borgmatic/sample/systemd/borgmatic.service

[Unit]
Description=borgmatic backup
Wants=network-online.target
After=network-online.target
# Prevent borgmatic from running unless the machine is plugged into power. Remove this line if you
# want to allow borgmatic to run anytime.
ConditionACPower=true

[Service]
Type=oneshot

# Security settings for systemd running as root, optional but recommended to improve security. You
# can disable individual settings if they cause problems for your use case. For more details, see
# the systemd manual: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
LockPersonality=true
# Certain borgmatic features like Healthchecks integration need MemoryDenyWriteExecute to be off.
# But you can try setting it to "yes" for improved security if you don't use those features.
MemoryDenyWriteExecute=no
NoNewPrivileges=yes
PrivateDevices=yes
PrivateTmp=yes
ProtectClock=yes
ProtectControlGroups=yes
ProtectHostname=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
SystemCallArchitectures=native
SystemCallFilter=@system-service
SystemCallErrorNumber=EPERM
# To restrict write access further, change "ProtectSystem" to "strict" and
# uncomment "ReadWritePaths", "TemporaryFileSystem", "BindPaths" and
# "BindReadOnlyPaths". Then add any local repository paths to the list of
# "ReadWritePaths". This leaves most of the filesystem read-only to borgmatic.
ProtectSystem=full
# ReadWritePaths=-/mnt/my_backup_drive
# This will mount a tmpfs on top of /root and pass through needed paths
# TemporaryFileSystem=/root:ro
# BindPaths=-/root/.cache/borg -/root/.config/borg -/root/.borgmatic
# BindReadOnlyPaths=-/root/.ssh

# May interfere with running external programs within borgmatic hooks.
CapabilityBoundingSet=CAP_DAC_READ_SEARCH CAP_NET_RAW

# Lower CPU and I/O priority.
Nice=19
CPUSchedulingPolicy=batch
IOSchedulingClass=best-effort
IOSchedulingPriority=7
IOWeight=100

Restart=no
# Prevent rate limiting of borgmatic log events. If you are using an older version of systemd that
# doesn't support this (pre-240 or so), you may have to remove this option.
LogRateLimitIntervalSec=0

