authorPascal Bach <pascal.bach@nextrem.ch>2024-04-10 23:33:34 +0200
committerGitHub <noreply@github.com>2024-04-10 23:33:34 +0200
commita8eaee11a972189aabd763a337e27925d2778e3d (patch)
tree4dc1287a905aeaacab062226dc8c403f81368301 /nixos/tests
parent0057749884f87a7c095cf2ed1bfa0a407a3d602f (diff)
parent9e1fe5cddd5c786c0fcceff37a90d9837dc68bcb (diff)
Merge pull request #296459 from MinerSebas/restic-rest-server-hardening
nixos/restic-rest-server:  Add additional service hardening
Diffstat (limited to 'nixos/tests')
-rw-r--r--nixos/tests/all-tests.nix1
-rw-r--r--nixos/tests/restic-rest-server.nix122
2 files changed, 123 insertions, 0 deletions
diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix
index 6f78d68730c91..7d120d6bc09e8 100644
--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
@@ -777,6 +777,7 @@ in {
   redis = handleTest ./redis.nix {};
   redmine = handleTest ./redmine.nix {};
   restartByActivationScript = handleTest ./restart-by-activation-script.nix {};
+  restic-rest-server = handleTest ./restic-rest-server.nix {};
   restic = handleTest ./restic.nix {};
   retroarch = handleTest ./retroarch.nix {};
   rkvm = handleTest ./rkvm {};
diff --git a/nixos/tests/restic-rest-server.nix b/nixos/tests/restic-rest-server.nix
new file mode 100644
index 0000000000000..1d38ddbe513c9
--- /dev/null
+++ b/nixos/tests/restic-rest-server.nix
@@ -0,0 +1,122 @@
+import ./make-test-python.nix (
+  { pkgs, ... }:
+
+  let
+    remoteRepository = "rest:http://restic_rest_server:8001/";
+
+    backupPrepareCommand = ''
+      touch /root/backupPrepareCommand
+      test ! -e /root/backupCleanupCommand
+    '';
+
+    backupCleanupCommand = ''
+      rm /root/backupPrepareCommand
+      touch /root/backupCleanupCommand
+    '';
+
+    testDir = pkgs.stdenvNoCC.mkDerivation {
+      name = "test-files-to-backup";
+      unpackPhase = "true";
+      installPhase = ''
+        mkdir $out
+        echo some_file > $out/some_file
+        echo some_other_file > $out/some_other_file
+        mkdir $out/a_dir
+        echo a_file > $out/a_dir/a_file
+      '';
+    };
+
+    passwordFile = "${pkgs.writeText "password" "correcthorsebatterystaple"}";
+    paths = [ "/opt" ];
+    exclude = [ "/opt/excluded_file_*" ];
+    pruneOpts = [
+      "--keep-daily 2"
+      "--keep-weekly 1"
+      "--keep-monthly 1"
+      "--keep-yearly 99"
+    ];
+  in
+  {
+    name = "restic-rest-server";
+
+    nodes = {
+      restic_rest_server = {
+        services.restic.server = {
+          enable = true;
+          extraFlags = [ "--no-auth" ];
+          listenAddress = "8001";
+        };
+        networking.firewall.allowedTCPPorts = [ 8001 ];
+      };
+      server = {
+        services.restic.backups = {
+          remotebackup = {
+            inherit passwordFile paths exclude pruneOpts backupPrepareCommand backupCleanupCommand;
+            repository = remoteRepository;
+            initialize = true;
+            timerConfig = null; # has no effect here, just checking that it doesn't break the service
+          };
+          remoteprune = {
+            inherit passwordFile;
+            repository = remoteRepository;
+            pruneOpts = [ "--keep-last 1" ];
+          };
+        };
+      };
+    };
+
+    testScript = ''
+      restic_rest_server.start()
+      server.start()
+      restic_rest_server.wait_for_unit("restic-rest-server.socket")
+      restic_rest_server.wait_for_open_port(8001)
+      server.wait_for_unit("dbus.socket")
+      server.fail(
+          "restic-remotebackup snapshots",
+      )
+      server.succeed(
+          # set up
+          "cp -rT ${testDir} /opt",
+          "touch /opt/excluded_file_1 /opt/excluded_file_2",
+
+          # test that remotebackup runs custom commands and produces a snapshot
+          "timedatectl set-time '2016-12-13 13:45'",
+          "systemctl start restic-backups-remotebackup.service",
+          "rm /root/backupCleanupCommand",
+          'restic-remotebackup snapshots --json | ${pkgs.jq}/bin/jq "length | . == 1"',
+
+          # test that restoring that snapshot produces the same directory
+          "mkdir /tmp/restore-1",
+          "restic-remotebackup restore latest -t /tmp/restore-1",
+          "diff -ru ${testDir} /tmp/restore-1/opt",
+
+          # test that we can create four snapshots in remotebackup and rclonebackup
+          "timedatectl set-time '2017-12-13 13:45'",
+          "systemctl start restic-backups-remotebackup.service",
+          "rm /root/backupCleanupCommand",
+
+          "timedatectl set-time '2018-12-13 13:45'",
+          "systemctl start restic-backups-remotebackup.service",
+          "rm /root/backupCleanupCommand",
+
+          "timedatectl set-time '2018-12-14 13:45'",
+          "systemctl start restic-backups-remotebackup.service",
+          "rm /root/backupCleanupCommand",
+
+          "timedatectl set-time '2018-12-15 13:45'",
+          "systemctl start restic-backups-remotebackup.service",
+          "rm /root/backupCleanupCommand",
+
+          "timedatectl set-time '2018-12-16 13:45'",
+          "systemctl start restic-backups-remotebackup.service",
+          "rm /root/backupCleanupCommand",
+
+          'restic-remotebackup snapshots --json | ${pkgs.jq}/bin/jq "length | . == 4"',
+
+          # test that remoteprune brings us back to 1 snapshot in remotebackup
+          "systemctl start restic-backups-remoteprune.service",
+          'restic-remotebackup snapshots --json | ${pkgs.jq}/bin/jq "length | . == 1"',
+      )
+    '';
+  }
+)
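Review bot: The three snapshot-count checks in `testScript` (`jq "length | . == 1"`, `jq "length | . == 4"` and the final `jq "length | . == 1"` after remoteprune) can never fail, because jq exits 0 whether the filter prints `true` or `false` and `server.succeed` only inspects the exit status. Passing `-e` makes a false result a non-zero exit, e.g. `'restic-remotebackup snapshots --json | ${pkgs.jq}/bin/jq -e "length == 1"'`. Separately, the `restic_rest_server` node runs with `extraFlags = [ "--no-auth" ]` over plain HTTP, so the test only shows that the hardened unit starts and serves an unauthenticated repository. A variant with htpasswd authentication would cover the configuration a real deployment should use, and would presumably also confirm that the added sandboxing still lets the service read its credentials file. The comment `# test that we can create four snapshots in remotebackup and rclonebackup` names a backup this file does not define and should read `# test that we can create four snapshots in remotebackup`.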