nixos/restic: correct location of cache directory

By default, restic determines the location of the cache based on the XDG base dir specification, which is `~/.cache/restic` when the environment variable `$XDG_CACHE_HOME` isn't set. As restic is executed as root by default, this resulted in the cache being written to `/root/.cache/restic`, which is not quite right for a system service and also meant, multiple backup services would use the same cache directory - potentially causing issues with locking, data corruption, etc. The goal was to ensure, restic uses the correct cache location for a system service - one cache per backup specification, using `/var/cache` as the base directory for it. systemd sets the environment variable `$CACHE_DIRECTORY` once `CacheDirectory=` is defined, but restic doesn't change its behavior based on the presence of this environment variable. Instead, the specifier [1] `%C` can be used to point restic explicitly towards the correct cache location using the `--cache-dir` argument. Furthermore, the `CacheDirectoryMode=` was set to `0700`, as the default of `0755` is far too open in this case, as the cache might contain sensitive data. [1] https://www.freedesktop.org/software/systemd/man/systemd.unit.html#Specifiers
2025-06-10 11:45:45 +03:00 · 2020-10-04 18:47:52 +02:00 · 2020-10-04 18:47:52 +02:00 · 27da11972d
commit 27da11972d
parent 1fb2d04c26
2 changed files with 8 additions and 1 deletions
--- a/nixos/doc/manual/release-notes/rl-2103.xml
+++ b/nixos/doc/manual/release-notes/rl-2103.xml
@ -653,6 +653,11 @@ self: super:
     The <varname>platform</varname> grouping of these things never meant anything, and was just a historial/implementation artifact that was overdue removal.
    </para>
   </listitem>
+   <listitem>
+    <para>
+     <varname>services.restic</varname> now uses a dedicated cache directory for every backup defined in <varname>services.restic.backups</varname>. The old global cache directory, <literal>/root/.cache/restic</literal>, is now unused and can be removed to free up disk space.
+    </para>
+   </listitem>
  </itemizedlist>
 </section>
 </section>
--- a/nixos/modules/services/backup/restic.nix
+++ b/nixos/modules/services/backup/restic.nix
@ -243,9 +243,11 @@ in
          restartIfChanged = false;
          serviceConfig = {
            Type = "oneshot";
-            ExecStart = [ "${resticCmd} backup ${concatStringsSep " " backup.extraBackupArgs} ${backupPaths}" ] ++ pruneCmd;
+            ExecStart = [ "${resticCmd} backup --cache-dir=%C/restic-backups-${name} ${concatStringsSep " " backup.extraBackupArgs} ${backupPaths}" ] ++ pruneCmd;
            User = backup.user;
            RuntimeDirectory = "restic-backups-${name}";
+            CacheDirectory = "restic-backups-${name}";
+            CacheDirectoryMode = "0700";
          } // optionalAttrs (backup.s3CredentialsFile != null) {
            EnvironmentFile = backup.s3CredentialsFile;
          };