pyrox.dev / nixpkgs
lol
fork atom

nixos/borgmatic: automatically relax systemd hardening when sudo is required

Léo Gaspard cf4e9229 9cf73105

options
unified split
Changed files
+12 -1
nixos
modules
services
backup
borgmatic.nix
+12 -1
nixos/modules/services/backup/borgmatic.nix 
···

       
10

       
10

       
 

       



     

       
11

       
11

       
 

       
  postgresql = config.services.postgresql.package;


     

       
12

       
12

       
 

       
  mysql = config.services.mysql.package;


     

       

       
13

       
+

       
  requireSudo =


     

       

       
14

       
+

       
    s:


     

       

       
15

       
+

       
    s ? postgresql_databases


     

       

       
16

       
+

       
    && lib.any (d: d ? username && !(d ? password) && !(d ? pg_dump_command)) s.postgresql_databases;


     

       
13

       
17

       
 

       
  addRequiredBinaries =


     

       
14

       
18

       
 

       
    s:


     

       
15

       
19

       
 

       
    s


     
···

       
17

       
21

       
 

       
      postgresql_databases = map (


     

       
18

       
22

       
 

       
        d:


     

       
19

       
23

       
 

       
        let


     

       
20

       

       
-

       
          as_user = if d ? username then "${pkgs.sudo}/bin/sudo -u ${d.username} " else "";


     

       

       
24

       
+

       
          as_user = if d ? username && !(d ? password) then "${pkgs.sudo}/bin/sudo -u ${d.username} " else "";


     

       
21

       
25

       
 

       
        in


     

       
22

       
26

       
 

       
        {


     

       
23

       
27

       
 

       
          pg_dump_command =


     
···

       
113

       
117

       
 

       
    };


     

       
114

       
118

       
 

       



     

       
115

       
119

       
 

       
  cfgfile = settingsFormat.generate "config.yaml" (addRequiredBinaries cfg.settings);


     

       

       
120

       
+

       



     

       

       
121

       
+

       
  anycfgRequiresSudo =


     

       

       
122

       
+

       
    requireSudo cfg.settings || lib.any requireSudo (lib.attrValues cfg.configurations);


     

       
116

       
123

       
 

       
in


     

       
117

       
124

       
 

       
{


     

       
118

       
125

       
 

       
  options.services.borgmatic = {


     
···

       
173

       
180

       
 

       



     

       
174

       
181

       
 

       
      systemd.packages = [ pkgs.borgmatic ];


     

       
175

       
182

       
 

       
      systemd.services.borgmatic.path = [ pkgs.coreutils ];


     

       

       
183

       
+

       
      systemd.services.borgmatic.serviceConfig = lib.optionalAttrs anycfgRequiresSudo {


     

       

       
184

       
+

       
        NoNewPrivileges = false;


     

       

       
185

       
+

       
        CapabilityBoundingSet = "CAP_DAC_READ_SEARCH CAP_NET_RAW CAP_SETUID CAP_SETGID";


     

       

       
186

       
+

       
      };


     

       
176

       
187

       
 

       



     

       
177

       
188

       
 

       
      # Workaround: https://github.com/NixOS/nixpkgs/issues/81138


     

       
178

       
189

       
 

       
      systemd.timers.borgmatic.wantedBy = [ "timers.target" ];