Ensure restic gets the correct permissions when it's updated
Yes it's weird to modify the system package like this, but it's very handy. See also https://restic.readthedocs.io/en/stable/080_examples.html#backing-up-your-system-without-running-restic-as-root
parent
ab46c30df2
commit
e421657619
3 changed files with 39 additions and 0 deletions
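--- a/ansible/roles/restic/files/restic-post.hook
+++ b/ansible/roles/restic/files/restic-post.hook
@@ -0,0 +1,9 @@
+[Trigger]
+Operation = Upgrade
+Type = Package
+Target = restic
+
+[Action]
+Description = Set restic binary permissions
+When = PostTransaction
+Exec = /usr/share/libalpm/scripts/restic-post.sh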
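Review bot: The `[Trigger]` section lists only `Operation = Upgrade`, so a first install of restic (or a removal followed by a fresh install) would presumably not run the script, leaving the binary with the package's default owner and mode and no capability until something else sets them. alpm hooks accept repeated `Operation` lines, so adding `Operation = Install` below the existing one covers that case, unless another task in the role (not visible here) handles first-time setup. A leading comment such as `# Re-applies owner, mode and cap_dac_read_search to restic after pacman replaces the binary` would tell the next reader why the hook exists.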
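--- a/ansible/roles/restic/files/restic-post.sh
+++ b/ansible/roles/restic/files/restic-post.sh
@@ -0,0 +1,14 @@
+#!/usr/bin/env bash
+
+# See https://restic.readthedocs.io/en/stable/080_examples.html#backing-up-your-system-without-running-restic-as-root
+
+set -e
+
+RESTIC_BIN=$(which restic)
+
+# Set owner
+chown root:restic $RESTIC_BIN
+chmod 750 $RESTIC_BIN
+
+# Lest restic run root things
+setcap cap_dac_read_search=+ep $RESTIC_BIN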
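Review bot: `RESTIC_BIN=$(which restic)` lets the hook's PATH decide which file receives `cap_dac_read_search`, and `which` is a separate package on Arch that may not be installed. Since the hook runs as root, pin the packaged location instead, e.g. `RESTIC_BIN=/usr/bin/restic` (assumed install path, confirm with `pacman -Ql restic`), or at least resolve it with `command -v`. The three uses of `$RESTIC_BIN` are unquoted and should be `"$RESTIC_BIN"`. The capability lets every member of group `restic` read any file on the host through this binary, so a comment above `chown` stating that the group must contain only the dedicated backup account would record the assumption the 750 mode depends on.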
|
@ -58,3 +58,19 @@
|
|||
dest: /etc/logrotate.d/backrest
|
||||
mode: "0600"
|
||||
become: true
|
||||
|
||||
- name: Install pacman post script
|
||||
template:
|
||||
src: files/restic-post.sh
|
||||
dest: /usr/share/libalpm/scripts/restic-post.sh
|
||||
mode: "0700"
|
||||
become: true
|
||||
when: ansible_os_family == 'Archlinux'
|
||||
|
||||
- name: Install pacman post hook
|
||||
template:
|
||||
src: files/restic-post.hook
|
||||
dest: /usr/share/libalpm/hooks/restic-post.hook
|
||||
mode: "0600"
|
||||
become: true
|
||||
when: ansible_os_family == 'Archlinux'
|
||||
|
|
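Review bot: Both tasks write into `/usr/share/libalpm/hooks` and `/usr/share/libalpm/scripts`, which are the directories packages install into. Pacman's default location for administrator hooks is `/etc/pacman.d/hooks`, and using it keeps locally managed files apart from package-owned ones. Neither task sets `owner:` or `group:`, so a pre-existing file keeps whatever owner it has; because pacman executes the script as root, adding `owner: root` and `group: root` to both tasks makes the `0700`/`0600` modes meaningful. The sources live under `files/` and show no Jinja expressions, so `copy:` would fit better than `template:` and avoids accidental interpolation of any `{{` that later appears in the script. The hunk begins at line 58 of the file, so earlier tasks in the role are not visible here.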