steve/restic-manager
1
0
Fork 0
Code Issues Pull Requests Actions Projects Releases 1 Wiki Activity
Files
1cf9cb752ff47fa4d3e6d76843165d3e1c5b20ca
restic-manager/deploy/install/restic-manager-agent.service
T
steve a781e95c94 P3 follow-up: editable target dir, conditional --no-ownership, UK lint 
Three small follow-ups from review:

1. Restore target is now operator-editable. Default value is the
   literal '\$HOME/rm-restore/<job-id>/' (agent expands \$HOME at
   run time using os.UserHomeDir(); also handles \${HOME} and ~/
   prefixes). Operator can replace with any absolute path.
   - ui_restore.go validates the input is either absolute or starts
     with one of the recognised prefixes; other env-var refs (\$PATH
     etc.) are deliberately rejected so operator paths can't pick up
     arbitrary agent env values.
   - host_restore.html replaces the read-only mono-text display with
     a real <input>; help text spells out that \$HOME resolves
     agent-side and <job-id> is substituted on dispatch.
   - install.sh + the systemd unit prep /root/rm-restore so the
     default works under the sandbox: ReadWritePaths gains a soft
     '-/root/rm-restore' entry (the '-' makes the bind-mount soft-fail
     if missing, but install.sh pre-creates it root-owned 0700).

2. --no-ownership flag now gated on restic version. The flag was
   added in restic 0.17 and 0.16 rejects it. Previously dropped it
   wholesale — that meant new-dir restores silently preserved
   ownership against design intent on 0.17+. Now the agent threads
   its detected restic version (sysinfo already collects it) through
   runner.Config -> restic.Env, and RunRestore appends --no-ownership
   only when AtLeastVersion(0, 17) returns true. 0.16 hosts still
   restore with original uid/gid; help text in the wizard explicitly
   notes this. The previous 'Original ownership is preserved' copy
   was wrong for new-dir mode and is corrected.

3. golangci-lint misspell locale switched US -> UK and the codebase
   swept (73 corrections, mostly behaviour/serialise/recognise/honour).
   Wire-format ErrorCode 'unauthorized' -> 'unauthorised' is a tiny
   contract change but the agent doesn't parse those codes today and
   no external API consumers exist yet. Tests passed before + after.

Tests:
- internal/restic/version_test.go covers Env.AtLeastVersion across
  edge cases (empty, exact match, patch above, minor below, non-
  numeric) and expandHome on \$HOME / \${HOME} / ~/, plus
  pass-through for absolute paths and refusal of other env vars.
- ui_restore_test updated: TargetDir now starts '\$HOME/rm-restore/'
  with the job_id substituted into the placeholder.

Live verified on the smoke env: default target restored to
/root/rm-restore/<job-id>/ as the agent's expanded \$HOME (2 files,
14 bytes); custom override '/tmp/custom-restore/<job-id>/' restored
into the agent's PrivateTmp namespace (1 file, 6 bytes); both jobs
'succeeded', exit 0.
2026-05-04 17:27:52 +01:00

69 lines
2.8 KiB
Desktop File
Raw Blame History

[Unit]
Description=restic-manager agent
Documentation=https://gitea.dcglab.co.uk/steve/restic-manager
After=network-online.target
Wants=network-online.target
[Service]
Type=simple
ExecStart=/usr/local/bin/restic-manager-agent -config /etc/restic-manager/agent.yaml
Restart=always
RestartSec=5
# The agent runs as root. A fleet-backup tool needs to read every
# file on the system regardless of DAC permissions; running as a
# dedicated unprivileged user means either silent skips on /home,
# /root, /var/lib/<other-daemons>, or operators having to add the
# service user to every group whose files they want backed up. Both
# are worse than the threat model already implies (the agent holds
# repo credentials, executes arbitrary restic, and runs operator-
# defined hooks — its blast radius is already large).
#
# The mitigation is aggressive systemd sandboxing of the root
# process: drop all capabilities except the few we need, deny
# writes outside our state dirs, and forbid privilege escalation.
User=root
Group=root
# CAP_DAC_READ_SEARCH lets us read any file regardless of DAC perms
# (the "backup everything" capability). CAP_DAC_OVERRIDE is needed
# during restore for chown/chmod to recreate ownership. Drop the
# rest — root in this process means "can read", not "can do".
CapabilityBoundingSet=CAP_DAC_READ_SEARCH CAP_DAC_OVERRIDE CAP_FOWNER CAP_CHOWN
AmbientCapabilities=CAP_DAC_READ_SEARCH CAP_DAC_OVERRIDE CAP_FOWNER CAP_CHOWN
# Hardening — blocks privilege escalation even from root, and
# confines writes / network / kernel access to what restic actually
# needs. Filesystem reads stay open: that's the whole job.
NoNewPrivileges=true
ProtectSystem=strict
# /etc/restic-manager: agent.yaml + secrets.enc.
# /var/lib/restic-manager: agent state (currently unused but reserved).
# /root/rm-restore: default target for new-directory restores
# ($HOME/rm-restore/<job-id>/ resolves here for User=root).
# ReadWritePaths overrides ProtectHome=read-only on this subdir only.
ReadWritePaths=/etc/restic-manager /var/lib/restic-manager -/root/rm-restore
ProtectHome=read-only
ProtectHostname=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectKernelLogs=true
ProtectControlGroups=true
ProtectClock=true
PrivateTmp=true
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
RestrictRealtime=true
RestrictSUIDSGID=true
RestrictNamespaces=true
LockPersonality=true
MemoryDenyWriteExecute=true
SystemCallArchitectures=native
# (No SystemCallFilter — the cap drop above already constrains what
# root can do; an allow-list filter killed restic with SIGSYS during
# init because @system-service excludes some of the syscalls Go's
# runtime + restic's file scanner reach for. The Protect*/Restrict*
# toggles still cover network / kernel / mount / namespace.)
[Install]
WantedBy=multi-user.target
Reference in New Issue View Git Blame Copy Permalink