0e883 fix: [#315] Fix markdown emphasis spacing errors in documentation (Jose Celano)
ad4ead6 feat: [#315] Step 3.2 & 3.3 - Crontab installation and wiring (Jose Celano)
9c366ab docs: [#315] Add backup container workflow badge to README (Jose Celano)
0e3cf3e fix: [#315] Use correct build context for backup image in security scan workflow (Jose Celano)
11c5b0d docs: [#315] Document Docker build context to prevent regression (Jose Celano)
22246dc fix: [#315] Properly fix Docker build context to avoid regression (Jose Celano)
1611b63 docs: [#315] Phase 3 - Update progress tracking with implementation completion (Jose Celano)
0e563fd feat: [#315] Step 3.1 - Add crontab templates and renderers for scheduled backups (Jose Celano)
5cecf69 docs: [#315] Update progress tracking - Step 2.4 complete (Jose Celano)
549fcaf feat: [#315] Step 2.4 - Update create template command to include backup with defaults (Jose Celano)
5cd5b4a docs: [#315] Update progress tracking with MySQL backup verification results (Jose Celano)
a4e7bd9 docs: [#315] Update backup verification guide with MySQL-specific learnings (Jose Celano)
237e64c fix: [#315] Simplify MySQL backup SSL configuration by embedding in Docker image (Jose Celano)
1594b4a fix: [#315] Correct SQLite database path in backup configuration (Jose Celano)
062f4dc feat: [#315] Add backup release workflow integration (Jose Celano)
832fc0e refactor: [#315] extract DependencyCondition and ServiceDependency to separate modules (Jose Celano)
d0ce37e docs: [#315] update Phase 2.2 completion status in issue spec (Jose Celano)
86773da fix: [#315] set Docker build context to repository root in backup workflow (Jose Celano)
61a3da3 feat: [#315] add backup template infrastructure with context and renderer (Jose Celano)
4f8fb4c feat: [#315] add backup configuration templates and docker-compose service (Jose Celano)
b935871 docs: [#315] update Phase 2.1 completion status in issue spec (Jose Celano)
6ff96cb docs: [#315] add backup section to environment config JSON example (Jose Celano)
9d297cc fix: [#315] correct Dockerfile COPY paths for CI build context (Jose Celano)
11651c9 fix: [#315] correct doc examples to include backup parameter (Jose Celano)
e88c2c8 feat: [#315] integrate backup configuration into environment creation config (Jose Celano)
cec6ca7 feat: [#315] add backup configuration DTO with comprehensive help messages (Jose Celano)
6cb633e feat: [#315] add backup domain layer with parametrized tests (Jose Celano)
7bdad2e fix: [#315] override entrypoint in container verification step (Jose Celano)
7da6fac docs: [#315] update security scan index with backup container (Jose Celano)
15c8d6c feat: [#315] upgrade backup container to Debian 13 (trixie) (Jose Celano)
da238ef fix: [#315] correct security scan results for tracker-backup (Jose Celano)
0b313ba docs: [#315] update image name in progress tracking (Jose Celano)
bb3d5ea feat: [#315] add GitHub workflows for tracker-backup container (Jose Celano)
b982214 docs: complete Phase 1.1b manual E2E testing for backup container (Jose Celano)
47ab60c docs: add deployed instance structure and Phase 1.1b manual testing guide (Jose Celano)
18ef367 feat: implement backup container with comprehensive tests and documentation (Jose Celano)

Pull request description:

  ## 🎯 Issue #315 Complete: Full Backup Support Implementation

  This PR implements all phases of issue #315 (backup support), delivering a production-ready backup feature with comprehensive documentation.

  ### ✅ What's Included

  #### **Phase 1: Backup Container Infrastructure** ✅
  - Production backup container (`docker/backup/`)
    - Multi-stage Dockerfile (base → test → production)
    - `backup.sh` with comprehensive Rust-style documentation
    - 44 unit tests (100% passing, run during build)
    - Non-root execution (UID 1000)
    - Base image: Debian 13 (trixie-slim)
  - Complete documentation (`docker/backup/README.md`)
  - GitHub publishing workflow (automated Docker Hub publishing)
  - Security scanning integration with Trivy

  #### **Phase 2: Deployer Integration** ✅
  - Backup service in docker-compose templates
  - Configuration schema for environment creation
  - Service deployment with proper Docker profiles
  - Database support: MySQL 8 (MariaDB client), SQLite3

