To reduce the danger of accidentally exposing sensitive files processed
by a restic backup to other services/users, enable the `PrivateTmp=`
feature of restic service units, which provides a per service isolation
of `/tmp` and `/var/tmp`.
Co-authored-by: Daniel Nagy <danielnagy@posteo.de>
The restic repository cache location defaults to ~/.cache/restic when
not overwritten either by the --cache-dir command line parameter or the
universal RESTIC_CACHE_DIR environment variable.
Currently, the --cache-dir variable is set to only some restic commands,
but, e.g., not to the unit's preStart command for the module's
initialize option. This results in two distinct cache locations, one at
~/.cache/restic for the initialize commands and one at the configured
--cache-dir location for the restic backup command.
By explicitly setting RESTIC_CACHE_DIR for the unit, only one cache at
the correct location will be used.
https://restic.readthedocs.io/en/v0.15.1/manual_rest.html#caching
This provides an easy way to specify exclude patterns in config. It was
already possible via extraBackupOptions; this change creates a simpler,
similar to other backup services, way to specify them.
This commit also moves the indicator files out of the directory that's
being backed up, so that the directory remains static throughout the
backup operation.
Configures the `--cache-dir` parameter for the prune and check commands run after backing up. For `check`, also adds a `checkOpts` flag to enable using the cache, since that is disabled by default.
The backupPrepareCommand and backupCleanupCommand options offer a way to
run a script to prepare for backup and then cleanup it once finish.
Signed-off-by: Otavio Salvador <otavio@ossystems.com.br>
Allow providing the repository as a file, useful when we don't want it
being stored in the Git repository as plain text.
Signed-off-by: Otavio Salvador <otavio@ossystems.com.br>