Drone CI Workflows for Encrypted Backups to AWS S3

Recently I started self-hosting Vaultwarden and wanted a nice, automated way to run backups and to encrypt them. I was already using Gitea, and after some research Drone CI seemed like an excellent fit to get me started.
I want to configure a pipeline that grabs the docker config directories on my server, compresses them, encrypts them, and then uploads the result to S3. This ensures I always have a cloud backup of all of my containers, especially important services like Vaultwarden: I need to always have a backup of my personal vault, and what better place than S3?
First, I need to set up a little infrastructure. I want my Terraform state file to be saved to S3 as well, with DynamoDB handling state locking. This is a pretty simple setup.
You will need to create the bucket part of the code first, then bring in the state backend and DynamoDB sections. When you run terraform init -migrate-state, Terraform will move the existing local state over to S3.

Create an IAM role for Drone with S3 access, plus KMS access if you plan to use SSE-KMS.
Authorize Drone CI in the Gitea settings so it can access the repo we will run the pipeline from.

Here is the docker compose file I used, configured for Gitea.
In this compose file we create the Drone server container as well as a runner, which is required to execute our pipeline.
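The compose file itself did not survive on this page, so the following is an added example of the shape such a file takes, not the author's own file. It assumes Gitea is reachable at https://gitea.example.internal, Drone is published at drone.example.internal behind TLS, and the three secret values are supplied from a .env file next to the compose file; the environment variable names are the ones documented by Drone for the Gitea provider and the Docker runner.

```yaml
# Added example: Drone server + Docker runner for a Gitea instance.
# Assumed hostnames and ports; replace them with your own.
services:
  drone:
    image: drone/drone:2
    container_name: drone
    restart: unless-stopped
    ports:
      - "8080:80"            # Drone listens on 80 inside the container
    volumes:
      - ./drone-data:/data   # SQLite database and build logs
    environment:
      DRONE_GITEA_SERVER: https://gitea.example.internal
      # OAuth2 application created in Gitea (Settings -> Applications)
      DRONE_GITEA_CLIENT_ID: ${DRONE_GITEA_CLIENT_ID}
      DRONE_GITEA_CLIENT_SECRET: ${DRONE_GITEA_CLIENT_SECRET}
      # Shared secret that authenticates runners to the server
      DRONE_RPC_SECRET: ${DRONE_RPC_SECRET}
      DRONE_SERVER_HOST: drone.example.internal
      DRONE_SERVER_PROTO: https
      # First login becomes admin (assumed Gitea username "admin")
      DRONE_USER_CREATE: username:admin,admin:true

  drone-runner:
    image: drone/drone-runner-docker:1
    container_name: drone-runner
    restart: unless-stopped
    depends_on:
      - drone
    volumes:
      # The runner launches build containers through the host's Docker socket,
      # which makes it root-equivalent on the host: only activate repos you trust.
      - /var/run/docker.sock:/var/run/docker.sock
    environment:
      DRONE_RPC_PROTO: http
      DRONE_RPC_HOST: drone          # service name on the compose network
      DRONE_RPC_SECRET: ${DRONE_RPC_SECRET}
      DRONE_RUNNER_CAPACITY: 2
      DRONE_RUNNER_NAME: homelab-runner
```

Generate DRONE_RPC_SECRET with something like openssl rand -hex 16 and keep the .env file out of the repository; because the runner holds the Docker socket, anyone who can push a .drone.yml to an activated repo can run arbitrary containers on that host.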
A quick refresher on working with the compose file:
- To start your application (in the background, or detached mode): docker compose up -d
- To stop your application and remove containers, networks, etc.: docker compose down
- To build or rebuild services: docker compose build
All of the important pieces are in place. Next, create a repository and place a .drone.yml file in the root of the repo.
Add a few secrets to the repo: the AWS access keys, the default region, and the encryption key, which can be any 16+ character string you like. This is the key that decrypts your archive, so keep a copy of it somewhere other than the server being backed up.
The pipeline is pretty simple: it compresses and encrypts the config folder into a .7z file, then uploads that file to the S3 bucket of your choice.
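The .drone.yml is likewise missing from this page, so here is an added example of a two-step pipeline that does what the paragraph above describes; it is not the author's file. It assumes the config directories live under /opt/docker on the host, that the repo is marked Trusted in Drone (host volumes are refused otherwise), that the bucket is called my-homelab-backups, and that the four repo secrets are named backup_encryption_key, aws_access_key_id, aws_secret_access_key and aws_default_region. The image tags are assumptions as well. Files written into the working directory by one step are visible to the next because Drone shares one workspace across the steps of a pipeline.

```yaml
# Added example: encrypt docker config directories with 7z and push to S3.
kind: pipeline
type: docker
name: encrypted-config-backup

# Run from the "New Build" button (custom) or a Drone cron schedule,
# not on every push.
trigger:
  event:
    - cron
    - custom

# Assumed host path holding the container config directories.
# Host volumes require the repository to be marked Trusted in Drone.
volumes:
  - name: docker-configs
    host:
      path: /opt/docker

steps:
  - name: archive-and-encrypt
    image: alpine:3.19
    environment:
      BACKUP_KEY:
        from_secret: backup_encryption_key
    volumes:
      - name: docker-configs
        path: /data
    commands:
      - apk add --no-cache p7zip
      # -mhe=on also encrypts the archive headers, so file names are not
      # visible without the key; the key comes from the secret, never the repo.
      - 7z a -t7z -mx=5 -mhe=on -p"$BACKUP_KEY" configs.7z /data
      # Test the archive before uploading: a backup you cannot open is no backup.
      - 7z t -p"$BACKUP_KEY" configs.7z
      - sha256sum configs.7z > configs.7z.sha256

  - name: upload-to-s3
    image: amazon/aws-cli:2.15.0
    environment:
      AWS_ACCESS_KEY_ID:
        from_secret: aws_access_key_id
      AWS_SECRET_ACCESS_KEY:
        from_secret: aws_secret_access_key
      AWS_DEFAULT_REGION:
        from_secret: aws_default_region
      BUCKET: my-homelab-backups     # assumed bucket name
    commands:
      # Timestamped key so every run keeps its own object (pair with a
      # lifecycle rule on the bucket to expire old copies).
      - export KEY="configs/configs-$(date -u +%Y%m%dT%H%M%SZ).7z"
      # --sse aws:kms enables SSE-KMS with the account's default S3 key;
      # add --sse-kms-key-id to use a customer-managed key.
      - aws s3 cp configs.7z "s3://$BUCKET/$KEY" --sse aws:kms
      - aws s3 cp configs.7z.sha256 "s3://$BUCKET/$KEY.sha256" --sse aws:kms
```

Two things worth checking on your own setup: Vaultwarden keeps its data in an SQLite database, and copying the file while the service is writing can produce an inconsistent snapshot, so either run the backup when the instance is idle or take the copy with sqlite3's .backup command first; and the secrets referenced with from_secret are only injected into the step that names them, which is why the encryption key and the AWS credentials sit in different steps.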
It's time to run it! Log into Drone CI and you will now see the list of your repos. Choose the repo in which you placed the .drone.yml file.


After the repository is activated, select it, then create a new build with the pipeline.


You should now have a working pipeline.

Let's verify in S3.

I hope this helps you with your own homelabs and servers. There is no point hosting services like Vaultwarden if your whole password vault could be corrupted or lost on a local machine. This is a simple and effective way to securely back up these services, not to mention cheap: it costs less than 25 cents a month in S3 charges, and if you use KMS for SSE that will cost an extra $1.
Thank you for reading!