  #### **Phase 3: Scheduled Backups** ✅
  - Crontab installation and configuration (3 AM daily)
  - Backup scheduling via maintenance script
  - Retention cleanup (configurable days)
  - Automated execution after `release` command

  #### **Phase 4: Documentation & Testing** ✅
  - Comprehensive user guide (`docs/user-guide/backup.md`)
  - Updated run command documentation
  - Accurate documentation of current automation state
  - **Note**: Initial backup invocation (during `run`) planned for Phase 4.2.2

  ### 📦 Feature Completeness

  **What's Fully Automated:**
  - ✅ Setup: Backup config deployment during environment creation
  - ✅ Installation: Ansible playbooks for backup infrastructure
  - ✅ Crontab: Automatic crontab installation during `release`
  - ✅ Scheduled Backups: Daily automatic backups via crontab
  - ✅ Retention: Automatic cleanup of old backups
  - ✅ Support: MySQL and SQLite databases

  **Manual Workaround (Until Phase 4.2.2):**
  - Initial backup must be triggered manually: `docker compose --profile backup run --rm backup`

  ### 🏗️ Architecture

  **Backup Workflow:**
  ```
  Create Environment → Release → Scheduled Backups
        ↓                ↓              ↓
    Deploy Config   Install Crontab   Run Daily @ 3AM
                                          ↓
                                    Create Backup
                                    Compress & Archive
                                    Cleanup Old Files
  ```

  **Supported Deployments:**
  - Docker containers (E2E testing)
  - LXD VMs (production deployment)
  - Cloud VMs (Hetzner, etc.)

  ### 🧪 Testing

  **Unit Tests**: 44 tests in `backup_test.bats` covering:
  - Configuration validation
  - MySQL dump operations
  - SQLite backup operations
  - Compression and retention
  - Error handling

  **Integration Testing**: Verified in:
  - Docker container environments (E2E)
  - LXD VM deployments (production)
  - Manual testing with MySQL/SQLite

  ### 📚 Documentation

  - **User Guide**: `docs/user-guide/backup.md` - Complete feature documentation
  - **Run Command**: `docs/user-guide/commands/run.md` - Updated with accurate automation status
  - **Phase 4 Progress**: `docs/issues/315-phase-4-documentation-and-testing-plan.md` - Implementation details
  - **Container README**: `docker/backup/README.md` - Technical documentation
  - **Security Report**: `docs/security/docker/scans/torrust-tracker-backup.md` - Vulnerability tracking

  ### 🔐 Security

  - **Base Image**: Debian 13 (latest security patches)
  - **Vulnerabilities**: 11 total (9 HIGH, 2 CRITICAL)
    - Debian 13 upgrade resolved 3 critical vulnerabilities
    - Remaining: OpenSSL, MariaDB/glibc with available fixes
  - **Non-root Execution**: Container runs as UID 1000
  - **Profile-based Access**: Backup service behind Docker profile

  ### 🚀 Future Enhancements

  **Phase 4.2.2: Initial Backup Automation**
  - Add `InitialBackupStep` to run command handler
  - Automatically invoke backup during `run` command
  - No manual workaround needed post-implementation

  ### 📊 Changes Summary

  - **44 commits** with full history
  - **90 files changed** (8,671 additions, 59 deletions)
  - **Key additions**:
    - Docker backup service (production-ready)
    - GitHub publishing workflow
    - Ansible backup playbooks
    - Crontab installation and configuration
    - Comprehensive user documentation
    - Security documentation and scanning

  ### 🔗 Related Issues

  - Issue: #315 - Implement Backup Support
  - Epic: #309 - Add backup support
  - Research: #310 - Database backup strategies

  ### ✨ Ready for Production

  The backup feature is fully implemented and production-ready:
  - ✅ All infrastructure code tested and working
  - ✅ Scheduled backups automatically executed
  - ✅ Complete user documentation
  - ✅ Security scanning integrated
  - ✅ Published to Docker Hub (`torrust/tracker-backup`)

ACKs for top commit:
  josecelano:
    ACK 36c5675

Tree-SHA512: 5d731b62e3d4112158bc040fab9bdf1d1461807885756ad9f487670b9f91220b366181e2a2183f7f440b3a6d6043615e48f896a708bf2b8bddf87f01bd973306

