From a0371d476115a8fab54186664c9cca3d19e9537f Mon Sep 17 00:00:00 2001
From: Markus Kowalewski
Date: Tue, 6 Nov 2018 21:59:29 +0100
Subject: [PATCH] nixos/postgresqlBackup: set to umask to 0077

* Ensure that the backup file is only readable by the owner
* Add file permission test to tests
---
 nixos/modules/services/backup/postgresql-backup.nix | 2 ++
 nixos/tests/postgresql.nix | 1 +
 2 files changed, 3 insertions(+)

diff --git a/nixos/modules/services/backup/postgresql-backup.nix b/nixos/modules/services/backup/postgresql-backup.nix
index 2ec78ce6f2cfa2..f9f9568faa5c4f 100644
--- a/nixos/modules/services/backup/postgresql-backup.nix
+++ b/nixos/modules/services/backup/postgresql-backup.nix
@@ -20,6 +20,8 @@ let
 '';
 script = ''
+ umask 0077 # ensure backup is only readable by postgres user
+
 if [ -e ${cfg.location}/${db}.sql.gz ]; then
 ${pkgs.coreutils}/bin/mv ${cfg.location}/${db}.sql.gz ${cfg.location}/${db}.prev.sql.gz
 fi
diff --git a/nixos/tests/postgresql.nix b/nixos/tests/postgresql.nix
index f1f09277f342a5..d2ea0aa899f8b2 100644
--- a/nixos/tests/postgresql.nix
+++ b/nixos/tests/postgresql.nix
@@ -53,6 +53,7 @@ let
 # Check backup service
 $machine->succeed("systemctl start postgresqlBackup-postgres.service");
 $machine->succeed("zcat /var/backup/postgresql/postgres.sql.gz | grep 'ok'");
+ $machine->succeed("stat -c '%a' /var/backup/postgresql/postgres.sql.gz | grep 600");
 $machine->shutdown;
 '';
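Review bot: The `umask 0077` added at the top of `script` only governs files the script creates afterwards; the `mv` two lines below renames an already existing `${db}.sql.gz` to `${db}.prev.sql.gz` and that file keeps whatever mode it was created with, so a dump written before this change (or by any other process) stays readable at its old permissions for one more rotation cycle. Adding `${pkgs.coreutils}/bin/chmod 0600 ${cfg.location}/${db}.prev.sql.gz` inside the `if` block right after the `mv` closes that gap without touching the new dump path. The inline comment presumes the unit runs as the postgres user, which is not visible in this hunk; the remainder of `script` (the dump itself) and the enclosing attribute set lie outside the hunk.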
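Review bot: `grep 600` on the `stat -c '%a'` output in the new test line is a substring match, so it would also accept a mode such as `4600`; anchoring it with `grep -x 600` makes the assertion exact at no cost. The test also starts the backup unit only once, so the rotation branch that produces `postgres.prev.sql.gz` via `mv` is never exercised; a second `systemctl start postgresqlBackup-postgres.service` followed by the same `stat` check on `/var/backup/postgresql/postgres.prev.sql.gz` would cover the file the umask change does not protect on its own. The surrounding Perl test script string begins outside the hunk.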