Run restic backups as non root users

2026-01-21 14:01:34 +01:00 · 2025-05-19 23:33:39 +02:00 · 2025-05-19 23:33:39 +02:00 · 87057d4b88
commit 87057d4b88
parent 4b91351954
3 changed files with 65 additions and 4 deletions
--- a/modules/system/actualbudget/backups.nix
+++ b/modules/system/actualbudget/backups.nix
@ -4,12 +4,32 @@
  lib,
  ...
 }:
+let
+  user = config.users.users.actual.name;
+in
 {
  options.myConfig.actualbudget.backups.enable = lib.mkEnableOption "";

  config = lib.mkIf config.myConfig.actualbudget.backups.enable {
-    myConfig.resticBackup.actual = {
+    security.polkit = {
      enable = true;
+      extraConfig =
+        let
+          service = "actual.service";
+        in
+        ''
+          polkit.addRule(function(action, subject) {
+            if (action.id == "org.freedesktop.systemd1.manage-units" &&
+              action.lookup("unit") == "${service}" &&
+              subject.user == "${user}") {
+              return polkit.Result.YES;
+            }
+          });
+        '';
+    };
+
+    myConfig.resticBackup.actual = {
+      inherit user;
      healthchecks.enable = true;

      extraConfig = {
@ -23,7 +43,7 @@
      (pkgs.writeShellApplication {
        name = "actual-restore";
        text = ''
-          sudo bash -c "
+          sudo --user=${user} bash -c "
            systemctl stop actual.service
            restic-actual restore latest --target /
            systemctl start actual.service
--- a/modules/system/hedgedoc/backups.nix
+++ b/modules/system/hedgedoc/backups.nix
@ -4,11 +4,32 @@
  lib,
  ...
 }:
+let
+  user = config.users.users.hedgedoc.name;
+in
 {
  options.myConfig.hedgedoc.backups.enable = lib.mkEnableOption "";

  config = lib.mkIf config.myConfig.hedgedoc.backups.enable {
+    security.polkit = {
+      enable = true;
+      extraConfig =
+        let
+          service = "hedgedoc.service";
+        in
+        ''
+          polkit.addRule(function(action, subject) {
+            if (action.id == "org.freedesktop.systemd1.manage-units" &&
+              action.lookup("unit") == "${service}" &&
+              subject.user == "${user}") {
+              return polkit.Result.YES;
+            }
+          });
+        '';
+    };
+
    myConfig.resticBackup.hedgedoc = {
+      inherit user;
      healthchecks.enable = true;

      extraConfig = {
@ -25,7 +46,7 @@
      (pkgs.writeShellApplication {
        name = "hedgedoc-restore";
        text = ''
-          sudo bash -c "
+          sudo --user=${user} bash -c "
            systemctl stop hedgedoc.service
            restic-hedgedoc restore latest --target /
            systemctl start hedgedoc.service
--- a/modules/system/syncthing/backups.nix
+++ b/modules/system/syncthing/backups.nix
@ -6,6 +6,8 @@
 }:
 let
  cfg = config.myConfig.syncthing;
+
+  user = config.users.users.syncthing.name;
 in
 {
  options.myConfig.syncthing.backups.enable = lib.mkEnableOption "";
@ -18,7 +20,25 @@ in
      }
    ];

+    security.polkit = {
+      enable = true;
+      extraConfig =
+        let
+          service = "syncthing.service";
+        in
+        ''
+          polkit.addRule(function(action, subject) {
+            if (action.id == "org.freedesktop.systemd1.manage-units" &&
+              action.lookup("unit") == "${service}" &&
+              subject.user == "${user}") {
+              return polkit.Result.YES;
+            }
+          });
+        '';
+    };
+
    myConfig.resticBackup.syncthing = {
+      inherit user;
      healthchecks.enable = true;

      extraConfig = {
@ -32,7 +52,7 @@ in
      (pkgs.writeShellApplication {
        name = "syncthing-restore";
        text = ''
-          sudo bash -c "
+          sudo --user=${user} bash -c "
            systemctl stop syncthing.service
            restic-syncthing restore latest --target /
            systemctl start syncthing.service