movefasta/nixpkgs
1
0
Fork 0
mirror of https://github.com/NixOS/nixpkgs.git synced 2025-06-12 04:35:41 +03:00
Code Issues Projects Releases Packages Wiki Activity

nixos/borgmatic: automatically relax systemd hardening when sudo is required

Browse source
This commit is contained in:
Léo Gaspard 2024-12-26 03:06:46 +01:00 committed by Léo Gaspard
parent 9cf7310594
commit cf4e9229f6
1 changed files with 12 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

13
nixos/modules/services/backup/borgmatic.nix
View file

@ -10,6 +10,10 @@ let
postgresql = config.services.postgresql.package;
mysql = config.services.mysql.package;
requireSudo =
s:
s ? postgresql_databases
&& lib.any (d: d ? username && !(d ? password) && !(d ? pg_dump_command)) s.postgresql_databases;
addRequiredBinaries =
s:
s
@ -17,7 +21,7 @@ let
postgresql_databases = map (
d:
let
as_user = if d ? username then "${pkgs.sudo}/bin/sudo -u ${d.username} " else "";
as_user = if d ? username && !(d ? password) then "${pkgs.sudo}/bin/sudo -u ${d.username} " else "";
in
{
pg_dump_command =
@ -113,6 +117,9 @@ let
};
cfgfile = settingsFormat.generate "config.yaml" (addRequiredBinaries cfg.settings);
anycfgRequiresSudo =
requireSudo cfg.settings || lib.any requireSudo (lib.attrValues cfg.configurations);
in
{
options.services.borgmatic = {
@ -173,6 +180,10 @@ in
systemd.packages = [ pkgs.borgmatic ];
systemd.services.borgmatic.path = [ pkgs.coreutils ];
systemd.services.borgmatic.serviceConfig = lib.optionalAttrs anycfgRequiresSudo {
NoNewPrivileges = false;
CapabilityBoundingSet = "CAP_DAC_READ_SEARCH CAP_NET_RAW CAP_SETUID CAP_SETGID";
};
# Workaround: https://github.com/NixOS/nixpkgs/issues/81138
systemd.timers.borgmatic.wantedBy = [ "timers.target" ];