Borgbackup Service suddenly has permission problems and I am struggling with polkit

Hi there,

I have borg backup jobs for the data and database of my Nextcloud service. The configs can be found here: https://git.sr.ht/~martinimoe/nixos-config/tree/main/item/nixos/caprica/nextcloud_backups.nix

These backup jobs used to work fine for quite some time. Since some update (maybe since nixos 25.05?) I get errors in these backup jobs:

Jul 14 08:45:04 caprica systemd[1]: Started BorgBackup job nextcloud_data.
Jul 14 08:45:04 caprica systemd-run[10368]: Failed to start transient service unit: Access denied
Jul 14 08:45:04 caprica systemd-run[10369]: Failed to start transient service unit: Access denied
Jul 14 08:45:04 caprica systemd[1]: borgbackup-job-nextcloud_data.service: Main process exited, code=exited, status=1/FAILURE
Jul 14 08:45:04 caprica systemd[1]: borgbackup-job-nextcloud_data.service: Failed with result 'exit-code'.
Jul 14 08:45:04 caprica systemd[1]: borgbackup-job-nextcloud_data.service: Triggering OnFailure= dependencies.

Same for the database backup job.

I tried to enable polkit to fix this. Then the errors change slightly to:

Jul 14 08:58:29 caprica systemd[1]: Started BorgBackup job nextcloud_data.
Jul 14 08:58:29 caprica systemd-run[13099]: Failed to start transient service unit: Interactive authentication required.
Jul 14 08:58:29 caprica systemd-run[13111]: Failed to start transient service unit: Interactive authentication required.
Jul 14 08:58:29 caprica systemd[1]: borgbackup-job-nextcloud_data.service: Main process exited, code=exited, status=1/FAILURE
Jul 14 08:58:29 caprica systemd[1]: borgbackup-job-nextcloud_data.service: Failed with result 'exit-code'.
Jul 14 08:58:29 caprica systemd[1]: borgbackup-job-nextcloud_data.service: Triggering OnFailure= dependencies.

I then tried to create a polkit rule to allow the Nextcloud user to manage this service and also enabled some debugging:

  security.polkit.debug = true;
  security.polkit.extraConfig = ''
    // Debug rule: log every action/subject pair polkitd evaluates.
    polkit.addRule(function(action, subject) {
      polkit.log("action=" + action);
      polkit.log("subject=" + subject);
    });
    // Allow the nextcloud user to manage only the two borgbackup job units.
    polkit.addRule(function (action, subject) {
      if (
        action.id == "org.freedesktop.systemd1.manage-units" &&
        subject.user == "nextcloud" &&
        (action.lookup("unit") == "borgbackup-job-nextcloud_data.service" || action.lookup("unit") == "borgbackup-job-nextcloud_database.service")
      ) {
        return polkit.Result.YES;
      }
    });
  '';

I still get "Interactive authentication required" and the backup does not work. polkit.service logs:

Jul 14 09:01:33 caprica polkitd[15435]: action=[Action id='org.freedesktop.systemd1.manage-units' verb='start' unit='run-p15656-i15657.service' polkit.message='Authentication is required to start transient uni>
Jul 14 09:01:33 caprica polkitd[15435]: subject=[Subject pid=15656 user='nextcloud' groups=nextcloud seat=null session=null system_unit=null local=false active=false]
Jul 14 09:01:33 caprica polkitd[15435]: action=[Action id='org.freedesktop.systemd1.manage-unit-files' verb='start' unit='run-p15656-i15657.service' polkit.message='Authentication is required to start transien>
Jul 14 09:01:33 caprica polkitd[15435]: subject=[Subject pid=15656 user='nextcloud' groups=nextcloud seat=null session=null system_unit=null local=false active=false]
Jul 14 09:01:33 caprica polkitd[15435]: action=[Action id='org.freedesktop.systemd1.manage-units' verb='start' unit='run-p15659-i15660.service' polkit.message='Authentication is required to start transient uni>
Jul 14 09:01:33 caprica polkitd[15435]: subject=[Subject pid=15659 user='nextcloud' groups=nextcloud seat=null session=null system_unit=null local=false active=false]
Jul 14 09:01:33 caprica polkitd[15435]: action=[Action id='org.freedesktop.systemd1.manage-unit-files' verb='start' unit='run-p15659-i15660.service' polkit.message='Authentication is required to start transien>
Jul 14 09:01:33 caprica polkitd[15435]: subject=[Subject pid=15659 user='nextcloud' groups=nextcloud seat=null session=null system_unit=null local=false active=false]

So of course my rules do not apply, because the unit name does not match (run-p15656-i15657.service and run-p15659-i15660.service ??). At this point I am lost and need help.

  1. Why does the backup service not work anymore, while my other custom backup services still do (for example see paperless_backups.nix, which still works)?
  2. Where do these strange unit names come from and how could I configure a polkit rule for these?

Any help would be greatly appreciated :bowing_man:
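As an added illustration (not part of the post above, and not NixOS or polkit code), here is a small offline harness that loads polkit JavaScript rules into a stub `polkit` object and evaluates them against the action/subject pairs recorded in the polkitd debug log. It shows why the posted rule falls through for the transient `run-p…-i…` unit while matching the named job unit; the stub names `rules`, `makeAction`, `makeSubject` and `evaluate` are this example's own. Any rule that matched the `run-*` pattern instead would let that user start arbitrary transient units on the system manager, so the harness is meant for checking a candidate rule against recorded log lines before it is deployed, not as a rule to grant.

```javascript
// Added example: stub enough of polkit's rule API to evaluate rules offline.
const rules = [];
const polkit = {
  Result: { YES: "yes", NO: "no", AUTH_ADMIN: "auth_admin" },
  log: () => {},                      // polkit.log() is a no-op in the harness
  addRule: (fn) => rules.push(fn),
};

// Minimal stand-ins for polkit's Action and Subject objects, carrying only the
// fields the rule reads: action.id, action.lookup("unit"), subject.user.
function makeAction(id, details) {
  return { id, lookup: (key) => details[key] };
}
function makeSubject(user) {
  return { user };
}

// polkit runs rules in registration order and stops at the first one that
// returns a Result. If every rule returns undefined the action's default
// applies (auth_admin for org.freedesktop.systemd1.manage-units), which is
// what "Interactive authentication required" in the journal reflects.
function evaluate(action, subject) {
  for (const rule of rules) {
    const r = rule(action, subject);
    if (r !== undefined) return r;
  }
  return "default";
}

// The decision rule from the post, transcribed unchanged.
polkit.addRule(function (action, subject) {
  if (
    action.id == "org.freedesktop.systemd1.manage-units" &&
    subject.user == "nextcloud" &&
    (action.lookup("unit") == "borgbackup-job-nextcloud_data.service" ||
      action.lookup("unit") == "borgbackup-job-nextcloud_database.service")
  ) {
    return polkit.Result.YES;
  }
});

// Action and subject copied from the logged lines (pid 15656, user nextcloud,
// transient unit run-p15656-i15657.service) versus the named job unit.
const MANAGE = "org.freedesktop.systemd1.manage-units";
const transientResult = evaluate(
  makeAction(MANAGE, { unit: "run-p15656-i15657.service", verb: "start" }),
  makeSubject("nextcloud"));
const namedUnitResult = evaluate(
  makeAction(MANAGE, { unit: "borgbackup-job-nextcloud_data.service", verb: "start" }),
  makeSubject("nextcloud"));
```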