Author: josecelano

.github/workflows/backup-container.yaml

@@ -0,0 +1,219 @@
+# Backup Container workflow for Torrust Tracker Deployer
+#
+# This workflow builds, tests, and publishes the backup Docker image.
+# Following patterns from container.yaml workflow.
+#
+# Triggers:
+#   - Push to main/develop branches (only when backup container files change)
+#   - Pull requests to main/develop (only when backup container files change)
+#   - Manual dispatch
+#
+# Publishing:
+#   - Images are pushed to Docker Hub on push to main/develop (not PRs)
+#   - Requires Docker Hub credentials in repository secrets (dockerhub-torrust-backup environment)
+
+name: Backup Container
+
+on:
+  push:
+    branches:
+      - "develop"
+      - "main"
+    paths:
+      - "docker/backup/**"
+      - ".github/workflows/backup-container.yaml"
+
+  pull_request:
+    branches:
+      - "develop"
+      - "main"
+    paths:
+      - "docker/backup/**"
+      - ".github/workflows/backup-container.yaml"
+
+  workflow_dispatch:
+
+env:
+  CARGO_TERM_COLOR: always
+  DOCKER_HUB_USERNAME: torrust
+
+jobs:
+  test:
+    name: Build & Test
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Build Image
+        uses: docker/build-push-action@v6
+        with:
+          # CRITICAL: Context must be ./docker/backup (not ./)
+          # Docker COPY/ADD commands resolve paths RELATIVE TO BUILD CONTEXT, not Dockerfile location.
+          # Setting context: ./docker/backup allows the Dockerfile to use simple relative paths like:
+          #   COPY backup.sh /scripts/backup.sh
+          # This creates consistency between local builds and CI builds.
+          #
+          # Regression History: commit 9d297cc5 used context: . with full paths in Dockerfile
+          # (e.g., COPY docker/backup/backup.sh). This worked but was confusing and error-prone
+          # for future changes. The current approach is cleaner and prevents regression.
+          #
+          # See docker/backup/README.md "Building the Container" section for details.
+          context: ./docker/backup
+          file: ./docker/backup/Dockerfile
+          target: production
+          push: false
+          load: true
+          tags: torrust/tracker-backup:local
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+      - name: Inspect Image
+        run: docker image inspect torrust/tracker-backup:local
+
+      - name: Verify Container Structure
+        run: |
+          echo "=== Verifying backup container structure ==="
+
+          echo "=== Checking backup script exists ==="
+          docker run --rm --entrypoint ls torrust/tracker-backup:local -lh /scripts/backup.sh
+
+          echo "=== Checking backup directories ==="
+          docker run --rm --entrypoint ls torrust/tracker-backup:local -ld /backups/mysql /backups/sqlite /backups/config
+
+          echo "=== Verifying tools installed ==="
+          docker run --rm --entrypoint which torrust/tracker-backup:local bash
+          docker run --rm --entrypoint which torrust/tracker-backup:local mysql
+          docker run --rm --entrypoint which torrust/tracker-backup:local sqlite3
+          docker run --rm --entrypoint which torrust/tracker-backup:local gzip
+          docker run --rm --entrypoint which torrust/tracker-backup:local tar
+
+          echo "=== Checking entrypoint ==="
+          docker inspect --format='{{.Config.Entrypoint}}' torrust/tracker-backup:local
+
+      - name: Test Container Execution
+        run: |
+          echo "=== Testing backup container without config (should fail gracefully) ==="
+          docker run --rm torrust/tracker-backup:local || true
+
+  context:
+    name: Context
+    needs: test
+    runs-on: ubuntu-latest
+
+    outputs:
+      continue: ${{ steps.check.outputs.continue }}
+      type: ${{ steps.check.outputs.type }}
+
+    steps:
+      - name: Check Context
+        id: check
+        run: |
+          if [[ "${{ github.repository }}" == "torrust/torrust-tracker-deployer" ]]; then
+            if [[ "${{ github.event_name }}" == "push" ]]; then
+              if [[ "${{ github.ref }}" == "refs/heads/main" ]]; then
+                echo "type=production" >> $GITHUB_OUTPUT
+                echo "continue=true" >> $GITHUB_OUTPUT
+              elif [[ "${{ github.ref }}" == "refs/heads/develop" ]]; then
+                echo "type=development" >> $GITHUB_OUTPUT
+                echo "continue=true" >> $GITHUB_OUTPUT
+              fi
+            fi
+          fi
+
+          # Default: don't continue
+          if [[ -z "$(cat $GITHUB_OUTPUT 2>/dev/null)" ]]; then
+            echo "continue=false" >> $GITHUB_OUTPUT
+          fi
+
+  publish_development:
+    name: Publish (Development)
+    environment: dockerhub-torrust-backup
+    needs: context
+    if: needs.context.outputs.continue == 'true' && needs.context.outputs.type == 'development'
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Docker Meta
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: |
+            ${{ env.DOCKER_HUB_USERNAME }}/tracker-backup
+          tags: |
+            type=ref,event=branch
+            type=sha,prefix=dev-
+
+      - name: Login to Docker Hub
+        uses: docker/login-action@v3
+        with:
+          username: ${{ env.DOCKER_HUB_USERNAME }}
+          password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
+
+      - name: Setup Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Build and Push
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          file: ./docker/backup/Dockerfile
+          target: production
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+  publish_production:
+    name: Publish (Production)
+    environment: dockerhub-torrust-backup
+    needs: context
+    if: needs.context.outputs.continue == 'true' && needs.context.outputs.type == 'production'
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Docker Meta
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: |
+            ${{ env.DOCKER_HUB_USERNAME }}/tracker-backup
+          tags: |
+            type=raw,value=latest
+            type=ref,event=branch
+            type=sha
+
+      - name: Login to Docker Hub
+        uses: docker/login-action@v3
+        with:
+          username: ${{ env.DOCKER_HUB_USERNAME }}
+          password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
+
+      - name: Setup Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Build and Push
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          file: ./docker/backup/Dockerfile
+          target: production
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max

