rsync-net: temporarily use only RestrictNetworkInterfaces option and disable the internal sane-vpn logic

this is temporary, until i can fix sane-vpn to preserve linux capabilities
2024-08-02 22:10:44 +00:00
parent dae8481176
commit 1c26674da7
2 changed files with 13 additions and 4 deletions


@@ -26,9 +26,9 @@ for dir in "$@"; do
echo "syncing '$dir' to '$remote_dir'"
echo "$now" > "$dir"/zzz-rsync-net/last-attempted
# N.B.: manual flags instead of `-a -> -rlptgoD` because device files have a max path length which is too restricted
# if SANEBOX_PREPEND="--sanebox-disable" \
if SANEBOX_PREPEND="--sanebox-cap dac_read_search --sanebox-path $RN_ID" \
sane-vpn do unmetered -- \
# TODO: add `sane-vpn do unmetered --`, after fixing pasta/sane-vpn to preserve capabilities + not create a new user namespace unconditionally.
# until then, don't run over cellular!
if SANEBOX_PREPEND="--sanebox-method landlock --sanebox-cap dac_read_search --sanebox-path $RN_ID" \
rsync --exclude="$RN_ID" -e "ssh -i $RN_ID" --mkpath -rlptgov --delete "$dir" "$remote_dir"; \
then
echo "$now" > "$dir"/zzz-rsync-net/last-completed
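Review bot: The new comment `# until then, don't run over cellular!` is the only guard left in this script once `sane-vpn do unmetered --` is dropped; nothing in the hunk checks which interface rsync will use. Per the commit title the restriction now comes from RestrictNetworkInterfaces, presumably set in the other changed file, so a manual run of the script outside that unit would not be confined. I would say so next to the TODO, e.g. `# egress is limited only by the service's RestrictNetworkInterfaces=; running this script by hand is NOT restricted`. Separately, `$RN_ID` is expanded unescaped inside `SANEBOX_PREPEND` and `-e "ssh -i $RN_ID"`, so a key path containing whitespace would presumably be split into extra arguments. The enclosing `for dir in "$@"` loop starts and ends outside the hunk.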