From 38a89b05a3acbdaa3e02ed82498cc687bfc1d941 Mon Sep 17 00:00:00 2001
From: oddlama
Date: Sat, 20 Jan 2024 03:23:37 +0100
Subject: [PATCH] fix: restic backups should run as root

---
 hosts/sire/guests/paperless.nix | 1 -
 hosts/sire/guests/samba.nix | 1 -
 hosts/ward/guests/radicale.nix | 1 -
 hosts/ward/guests/vaultwarden.nix | 1 -
 modules/backups.nix | 14 +++++++-------
 5 files changed, 7 insertions(+), 11 deletions(-)

diff --git a/hosts/sire/guests/paperless.nix b/hosts/sire/guests/paperless.nix
index d399398..9836600 100644
--- a/hosts/sire/guests/paperless.nix
+++ b/hosts/sire/guests/paperless.nix
@@ -116,7 +116,6 @@ in {
 backups.storageBoxes.dusk = {
 subuser = "paperless";
- user = "paperless";
 paths = [paperlessBackupDir];
 };
 }
diff --git a/hosts/sire/guests/samba.nix b/hosts/sire/guests/samba.nix
index 9a618e3..20441cc 100644
--- a/hosts/sire/guests/samba.nix
+++ b/hosts/sire/guests/samba.nix
@@ -349,7 +349,6 @@ in {
 backups.storageBoxes.dusk = {
 subuser = "samba";
- user = "root";
 paths = ["/bunker"];
 };
 }
diff --git a/hosts/ward/guests/radicale.nix b/hosts/ward/guests/radicale.nix
index 889e998..8e4afa9 100644
--- a/hosts/ward/guests/radicale.nix
+++ b/hosts/ward/guests/radicale.nix
@@ -85,7 +85,6 @@ in {
 backups.storageBoxes.dusk = {
 subuser = "radicale";
- user = "radicale";
 paths = ["/var/lib/radicale"];
 };
 }
diff --git a/hosts/ward/guests/vaultwarden.nix b/hosts/ward/guests/vaultwarden.nix
index bfefd13..e14021f 100644
--- a/hosts/ward/guests/vaultwarden.nix
+++ b/hosts/ward/guests/vaultwarden.nix
@@ -86,7 +86,6 @@ in {
 backups.storageBoxes.dusk = {
 subuser = "vaultwarden";
- user = "vaultwarden";
 paths = [config.services.vaultwarden.backupDir];
 };
 }
diff --git a/modules/backups.nix b/modules/backups.nix
index 3d8d7ef..9aed2f5 100644
--- a/modules/backups.nix
+++ b/modules/backups.nix
@@ -29,11 +29,6 @@ in {
 type = types.str;
 };
- user = mkOption {
- description = "The user as which restic should run.";
- type = types.str;
- };
-
 paths = mkOption {
 description = "The paths to backup.";
 type = types.listOf types.path;
@@ -58,8 +53,13 @@ in {
 sshAgeSecret = "restic-ssh-privkey";
 };
- # We need to backup stuff from other users, so run as root.
- inherit (boxCfg) user paths;
+ # A) We need to backup stuff from other users, so run as root.
+ # B) We also need to be root because the ssh key will only
+ be accessible to root so whatever service is running cannot
+ just access our backup server.
+ user = "root";
+
+ inherit (boxCfg) paths;
 timerConfig = {
 OnCalendar = "06:15";
 RandomizedDelaySec = "3h";
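Review bot: The rationale in comment B) depends on the restic ssh private key being readable only by root, but nothing in this hunk establishes that — only `sshAgeSecret = "restic-ssh-privkey";` is visible as context, and the secret's owner and mode are set somewhere outside the hunk. Suggest pointing at that location in the comment so a later change to the secret's permissions does not quietly undo the isolation this commit relies on, e.g. `#    (this holds only while the secret declared as restic-ssh-privkey stays owned by root with a root-only mode)`. Separately, the continuation lines of comment B) appear here without a leading `#` (`+ be accessible to root ...`, `+ just access our backup server.`); if that is not an artefact of how the patch was rendered, the module will not evaluate, and they should read `#    be accessible to root so whatever service is running cannot` and `#    just access our backup server.`. Since the `user` option is removed outright in the previous hunk, any host still setting `backups.storageBoxes.<name>.user` gets a generic undefined-option error; `lib.mkRemovedOptionModule` in the submodule's `imports` would give a clearer message, though for a single-maintainer config this is optional. The enclosing attribute set starts and ends outside the hunk.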