Merge pull request #125865 from eliasp/restic-private-tmp

nixos/restic: use private tmp for service unit
Nick Cao 2023-04-30 20:37:07 +08:00 committed by GitHub
commit 1acfbbb2e7
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 19 additions and 18 deletions


@ -339,6 +339,7 @@ in
RuntimeDirectory = "restic-backups-${name}"; RuntimeDirectory = "restic-backups-${name}";
CacheDirectory = "restic-backups-${name}"; CacheDirectory = "restic-backups-${name}";
CacheDirectoryMode = "0700"; CacheDirectoryMode = "0700";
PrivateTmp = true;
} // optionalAttrs (backup.environmentFile != null) { } // optionalAttrs (backup.environmentFile != null) {
EnvironmentFile = backup.environmentFile; EnvironmentFile = backup.environmentFile;
}; };
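Review bot: `PrivateTmp = true;` is added with no comment or user-facing notice, although it changes what `/tmp` and `/var/tmp` mean for everything this unit runs. A repository, password file, backed-up path or prepare/cleanup command that points under `/tmp` would now resolve inside the unit's private namespace, so a backup of a `/tmp` path would likely capture the private directory instead of the host's, and a repository created there would be gone once the unit stops; the test paths moved from `/tmp` to `/root` in this same commit point to that effect. I would add a comment above the line, for example `# Isolates /tmp and /var/tmp from the host; repository, paths and hook commands must not rely on the host's /tmp.`, and state the same restriction in the option descriptions or release notes. The attribute set this line belongs to starts outside the hunk, so which other sandboxing options are already set cannot be judged from here.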


@ -2,18 +2,18 @@ import ./make-test-python.nix (
{ pkgs, ... }: { pkgs, ... }:
let let
remoteRepository = "/tmp/restic-backup"; remoteRepository = "/root/restic-backup";
remoteFromFileRepository = "/tmp/restic-backup-from-file"; remoteFromFileRepository = "/root/restic-backup-from-file";
rcloneRepository = "rclone:local:/tmp/restic-rclone-backup"; rcloneRepository = "rclone:local:/root/restic-rclone-backup";
backupPrepareCommand = '' backupPrepareCommand = ''
touch /tmp/backupPrepareCommand touch /root/backupPrepareCommand
test ! -e /tmp/backupCleanupCommand test ! -e /root/backupCleanupCommand
''; '';
backupCleanupCommand = '' backupCleanupCommand = ''
rm /tmp/backupPrepareCommand rm /root/backupPrepareCommand
touch /tmp/backupCleanupCommand touch /root/backupCleanupCommand
''; '';
testDir = pkgs.stdenvNoCC.mkDerivation { testDir = pkgs.stdenvNoCC.mkDerivation {
@ -81,7 +81,7 @@ import ./make-test-python.nix (
inherit passwordFile paths; inherit passwordFile paths;
repository = "some-fake-repository"; repository = "some-fake-repository";
package = pkgs.writeShellScriptBin "restic" '' package = pkgs.writeShellScriptBin "restic" ''
echo "$@" >> /tmp/fake-restic.log; echo "$@" >> /root/fake-restic.log;
''; '';
pruneOpts = [ "--keep-last 1" ]; pruneOpts = [ "--keep-last 1" ];
@ -100,18 +100,18 @@ import ./make-test-python.nix (
"${pkgs.restic}/bin/restic -r ${remoteRepository} -p ${passwordFile} snapshots", "${pkgs.restic}/bin/restic -r ${remoteRepository} -p ${passwordFile} snapshots",
'${pkgs.restic}/bin/restic -r ${remoteFromFileRepository} -p ${passwordFile} snapshots"', '${pkgs.restic}/bin/restic -r ${remoteFromFileRepository} -p ${passwordFile} snapshots"',
"${pkgs.restic}/bin/restic -r ${rcloneRepository} -p ${passwordFile} snapshots", "${pkgs.restic}/bin/restic -r ${rcloneRepository} -p ${passwordFile} snapshots",
"grep 'backup.* /opt' /tmp/fake-restic.log", "grep 'backup.* /opt' /root/fake-restic.log",
) )
server.succeed( server.succeed(
# set up # set up
"cp -rT ${testDir} /opt", "cp -rT ${testDir} /opt",
"touch /opt/excluded_file_1 /opt/excluded_file_2", "touch /opt/excluded_file_1 /opt/excluded_file_2",
"mkdir -p /tmp/restic-rclone-backup", "mkdir -p /root/restic-rclone-backup",
# test that remotebackup runs custom commands and produces a snapshot # test that remotebackup runs custom commands and produces a snapshot
"timedatectl set-time '2016-12-13 13:45'", "timedatectl set-time '2016-12-13 13:45'",
"systemctl start restic-backups-remotebackup.service", "systemctl start restic-backups-remotebackup.service",
"rm /tmp/backupCleanupCommand", "rm /root/backupCleanupCommand",
'${pkgs.restic}/bin/restic -r ${remoteRepository} -p ${passwordFile} snapshots --json | ${pkgs.jq}/bin/jq "length | . == 1"', '${pkgs.restic}/bin/restic -r ${remoteRepository} -p ${passwordFile} snapshots --json | ${pkgs.jq}/bin/jq "length | . == 1"',
# test that restoring that snapshot produces the same directory # test that restoring that snapshot produces the same directory
@ -129,33 +129,33 @@ import ./make-test-python.nix (
# test that custompackage runs both `restic backup` and `restic check` with reasonable commandlines # test that custompackage runs both `restic backup` and `restic check` with reasonable commandlines
"systemctl start restic-backups-custompackage.service", "systemctl start restic-backups-custompackage.service",
"grep 'backup.* /opt' /tmp/fake-restic.log", "grep 'backup.* /opt' /root/fake-restic.log",
"grep 'check.* --some-check-option' /tmp/fake-restic.log", "grep 'check.* --some-check-option' /root/fake-restic.log",
# test that we can create four snapshots in remotebackup and rclonebackup # test that we can create four snapshots in remotebackup and rclonebackup
"timedatectl set-time '2017-12-13 13:45'", "timedatectl set-time '2017-12-13 13:45'",
"systemctl start restic-backups-remotebackup.service", "systemctl start restic-backups-remotebackup.service",
"rm /tmp/backupCleanupCommand", "rm /root/backupCleanupCommand",
"systemctl start restic-backups-rclonebackup.service", "systemctl start restic-backups-rclonebackup.service",
"timedatectl set-time '2018-12-13 13:45'", "timedatectl set-time '2018-12-13 13:45'",
"systemctl start restic-backups-remotebackup.service", "systemctl start restic-backups-remotebackup.service",
"rm /tmp/backupCleanupCommand", "rm /root/backupCleanupCommand",
"systemctl start restic-backups-rclonebackup.service", "systemctl start restic-backups-rclonebackup.service",
"timedatectl set-time '2018-12-14 13:45'", "timedatectl set-time '2018-12-14 13:45'",
"systemctl start restic-backups-remotebackup.service", "systemctl start restic-backups-remotebackup.service",
"rm /tmp/backupCleanupCommand", "rm /root/backupCleanupCommand",
"systemctl start restic-backups-rclonebackup.service", "systemctl start restic-backups-rclonebackup.service",
"timedatectl set-time '2018-12-15 13:45'", "timedatectl set-time '2018-12-15 13:45'",
"systemctl start restic-backups-remotebackup.service", "systemctl start restic-backups-remotebackup.service",
"rm /tmp/backupCleanupCommand", "rm /root/backupCleanupCommand",
"systemctl start restic-backups-rclonebackup.service", "systemctl start restic-backups-rclonebackup.service",
"timedatectl set-time '2018-12-16 13:45'", "timedatectl set-time '2018-12-16 13:45'",
"systemctl start restic-backups-remotebackup.service", "systemctl start restic-backups-remotebackup.service",
"rm /tmp/backupCleanupCommand", "rm /root/backupCleanupCommand",
"systemctl start restic-backups-rclonebackup.service", "systemctl start restic-backups-rclonebackup.service",
'${pkgs.restic}/bin/restic -r ${remoteRepository} -p ${passwordFile} snapshots --json | ${pkgs.jq}/bin/jq "length | . == 4"', '${pkgs.restic}/bin/restic -r ${remoteRepository} -p ${passwordFile} snapshots --json | ${pkgs.jq}/bin/jq "length | . == 4"',