Hi there,
I have borg backup jobs for the data and database of my Nextcloud service. The configs can be found here: https://git.sr.ht/~martinimoe/nixos-config/tree/main/item/nixos/caprica/nextcloud_backups.nix
These backup jobs used to work fine for quite some time. Since some update (maybe since nixos 25.05?) I get errors in these backup jobs:
```
Jul 14 08:45:04 caprica systemd[1]: Started BorgBackup job nextcloud_data.
Jul 14 08:45:04 caprica systemd-run[10368]: Failed to start transient service unit: Access denied
Jul 14 08:45:04 caprica systemd-run[10369]: Failed to start transient service unit: Access denied
Jul 14 08:45:04 caprica systemd[1]: borgbackup-job-nextcloud_data.service: Main process exited, code=exited, status=1/FAILURE
Jul 14 08:45:04 caprica systemd[1]: borgbackup-job-nextcloud_data.service: Failed with result 'exit-code'.
Jul 14 08:45:04 caprica systemd[1]: borgbackup-job-nextcloud_data.service: Triggering OnFailure= dependencies.
```
Same for the database backup job.
I tried to enable polkit to fix this. Then the errors slightly change to:
```
Jul 14 08:58:29 caprica systemd[1]: Started BorgBackup job nextcloud_data.
Jul 14 08:58:29 caprica systemd-run[13099]: Failed to start transient service unit: Interactive authentication required.
Jul 14 08:58:29 caprica systemd-run[13111]: Failed to start transient service unit: Interactive authentication required.
Jul 14 08:58:29 caprica systemd[1]: borgbackup-job-nextcloud_data.service: Main process exited, code=exited, status=1/FAILURE
Jul 14 08:58:29 caprica systemd[1]: borgbackup-job-nextcloud_data.service: Failed with result 'exit-code'.
Jul 14 08:58:29 caprica systemd[1]: borgbackup-job-nextcloud_data.service: Triggering OnFailure= dependencies.
```
I then tried to create a polkit rule to allow the Nextcloud user to manage this service and also enabled some debugging:
```nix
security.polkit.debug = true;
security.polkit.extraConfig = ''
  polkit.addRule(function(action, subject) {
    polkit.log("action=" + action);
    polkit.log("subject=" + subject);
  });
  polkit.addRule(function (action, subject) {
    if (
      action.id == "org.freedesktop.systemd1.manage-units" &&
      subject.user == "nextcloud" &&
      (action.lookup("unit") == "borgbackup-job-nextcloud_data.service" || action.lookup("unit") == "borgbackup-job-nextcloud_database.service")
    ) {
      return polkit.Result.YES;
    }
  });
'';
```
I still get `Interactive authentication required` and the backup does not work. `polkit.service` logs:
```
Jul 14 09:01:33 caprica polkitd[15435]: action=[Action id='org.freedesktop.systemd1.manage-units' verb='start' unit='run-p15656-i15657.service' polkit.message='Authentication is required to start transient uni>
Jul 14 09:01:33 caprica polkitd[15435]: subject=[Subject pid=15656 user='nextcloud' groups=nextcloud seat=null session=null system_unit=null local=false active=false]
Jul 14 09:01:33 caprica polkitd[15435]: action=[Action id='org.freedesktop.systemd1.manage-unit-files' verb='start' unit='run-p15656-i15657.service' polkit.message='Authentication is required to start transien>
Jul 14 09:01:33 caprica polkitd[15435]: subject=[Subject pid=15656 user='nextcloud' groups=nextcloud seat=null session=null system_unit=null local=false active=false]
Jul 14 09:01:33 caprica polkitd[15435]: action=[Action id='org.freedesktop.systemd1.manage-units' verb='start' unit='run-p15659-i15660.service' polkit.message='Authentication is required to start transient uni>
Jul 14 09:01:33 caprica polkitd[15435]: subject=[Subject pid=15659 user='nextcloud' groups=nextcloud seat=null session=null system_unit=null local=false active=false]
Jul 14 09:01:33 caprica polkitd[15435]: action=[Action id='org.freedesktop.systemd1.manage-unit-files' verb='start' unit='run-p15659-i15660.service' polkit.message='Authentication is required to start transien>
Jul 14 09:01:33 caprica polkitd[15435]: subject=[Subject pid=15659 user='nextcloud' groups=nextcloud seat=null session=null system_unit=null local=false active=false]
```
So of course my rules do not apply, because the unit name does not match (`run-p15656-i15657.service` and `run-p15659-i15660.service`??). At this point I am lost and need help.
- Why does the backup service not work anymore, while others of my custom backup services still do (for example, see paperless_backups.nix, which still works)?
- Where do these strange unit names come from and how could I configure a polkit rule for these?
Any help would be greatly appreciated.
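
The rule from the post, evaluated offline against a request polkitd logged, as an added example that is not part of the original post. `parseFields`, `makePolkit`, `loadRuleFromPost` and `evaluate` are hypothetical names, and the mock models only the parts of the `polkit` object that the rule uses.

```javascript
// Constructed sample: one action/subject pair from the polkitd log above,
// cut down to the fields the rule reads (the logged action lines are truncated).
const LOGGED_ACTION = "action=[Action id='org.freedesktop.systemd1.manage-units' verb='start' unit='run-p15656-i15657.service']";
const LOGGED_SUBJECT = "subject=[Subject pid=15656 user='nextcloud' groups=nextcloud seat=null session=null system_unit=null local=false active=false]";

// Parse key='value' and key=value pairs from a polkit.log() dump of an Action or Subject.
function parseFields(line) {
  const fields = {};
  const body = line.slice(line.indexOf(" ") + 1); // drop the "action=[Action " prefix
  for (const m of body.matchAll(/([\w.]+)=(?:'([^']*)'|([^\s\]]*))/g)) {
    fields[m[1]] = m[2] !== undefined ? m[2] : m[3];
  }
  return fields;
}

// Stand-in for the object polkitd exposes to rules (assumption: only addRule,
// log and the two Result values used here are modelled).
function makePolkit() {
  const rules = [];
  return { rules, addRule: (fn) => rules.push(fn), log: () => {},
           Result: { YES: "yes", NO: "no" } };
}

// The second rule from the post, unchanged.
function loadRuleFromPost(polkit) {
  polkit.addRule(function (action, subject) {
    if (
      action.id == "org.freedesktop.systemd1.manage-units" &&
      subject.user == "nextcloud" &&
      (action.lookup("unit") == "borgbackup-job-nextcloud_data.service" || action.lookup("unit") == "borgbackup-job-nextcloud_database.service")
    ) {
      return polkit.Result.YES;
    }
  });
}

// Run the rules in registration order; the first non-null result decides.
function evaluate(actionLine, subjectLine, loadRules = loadRuleFromPost) {
  const polkit = makePolkit();
  loadRules(polkit);
  const a = parseFields(actionLine);
  const action = { id: a.id, lookup: (key) => a[key] };
  const subject = parseFields(subjectLine);
  for (const rule of polkit.rules) {
    const result = rule(action, subject);
    if (result !== undefined && result !== null) return result;
  }
  return "not handled"; // polkitd would then fall back to the action's defaults
}
```

`evaluate(LOGGED_ACTION, LOGGED_SUBJECT)` returns `"not handled"`, while the same request with `unit='borgbackup-job-nextcloud_data.service'` returns `"yes"`.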