IaC/compose/backup.yaml

name: backup

networks:
  backup:
    attachable: true
    driver: macvlan
    driver_opts:
      macvlan_mode: bridge
      parent: enp1s0
    enable_ipv6: false
    external: false
    internal: false
    ipam:
      config:
        - subnet: "10.96.30.0/24"
          ip_range: "10.96.30.224/28"
          gateway: "10.96.30.254"
    name: backup

services:

  certbot:
    container_name: certbot
    image: certbot/dns-cloudflare
    pull_policy: always
    restart: "no"
    networks:
      backup:
        ipv4_address: 10.96.30.11
        link_local_ips: []
    command: >-
      certonly --dns-cloudflare
      --dns-cloudflare-credentials /etc/letsencrypt/credentials.ini
      --dns-cloudflare-propagation-seconds 20
      --email certbot-backup@balsillie.email
      --non-interactive
      --expand
      --no-eff-email
      --agree-tos
      -d backup.balsillie.house      
    volumes:
      - /mnt/md/backup/letsencrypt/etc:/etc/letsencrypt
      - /mnt/md/backup/letsencrypt/var:/var/lib/letsencrypt

  backup:
    container_name: backup
    image: restic/rest-server:latest
    pull_policy: always
    depends_on:
      certbot:
        condition: service_completed_successfully
        required: true
        restart: true
    hostname: backup
    domainname: balsillie.house
    restart: unless-stopped
    networks:
      backup:
        ipv4_address: 10.96.30.12
        link_local_ips: []
    entrypoint: /usr/bin/rest-server
    command:
      - --htpasswd-file "/htpasswd"
      - --path "/backup"
      - --listen "10.96.30.12:443"
      - --tls
      - --tls-cert "/etc/letsencrypt/live/backup.balsillie.house/fullchain.pem"
      - --tls-key "/etc/letsencrypt/live/backup.balsillie.house/privkey.pem"
    volumes:
      - /mnt/md/backup/letsencrypt/etc:/etc/letsencrypt
      - /mnt/md/backup/restic:/backup
      - /mnt/md/backup/restic.htpasswd:/htpasswd