.github/workflows/docker-security-scan.yml

@@ -42,6 +42,9 @@ jobs:
           - dockerfile: docker/ssh-server/Dockerfile
             context: docker/ssh-server
             name: ssh-server
+          - dockerfile: docker/backup/Dockerfile
+            context: docker/backup
+            name: tracker-backup
 
     steps:
       - name: Checkout code
@@ -54,7 +57,7 @@ jobs:
           docker build \
             -t torrust-tracker-deployer/${{ matrix.image.name }}:latest \
             -f ${{ matrix.image.dockerfile }} \
-            .
+            ${{ matrix.image.context }}
 
       # Human-readable output in logs
       # This NEVER fails the job; it’s only for visibility

AGENTS.md

@@ -121,9 +121,9 @@ These principles should guide all development decisions, code reviews, and featu
 7. **Before working with Tera templates**: Read [`docs/contributing/templates/tera.md`](docs/contributing/templates/tera.md) for correct variable syntax - use `{{ variable }}` not `{ { variable } }`. Tera template files have the `.tera` extension.
 
 8. **When adding new Ansible playbooks**: Read [`docs/contributing/templates/ansible.md`](docs/contributing/templates/ansible.md) and the ADR [`atomic-ansible-playbooks.md`](docs/decisions/atomic-ansible-playbooks.md).
-    - **CRITICAL: One playbook = one responsibility** (atomic playbook rule)
-    - Conditional enablement belongs in Rust commands/steps, not in Ansible `when:` clauses (use `when:` only for host facts)
-    - Static playbooks must be registered in `src/infrastructure/external_tools/ansible/template/renderer/project_generator.rs` under `copy_static_templates()` so they are copied into the build directory
+   - **CRITICAL: One playbook = one responsibility** (atomic playbook rule)
+   - Conditional enablement belongs in Rust commands/steps, not in Ansible `when:` clauses (use `when:` only for host facts)
+   - Static playbooks must be registered in `src/infrastructure/external_tools/ansible/template/renderer/project_generator.rs` under `copy_static_templates()` so they are copied into the build directory
 
 9. **When handling errors in code**: Read [`docs/contributing/error-handling.md`](docs/contributing/error-handling.md) for error handling principles. Prefer explicit enum errors over anyhow for better pattern matching and user experience. Make errors clear, include sufficient context for traceability, and ensure they are actionable with specific fix instructions.
 
@@ -151,6 +151,36 @@ These principles should guide all development decisions, code reviews, and featu
 
 20. **When generating environment configurations** (for AI agents): Reference the Rust types in [`src/application/command_handlers/create/config/`](src/application/command_handlers/create/config/) for accurate constraint information. These types express richer validation rules than the JSON schema alone (e.g., `NonZeroU32`, tagged enums, newtype wrappers). Read the [README](src/application/command_handlers/create/config/README.md) in that folder for the full guide. The JSON schema (`schemas/environment-config.json`) provides basic structure, but the Rust types are authoritative for constraints. See the [ADR](docs/decisions/configuration-dto-layer-placement.md) for why these types are in the application layer.
 
