path: root/nixpkgs/nixos/modules/services/backup/restic-rest-server.nix
Diffstat (limited to 'nixpkgs/nixos/modules/services/backup/restic-rest-server.nix')
-rw-r--r--nixpkgs/nixos/modules/services/backup/restic-rest-server.nix51
1 files changed, 40 insertions, 11 deletions
diff --git a/nixpkgs/nixos/modules/services/backup/restic-rest-server.nix b/nixpkgs/nixos/modules/services/backup/restic-rest-server.nix
index 105a05caf304..935907643bd2 100644
--- a/nixpkgs/nixos/modules/services/backup/restic-rest-server.nix
+++ b/nixpkgs/nixos/modules/services/backup/restic-rest-server.nix
@@ -9,25 +9,25 @@ in
   meta.maintainers = [ maintainers.bachp ];
 
   options.services.restic.server = {
-    enable = mkEnableOption (lib.mdDoc "Restic REST Server");
+    enable = mkEnableOption "Restic REST Server";
 
     listenAddress = mkOption {
-      default = ":8000";
+      default = "8000";
       example = "127.0.0.1:8080";
       type = types.str;
-      description = lib.mdDoc "Listen on a specific IP address and port.";
+      description = "Listen on a specific IP address and port.";
     };
 
     dataDir = mkOption {
       default = "/var/lib/restic";
       type = types.path;
-      description = lib.mdDoc "The directory for storing the restic repository.";
+      description = "The directory for storing the restic repository.";
     };
 
     appendOnly = mkOption {
       default = false;
       type = types.bool;
-      description = lib.mdDoc ''
+      description = ''
         Enable append only mode.
         This mode allows creation of new backups but prevents deletion and modification of existing backups.
         This can be useful when backing up systems that have a potential of being hacked.
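Review bot: The listenAddress description kept on the new line 27 ("Listen on a specific IP address and port.") is now stale: the option value is handed to systemd's ListenStream= (the socket unit added later in this diff) and the new assertion rejects the old ":port" form, so the text no longer tells the reader which syntax is accepted. Suggest `description = "Port number, or address:port, to listen on, in systemd ListenStream= syntax.";`. It is also worth stating in that text that the default "8000" listens on all addresses, since the stricter default is easy to misread as local-only.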
@@ -37,7 +37,7 @@ in
     privateRepos = mkOption {
       default = false;
       type = types.bool;
-      description = lib.mdDoc ''
+      description = ''
         Enable private repos.
         Grants access only when a subdirectory with the same name as the user is specified in the repository URL.
       '';
@@ -46,13 +46,13 @@ in
     prometheus = mkOption {
       default = false;
       type = types.bool;
-      description = lib.mdDoc "Enable Prometheus metrics at /metrics.";
+      description = "Enable Prometheus metrics at /metrics.";
     };
 
     extraFlags = mkOption {
       type = types.listOf types.str;
       default = [];
-      description = lib.mdDoc ''
+      description = ''
         Extra commandline options to pass to Restic REST server.
       '';
     };
@@ -61,14 +61,19 @@ in
   };
 
   config = mkIf cfg.enable {
+    assertions = [{
+      assertion = lib.substring 0 1 cfg.listenAddress != ":";
+      message = "The restic-rest-server now uses systemd socket activation, which expects only the Port number: services.restic.server.listenAddress = \"${lib.substring 1 6 cfg.listenAddress}\";";
+    }];
+
     systemd.services.restic-rest-server = {
       description = "Restic REST Server";
-      after = [ "network.target" ];
+      after = [ "network.target" "restic-rest-server.socket" ];
+      requires = [ "restic-rest-server.socket" ];
       wantedBy = [ "multi-user.target" ];
       serviceConfig = {
         ExecStart = ''
           ${cfg.package}/bin/rest-server \
-          --listen ${cfg.listenAddress} \
           --path ${cfg.dataDir} \
           ${optionalString cfg.appendOnly "--append-only"} \
           ${optionalString cfg.privateRepos "--private-repos"} \
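Review bot: The assertion message builds its suggested replacement with `lib.substring 1 6 cfg.listenAddress`, which drops the leading colon but also silently truncates anything past six characters, so the advice can quote a value the user never wrote; `lib.removePrefix ":" cfg.listenAddress` gives the exact value without guessing a length. The assertion also accepts the empty string (`lib.substring 0 1 "" == ""`), which would end up as an empty listenStreams entry, so I would extend it to `assertion = cfg.listenAddress != "" && lib.substring 0 1 cfg.listenAddress != ":";`. The ExecStart script continues past the end of this hunk.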
@@ -80,16 +85,40 @@ in
         Group = "restic";
 
         # Security hardening
-        ReadWritePaths = [ cfg.dataDir ];
+        CapabilityBoundingSet = "";
+        LockPersonality = true;
+        MemoryDenyWriteExecute = true;
+        NoNewPrivileges = true;
+        PrivateNetwork = true;
         PrivateTmp = true;
+        PrivateUsers = true;
+        ProtectClock = true;
+        ProtectHome = true;
+        ProtectHostname = true;
+        ProtectKernelLogs = true;
+        ProtectProc = "invisible";
         ProtectSystem = "strict";
         ProtectKernelTunables = true;
         ProtectKernelModules = true;
         ProtectControlGroups = true;
         PrivateDevices = true;
+        ReadWritePaths = [ cfg.dataDir ];
+        RemoveIPC = true;
+        RestrictAddressFamilies = "none";
+        RestrictNamespaces = true;
+        RestrictRealtime = true;
+        RestrictSUIDSGID = true;
+        SystemCallArchitectures = "native";
+        SystemCallFilter = "@system-service";
+        UMask = 027;
       };
     };
 
+    systemd.sockets.restic-rest-server = {
+      listenStreams = [ cfg.listenAddress ];
+      wantedBy = [ "sockets.target" ];
+    };
+
     systemd.tmpfiles.rules = mkIf cfg.privateRepos [
         "f ${cfg.dataDir}/.htpasswd 0700 restic restic -"
     ];
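Review bot: `UMask = 027;` on the new line 122 is a Nix integer literal (Nix has no octal notation), i.e. decimal 27, which is serialised into the unit as `UMask=27` and only yields the intended 0027 because systemd parses UMask= as octal; a reader checking the value against the unit file will be misled. Suggest `UMask = "0027";`, the string form used elsewhere in NixOS modules, so the value and the rendered unit agree. Since PrivateNetwork and RestrictAddressFamilies="none" mean the daemon can only ever serve the socket it inherits from restic-rest-server.socket, a one-line comment above the hardening block such as `# Network access is only through the socket-activated listener; the service itself has no network namespace of its own` would save the next maintainer from "fixing" these when a connection problem is reported.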