restic: separate db backup cleanup from main backup service, add umask, add capability wrapper

oops i made this one commit but im not pro git enough to know how to solve this in post
2025-11-02 13:41:23 -05:00 · 2025-11-02 13:41:23 -05:00 · 5fbae9dc20
commit 5fbae9dc20
parent d28d54c307
1 changed files with 55 additions and 24 deletions
--- a/modules/nixos/services/homeserver/restic.nix
+++ b/modules/nixos/services/homeserver/restic.nix
@ -6,8 +6,10 @@
  # for use as restic backend
 #  environment.systemPackages = [ pkgs.rclone ];

-  systemd.services.db-backup = {
-    wantedBy = [ "restic-backups-main.service" "restic-backups-offsite.service" ];
+  systemd.services = {
+    db-backup = {
+      wantedBy = [ "restic-backups-main.service" ];
+      before = [ "restic-backups-main.service" ];
      script = ''
        DB_BACKUP_DIR=/var/backups/db-backup

@ -19,24 +21,55 @@
            mkdir -p -m 600 $DB_BACKUP_DIR
        fi

+        umask 066
+
        $SQLITE_PATH /var/lib/vaultwarden/db.sqlite3 ".backup $DB_BACKUP_DIR/vaultwarden.sqlite3"
        $SQLITE_PATH /var/lib/uptime-kuma/kuma.db ".backup $DB_BACKUP_DIR/kuma.db"
        $SQLITE_PATH /var/lib/nextcloud/data/nextcloud.db ".backup $DB_BACKUP_DIR/nextcloud.db"
        $SQLITE_PATH /var/lib/ntfy-sh/user.db ".backup $DB_BACKUP_DIR/ntfy-user.db"
        $SQLITE_PATH /var/lib/kanidm/kanidm.db ".backup $DB_BACKUP_DIR/kanidm.db"

-      $SUDO_PATH -u onlyoffice -- $PGDUMP_PATH > /var/backups/db-backup/dump-onlyoffice
-      $SUDO_PATH -u zipline -- $PGDUMP_PATH > /var/backups/db-backup/dump-zipline
-      $SUDO_PATH -u postgres -- ${lib.getExe' pkgs.postgresql "pg_dumpall"} -g > /var/backups/db-backup/dump-globals      
+        $SUDO_PATH -u onlyoffice -- $PGDUMP_PATH > $DB_BACKUP_DIR/dump-onlyoffice
+        $SUDO_PATH -u zipline -- $PGDUMP_PATH > $DB_BACKUP_DIR/dump-zipline
+        $SUDO_PATH -u postgres -- ${lib.getExe' pkgs.postgresql "pg_dumpall"} -g > $DB_BACKUP_DIR/dump-globals
      '';
-    serviceConfig = {
-      Type = "oneshot";
-      User = "root";
+      serviceConfig.Type = "oneshot";
    };
+
+    db-backup-cleanup = {
+      wantedBy = [ "restic-backups-main.service" ];
+      after = [ "restic-backups-main.service" ];
+      script = "rm -r /var/backups/db-backup";
+      serviceConfig.Type = "oneshot";
+    };
+
+    restic-backups-main.serviceConfig.Type = "oneshot";
+  };
+
+  # make wrapper to run restic rootless
+  users = {
+    users.restic = {
+      group = "restic";
+      isSystemUser = true;
+    };
+    groups.restic = {};
+  };
+
+  security.wrappers.restic = {
+    source = lib.getExe pkgs.restic;
+    owner = "restic";
+    group = "restic";
+    permissions = "500";
+    capabilities = "cap_dac_read_search+ep";
  };

  services.restic.backups = {
    main = {
+      user = "restic";
+      package = pkgs.writeShellScriptBin "restic" ''
+         exec /run/wrappers/bin/restic "$@"
+      '';
+
      initialize = true;
      repository = "/mnt/external/backup/restic";
      passwordFile = config.sops.secrets."restic/password".path;
@ -60,8 +93,6 @@
        "*.sqlite3-shm"
        "*.sqlite3-wal"
      ];
-
-      backupCleanupCommand = "rm -r /var/backups/db-backup/*";
    };

 #    offsite = {