+## 🏗️ Deployed Instance Structure
+
+After running the complete deployment workflow (`create → provision → configure → release → run`), the virtual machine has the following structure:
+
+```text
+/opt/torrust/                          # Application root directory
+├── docker-compose.yml                 # Main orchestration file
+├── .env                               # Environment variables
+└── storage/                           # Persistent data volumes
+    ├── tracker/
+    │   ├── lib/                       # Database files (tracker.db for SQLite)
+    │   ├── log/                       # Tracker logs
+    │   └── etc/                       # Configuration (tracker.toml)
+    ├── prometheus/
+    │   └── etc/                       # Prometheus configuration
+    └── grafana/
+        ├── data/                      # Grafana database
+        └── provisioning/              # Dashboards and datasources
+```
+
+**Key commands inside the VM**:
+
+```bash
+cd /opt/torrust                        # Application root
+docker compose ps                      # Check services
+docker compose logs tracker            # View logs
+```
+
+For detailed information about working with deployed instances, see [`docs/user-guide/`](docs/user-guide/README.md).
+
 ## 🧪 Build & Test
 
 - **Setup Dependencies**: `cargo run --bin dependency-installer install` (sets up required development tools)

README.md

@@ -1,4 +1,4 @@
-[![Linting](https://github.com/torrust/torrust-tracker-deployer/actions/workflows/linting.yml/badge.svg)](https://github.com/torrust/torrust-tracker-deployer/actions/workflows/linting.yml) [![Testing](https://github.com/torrust/torrust-tracker-deployer/actions/workflows/testing.yml/badge.svg)](https://github.com/torrust/torrust-tracker-deployer/actions/workflows/testing.yml) [![E2E Infrastructure Tests](https://github.com/torrust/torrust-tracker-deployer/actions/workflows/test-e2e-infrastructure.yml/badge.svg)](https://github.com/torrust/torrust-tracker-deployer/actions/workflows/test-e2e-infrastructure.yml) [![E2E Deployment Tests](https://github.com/torrust/torrust-tracker-deployer/actions/workflows/test-e2e-deployment.yml/badge.svg)](https://github.com/torrust/torrust-tracker-deployer/actions/workflows/test-e2e-deployment.yml) [![Test LXD Container Provisioning](https://github.com/torrust/torrust-tracker-deployer/actions/workflows/test-lxd-provision.yml/badge.svg)](https://github.com/torrust/torrust-tracker-deployer/actions/workflows/test-lxd-provision.yml) [![Coverage](https://github.com/torrust/torrust-tracker-deployer/actions/workflows/coverage.yml/badge.svg)](https://github.com/torrust/torrust-tracker-deployer/actions/workflows/coverage.yml) [![Container](https://github.com/torrust/torrust-tracker-deployer/actions/workflows/container.yaml/badge.svg)](https://github.com/torrust/torrust-tracker-deployer/actions/workflows/container.yaml) [![Docker Security Scan](https://github.com/torrust/torrust-tracker-deployer/actions/workflows/docker-security-scan.yml/badge.svg)](https://github.com/torrust/torrust-tracker-deployer/actions/workflows/docker-security-scan.yml)
+[![Linting](https://github.com/torrust/torrust-tracker-deployer/actions/workflows/linting.yml/badge.svg)](https://github.com/torrust/torrust-tracker-deployer/actions/workflows/linting.yml) [![Testing](https://github.com/torrust/torrust-tracker-deployer/actions/workflows/testing.yml/badge.svg)](https://github.com/torrust/torrust-tracker-deployer/actions/workflows/testing.yml) [![E2E Infrastructure Tests](https://github.com/torrust/torrust-tracker-deployer/actions/workflows/test-e2e-infrastructure.yml/badge.svg)](https://github.com/torrust/torrust-tracker-deployer/actions/workflows/test-e2e-infrastructure.yml) [![E2E Deployment Tests](https://github.com/torrust/torrust-tracker-deployer/actions/workflows/test-e2e-deployment.yml/badge.svg)](https://github.com/torrust/torrust-tracker-deployer/actions/workflows/test-e2e-deployment.yml) [![Test LXD Container Provisioning](https://github.com/torrust/torrust-tracker-deployer/actions/workflows/test-lxd-provision.yml/badge.svg)](https://github.com/torrust/torrust-tracker-deployer/actions/workflows/test-lxd-provision.yml) [![Coverage](https://github.com/torrust/torrust-tracker-deployer/actions/workflows/coverage.yml/badge.svg)](https://github.com/torrust/torrust-tracker-deployer/actions/workflows/coverage.yml) [![Container](https://github.com/torrust/torrust-tracker-deployer/actions/workflows/container.yaml/badge.svg)](https://github.com/torrust/torrust-tracker-deployer/actions/workflows/container.yaml) [![Backup Container](https://github.com/torrust/torrust-tracker-deployer/actions/workflows/backup-container.yaml/badge.svg)](https://github.com/torrust/torrust-tracker-deployer/actions/workflows/backup-container.yaml) [![Docker Security Scan](https://github.com/torrust/torrust-tracker-deployer/actions/workflows/docker-security-scan.yml/badge.svg)](https://github.com/torrust/torrust-tracker-deployer/actions/workflows/docker-security-scan.yml)
 
