Commit 9e1fe5cd authored by MinerSebas's avatar MinerSebas

nixos/restic-rest-server: Make the service socket activated

parent 7762c223
+15 −3
@@ -12,7 +12,7 @@ in
    enable = mkEnableOption (lib.mdDoc "Restic REST Server");

    listenAddress = mkOption {
      default = ":8000";
      default = "8000";
      example = "127.0.0.1:8080";
      type = types.str;
      description = lib.mdDoc "Listen on a specific IP address and port.";
@@ -61,14 +61,19 @@ in
  };

  config = mkIf cfg.enable {
    assertions = [{
      assertion = lib.substring 0 1 cfg.listenAddress != ":";
      message = "The restic-rest-server now uses systemd socket activation, which expects only the Port number: services.restic.server.listenAddress = \"${lib.substring 1 6 cfg.listenAddress}\";";
    }];

    systemd.services.restic-rest-server = {
      description = "Restic REST Server";
      after = [ "network.target" ];
      after = [ "network.target" "restic-rest-server.socket" ];
      requires = [ "restic-rest-server.socket" ];
      wantedBy = [ "multi-user.target" ];
      serviceConfig = {
        ExecStart = ''
          ${cfg.package}/bin/rest-server \
          --listen ${cfg.listenAddress} \
          --path ${cfg.dataDir} \
          ${optionalString cfg.appendOnly "--append-only"} \
          ${optionalString cfg.privateRepos "--private-repos"} \
@@ -84,6 +89,7 @@ in
        LockPersonality = true;
        MemoryDenyWriteExecute = true;
        NoNewPrivileges = true;
        PrivateNetwork = true;
        PrivateTmp = true;
        PrivateUsers = true;
        ProtectClock = true;
@@ -98,6 +104,7 @@ in
        PrivateDevices = true;
        ReadWritePaths = [ cfg.dataDir ];
        RemoveIPC = true;
        RestrictAddressFamilies = "none";
        RestrictNamespaces = true;
        RestrictRealtime = true;
        RestrictSUIDSGID = true;
@@ -107,6 +114,11 @@ in
      };
    };

    systemd.sockets.restic-rest-server = {
      listenStreams = [ cfg.listenAddress ];
      wantedBy = [ "sockets.target" ];
    };

    systemd.tmpfiles.rules = mkIf cfg.privateRepos [
        "f ${cfg.dataDir}/.htpasswd 0700 restic restic -"
    ];
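Review bot: The `listenAddress` description in the first hunk still reads "Listen on a specific IP address and port.", although the value is now handed to `systemd.sockets.restic-rest-server.listenStreams` and so follows systemd's `ListenStream=` syntax. A bare port such as the new default `"8000"` listens on all addresses, the same exposure as the old `:8000`, and for a backup server that is worth stating: `description = lib.mdDoc "Port or address:port for the systemd socket (ListenStream= syntax); a bare port listens on all addresses.";`. The assertion rejects only a leading `:`, so any other string that `ListenStream=` interprets differently (a path, for example) passes through unchecked. The rendering does not show which side the `--listen ${cfg.listenAddress}` line is on; with `PrivateNetwork = true` and `RestrictAddressFamilies = "none"` the process can presumably serve only the inherited socket, so if that flag is still passed it should be dropped or explained in a comment.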
+2 −2
@@ -44,7 +44,7 @@ import ./make-test-python.nix (
        services.restic.server = {
          enable = true;
          extraFlags = [ "--no-auth" ];
          listenAddress = ":8001";
          listenAddress = "8001";
        };
        networking.firewall.allowedTCPPorts = [ 8001 ];
      };
@@ -68,7 +68,7 @@ import ./make-test-python.nix (
    testScript = ''
      restic_rest_server.start()
      server.start()
      restic_rest_server.wait_for_unit("restic-rest-server.service")
      restic_rest_server.wait_for_unit("restic-rest-server.socket")
      restic_rest_server.wait_for_open_port(8001)
      server.wait_for_unit("dbus.socket")
      server.fail(