diff options
| author | Elias Probst <mail@eliasprobst.eu> | 2020-10-06 13:32:58 +0200 |
|---|---|---|
| committer | Elias Probst <mail@eliasprobst.eu> | 2023-04-30 10:39:29 +0200 |
| commit | 3bd1c64a5b17bbc89089e68a145c7cbfb494fa5b (patch) | |
| tree | 7e75d3115d021c4b42daf8d39f66e35fbf974198 /nixos/modules/services/backup | |
| parent | 468356287fe4ce68f58fa5cf16e8ed6fc40a1a7f (diff) | |
| download | nixlib-3bd1c64a5b17bbc89089e68a145c7cbfb494fa5b.tar nixlib-3bd1c64a5b17bbc89089e68a145c7cbfb494fa5b.tar.gz nixlib-3bd1c64a5b17bbc89089e68a145c7cbfb494fa5b.tar.bz2 nixlib-3bd1c64a5b17bbc89089e68a145c7cbfb494fa5b.tar.lz nixlib-3bd1c64a5b17bbc89089e68a145c7cbfb494fa5b.tar.xz nixlib-3bd1c64a5b17bbc89089e68a145c7cbfb494fa5b.tar.zst nixlib-3bd1c64a5b17bbc89089e68a145c7cbfb494fa5b.zip | |
nixos/restic: use private tmp for service unit
To reduce the danger of accidentally exposing sensitive files processed by a restic backup to other services/users, enable the `PrivateTmp=` feature of restic service units, which provides a per service isolation of `/tmp` and `/var/tmp`. Co-authored-by: Daniel Nagy <danielnagy@posteo.de>
Diffstat (limited to 'nixos/modules/services/backup')
| -rw-r--r-- | nixos/modules/services/backup/restic.nix | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/nixos/modules/services/backup/restic.nix b/nixos/modules/services/backup/restic.nix index d19b98a3e4bb..8cc0c084d659 100644 --- a/nixos/modules/services/backup/restic.nix +++ b/nixos/modules/services/backup/restic.nix @@ -339,6 +339,7 @@ in RuntimeDirectory = "restic-backups-${name}"; CacheDirectory = "restic-backups-${name}"; CacheDirectoryMode = "0700"; + PrivateTmp = true; } // optionalAttrs (backup.environmentFile != null) { EnvironmentFile = backup.environmentFile; }; |