author | Sandro <sandro.jaeckel@gmail.com> | 2022-01-18 20:50:28 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2022-01-18 20:50:28 +0100 |
commit | 5c4fa6964f76f32093d4ff93c66c1e57dbe86e22 (patch) | |
tree | 53c64f125f21090d36636ca0740641eae5196212 /nixos/modules/services/backup | |
parent | 66023aed5c8d47aa2bde39149c68ff047961a74b (diff) | |
parent | 756f45306b69ac4fe0a4cd4e2d42bb3d29162f43 (diff) | |
download | nixpkgs-5c4fa6964f76f32093d4ff93c66c1e57dbe86e22.tar nixpkgs-5c4fa6964f76f32093d4ff93c66c1e57dbe86e22.tar.gz nixpkgs-5c4fa6964f76f32093d4ff93c66c1e57dbe86e22.tar.bz2 nixpkgs-5c4fa6964f76f32093d4ff93c66c1e57dbe86e22.tar.lz nixpkgs-5c4fa6964f76f32093d4ff93c66c1e57dbe86e22.tar.xz nixpkgs-5c4fa6964f76f32093d4ff93c66c1e57dbe86e22.tar.zst nixpkgs-5c4fa6964f76f32093d4ff93c66c1e57dbe86e22.zip |
Merge pull request #138386 from Yarny0/tsm-client
Diffstat (limited to 'nixos/modules/services/backup')
-rw-r--r-- | nixos/modules/services/backup/tsm.nix | 47 |
1 files changed, 33 insertions, 14 deletions
diff --git a/nixos/modules/services/backup/tsm.nix b/nixos/modules/services/backup/tsm.nix index 6c238745797..4e690ac6ecd 100644 --- a/nixos/modules/services/backup/tsm.nix +++ b/nixos/modules/services/backup/tsm.nix @@ -5,7 +5,7 @@ let inherit (lib.attrsets) hasAttr; inherit (lib.modules) mkDefault mkIf; inherit (lib.options) mkEnableOption mkOption; - inherit (lib.types) nullOr strMatching; + inherit (lib.types) nonEmptyStr nullOr; options.services.tsmBackup = { enable = mkEnableOption '' @@ -15,7 +15,7 @@ let <option>programs.tsmClient.enable</option> ''; command = mkOption { - type = strMatching ".+"; + type = nonEmptyStr; default = "backup"; example = "incr"; description = '' @@ -24,7 +24,7 @@ let ''; }; servername = mkOption { - type = strMatching ".+"; + type = nonEmptyStr; example = "mainTsmServer"; description = '' Create a systemd system service @@ -41,7 +41,7 @@ let ''; }; autoTime = mkOption { - type = nullOr (strMatching ".+"); + type = nullOr nonEmptyStr; default = null; example = "12:00"; description = '' 
@@ -87,16 +87,35 @@ in
 environment.DSM_LOG = "/var/log/tsm-backup/";
 # TSM needs a HOME dir to store certificates.
 environment.HOME = "/var/lib/tsm-backup";
- # for exit status description see
- # https://www.ibm.com/support/knowledgecenter/en/SSEQVQ_8.1.8/client/c_sched_rtncode.html
- serviceConfig.SuccessExitStatus = "4 8";
- # The `-se` option must come after the command.
- # The `-optfile` option suppresses a `dsm.opt`-not-found warning.
- serviceConfig.ExecStart =
- "${cfgPrg.wrappedPackage}/bin/dsmc ${cfg.command} -se='${cfg.servername}' -optfile=/dev/null";
- serviceConfig.LogsDirectory = "tsm-backup";
- serviceConfig.StateDirectory = "tsm-backup";
- serviceConfig.StateDirectoryMode = "0750";
+ serviceConfig = {
+ # for exit status description see
+ # https://www.ibm.com/docs/en/spectrum-protect/8.1.13?topic=clients-client-return-codes
+ SuccessExitStatus = "4 8";
+ # The `-se` option must come after the command.
+ # The `-optfile` option suppresses a `dsm.opt`-not-found warning.
+ ExecStart =
+ "${cfgPrg.wrappedPackage}/bin/dsmc ${cfg.command} -se='${cfg.servername}' -optfile=/dev/null";
+ LogsDirectory = "tsm-backup";
+ StateDirectory = "tsm-backup";
+ StateDirectoryMode = "0750";
+ # systemd sandboxing
+ LockPersonality = true;
+ NoNewPrivileges = true;
+ PrivateDevices = true;
+ #PrivateTmp = true; # would break backup of {/var,}/tmp
+ #PrivateUsers = true; # would block backup of /home/*
+ ProtectClock = true;
+ ProtectControlGroups = true;
+ ProtectHome = "read-only";
+ ProtectHostname = true;
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ ProtectProc = "noaccess";
+ ProtectSystem = "strict";
+ RestrictNamespaces = true;
+ RestrictSUIDSGID = true;
+ };
 startAt = mkIf (cfg.autoTime!=null) cfg.autoTime;
 };
 }; |
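Review bot: The new sandboxing block (`LockPersonality` through `RestrictSUIDSGID`) leaves the unit's capability set and syscall surface unrestricted, and since no `User=` appears in the consolidated `serviceConfig`, dsmc presumably still runs as full root. With CAP_SYS_ADMIN retained, the mount-namespace directives (`ProtectSystem = "strict"`, `ProtectHome = "read-only"`, `ProtectKernelTunables`) protect against mistakes rather than a compromised client, because a privileged process can remount those paths read-write inside its own namespace — systemd's own documentation recommends pairing them with a capability or `@mount` syscall restriction. A tightening that should keep a read-everything backup working is `CapabilityBoundingSet = [ "CAP_DAC_READ_SEARCH" ];`, `SystemCallArchitectures = "native";` and `RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];`, where the capability list is a starting point to be verified against what dsmc actually needs (for example when it writes certificates under `HOME`). It would also help to note beside `ProtectSystem = "strict"` that the only writable locations are the ones created by `StateDirectory`/`LogsDirectory`, so any future path dsmc must write to needs a `ReadWritePaths` entry. The systemd unit this block belongs to begins above the hunk.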