Restic: Difference between revisions

Line 27:

If you want to back up your system [https://restic.readthedocs.io/en/latest/080_examples.html#backing-up-your-system-without-running-restic-as-root without running restic as root], you can create a user and security wrapper to give restic the capability to read anything on the filesystem as if it were running as root. The following will create the wrapper at <code>/run/wrappers/bin/restic</code>

<~~syntaxHighlight~~ lang=nix>

users.users.restic = {

users = {

~~isNormalUser~~ = ~~true~~;

users.restic = {

group = "restic";

isSystemUser = true;

};

groups.restic = {};

};

security.wrappers.restic = {

source = ~~"${~~pkgs.restic~~.out}/bin/restic"~~;

source = lib.getExe pkgs.restic;

owner = "restic";

group = "~~users~~";

group = "restic";

permissions = "u=~~rwx~~,g=,o=";

permissions = "500"; # or u=rx,g=,o=

capabilities = "cap_dac_read_search=+ep";

capabilities = "cap_dac_read_search+ep";

};

</~~syntaxHighlight~~>

</syntaxhighlight>

Note that you will have to set your Restic configuration to use the wrapper using the [https://search.nixos.org/options?channel=unstable&show=services.restic.backups.%3Cname%3E.package&from=0&size=50&sort=relevance&type=packages&query=services.restic.backups services.restic.backups.<name>.package] option, for example <ref>https://github.com/NixOS/nixpkgs/issues/341999#issuecomment-2558504576</ref>,

@@ Line 27: / Line 27: @@
 If you want to back up your system [https://restic.readthedocs.io/en/latest/080_examples.html#backing-up-your-system-without-running-restic-as-root without running restic as root], you can create a user and security wrapper to give restic the capability to read anything on the filesystem as if it were running as root. The following will create the wrapper at <code>/run/wrappers/bin/restic</code>
-<syntaxHighlight lang=nix>
+<syntaxhighlight lang="nix">
-users.users.restic = {
+users = {
-   isNormalUser = true;
+  users.restic = {
+    group = "restic";
+    isSystemUser = true;
+  };
+   groups.restic = {};
 };
 security.wrappers.restic = {
-   source = "${pkgs.restic.out}/bin/restic";
+   source = lib.getExe pkgs.restic;
    owner = "restic";
-   group = "users";
+   group = "restic";
-   permissions = "u=rwx,g=,o=";
+   permissions = "500"; # or u=rx,g=,o=
-   capabilities = "cap_dac_read_search=+ep";
+   capabilities = "cap_dac_read_search+ep";
 };
-</syntaxHighlight>
+</syntaxhighlight>
 Note that you will have to set your Restic configuration to use the wrapper using the [https://search.nixos.org/options?channel=unstable&show=services.restic.backups.%3Cname%3E.package&from=0&size=50&sort=relevance&type=packages&query=services.restic.backups services.restic.backups.<name>.package] option, for example <ref>https://github.com/NixOS/nixpkgs/issues/341999#issuecomment-2558504576</ref>,