Using restic service with the security wrapper

mirosval · October 24, 2023, 6:03pm

Looking at Restic - NixOS Wiki, the security wrapper seems to produce a new binary and put it in $PATH. However when I’m using services.restic.backups, all I can configure is package.

How do I connect the two things?

What I would like is to use the security patched restic binary in the restic service.

wamserma · October 26, 2023, 6:38am

When running restic as service, it is probably better to define one backup set per user and use services.restic.backups.<name>.user. The security wrapper is mainly to avoid running restic with sudo and is a middle ground between running with regular user permissions and full root access.

inquirer · September 15, 2024, 7:41am

I‘m having the same problem and can’t find a solution.
Since some of my files I want to backup are owned by the root user or some other privileged user I would have to run the restic service as root which is a security risk.
The wrapper would be a great solution to this but, same as you, I don’t see any possibility of using the wrapper bin for the service.
Can someone confirm that, please? I will open a GitHub issue then.

ceedubs · January 22, 2025, 3:48pm

I ended up hitting the same issue when switched from a user service to a system service because I wanted to back up paths in /var/lib. I’m not sure how dodgy this is, but it seems to be working just fine for me:

package = pkgs.writeTextFile {
  name = "restic-security-wrapper";
  text = ''
    #!${pkgs.runtimeShell}
    exec /run/wrappers/bin/restic "$@"
  '';
  checkPhase = ''
    ${pkgs.stdenv.shellDryRun} "$target"
  '';
  executable = true;
  destination = "/bin/restic";
};

waffle8946 · January 22, 2025, 4:33pm

There’s dedicated build helpers to make scripts, I’d use one of those. (Usually writeShellApplication since I don’t trust bash.)
https://nixos.org/manual/nixpkgs/unstable/#chap-trivial-builders

I also prefer not to hardcode paths if possible, but I don’t exactly see where the wrapper is defined… If you’ve defined the wrapper in your own config, then ${config.security.wrapperDir}/${config.security.wrappers.restic.program} should work to build the absolute path string.

Also, the NixOS restic module should be using getExe, not hardcoding /bin/restic…

github.com

NixOS/nixpkgs/blob/ae584d90cbd0396a422289ee3efb1f1c9d141dc3/nixos/modules/services/backup/restic.nix#L315


      
          (name: backup:
            let
              extraOptions = lib.concatMapStrings (arg: " -o ${arg}") backup.extraOptions;
              inhibitCmd = lib.concatStringsSep " " [
                "${pkgs.systemd}/bin/systemd-inhibit"
                "--mode='block'"
                "--who='restic'"
                "--what='sleep'"
                "--why=${lib.escapeShellArg "Scheduled backup ${name}"} "
              ];
              resticCmd = "${lib.optionalString backup.inhibitsSleep inhibitCmd}${backup.package}/bin/restic${extraOptions}";
              excludeFlags = lib.optional (backup.exclude != []) "--exclude-file=${pkgs.writeText "exclude-patterns" (lib.concatStringsSep "\n" backup.exclude)}";
              filesFromTmpFile = "/run/restic-backups-${name}/includes";
              doBackup = (backup.dynamicFilesFrom != null) || (backup.paths != null && backup.paths != []);
              pruneCmd = lib.optionals (builtins.length backup.pruneOpts > 0) [
                (resticCmd + " forget --prune " + (lib.concatStringsSep " " backup.pruneOpts))
              ];
              checkCmd = lib.optionals backup.runCheck [
                  (resticCmd + " check " + (lib.concatStringsSep " " backup.checkOpts))
              ];
              # Helper functions for rclone remotes

ceedubs · January 24, 2025, 1:54pm

There’s dedicated build helpers to make scripts, I’d use one of those.

The reason that I didn’t use one of those is because they use the name as the executable name, and the restic derivation is looking specifically for bin/restic, so bin/restic-wrapper would have been problematic. I guess that I could have just made the name restic, but I thought that might be confusing.

Ah but now that I look at getExe it seems like if the restic derivation were using getExe instead of bin/restic then this would work even with a different executable name? That seems like a worthwhile change. Maybe I can submit a PR for that.

Thanks for the tip for avoiding hard-coding the path. I’ll use that as well.

waffle8946 · January 24, 2025, 1:58pm

Right.

ceedubs · January 24, 2025, 2:19pm

Gotcha.

That seems like the right solution, but at this point could be a breaking change. For example if someone is doing what I’ve done above then getExe will return .../bin/restic-security-wrapper since meta.mainProgram is not set. It looks like writeShellScriptBin sets meta.mainProgram but not other helpers like writeShellApplication. I doubt that this would mess many people up, but I have no way of knowing and am not sure whether to go forward with it.

waffle8946 · January 24, 2025, 2:32pm

Breaking changes are fine on unstable, but wouldn’t be ported back to stable.

(Although the build helpers probably should set it too.)

ceedubs · January 24, 2025, 3:33pm

I’ve submitted a PR for the getExe change. I accidentally hit submit before I had gone through local testing, but I guess Hydra is doing some of that for me, and it’s a pretty straightforward change.