Run restic backups as non root users

modules/system/actualbudget/backups.nix

@@ -4,12 +4,32 @@
   lib,
   ...
 }:
+let
+  user = config.users.users.actual.name;
+in
 {
   options.myConfig.actualbudget.backups.enable = lib.mkEnableOption "";
 
   config = lib.mkIf config.myConfig.actualbudget.backups.enable {
-    myConfig.resticBackup.actual = {
+    security.polkit = {
       enable = true;
+      extraConfig =
+        let
+          service = "actual.service";
+        in
+        ''
+          polkit.addRule(function(action, subject) {
+            if (action.id == "org.freedesktop.systemd1.manage-units" &&
+              action.lookup("unit") == "${service}" &&
+              subject.user == "${user}") {
+              return polkit.Result.YES;
+            }
+          });
+        '';
+    };
+
+    myConfig.resticBackup.actual = {
+      inherit user;
       healthchecks.enable = true;
 
       extraConfig = {
@@ -23,7 +43,7 @@
       (pkgs.writeShellApplication {
         name = "actual-restore";
         text = ''
-          sudo bash -c "
+          sudo --user=${user} bash -c "
             systemctl stop actual.service
             restic-actual restore latest --target /
             systemctl start actual.service

modules/system/hedgedoc/backups.nix

@@ -4,11 +4,32 @@
   lib,
   ...
 }:
+let
+  user = config.users.users.hedgedoc.name;
+in
 {
   options.myConfig.hedgedoc.backups.enable = lib.mkEnableOption "";
 
   config = lib.mkIf config.myConfig.hedgedoc.backups.enable {
+    security.polkit = {
+      enable = true;
+      extraConfig =
+        let
+          service = "hedgedoc.service";
+        in
+        ''
+          polkit.addRule(function(action, subject) {
+            if (action.id == "org.freedesktop.systemd1.manage-units" &&
+              action.lookup("unit") == "${service}" &&
+              subject.user == "${user}") {
+              return polkit.Result.YES;
+            }
+          });
+        '';
+    };
+
     myConfig.resticBackup.hedgedoc = {
+      inherit user;
       healthchecks.enable = true;
 
       extraConfig = {
@@ -25,7 +46,7 @@
       (pkgs.writeShellApplication {
         name = "hedgedoc-restore";
         text = ''
-          sudo bash -c "
+          sudo --user=${user} bash -c "
             systemctl stop hedgedoc.service
             restic-hedgedoc restore latest --target /
             systemctl start hedgedoc.service

modules/system/syncthing/backups.nix

@@ -6,6 +6,8 @@
 }:
 let
   cfg = config.myConfig.syncthing;
+
+  user = config.users.users.syncthing.name;
 in
 {
   options.myConfig.syncthing.backups.enable = lib.mkEnableOption "";
@@ -18,7 +20,25 @@ in
       }
     ];
 
+    security.polkit = {
+      enable = true;
+      extraConfig =
+        let
+          service = "syncthing.service";
+        in
+        ''
+          polkit.addRule(function(action, subject) {
+            if (action.id == "org.freedesktop.systemd1.manage-units" &&
+              action.lookup("unit") == "${service}" &&
+              subject.user == "${user}") {
+              return polkit.Result.YES;
+            }
+          });
+        '';
+    };
+
     myConfig.resticBackup.syncthing = {
+      inherit user;
       healthchecks.enable = true;
 
       extraConfig = {
@@ -32,7 +52,7 @@ in
       (pkgs.writeShellApplication {
         name = "syncthing-restore";
         text = ''
-          sudo bash -c "
+          sudo --user=${user} bash -c "
             systemctl stop syncthing.service
             restic-syncthing restore latest --target /
             systemctl start syncthing.service