From 2e53bdb015c1d685241c23364b2281bcb95a5e49 Mon Sep 17 00:00:00 2001
From: SebastianStork
Date: Wed, 11 Jun 2025 21:09:08 +0200
Subject: [PATCH] Run all restic backups as root
---
 .../system/services/actualbudget/backups.nix | 4 ---
 modules/system/services/forgejo/backups.nix | 4 ---
 modules/system/services/hedgedoc/backups.nix | 4 ---
 modules/system/services/nextcloud/backups.nix | 2 --
 .../services/restic-backups/default.nix | 25 +++++--------------
 .../services/restic-backups/restore.nix | 12 ++++-----
 modules/system/services/syncthing/backups.nix | 3 ---
 7 files changed, 11 insertions(+), 43 deletions(-)
diff --git a/modules/system/services/actualbudget/backups.nix b/modules/system/services/actualbudget/backups.nix
index 7dee40d..6f25d22 100644
--- a/modules/system/services/actualbudget/backups.nix
+++ b/modules/system/services/actualbudget/backups.nix
@@ -1,13 +1,9 @@
 { config, lib, ... }:
-let
- user = config.users.users.actual.name;
-in
 {
 options.custom.services.actualbudget.backups.enable = lib.mkEnableOption "";
 
 config = lib.mkIf config.custom.services.actualbudget.backups.enable {
 custom.services.resticBackups.actual = {
- inherit user;
 dependentService = "actual.service";
 extraConfig.paths = [ config.services.actual.settings.dataDir ];
 };
diff --git a/modules/system/services/forgejo/backups.nix b/modules/system/services/forgejo/backups.nix
index a979b6b..3a5e8d8 100644
--- a/modules/system/services/forgejo/backups.nix
+++ b/modules/system/services/forgejo/backups.nix
@@ -1,13 +1,9 @@
 { config, lib, ... }:
-let
- user = config.users.users.forgejo.name;
-in
 {
 options.custom.services.forgejo.backups.enable = lib.mkEnableOption "";
 
 config = lib.mkIf config.custom.services.forgejo.backups.enable {
 custom.services.resticBackups.forgejo = {
- inherit user;
 dependentService = "forgejo.service";
 extraConfig.paths = [ config.services.forgejo.stateDir ];
 };
diff --git a/modules/system/services/hedgedoc/backups.nix b/modules/system/services/hedgedoc/backups.nix
index b8f1ea2..8b21280 100644
--- a/modules/system/services/hedgedoc/backups.nix
+++ b/modules/system/services/hedgedoc/backups.nix
@@ -1,13 +1,9 @@
 { config, lib, ... }:
-let
- user = config.users.users.hedgedoc.name;
-in
 {
 options.custom.services.hedgedoc.backups.enable = lib.mkEnableOption "";
 
 config = lib.mkIf config.custom.services.hedgedoc.backups.enable {
 custom.services.resticBackups.hedgedoc = {
- inherit user;
 dependentService = "hedgedoc.service";
 extraConfig.paths = with config.services.hedgedoc.settings; [
 uploadsPath
diff --git a/modules/system/services/nextcloud/backups.nix b/modules/system/services/nextcloud/backups.nix
index ba10269..e1d1b7b 100644
--- a/modules/system/services/nextcloud/backups.nix
+++ b/modules/system/services/nextcloud/backups.nix
@@ -3,14 +3,12 @@ let
 cfg = config.custom.services.nextcloud;
 dataDir = config.services.nextcloud.home;
- user = config.users.users.nextcloud.name;
 in
 {
 options.custom.services.nextcloud.backups.enable = lib.mkEnableOption "";
 
 config = lib.mkIf cfg.backups.enable {
 custom.services.resticBackups.nextcloud = {
- inherit user;
 extraConfig = {
 backupPrepareCommand = ''
 ${lib.getExe' config.services.nextcloud.occ "nextcloud-occ"} maintenance:mode --on
diff --git a/modules/system/services/restic-backups/default.nix b/modules/system/services/restic-backups/default.nix
index 005d7f2..f013609 100644
--- a/modules/system/services/restic-backups/default.nix
+++ b/modules/system/services/restic-backups/default.nix
@@ -2,7 +2,7 @@ let resticBackups = lib.filterAttrs (_: value: value.enable) config.custom.services.resticBackups;
- backupUsers = lib.mapAttrsToList (_: value: value.user) resticBackups;
+ # user = config.users.users.restic.name;
 in
 {
 options.custom.services.resticBackups = lib.mkOption {
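Review bot: The added `# user = config.users.users.restic.name;` in the `let` block of default.nix is commented-out code that tells the next reader nothing about why the per-user setup went away; the same applies to `#inherit user;` in the `services.restic.backups` merge further down this file. Either delete both lines (the commit message already records the intent) or replace the first with a real note such as `# Backups run as root (no per-service user): the units read the root-only sops secrets directly.` and drop the second.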
@@ -12,10 +12,6 @@ in
 enable = lib.mkEnableOption "" // { default = true; };
- user = lib.mkOption {
- type = lib.types.str;
- default = config.users.users.root.name;
- };
 dependentService = lib.mkOption {
 type = lib.types.nullOr lib.types.nonEmptyStr;
 default = null;
@@ -31,19 +27,10 @@ in
 };
 
 config = lib.mkIf (resticBackups != { }) {
- users.groups.backup.members = backupUsers;
-
- sops.secrets =
- let
- resticPermissions = {
- mode = "440";
- group = config.users.groups.backup.name;
- };
- in
- {
- "restic/environment" = resticPermissions;
- "restic/password" = resticPermissions;
- };
+ sops.secrets = {
+ "restic/environment" = { };
+ "restic/password" = { };
+ };
 
 services.restic.backups =
 resticBackups
@@ -51,7 +38,7 @@ in
 name: value:
 lib.mkMerge [
 {
- inherit (value) user;
+ #inherit user;
 initialize = true;
 repository = "s3:https://s3.eu-central-003.backblazeb2.com/stork-atlas/${name}";
 environmentFile = config.sops.secrets."restic/environment".path;
diff --git a/modules/system/services/restic-backups/restore.nix b/modules/system/services/restic-backups/restore.nix
index 21b40e4..ed59c73 100644
--- a/modules/system/services/restic-backups/restore.nix
+++ b/modules/system/services/restic-backups/restore.nix
@@ -44,13 +44,11 @@ in
 hasDependentService = dependentService != null;
 in
 ''
- ${lib.optionalString hasDependentService "sudo systemctl stop ${dependentService}"}
- sudo --user=${value.user} bash -c "
- ${value.restoreCommand.preRestore}
- restic-${name} restore latest --target /
- ${value.restoreCommand.postRestore}
- "
- ${lib.optionalString hasDependentService "sudo systemctl start ${dependentService}"}
+ ${lib.optionalString hasDependentService "systemctl stop ${dependentService}"}
+ ${value.restoreCommand.preRestore}
+ restic-${name} restore latest --target /
+ ${value.restoreCommand.postRestore}
+ ${lib.optionalString hasDependentService "systemctl start ${dependentService}"}
 '';
 }
 );
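Review bot: The two `sops.secrets` entries in the `config = lib.mkIf (resticBackups != { })` hunk now rely entirely on sops-nix's default owner and mode (presumably root-only — confirm against the sops-nix module defaults) to keep the repository credentials away from other local users, since the explicit `mode = "440"` and `group` were removed along with the `backup` group. That implicit dependency deserves a comment so nobody later "fixes" it by loosening the mode: `# owner/mode left at the sops-nix defaults (root-only); the restic units run as root and read these directly.` If any other module in the tree still defines attributes on these secrets or on the `backup` group, this is now the sole place their permissions are decided.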
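Review bot: Dropping `sudo` makes the restore script in restore.nix silently depend on running as root, but nothing in the hunk checks for that: run by an unprivileged user, `systemctl stop` and the `restic-${name}` wrapper (whose secrets are now readable only by root) fail part-way, and if the surrounding script runs under `set -e` (its wrapper is outside the hunk) the dependent service may be stopped and never started again. A guard at the top of the script turns this into an immediate, explicit error, and a `trap` that issues the `systemctl start` on exit would also cover a restore that fails mid-way. Restoring with `--target /` as root additionally means whatever the remote repository contains is written anywhere on the filesystem with its recorded ownership, so it is worth restricting the restore to the backup's own configured paths (restic's `--include`) or at least documenting that the repository is now trusted at root level. The enclosing `let`/string builder starts before the hunk.
```nix
''
  if [ "$(id -u)" -ne 0 ]; then
    echo "restore for ${name} must run as root" >&2
    exit 1
  fi
  ${lib.optionalString hasDependentService "systemctl stop ${dependentService}"}
  # … unchanged: preRestore, restic restore, postRestore, systemctl start …
''
```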
diff --git a/modules/system/services/syncthing/backups.nix b/modules/system/services/syncthing/backups.nix
index 68a490d..b741035 100644
--- a/modules/system/services/syncthing/backups.nix
+++ b/modules/system/services/syncthing/backups.nix
@@ -1,8 +1,6 @@
 { config, lib, ... }:
 let
 cfg = config.custom.services.syncthing;
-
- user = config.users.users.syncthing.name;
 in
 {
 options.custom.services.syncthing.backups.enable = lib.mkEnableOption "";
@@ -16,7 +14,6 @@ in
 ];
 
 custom.services.resticBackups.syncthing = {
- inherit user;
 dependentService = "syncthing.service";
 extraConfig.paths = [ config.services.syncthing.dataDir ];
 };