Ensure restic gets the correct permissions when it's updated

Yes it's weird to modify the system package like this, but it's very handy.

See also https://restic.readthedocs.io/en/stable/080_examples.html#backing-up-your-system-without-running-restic-as-root
Jake Howard 2021-08-10 08:45:59 +01:00
parent ab46c30df2
commit e421657619
Signed by: jake
GPG key ID: 57AFB45680EDD477
3 changed files with 39 additions and 0 deletions


@ -0,0 +1,9 @@
[Trigger]
Operation = Upgrade
Type = Package
Target = restic
[Action]
Description = Set restic binary permissions
When = PostTransaction
Exec = /usr/share/libalpm/scripts/restic-post.sh
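Review bot: The trigger lists only `Operation = Upgrade`, so a first install of restic, or a remove followed by an install, leaves the binary with the package's default owner and mode and no capability until the next upgrade. alpm hooks accept repeated Operation lines, so adding `Operation = Install` under `[Trigger]` closes that gap. The failure is on the safe side (non-root backups stop working rather than anything being over-exposed), but it tends to surface as silently missed backups. A comment at the top such as `# Re-applies the owner, mode and capability that pacman resets when it replaces the restic binary` would help.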


@ -0,0 +1,14 @@
#!/usr/bin/env bash
# See https://restic.readthedocs.io/en/stable/080_examples.html#backing-up-your-system-without-running-restic-as-root
set -e
RESTIC_BIN=$(which restic)
# Set owner
chown root:restic $RESTIC_BIN
chmod 750 $RESTIC_BIN
# Lest restic run root things
setcap cap_dac_read_search=+ep $RESTIC_BIN
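Review bot: `RESTIC_BIN=$(which restic)` makes a root-run hook grant `cap_dac_read_search` to whichever `restic` comes first on the PATH pacman was started with, rather than to the file the package installed. Pinning the path with `RESTIC_BIN=/usr/bin/restic` (the location the Arch package is expected to use; confirm with `pacman -Ql restic`) and quoting it as `"$RESTIC_BIN"` in the chown, chmod and setcap lines removes that dependency. The comment above setcap should also say that the capability lets every member of the `restic` group read any file on the system, so the `chmod 750` and the group's membership are the actual access control here. The existing comment's "Lest" looks like a typo for "Let".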


@ -58,3 +58,19 @@
dest: /etc/logrotate.d/backrest
mode: "0600"
become: true
- name: Install pacman post script
template:
src: files/restic-post.sh
dest: /usr/share/libalpm/scripts/restic-post.sh
mode: "0700"
become: true
when: ansible_os_family == 'Archlinux'
- name: Install pacman post hook
template:
src: files/restic-post.hook
dest: /usr/share/libalpm/hooks/restic-post.hook
mode: "0600"
become: true
when: ansible_os_family == 'Archlinux'
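Review bot: Neither added task sets `owner` or `group`, so if a destination already exists under a different owner Ansible may keep that ownership, and pacman then runs the script as root on every restic upgrade. Adding `owner: root` and `group: root` to both tasks makes the intended state explicit. Both sources live under `files/` and show no Jinja in this commit, so `copy:` fits better than `template:` and avoids a stray `{{` in the shell script being rendered. `/usr/share/libalpm/hooks` is where packages ship their own hooks; local ones conventionally go in `/etc/pacman.d/hooks`. The task list starts before this hunk, so whether the `restic` group is created, or the script is run once after install, cannot be seen from here.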