author | Ryan Kavanagh <rak@rak.ac> | 2023-01-03 12:48:12 -0500 |
---|---|---|
committer | Ryan Kavanagh <rak@rak.ac> | 2023-01-03 12:48:12 -0500 |
commit | 69df7da2b150158b6b67fed8034ffdfdc2c6542c (patch) | |
tree | d7e151f9946d9a0dd735961a5ce9eba593fe7ac6 /dot_config/systemd | |
parent | gbp.conf (diff) |
backup services/timers
Diffstat (limited to 'dot_config/systemd')
-rw-r--r-- | dot_config/systemd/user/backup-email.service | 38 | ||||
-rw-r--r-- | dot_config/systemd/user/backup-email.timer | 10 | ||||
-rw-r--r-- | dot_config/systemd/user/backup-irclogs.service | 37 | ||||
-rw-r--r-- | dot_config/systemd/user/backup-irclogs.timer | 10 | ||||
-rw-r--r-- | dot_config/systemd/user/borgmatic@.service | 61 | ||||
-rw-r--r-- | dot_config/systemd/user/borgmatic@.timer | 10 |
6 files changed, 166 insertions, 0 deletions
diff --git a/dot_config/systemd/user/backup-email.service b/dot_config/systemd/user/backup-email.service
new file mode 100644
index 0000000..47260f1
--- /dev/null
+++ b/dot_config/systemd/user/backup-email.service
@@ -0,0 +1,38 @@
+[Unit]
+Description=backup dovecot
+Wants=network-online.target
+BindsTo=dovecot.service
+After=network-online.target
+ConditionFileNotEmpty=/media/t/Archives/email/rak.ac/backup.sh
+Before=borgmatic@tosh.service
+
+[Install]
+WantedBy=borgmatic@tosh.service
+
+[Service]
+Type=oneshot
+LockPersonality=true
+MemoryDenyWriteExecute=no
+NoNewPrivileges=yes
+PrivateTmp=yes
+ProtectControlGroups=yes
+ProtectHostname=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+SystemCallErrorNumber=EPERM
+ProtectSystem=full
+
+Nice=19
+CPUSchedulingPolicy=batch
+IOSchedulingClass=best-effort
+IOSchedulingPriority=7
+IOWeight=100
+
+Restart=no
+LogRateLimitIntervalSec=0
+
+ExecStart=/media/t/Archives/email/rak.ac/backup.sh
diff --git a/dot_config/systemd/user/backup-email.timer b/dot_config/systemd/user/backup-email.timer
new file mode 100644
index 0000000..bf49a60
--- /dev/null
+++ b/dot_config/systemd/user/backup-email.timer
@@ -0,0 +1,10 @@
+[Unit]
+Description=Backup email
+
+[Timer]
+OnCalendar=daily
+Persistent=true
+RandomizedDelaySec=3h
+
+[Install]
+WantedBy=timers.target
diff --git a/dot_config/systemd/user/backup-irclogs.service b/dot_config/systemd/user/backup-irclogs.service
new file mode 100644
index 0000000..424073a
--- /dev/null
+++ b/dot_config/systemd/user/backup-irclogs.service
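Review bot: `ExecStart=/media/t/Archives/email/rak.ac/backup.sh` in backup-email.service runs a script stored on the archive volume itself, and `ConditionFileNotEmpty=` only checks that the file exists and is non-empty, so whatever sits at that path when the timer fires runs as the user with network access. `ProtectSystem=full` does not cover `/media` or the home directory, so the sandbox does not bound what a modified script could touch. Consider keeping the script under `%h` with owner-only write permission and leaving only the data on `/media/t`; the same applies to backup-irclogs.service. Separately, `BindsTo=dovecot.service` has no matching `After=dovecot.service`, so start ordering against dovecot is not guaranteed.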
@@ -0,0 +1,37 @@
+[Unit]
+Description=backup IRC logs
+Wants=network-online.target
+After=network-online.target
+ConditionFileNotEmpty=/media/t/Archives/irc-logs/backup.sh
+Before=borgmatic@tosh.service
+
+[Install]
+WantedBy=borgmatic@tosh.service
+
+[Service]
+Type=oneshot
+LockPersonality=true
+MemoryDenyWriteExecute=no
+NoNewPrivileges=yes
+PrivateTmp=yes
+ProtectControlGroups=yes
+ProtectHostname=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+SystemCallErrorNumber=EPERM
+ProtectSystem=full
+
+Nice=19
+CPUSchedulingPolicy=batch
+IOSchedulingClass=best-effort
+IOSchedulingPriority=7
+IOWeight=100
+
+Restart=no
+LogRateLimitIntervalSec=0
+
+ExecStart=/media/t/Archives/irc-logs/backup.sh
diff --git a/dot_config/systemd/user/backup-irclogs.timer b/dot_config/systemd/user/backup-irclogs.timer
new file mode 100644
index 0000000..c074ecb
--- /dev/null
+++ b/dot_config/systemd/user/backup-irclogs.timer
@@ -0,0 +1,10 @@
+[Unit]
+Description=Backup irc logs
+
+[Timer]
+OnCalendar=weekly
+Persistent=true
+RandomizedDelaySec=1h
+
+[Install]
+WantedBy=timers.target
diff --git a/dot_config/systemd/user/borgmatic@.service b/dot_config/systemd/user/borgmatic@.service
new file mode 100644
index 0000000..0a2b3e7
--- /dev/null
+++ b/dot_config/systemd/user/borgmatic@.service
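Review bot: `OnCalendar=weekly` in backup-irclogs.timer is probably not the effective schedule, because backup-irclogs.service also declares `WantedBy=borgmatic@tosh.service` and borgmatic@.timer fires daily. If both install targets are enabled, the IRC log backup is pulled in on every borgmatic run as well as once a week. If weekly is the intent, drop the `[Install]` section from the service; if it should precede every borgmatic run, a comment on the timer such as `# also pulled in by borgmatic@tosh.service` would document that.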
@@ -0,0 +1,61 @@
+[Unit]
+Description=borgmatic backup
+Wants=network-online.target
+After=network-online.target
+# Prevent borgmatic from running unless the machine is plugged into power. Remove this line if you
+# want to allow borgmatic to run anytime.
+ConditionACPower=true
+ConditionFileNotEmpty=/home/rak/.config/borgmatic/%I.yaml
+Documentation=https://torsion.org/borgmatic/
+
+[Service]
+Type=oneshot
+
+# Security settings for systemd running as root, optional but recommended to improve security. You
+# can disable individual settings if they cause problems for your use case. For more details, see
+# the systemd manual: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
+LockPersonality=true
+# Certain borgmatic features like Healthchecks integration need MemoryDenyWriteExecute to be off.
+# But you can try setting it to "yes" for improved security if you don't use those features.
+MemoryDenyWriteExecute=no
+NoNewPrivileges=yes
+PrivateTmp=yes
+ProtectControlGroups=yes
+ProtectHostname=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+SystemCallErrorNumber=EPERM
+# To restrict write access further, change "ProtectSystem" to "strict" and uncomment
+# "ReadWritePaths", "ReadOnlyPaths", "ProtectHome", and "BindPaths". Then add any local repository
+# paths to the list of "ReadWritePaths" and local backup source paths to "ReadOnlyPaths". This
+# leaves most of the filesystem read-only to borgmatic.
+ProtectSystem=full
+# ReadWritePaths=-/mnt/my_backup_drive
+# ReadOnlyPaths=-/var/lib/my_backup_source
+# This will mount a tmpfs on top of /root and pass through needed paths
+# ProtectHome=tmpfs
+# BindPaths=-/root/.cache/borg -/root/.config/borg -/root/.borgmatic
+
+# May interfere with running external programs within borgmatic hooks.
+#CapabilityBoundingSet=CAP_DAC_READ_SEARCH CAP_NET_RAW
+
+# Lower CPU and I/O priority.
+Nice=19
+CPUSchedulingPolicy=batch
+IOSchedulingClass=best-effort
+IOSchedulingPriority=7
+IOWeight=100
+
+Restart=no
+# Prevent rate limiting of borgmatic log events. If you are using an older version of systemd that
+# doesn't support this (pre-240 or so), you may have to remove this option.
+LogRateLimitIntervalSec=0
+
+# Delay start to prevent backups running during boot. Note that systemd-inhibit requires dbus and
+# dbus-user-session to be installed.
+#ExecStartPre=sleep 1m
+ExecStart=systemd-inhibit --who="borgmatic" --what="sleep:shutdown" --why="Prevent interrupting scheduled backup" /usr/bin/borgmatic --verbosity -1 --syslog-verbosity 1 -c ${HOME}/.config/borgmatic/%I.yaml
diff --git a/dot_config/systemd/user/borgmatic@.timer b/dot_config/systemd/user/borgmatic@.timer
new file mode 100644
index 0000000..d51c9b2
--- /dev/null
+++ b/dot_config/systemd/user/borgmatic@.timer
@@ -0,0 +1,10 @@
+[Unit]
+Description=Run borgmatic backup
+
+[Timer]
+OnCalendar=daily
+Persistent=true
+RandomizedDelaySec=3h
+
+[Install]
+WantedBy=timers.target |
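Review bot: The config path in borgmatic@.service is spelled two ways, `ConditionFileNotEmpty=/home/rak/.config/borgmatic/%I.yaml` and `-c ${HOME}/.config/borgmatic/%I.yaml`, so the condition and the command can disagree if the unit is ever run with a different home. `%I` is the unescaped instance name, so an instance containing `-` expands to a path with `/` in it. Using `%h/.config/borgmatic/%i.yaml` in both places keeps them identical and confined to one directory, though `%i` changes the result for instance names that rely on unescaping. The hardening comments still describe a root system service (`/root` bind paths), while this is a user unit where the mount-namespace settings depend on unprivileged user namespaces. It is worth confirming what is actually applied with `systemd-analyze --user security borgmatic@tosh.service` and updating the comment.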