# Delay start to prevent backups running during boot. Note that systemd-inhibit requires dbus and
# dbus-user-session to be installed.
ExecStartPre=sleep 1m
ExecStart=systemd-inhibit --who="borgmatic" --what="sleep:shutdown" --why="Prevent interrupting scheduled backup" /root/.local/bin/borgmatic --verbosity -2 --syslog-verbosity 1
Sample files for triggering borgmatic from a systemd timer. 2016-07-04 18:19:34 +02:00			`[Unit]`
			`Description=borgmatic backup`
More robust sample systemd service: boot delay, network dependency, lowered CPU/IO priority, etc (#205). 2019-09-24 19:16:30 +02:00			`Wants=network-online.target`
			`After=network-online.target`
Document use case of running backups conditionally based on laptop power level (#419). 2021-06-09 19:03:35 +02:00			`# Prevent borgmatic from running unless the machine is plugged into power. Remove this line if you`
			`# want to allow borgmatic to run anytime.`
Add AC power condition for systemd service (#205). 2019-09-24 19:43:30 +02:00			`ConditionACPower=true`
Sample files for triggering borgmatic from a systemd timer. 2016-07-04 18:19:34 +02:00
			`[Service]`
			`Type=oneshot`
More robust sample systemd service: boot delay, network dependency, lowered CPU/IO priority, etc (#205). 2019-09-24 19:16:30 +02:00
Clarify in systemd service file comment that security settings are optional. 2020-12-09 19:08:07 +01:00			`# Security settings for systemd running as root, optional but recommended to improve security. You`
			`# can disable individual settings if they cause problems for your use case. For more details, see`
			`# the systemd manual: https://www.freedesktop.org/software/systemd/man/systemd.exec.html`
systemd security settings 2020-08-22 15:41:25 +02:00			`LockPersonality=true`
Add comment about MemoryDenyWriteExecute value and the tradeoffs thereof. 2020-08-23 23:11:19 +02:00			`# Certain borgmatic features like Healthchecks integration need MemoryDenyWriteExecute to be off.`
			`# But you can try setting it to "yes" for improved security if you don't use those features.`
Loosen systemd memory security setting to allow Healthchecks ping. 2020-08-22 22:37:34 +02:00			`MemoryDenyWriteExecute=no`
systemd security settings 2020-08-22 15:41:25 +02:00			`NoNewPrivileges=yes`
			`PrivateDevices=yes`
			`PrivateTmp=yes`
			`ProtectClock=yes`
			`ProtectControlGroups=yes`
			`ProtectHostname=yes`
			`ProtectKernelLogs=yes`
			`ProtectKernelModules=yes`
			`ProtectKernelTunables=yes`
			`RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK`
			`RestrictNamespaces=yes`
			`RestrictRealtime=yes`
			`RestrictSUIDSGID=yes`
			`SystemCallArchitectures=native`
			`SystemCallFilter=@system-service`
Update systemd service example to return a permission error when a system call isn't permitted. 2020-12-01 07:14:28 +01:00			`SystemCallErrorNumber=EPERM`
Update systemd .service example First, ProtectSystem=strict will make the entire file system hierarchy (except /dev, /proc/ and /sys) read-only, so separate ReadOnlyPaths= is not necessary. Second, ProtectHome=tmpfs will not just mount an empty tmpfs on /root, but also on /home and /run/user. As it's likely quite common to want to backup /home, this seems like a footgun. Finally, it's quite likely that borgbackup will want access to root's SSH keys in order to connect to remote backup servers. Note that all these options are commented out by default, so this is more of a documentation change than any real change in functionality. 2023-10-15 11:30:11 +02:00			`# To restrict write access further, change "ProtectSystem" to "strict" and`
			`# uncomment "ReadWritePaths", "TemporaryFileSystem", "BindPaths" and`
			`# "BindReadOnlyPaths". Then add any local repository paths to the list of`
			`# "ReadWritePaths". This leaves most of the filesystem read-only to borgmatic.`
systemd security settings 2020-08-22 15:41:25 +02:00			`ProtectSystem=full`
Added more strict ProtectHome to systemd unit This commit changes the comment in sample systemd service. Using a combination of 'ProtectHome' and 'BindPaths' it's possible to hide the irrelevant paths inside /root from borgmatic service when it is run. ReadWritePaths are suggested to be used only for paths that contain borg repositories and the backup sources can be specified as ReadOnlyPaths. 2021-08-30 20:20:34 +02:00			`# ReadWritePaths=-/mnt/my_backup_drive`
			`# This will mount a tmpfs on top of /root and pass through needed paths`
Update systemd .service example First, ProtectSystem=strict will make the entire file system hierarchy (except /dev, /proc/ and /sys) read-only, so separate ReadOnlyPaths= is not necessary. Second, ProtectHome=tmpfs will not just mount an empty tmpfs on /root, but also on /home and /run/user. As it's likely quite common to want to backup /home, this seems like a footgun. Finally, it's quite likely that borgbackup will want access to root's SSH keys in order to connect to remote backup servers. Note that all these options are commented out by default, so this is more of a documentation change than any real change in functionality. 2023-10-15 11:30:11 +02:00			`# TemporaryFileSystem=/root:ro`
Fix duplicate bind path in sample systemd service. 2022-08-28 23:49:23 +02:00			`# BindPaths=-/root/.cache/borg -/root/.config/borg -/root/.borgmatic`
Update systemd .service example First, ProtectSystem=strict will make the entire file system hierarchy (except /dev, /proc/ and /sys) read-only, so separate ReadOnlyPaths= is not necessary. Second, ProtectHome=tmpfs will not just mount an empty tmpfs on /root, but also on /home and /run/user. As it's likely quite common to want to backup /home, this seems like a footgun. Finally, it's quite likely that borgbackup will want access to root's SSH keys in order to connect to remote backup servers. Note that all these options are commented out by default, so this is more of a documentation change than any real change in functionality. 2023-10-15 11:30:11 +02:00			`# BindReadOnlyPaths=-/root/.ssh`
systemd security settings 2020-08-22 15:41:25 +02:00
Add comment about systemd service setting that may interfere with external commands in hooks (#492). 2022-01-25 18:26:11 +01:00			`# May interfere with running external programs within borgmatic hooks.`
systemd security settings 2020-08-22 15:41:25 +02:00			`CapabilityBoundingSet=CAP_DAC_READ_SEARCH CAP_NET_RAW`

More robust sample systemd service: boot delay, network dependency, lowered CPU/IO priority, etc (#205). 2019-09-24 19:16:30 +02:00			`# Lower CPU and I/O priority.`
			`Nice=19`
			`CPUSchedulingPolicy=batch`
			`IOSchedulingClass=best-effort`
			`IOSchedulingPriority=7`
			`IOWeight=100`

			`Restart=no`
Add comment about old versions of systemd and option compatibility (#275). 2020-01-02 19:05:32 +01:00			`# Prevent rate limiting of borgmatic log events. If you are using an older version of systemd that`
			`# doesn't support this (pre-240 or so), you may have to remove this option.`
Add docs/default about systemd journald rate limiting. 2019-06-12 02:03:40 +02:00			`LogRateLimitIntervalSec=0`
More robust sample systemd service: boot delay, network dependency, lowered CPU/IO priority, etc (#205). 2019-09-24 19:16:30 +02:00
Add note about indirect dbus dependency. 2020-05-22 04:56:32 +02:00			`# Delay start to prevent backups running during boot. Note that systemd-inhibit requires dbus and`
			`# dbus-user-session to be installed.`
Revert "Use absolute paths in systemd commands." This reverts commit 24e1516ec50b73df7612862f95f4bff956268445. 2020-01-22 01:03:24 +01:00			`ExecStartPre=sleep 1m`
add verbosity level -2 Signed-off-by: Soumik Dutta <shalearkane@gmail.com> 2023-05-01 00:01:45 +02:00			`ExecStart=systemd-inhibit --who="borgmatic" --what="sleep:shutdown" --why="Prevent interrupting scheduled backup" /root/.local/bin/borgmatic --verbosity -2 --syslog-verbosity 1`