authorRyan Kavanagh <rak@rak.ac>2024-06-14 09:57:42 -0400
committerRyan Kavanagh <rak@rak.ac>2024-06-14 09:57:42 -0400
commit5e40b0f5e3bcfd6116f00b390c6d3ab990a6397c (patch)
tree5129f55cc1a7c3793c30af9ff9be1e5759ce31bd
parentfixup! f4867e876184651a09c02676d229d98e66261437 (diff)
Update borgmatic@.service to match upstream
-rw-r--r--dot_config/systemd/user/borgmatic@.service24
1 files changed, 15 insertions, 9 deletions
diff --git a/dot_config/systemd/user/borgmatic@.service b/dot_config/systemd/user/borgmatic@.service
index 5f553cf..a4ad31e 100644
--- a/dot_config/systemd/user/borgmatic@.service
+++ b/dot_config/systemd/user/borgmatic@.service
@@ -19,8 +19,14 @@ LockPersonality=true
# But you can try setting it to "yes" for improved security if you don't use those features.
MemoryDenyWriteExecute=no
NoNewPrivileges=yes
+PrivateDevices=yes
+PrivateTmp=yes
+ProtectClock=yes
ProtectControlGroups=yes
ProtectHostname=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
RestrictNamespaces=yes
RestrictRealtime=yes
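Review bot: The six added hardening directives (PrivateDevices= through ProtectKernelTunables=) come from upstream's system-scope unit, but this file is installed under systemd/user, where systemd documents these options as available only by implicitly enabling PrivateUsers= and only on kernels that permit unprivileged user namespaces, so on a host without that the unit is likely to fail to start rather than degrade gracefully. PrivateUsers= also makes files not owned by the invoking user appear as nobody/nogroup inside the sandbox, which would presumably change the ownership borg records for any such paths in the backup sources — worth confirming against a test run. The same system-versus-user mismatch applies to the now-uncommented `CapabilityBoundingSet=` and the `/root` path comments in the second hunk. I would add above `PrivateDevices=yes` a note such as `# NOTE: user-manager unit — the sandboxing below implies PrivateUsers= and requires unprivileged user namespaces; check systemctl --user status after updating.`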
@@ -28,19 +34,19 @@ RestrictSUIDSGID=yes
SystemCallArchitectures=native
SystemCallFilter=@system-service
SystemCallErrorNumber=EPERM
-# To restrict write access further, change "ProtectSystem" to "strict" and uncomment
-# "ReadWritePaths", "ReadOnlyPaths", "ProtectHome", and "BindPaths". Then add any local repository
-# paths to the list of "ReadWritePaths" and local backup source paths to "ReadOnlyPaths". This
-# leaves most of the filesystem read-only to borgmatic.
+# To restrict write access further, change "ProtectSystem" to "strict" and
+# uncomment "ReadWritePaths", "TemporaryFileSystem", "BindPaths" and
+# "BindReadOnlyPaths". Then add any local repository paths to the list of
+# "ReadWritePaths". This leaves most of the filesystem read-only to borgmatic.
ProtectSystem=full
# ReadWritePaths=-/mnt/my_backup_drive
-# ReadOnlyPaths=-/var/lib/my_backup_source
# This will mount a tmpfs on top of /root and pass through needed paths
-# ProtectHome=tmpfs
+# TemporaryFileSystem=/root:ro
# BindPaths=-/root/.cache/borg -/root/.config/borg -/root/.borgmatic
+# BindReadOnlyPaths=-/root/.ssh
# May interfere with running external programs within borgmatic hooks.
-#CapabilityBoundingSet=CAP_DAC_READ_SEARCH CAP_NET_RAW
+CapabilityBoundingSet=CAP_DAC_READ_SEARCH CAP_NET_RAW
# Lower CPU and I/O priority.
Nice=19
@@ -56,5 +62,5 @@ LogRateLimitIntervalSec=0
# Delay start to prevent backups running during boot. Note that systemd-inhibit requires dbus and
# dbus-user-session to be installed.
-#ExecStartPre=sleep 1m
-ExecStart=systemd-inhibit --who="borgmatic" --what="sleep:shutdown" --why="Prevent interrupting scheduled backup" /usr/bin/borgmatic --verbosity -1 --syslog-verbosity 1 -c ${HOME}/.config/borgmatic/%I.yaml
+ExecStartPre=sleep 1m
+ExecStart=systemd-inhibit --who="borgmatic" --what="sleep:shutdown" --why="Prevent interrupting scheduled backup" /usr/bin/borgmatic --verbosity -2 --syslog-verbosity 1 -c ${HOME}/.config/borgmatic/%I.yaml