From e239867ce39fc7ef4bae22dffabd09a8b70215fb Mon Sep 17 00:00:00 2001
From: Joachim Friberg
Date: Wed, 1 Apr 2026 14:55:14 +0200
Subject: [PATCH] Added timemachine
---
 Apps/timemachine/README.md | 73 +++++++++++++++++++++
 Apps/timemachine/docker-compose.yaml | 96 ++++++++++++++++++++++++++++
 2 files changed, 169 insertions(+)
 create mode 100644 Apps/timemachine/README.md
 create mode 100644 Apps/timemachine/docker-compose.yaml
diff --git a/Apps/timemachine/README.md b/Apps/timemachine/README.md
new file mode 100644
index 0000000..5260f22
--- /dev/null
+++ b/Apps/timemachine/README.md
@@ -0,0 +1,73 @@
+# Time Machine
+
+Denna app kör en SMB-baserad Time Machine-target för macOS med image `mbentley/timemachine`.
+
+Imagepinning i denna app:
+
+- Compose använder explicit daterad tag: `mbentley/timemachine:smb-20260329`
+- `latest` används inte enligt repo-policy.
+- Taggen verifierades mot Docker Hub innan införande.
+
+## Syfte
+
+- Ge en dedikerad backup-destination för macOS Time Machine i ZimaOS.
+- Hålla konfigureringen enkel och reviewbar.
+- Prioritera minst möjliga privilegier som fortfarande fungerar utan host network.
+
+## Portar
+
+- `137/udp` (NetBIOS name service)
+- `138/udp` (NetBIOS datagram service)
+- `139/tcp` (NetBIOS session service)
+- `445/tcp` (SMB)
+
+## Volymer
+
+- `/DATA/AppData/$AppID/backup -> /opt/timemachine`
+
+Backupdata lagras isolerat under appens AppData-sökväg.
+
+## Miljövariabler
+
+- `TZ` (default `Europe/Stockholm`)
+- `TM_USERNAME` (default `timemachine`)
+- `TM_GROUPNAME` (default `timemachine`)
+- `PASSWORD` (MUST ändras från `CHANGE_ME` före drift)
+- `TM_UID` (default `1000`)
+- `TM_GID` (default `1000`)
+- `SET_PERMISSIONS` (default `false`)
+- `VOLUME_SIZE_LIMIT` (default `0`, dvs obegränsad)
+
+## Säkerhetsmodell
+
+Aktiva skydd:
+
+- Ingen `privileged: true`
+- Ingen `network_mode: host`
+- Ingen mount av `/var/run/docker.sock`
+- `security_opt: ["no-new-privileges:true"]`
+- Snäv bind-mount till appens egna data under `/DATA/AppData/$AppID/...`
+
+Tradeoff:
+
+- Utan host network fungerar inte alltid automatisk Bonjour/Avahi-discovery över alla nät.
+- Fallback är manuell anslutning i Finder: `smb:///TimeMachine`.
+
+## Högrisk-inställningar
+
+Inga högrisk-inställningar används i default-config.
+
+Alternativ som utvärderats men inte valts som default:
+
+- `network_mode: host` för bättre auto-discovery.
+
+Varför inte default:
+
+- Host network ökar attackytan och isoleringen minskar.
+- Manuell SMB-anslutning ger fungerande backupflöde med lägre risk.
+
+## Drift och underhåll
+
+- Uppdatera till nyare `smb-YYYYMMDD`-taggar regelbundet för säkerhetsfixar.
+- Rotera Time Machine-lösenord enligt normal credential-policy.
+- Verifiera återläsning periodiskt, inte bara backup-jobb.
diff --git a/Apps/timemachine/docker-compose.yaml b/Apps/timemachine/docker-compose.yaml
new file mode 100644
index 0000000..16f6dda
--- /dev/null
+++ b/Apps/timemachine/docker-compose.yaml
@@ -0,0 +1,96 @@
+name: timemachine
+
+services:
+ timemachine:
+ # Setting this will allow the Zima webui to display the field "REQUIRE MEMORY"
+ deploy:
+ resources:
+ reservations:
+ memory: 128M
+ image: mbentley/timemachine:smb-20260329
+ container_name: timemachine
+ restart: unless-stopped
+
+ environment:
+ TZ: Europe/Stockholm
+ TM_USERNAME: timemachine
+ TM_GROUPNAME: timemachine
+ PASSWORD: CHANGE_ME
+ TM_UID: "1000"
+ TM_GID: "1000"
+ SET_PERMISSIONS: "false"
+ VOLUME_SIZE_LIMIT: "0"
+
+ ports:
+ - target: 137
+ published: "137"
+ protocol: udp
+ - target: 138
+ published: "138"
+ protocol: udp
+ - target: 139
+ published: "139"
+ protocol: tcp
+ - target: 445
+ published: "445"
+ protocol: tcp
+
+ tmpfs:
+ - /run/samba
+
+ volumes:
+ - type: bind
+ source: /DATA/AppData/$AppID/backup
+ target: /opt/timemachine
+
+ security_opt:
+ - no-new-privileges:true
+
+ x-casaos:
+ envs:
+ - container: TZ
+ description:
+ en_us: Timezone, for example Europe/Stockholm
+ - container: TM_USERNAME
+ description:
+ en_us: Time Machine username
+ - container: PASSWORD
+ description:
+ en_us: Time Machine password
+ - container: TM_UID
+ description:
+ en_us: User ID for filesystem permissions
+ - container: TM_GID
+ description:
+ en_us: Group ID for filesystem permissions
+ - container: VOLUME_SIZE_LIMIT
+ description:
+ en_us: Size limit in MB (0 means unlimited)
+ ports:
+ - container: "445"
+ description:
+ en_us: SMB service port for Time Machine backups
+ volumes:
+ - container: /opt/timemachine
+ description:
+ en_us: Time Machine backup data
+
+x-casaos:
+ architectures:
+ - amd64
+ - arm64
+ main: timemachine
+ category: phirna
+ author: Joachim Friberg
+ developer: Joachim Friberg
+ icon: https://cdn.simpleicons.org/apple
+ tagline:
+ en_us: Network Time Machine target for macOS over SMB
+ description:
+ en_us: >-
+ Runs a Samba-based Time Machine target for macOS backups.
+ Uses explicit image pinning, scoped app data storage, and no-new-privileges.
+ title:
+ en_us: Time Machine
+ index: /
+ port_map: "445"
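Review bot: `PASSWORD: CHANGE_ME` under `environment` ships a known default credential for a share that `published: "445"` (no `host_ip`) exposes on every host interface, and nothing in the compose file prevents the container from starting with it — the README's "MUST change" is the only guard. A required substitution, `PASSWORD: ${PASSWORD:?set a Time Machine password before starting}`, makes compose fail fast until a value is supplied; this assumes the ZimaOS installer applies the same variable substitution it already performs for `$AppID` in the bind-mount source, which should be confirmed before relying on it. The NetBIOS publishes `137/udp`, `138/udp` and `139/tcp` are more surface than macOS needs, since Time Machine over SMB connects on `445/tcp` alone, so unless the image's nmbd is required for the discovery path you actually use, dropping those three `ports` entries matches the least-privilege goal the hunk's description claims. `no-new-privileges:true` is the only hardening in `security_opt`; a `cap_drop: ["ALL"]` with only the capabilities Samba in this image actually needs added back would complement it, but that set has to be determined by testing the image rather than assumed.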