| Commit message (Collapse) | Author | Age |
|---|
| |
|
|
|
|
|
|
| |
fixes #158802
Sets the mysql backup systemd service type to "oneshot" to ensure the
service is marked as started after the backup script fully proceeds. This
allows to reliably depend on completing of this service by other services.
|
| | |
|
| |\ |
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
The module option type `nonEmptyStr` was introduced in commit
https://github.com/NixOS/nixpkgs/commit/a3c5f0cba8fa9c4d9782ef83757be6e4028f54b7
The tsm modules previously simply used
`strMatching ".+"` to prevent empty option strings,
but the new type is more thorough as
it also catches space-only strings.
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This enables some systemd sandboxing
options for the `tsm-backup.service`.
Those settings have been determined by expermentation.
This commit tries hard to protect the filesystem from
write access, but not to hide anything from read access,
so users can backup all files they choose to backup.
An exception are API filesystems (`/dev`, `/proc`, `/sys`):
As their "files" are not stored on persistent storage,
they are sandboxed away as much as possible.
Note that the service still has to run with root
privileges to reach files with limited access permissions.
The obvious alternative to use a dedicated user account and
the `CAP_DAC_READ_SEARCH` capability to permit system-wide
read access while blocking write access does not work.
Experiments have shown that `dsmc` verifies access permissions
for each file before attempting to open it for reading.
Hence `dsmc` refuses to copy files where the file permission
mode blocks read access -- even if process capabilities
would allow it to proceed irrespective of permissions.
|
| | |
| |
| |
| |
| |
| | |
IBM has changed the URL structures of their support web pages.
The commit at hand updates URLs in two comments
so they follow the new structure.
|
| | | |
|
| | | |
|
| | |
| |
| |
| |
| | |
Persistent starts the backup service on power on if it was missed while
the system was powered down, for example.
|
| |/ |
|
| |\
| |
| | |
nixos/*: split docs build
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
most modules can be evaluated for their documentation in a very
restricted environment that doesn't include all of nixpkgs. this
evaluation can then be cached and reused for subsequent builds, merging
only documentation that has changed into the cached set. since nixos
ships with a large number of modules of which only a few are used in any
given config this can save evaluation a huge percentage of nixos
options available in any given config.
in tests of this caching, despite having to copy most of nixos/, saves
about 80% of the time needed to build the system manual, or about two
second on the machine used for testing. build time for a full system
config shrank from 9.4s to 7.4s, while turning documentation off
entirely shortened the build to 7.1s.
|
| | |
| |
| |
| |
| |
| |
| |
| | |
When `privateRepos = true`, the service will not start if the `.htpasswd` does not exist.
Use `systemd-tmpfiles` to autocreate an (empty) file to ensure the service can boot
before actual `htpasswd` contents are registered.
This is safe as restic-rest-server will deny all entry if the file is empty.
|
| |/
|
|
|
|
|
|
| |
Other services such as minecraft-server and plex allow configuration of
the dataDir option, allowing the files stored by each service to be in a
custom location.
Co-authored-by: Aaron Andersen <aaron@fosslib.net>
|
| |\
| |
| | |
treewide: more defaultText for options
|
| | |
| |
| |
| |
| |
| |
| | |
unfortunately we don't have a good way to represent defaults that
reference other values of the current submodule, so we just use the
relative path of the referenced value and assume that the submodule was
declared as `rec`.
|
| | | |
|
| | | |
|
| |\ \
| | |
| | | |
Move systemd-lib.nix and systemd-unit-options.nix into utils
|
| | | | |
|
| |\ \ \
| | | |
| | | | |
nixos/*: add trivial defaultText to options where applicable
|
| | | |/
| |/| |
|
| |/ /
| |
| |
| |
| |
| |
| | |
This reverts commit 62ab77a322514cfcd24d7cfd41c7e00c9a20f0b8.
This broke nixosTests.borgbackup:
https://github.com/NixOS/nixpkgs/pull/143995#issuecomment-985136152
|
| |/ |
|
| |
|
|
|
|
|
| |
This is done as the s3CredentialsFile specifies the environmentFile
for the systemd service, which can be used for more than just s3.
Co-authored-by: Cole Helbling <cole.e.helbling@outlook.com>
|
| |
|
|
|
|
| |
borg is able to process stdin during backups when backing up the special path -,
which can be very useful for backing up things that can be streamed (eg database
dumps, zfs snapshots).
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
This is to address a regression introduced in #131118.
When syncing the first dataset, syncoid expects that the target
dataset doesn't exist to have a clean slate to work with. So during
runtime we'll check if the target dataset does exist and if it doesn't
- delegate the permissions to the parent dataset instead.
But then, on unallow, we do the unallow on both the target and the
parent since the target dataset should have been created at this
point, so the unallow can't know which dataset that got permissions
just by which datasets exists.
|
| |\ |
|
| | |\
| | |
| | | |
Don't default to nogroup for the primary group of users.
|
| | | | |
|
| |\| | |
|
| | |\ \
| | | |
| | | | |
nixos/sanoid: allow zfs value for recursive
|
| | | |/ |
|
| |\| | |
|
| | |/
| |
| |
| |
| |
| |
| | |
I noticed this minor grammar mistake when running update.nix, and then
while grepping to find the source I noticed we had it a few times in
Nixpkgs. Just as easy to fix treewide as it was to fix the one
occurrence I noticed.
|
| |\ \
| |/
|/| |
mariadb: 10.5.11 -> 10.6.3, mariadb-galera: 26.4.8 -> 26.4.9, libmysqlclient: 3.1.13 -> 3.2.3
|
| | |
| |
| |
| | |
client tries to connect over TCP, which failes because this uses socket auth
|
| |\ \
| | |
| | | |
nixos/syncoid: add global and per-dataset permissions options
|
| | |/ |
|
| |/
|
|
| |
This has been synonymous for ~5y.
|
| |
|
|
|
|
| |
This option allows basic configuration of the compression technique
used in the backup script. Specifically it adds `none` and `zstd` as
new alternatives, keeping `gzip` as the default.
|
| |\ |
|
| | | |
|
| | | |
|
| | | |
|
| | | |
|
| | | |
|
| | | |
|