nixos/borgmatic: automatically relax systemd hardening when sudo is required

2025-06-15 14:09:17 +03:00 · 2024-12-26 03:06:46 +01:00 · 2024-12-26 03:06:46 +01:00 · cf4e9229f6
commit cf4e9229f6
parent 9cf7310594
1 changed files with 12 additions and 1 deletions
--- a/nixos/modules/services/backup/borgmatic.nix
+++ b/nixos/modules/services/backup/borgmatic.nix
@ -10,6 +10,10 @@ let
  postgresql = config.services.postgresql.package;
  mysql = config.services.mysql.package;
  requireSudo =
    s:
    s ? postgresql_databases
    && lib.any (d: d ? username && !(d ? password) && !(d ? pg_dump_command)) s.postgresql_databases;
  addRequiredBinaries =
    s:
    s
@ -17,7 +21,7 @@ let
      postgresql_databases = map (
        d:
        let
-          as_user = if d ? username then "${pkgs.sudo}/bin/sudo -u ${d.username} " else "";
+          as_user = if d ? username && !(d ? password) then "${pkgs.sudo}/bin/sudo -u ${d.username} " else "";
        in
        {
          pg_dump_command =
@ -113,6 +117,9 @@ let
    };
  cfgfile = settingsFormat.generate "config.yaml" (addRequiredBinaries cfg.settings);
  anycfgRequiresSudo =
    requireSudo cfg.settings || lib.any requireSudo (lib.attrValues cfg.configurations);
 in
 {
  options.services.borgmatic = {
@ -173,6 +180,10 @@ in
      systemd.packages = [ pkgs.borgmatic ];
      systemd.services.borgmatic.path = [ pkgs.coreutils ];
      systemd.services.borgmatic.serviceConfig = lib.optionalAttrs anycfgRequiresSudo {
        NoNewPrivileges = false;
        CapabilityBoundingSet = "CAP_DAC_READ_SEARCH CAP_NET_RAW CAP_SETUID CAP_SETGID";
      };
      # Workaround: https://github.com/NixOS/nixpkgs/issues/81138
      systemd.timers.borgmatic.wantedBy = [ "timers.target" ];