 # Torrust Tracker Deployer
 

docker/backup/Dockerfile

@@ -0,0 +1,98 @@
+# ============================================================================
+# Torrust Backup Container
+# ============================================================================
+# Production backup container for Torrust Tracker deployments.
+# Configuration is provided via mounted config files - no environment variables.
+#
+# Configuration Files:
+#   /etc/backup/backup.conf      - Main configuration (sourced by backup.sh)
+#   /etc/backup/backup-paths.txt - List of files/directories to backup
+#
+# Mount Points:
+#   /backups  - Output directory for all backups (read-write)
+#   /data     - Source data directory (read-only, app storage mounted here)
+#
+# Output Structure:
+#   /backups/mysql/mysql_YYYYMMDD_HHMMSS.sql.gz   - MySQL dumps (compressed)
+#   /backups/sqlite/sqlite_YYYYMMDD_HHMMSS.db.gz  - SQLite backups (compressed)
+#   /backups/config/config_YYYYMMDD_HHMMSS.tar.gz - Config archives (compressed)
+#
+# Security:
+#   Container runs as uid 1000 (torrust user) to match app file ownership.
+#   This ensures backup files have correct ownership on host.
+#
+# Testing:
+#   Tests run during build using bats-core. Build fails if tests fail.
+# ============================================================================
+
+FROM debian:trixie-slim AS base
+
+# Install required utilities
+# - bash: for scripting
+# - default-mysql-client: MariaDB client (compatible with MySQL 8)
+# - sqlite3: SQLite client for .backup command
+# - gzip: for compression
+# - tar: for config file archiving
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    bash \
+    default-mysql-client \
+    sqlite3 \
+    gzip \
+    tar \
+    && rm -rf /var/lib/apt/lists/*
+
+# =============================================================================
+# Test Stage - Run unit tests during build
+# =============================================================================
+FROM base AS test
+
+# Install bats-core for testing
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    bats \
+    && rm -rf /var/lib/apt/lists/*
+
+# Copy test files
+COPY backup.sh /scripts/backup.sh
+COPY backup_test.bats /scripts/backup_test.bats
+RUN chmod +x /scripts/backup.sh
+
+# Run tests - build fails if tests fail
+# Create a marker file to prove tests passed
+RUN cd /scripts && bats backup_test.bats && touch /scripts/.tests_passed
+
+# =============================================================================
+# Production Stage
+# =============================================================================
+FROM base AS production
+
+# Require tests to have passed by copying marker from test stage
+# This ensures test stage is always executed before production stage
+COPY --from=test /scripts/.tests_passed /tmp/.tests_passed
+
+# Create backup user with same UID as torrust app user
+# This ensures backup files have correct ownership on host
+# Using 'torrust' as the username to match the app user
+ARG BACKUP_UID=1000
+ARG BACKUP_GID=1000
+RUN groupadd -g ${BACKUP_GID} torrust 2>/dev/null || true && \
+    useradd -u ${BACKUP_UID} -g ${BACKUP_GID} -s /bin/bash torrust 2>/dev/null || true
+
+# Create directories with correct ownership
+RUN mkdir -p /scripts /backups/mysql /backups/sqlite /backups/config /etc/mysql && \
+    chown -R ${BACKUP_UID}:${BACKUP_GID} /backups
+
+# Create MySQL client configuration (disable SSL verification for Docker connections)
+RUN cat > /etc/mysql/mysql-client.cnf <<'EOF' && \
+chmod 644 /etc/mysql/mysql-client.cnf
+[mysqldump]
+ssl=FALSE
+EOF
+
+# Copy backup script (tests already passed in test stage)
+COPY backup.sh /scripts/backup.sh
+RUN chmod +x /scripts/backup.sh
+
+# Run as non-root user (torrust, uid 1000)
+USER torrust
+
+ENTRYPOINT ["/scripts/backup.sh"]