authorNick Cao <nickcao@nichi.co>2023-04-30 20:37:07 +0800
committerGitHub <noreply@github.com>2023-04-30 20:37:07 +0800
commit1acfbbb2e7ff1e4e34d8e86055f007b22644cc38 (patch)
treeb3efe3c78901341f2a8aa415b3dcc9d466543b1e
parent5adc9aac2b8335b35037e63c012f0cd1bfa3b171 (diff)
parent3bd1c64a5b17bbc89089e68a145c7cbfb494fa5b (diff)
Merge pull request #125865 from eliasp/restic-private-tmp
nixos/restic: use private tmp for service unit
-rw-r--r--nixos/modules/services/backup/restic.nix1
-rw-r--r--nixos/tests/restic.nix36
2 files changed, 19 insertions, 18 deletions
diff --git a/nixos/modules/services/backup/restic.nix b/nixos/modules/services/backup/restic.nix
index d19b98a3e4b..8cc0c084d65 100644
--- a/nixos/modules/services/backup/restic.nix
+++ b/nixos/modules/services/backup/restic.nix
@@ -339,6 +339,7 @@ in
               RuntimeDirectory = "restic-backups-${name}";
               CacheDirectory = "restic-backups-${name}";
               CacheDirectoryMode = "0700";
+              PrivateTmp = true;
             } // optionalAttrs (backup.environmentFile != null) {
               EnvironmentFile = backup.environmentFile;
             };
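Review bot: `PrivateTmp = true;` is applied unconditionally and without a comment, so existing configurations that point at the host's /tmp or /var/tmp will quietly stop seeing the host's files. The unit now gets its own empty copies of those directories, which systemd removes when the unit stops. The test edits in this same commit, which move every fixture out of /tmp, suggest that this affects the repository path and the hook commands as well as the backup `paths`. I would add a comment above the line, `# The unit gets a private /tmp and /var/tmp; host files under those paths are invisible to restic and the hook commands.`, and record the change in the release notes so users who stage dumps in /tmp know to move them. The enclosing `serviceConfig` attribute set begins outside this hunk.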
diff --git a/nixos/tests/restic.nix b/nixos/tests/restic.nix
index 1071fbada74..626049e7334 100644
--- a/nixos/tests/restic.nix
+++ b/nixos/tests/restic.nix
@@ -2,18 +2,18 @@ import ./make-test-python.nix (
   { pkgs, ... }:
 
   let
-    remoteRepository = "/tmp/restic-backup";
-    remoteFromFileRepository = "/tmp/restic-backup-from-file";
-    rcloneRepository = "rclone:local:/tmp/restic-rclone-backup";
+    remoteRepository = "/root/restic-backup";
+    remoteFromFileRepository = "/root/restic-backup-from-file";
+    rcloneRepository = "rclone:local:/root/restic-rclone-backup";
 
     backupPrepareCommand = ''
-      touch /tmp/backupPrepareCommand
-      test ! -e /tmp/backupCleanupCommand
+      touch /root/backupPrepareCommand
+      test ! -e /root/backupCleanupCommand
     '';
 
     backupCleanupCommand = ''
-      rm /tmp/backupPrepareCommand
-      touch /tmp/backupCleanupCommand
+      rm /root/backupPrepareCommand
+      touch /root/backupCleanupCommand
     '';
 
     testDir = pkgs.stdenvNoCC.mkDerivation {
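Review bot: Nothing in the test asserts the new isolation. The fixtures are only moved from /tmp to /root, so the suite would still pass if `PrivateTmp` were later dropped from the module. One hook could keep writing a probe file under /tmp, for example `touch /tmp/private-tmp-probe` in `backupPrepareCommand` (a constructed name). The test script could then check from the driver, after the service has run, that it never appears on the host: `server.fail("test -e /tmp/private-tmp-probe")`. The `let` block continues past the end of this hunk.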
@@ -81,7 +81,7 @@ import ./make-test-python.nix (
               inherit passwordFile paths;
               repository = "some-fake-repository";
               package = pkgs.writeShellScriptBin "restic" ''
-                echo "$@" >> /tmp/fake-restic.log;
+                echo "$@" >> /root/fake-restic.log;
               '';
 
               pruneOpts = [ "--keep-last 1" ];
@@ -100,18 +100,18 @@ import ./make-test-python.nix (
           "${pkgs.restic}/bin/restic -r ${remoteRepository} -p ${passwordFile} snapshots",
           '${pkgs.restic}/bin/restic -r ${remoteFromFileRepository} -p ${passwordFile} snapshots"',
           "${pkgs.restic}/bin/restic -r ${rcloneRepository} -p ${passwordFile} snapshots",
-          "grep 'backup.* /opt' /tmp/fake-restic.log",
+          "grep 'backup.* /opt' /root/fake-restic.log",
       )
       server.succeed(
           # set up
           "cp -rT ${testDir} /opt",
           "touch /opt/excluded_file_1 /opt/excluded_file_2",
-          "mkdir -p /tmp/restic-rclone-backup",
+          "mkdir -p /root/restic-rclone-backup",
 
           # test that remotebackup runs custom commands and produces a snapshot
           "timedatectl set-time '2016-12-13 13:45'",
           "systemctl start restic-backups-remotebackup.service",
-          "rm /tmp/backupCleanupCommand",
+          "rm /root/backupCleanupCommand",
           '${pkgs.restic}/bin/restic -r ${remoteRepository} -p ${passwordFile} snapshots --json | ${pkgs.jq}/bin/jq "length | . == 1"',
 
           # test that restoring that snapshot produces the same directory
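Review bot: The second command in the list that closes at `)` ends in `snapshots"'`, which leaves an unbalanced double quote inside the shell string. The shell should reject that command before restic is ever run. The opening of the call is outside this hunk, but if the list belongs to a `server.fail(...)`, the check for `remoteFromFileRepository` passes on the syntax error and says nothing about whether the repository exists. Dropping the stray quote, `'${pkgs.restic}/bin/restic -r ${remoteFromFileRepository} -p ${passwordFile} snapshots',`, makes the assertion meaningful. The line is unchanged context that predates this commit, but this commit edits the same list.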
@@ -129,33 +129,33 @@ import ./make-test-python.nix (
 
           # test that custompackage runs both `restic backup` and `restic check` with reasonable commandlines
           "systemctl start restic-backups-custompackage.service",
-          "grep 'backup.* /opt' /tmp/fake-restic.log",
-          "grep 'check.* --some-check-option' /tmp/fake-restic.log",
+          "grep 'backup.* /opt' /root/fake-restic.log",
+          "grep 'check.* --some-check-option' /root/fake-restic.log",
 
           # test that we can create four snapshots in remotebackup and rclonebackup
           "timedatectl set-time '2017-12-13 13:45'",
           "systemctl start restic-backups-remotebackup.service",
-          "rm /tmp/backupCleanupCommand",
+          "rm /root/backupCleanupCommand",
           "systemctl start restic-backups-rclonebackup.service",
 
           "timedatectl set-time '2018-12-13 13:45'",
           "systemctl start restic-backups-remotebackup.service",
-          "rm /tmp/backupCleanupCommand",
+          "rm /root/backupCleanupCommand",
           "systemctl start restic-backups-rclonebackup.service",
 
           "timedatectl set-time '2018-12-14 13:45'",
           "systemctl start restic-backups-remotebackup.service",
-          "rm /tmp/backupCleanupCommand",
+          "rm /root/backupCleanupCommand",
           "systemctl start restic-backups-rclonebackup.service",
 
           "timedatectl set-time '2018-12-15 13:45'",
           "systemctl start restic-backups-remotebackup.service",
-          "rm /tmp/backupCleanupCommand",
+          "rm /root/backupCleanupCommand",
           "systemctl start restic-backups-rclonebackup.service",
 
           "timedatectl set-time '2018-12-16 13:45'",
           "systemctl start restic-backups-remotebackup.service",
-          "rm /tmp/backupCleanupCommand",
+          "rm /root/backupCleanupCommand",
           "systemctl start restic-backups-rclonebackup.service",
 
           '${pkgs.restic}/bin/restic -r ${remoteRepository} -p ${passwordFile} snapshots --json | ${pkgs.jq}/bin/jq "length | . == 4"',