steve/restic-manager
1
0
Fork 0
Code Issues Pull Requests Actions Projects Releases 1 Wiki Activity

phase 1: agent install path — systemd unit, install.sh, asset endpoints

Browse Source 
P1-14 deploy/install/restic-manager-agent.service: standard systemd
  unit with the usual hardening switches (NoNewPrivileges, Protect*,
  RestrictRealtime, MemoryDenyWriteExecute). Restart=always with a
  5s backoff. Runs as a dedicated unprivileged restic-manager-agent
  user; the install script creates it.

P1-29 deploy/install/install.sh: arch detection (amd64/arm64), pulls
  the agent binary from /agent/binary, creates the service user
  + dirs (/etc/restic-manager, /var/lib/restic-manager), runs
  enrollment via `agent -enroll-server -enroll-token`, lays down
  the systemd unit, enables and starts it.

  Honours the spec's "detect, don't auto-disable" rule for existing
  schedulers: scans systemd timers, /etc/cron.d/*, /etc/cron.daily/*,
  root crontab for restic-named entries and prints them with the
  exact disable command — operator decides.

P1-31 server endpoints to ship the agent installation payload:
  GET /agent/binary?os=linux&arch=amd64 → serves
    <DataDir>/agent-binaries/restic-manager-agent-linux-amd64
  GET /install/<file>                   → serves
    <DataDir>/install/<file>
  Both endpoints reject path traversal and return 404 if the file
  isn't published. Operators drop the binaries + service unit into
  these directories at release time. Signed-bundle verification is
  deferred to Phase 5 OSS readiness.

All tests still pass.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
Steve Cliff
2026-05-01 00:40:36 +01:00
parent 9cc0caff1e
commit 24ab071702
4 changed files with 296 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
deploy/install/restic-manager-agent.service
+42
View File
@@ -0,0 +1,42 @@
[Unit]
Description=restic-manager agent
Documentation=https://gitea.dcglab.co.uk/steve/restic-manager
After=network-online.target
Wants=network-online.target
[Service]
Type=simple
ExecStart=/usr/local/bin/restic-manager-agent -config /etc/restic-manager/agent.yaml
Restart=always
RestartSec=5
# Run as a dedicated unprivileged user; the install script creates it.
User=restic-manager-agent
Group=restic-manager-agent
# The agent reads its config and writes a small state file there.
# Anything else is read-only.
ReadWritePaths=/etc/restic-manager /var/lib/restic-manager
# Hardening — restic itself needs filesystem read access to whatever
# paths it's backing up; we don't lock that down here. But everything
# else gets the standard systemd sandboxing toggles.
NoNewPrivileges=true
PrivateTmp=true
ProtectSystem=strict
ProtectHome=read-only
ProtectHostname=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectKernelLogs=true
ProtectControlGroups=true
ProtectClock=true
RestrictRealtime=true
RestrictSUIDSGID=true
RestrictNamespaces=true
LockPersonality=true
MemoryDenyWriteExecute=true
SystemCallArchitectures=native
[Install]
WantedBy=multi-user.target