2f3c0bec5b
First, ProtectSystem=strict will make the entire file system hierarchy (except /dev, /proc/ and /sys) read-only, so separate ReadOnlyPaths= is not necessary. Second, ProtectHome=tmpfs will not just mount an empty tmpfs on /root, but also on /home and /run/user. As it's likely quite common to want to backup /home, this seems like a footgun. Finally, it's quite likely that borgbackup will want access to root's SSH keys in order to connect to remote backup servers. Note that all these options are commented out by default, so this is more of a documentation change than any real change in functionality.
64 lines
2.5 KiB
Desktop File
64 lines
2.5 KiB
Desktop File
[Unit]
|
|
Description=borgmatic backup
|
|
Wants=network-online.target
|
|
After=network-online.target
|
|
# Prevent borgmatic from running unless the machine is plugged into power. Remove this line if you
|
|
# want to allow borgmatic to run anytime.
|
|
ConditionACPower=true
|
|
|
|
[Service]
|
|
Type=oneshot
|
|
|
|
# Security settings for systemd running as root, optional but recommended to improve security. You
|
|
# can disable individual settings if they cause problems for your use case. For more details, see
|
|
# the systemd manual: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
|
|
LockPersonality=true
|
|
# Certain borgmatic features like Healthchecks integration need MemoryDenyWriteExecute to be off.
|
|
# But you can try setting it to "yes" for improved security if you don't use those features.
|
|
MemoryDenyWriteExecute=no
|
|
NoNewPrivileges=yes
|
|
PrivateDevices=yes
|
|
PrivateTmp=yes
|
|
ProtectClock=yes
|
|
ProtectControlGroups=yes
|
|
ProtectHostname=yes
|
|
ProtectKernelLogs=yes
|
|
ProtectKernelModules=yes
|
|
ProtectKernelTunables=yes
|
|
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
|
|
RestrictNamespaces=yes
|
|
RestrictRealtime=yes
|
|
RestrictSUIDSGID=yes
|
|
SystemCallArchitectures=native
|
|
SystemCallFilter=@system-service
|
|
SystemCallErrorNumber=EPERM
|
|
# To restrict write access further, change "ProtectSystem" to "strict" and
|
|
# uncomment "ReadWritePaths", "TemporaryFileSystem", "BindPaths" and
|
|
# "BindReadOnlyPaths". Then add any local repository paths to the list of
|
|
# "ReadWritePaths". This leaves most of the filesystem read-only to borgmatic.
|
|
ProtectSystem=full
|
|
# ReadWritePaths=-/mnt/my_backup_drive
|
|
# This will mount a tmpfs on top of /root and pass through needed paths
|
|
# TemporaryFileSystem=/root:ro
|
|
# BindPaths=-/root/.cache/borg -/root/.config/borg -/root/.borgmatic
|
|
# BindReadOnlyPaths=-/root/.ssh
|
|
|
|
# May interfere with running external programs within borgmatic hooks.
|
|
CapabilityBoundingSet=CAP_DAC_READ_SEARCH CAP_NET_RAW
|
|
|
|
# Lower CPU and I/O priority.
|
|
Nice=19
|
|
CPUSchedulingPolicy=batch
|
|
IOSchedulingClass=best-effort
|
|
IOSchedulingPriority=7
|
|
IOWeight=100
|
|
|
|
Restart=no
|
|
# Prevent rate limiting of borgmatic log events. If you are using an older version of systemd that
|
|
# doesn't support this (pre-240 or so), you may have to remove this option.
|
|
LogRateLimitIntervalSec=0
|
|
|
|
# Delay start to prevent backups running during boot. Note that systemd-inhibit requires dbus and
|
|
# dbus-user-session to be installed.
|
|
ExecStartPre=sleep 1m
|
|
ExecStart=systemd-inhibit --who="borgmatic" --what="sleep:shutdown" --why="Prevent interrupting scheduled backup" /root/.local/bin/borgmatic --verbosity -2 --syslog-verbosity 1
|