summary refs log tree commit diff
diff options
context:
space:
mode:
Diffstat
-rw-r--r--nixos/modules/services/misc/snapper.nix39
1 files changed, 30 insertions, 9 deletions
diff --git a/nixos/modules/services/misc/snapper.nix b/nixos/modules/services/misc/snapper.nix
index a821b9b6bf6..7ab5e147335 100644
--- a/nixos/modules/services/misc/snapper.nix
+++ b/nixos/modules/services/misc/snapper.nix
@@ -9,6 +9,14 @@ in
 {
   options.services.snapper = {
 
+    snapshotRootOnBoot = mkOption {
+      type = types.bool;
+      default = false;
+      description = ''
+        Whether to snapshot root on boot
+      '';
+    };
+
     snapshotInterval = mkOption {
       type = types.str;
       default = "hourly";
@@ -130,20 +138,22 @@ in
         Type = "dbus";
         BusName = "org.opensuse.Snapper";
         ExecStart = "${pkgs.snapper}/bin/snapperd";
+        CapabilityBoundingSet = "CAP_DAC_OVERRIDE CAP_FOWNER CAP_CHOWN CAP_FSETID CAP_SETFCAP CAP_SYS_ADMIN CAP_SYS_MODULE CAP_IPC_LOCK CAP_SYS_NICE";
+        LockPersonality = true;
+        NoNewPrivileges = false;
+        PrivateNetwork = true;
+        ProtectHostname = true;
+        RestrictAddressFamilies = "AF_UNIX";
+        RestrictRealtime = true;
       };
     };
 
     systemd.services.snapper-timeline = {
       description = "Timeline of Snapper Snapshots";
       inherit documentation;
+      requires = [ "local-fs.target" ];
       serviceConfig.ExecStart = "${pkgs.snapper}/lib/snapper/systemd-helper --timeline";
-    };
-
-    systemd.timers.snapper-timeline = {
-      description = "Timeline of Snapper Snapshots";
-      inherit documentation;
-      wantedBy = [ "basic.target" ];
-      timerConfig.OnCalendar = cfg.snapshotInterval;
+      startAt = cfg.snapshotInterval;
     };
 
     systemd.services.snapper-cleanup = {
@@ -155,10 +165,21 @@ in
     systemd.timers.snapper-cleanup = {
       description = "Cleanup of Snapper Snapshots";
       inherit documentation;
-      wantedBy = [ "basic.target" ];
+      wantedBy = [ "timers.target" ];
+      requires = [ "local-fs.target" ];
       timerConfig.OnBootSec = "10m";
       timerConfig.OnUnitActiveSec = cfg.cleanupInterval;
     };
+
+    systemd.services.snapper-boot = lib.optionalAttrs cfg.snapshotRootOnBoot {
+      description = "Take snapper snapshot of root on boot";
+      inherit documentation;
+      serviceConfig.ExecStart = "${pkgs.snapper}/bin/snapper --config root create --cleanup-algorithm number --description boot";
+      serviceConfig.type = "oneshot";
+      requires = [ "local-fs.target" ];
+      wantedBy = [ "multi-user.target" ];
+      unitConfig.ConditionPathExists = "/etc/snapper/configs/root";
+    };
+
   });
 }
-
generated by cgit-pink 1.4.1 (git 2.36.1) at 2024-05-24 16:45:21 +0000