authorRyan Kavanagh <rak@rak.ac>2023-01-03 12:48:12 -0500
committerRyan Kavanagh <rak@rak.ac>2023-01-03 12:48:12 -0500
commit69df7da2b150158b6b67fed8034ffdfdc2c6542c (patch)
treed7e151f9946d9a0dd735961a5ce9eba593fe7ac6 /dot_config/systemd
parentgbp.conf (diff)
backup services/timers
Diffstat (limited to 'dot_config/systemd')
-rw-r--r--dot_config/systemd/user/backup-email.service38
-rw-r--r--dot_config/systemd/user/backup-email.timer10
-rw-r--r--dot_config/systemd/user/backup-irclogs.service37
-rw-r--r--dot_config/systemd/user/backup-irclogs.timer10
-rw-r--r--dot_config/systemd/user/borgmatic@.service61
-rw-r--r--dot_config/systemd/user/borgmatic@.timer10
6 files changed, 166 insertions, 0 deletions
diff --git a/dot_config/systemd/user/backup-email.service b/dot_config/systemd/user/backup-email.service
new file mode 100644
index 0000000..47260f1
--- /dev/null
+++ b/dot_config/systemd/user/backup-email.service
@@ -0,0 +1,38 @@
+[Unit]
+Description=backup dovecot
+Wants=network-online.target
+BindsTo=dovecot.service
+After=network-online.target
+ConditionFileNotEmpty=/media/t/Archives/email/rak.ac/backup.sh
+Before=borgmatic@tosh.service
+
+[Install]
+WantedBy=borgmatic@tosh.service
+
+[Service]
+Type=oneshot
+LockPersonality=true
+MemoryDenyWriteExecute=no
+NoNewPrivileges=yes
+PrivateTmp=yes
+ProtectControlGroups=yes
+ProtectHostname=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+SystemCallErrorNumber=EPERM
+ProtectSystem=full
+
+Nice=19
+CPUSchedulingPolicy=batch
+IOSchedulingClass=best-effort
+IOSchedulingPriority=7
+IOWeight=100
+
+Restart=no
+LogRateLimitIntervalSec=0
+
+ExecStart=/media/t/Archives/email/rak.ac/backup.sh
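Review bot: `ExecStart=/media/t/Archives/email/rak.ac/backup.sh` runs a script from what looks like a data mount, and `ConditionFileNotEmpty=` only checks that the file is non-empty, not who owns it or whether it changed, so anything able to write to that volume decides what runs as this user. The hardening block does little to contain it: `ProtectSystem=full` leaves the home directory and `/media` writable. Because these are user units, the namespace-based settings (`PrivateTmp=`, `ProtectSystem=`, `ProtectHostname=`) may not be applied at all, depending on the systemd version and on whether unprivileged user namespaces are available; where supported, `systemd-analyze --user security backup-email.service` shows what is in effect. Consider keeping the script in a user-owned directory off the archive volume and, if the sandbox does apply, `ProtectSystem=strict` with `ReadWritePaths=` limited to the archive directory; the same applies to `backup-irclogs.service`, and the sandbox caveat to `borgmatic@.service`. Separately, `BindsTo=dovecot.service` has no matching `After=dovecot.service`, and if dovecot runs as a system service it names a unit the user manager cannot see.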
diff --git a/dot_config/systemd/user/backup-email.timer b/dot_config/systemd/user/backup-email.timer
new file mode 100644
index 0000000..bf49a60
--- /dev/null
+++ b/dot_config/systemd/user/backup-email.timer
@@ -0,0 +1,10 @@
+[Unit]
+Description=Backup email
+
+[Timer]
+OnCalendar=daily
+Persistent=true
+RandomizedDelaySec=3h
+
+[Install]
+WantedBy=timers.target
diff --git a/dot_config/systemd/user/backup-irclogs.service b/dot_config/systemd/user/backup-irclogs.service
new file mode 100644
index 0000000..424073a
--- /dev/null
+++ b/dot_config/systemd/user/backup-irclogs.service
@@ -0,0 +1,37 @@
+[Unit]
+Description=backup IRC logs
+Wants=network-online.target
+After=network-online.target
+ConditionFileNotEmpty=/media/t/Archives/irc-logs/backup.sh
+Before=borgmatic@tosh.service
+
+[Install]
+WantedBy=borgmatic@tosh.service
+
+[Service]
+Type=oneshot
+LockPersonality=true
+MemoryDenyWriteExecute=no
+NoNewPrivileges=yes
+PrivateTmp=yes
+ProtectControlGroups=yes
+ProtectHostname=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+SystemCallErrorNumber=EPERM
+ProtectSystem=full
+
+Nice=19
+CPUSchedulingPolicy=batch
+IOSchedulingClass=best-effort
+IOSchedulingPriority=7
+IOWeight=100
+
+Restart=no
+LogRateLimitIntervalSec=0
+
+ExecStart=/media/t/Archives/irc-logs/backup.sh
diff --git a/dot_config/systemd/user/backup-irclogs.timer b/dot_config/systemd/user/backup-irclogs.timer
new file mode 100644
index 0000000..c074ecb
--- /dev/null
+++ b/dot_config/systemd/user/backup-irclogs.timer
@@ -0,0 +1,10 @@
+[Unit]
+Description=Backup irc logs
+
+[Timer]
+OnCalendar=weekly
+Persistent=true
+RandomizedDelaySec=1h
+
+[Install]
+WantedBy=timers.target
diff --git a/dot_config/systemd/user/borgmatic@.service b/dot_config/systemd/user/borgmatic@.service
new file mode 100644
index 0000000..0a2b3e7
--- /dev/null
+++ b/dot_config/systemd/user/borgmatic@.service
@@ -0,0 +1,61 @@
+[Unit]
+Description=borgmatic backup
+Wants=network-online.target
+After=network-online.target
+# Prevent borgmatic from running unless the machine is plugged into power. Remove this line if you
+# want to allow borgmatic to run anytime.
+ConditionACPower=true
+ConditionFileNotEmpty=/home/rak/.config/borgmatic/%I.yaml
+Documentation=https://torsion.org/borgmatic/
+
+[Service]
+Type=oneshot
+
+# Security settings for systemd running as root, optional but recommended to improve security. You
+# can disable individual settings if they cause problems for your use case. For more details, see
+# the systemd manual: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
+LockPersonality=true
+# Certain borgmatic features like Healthchecks integration need MemoryDenyWriteExecute to be off.
+# But you can try setting it to "yes" for improved security if you don't use those features.
+MemoryDenyWriteExecute=no
+NoNewPrivileges=yes
+PrivateTmp=yes
+ProtectControlGroups=yes
+ProtectHostname=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+SystemCallErrorNumber=EPERM
+# To restrict write access further, change "ProtectSystem" to "strict" and uncomment
+# "ReadWritePaths", "ReadOnlyPaths", "ProtectHome", and "BindPaths". Then add any local repository
+# paths to the list of "ReadWritePaths" and local backup source paths to "ReadOnlyPaths". This
+# leaves most of the filesystem read-only to borgmatic.
+ProtectSystem=full
+# ReadWritePaths=-/mnt/my_backup_drive
+# ReadOnlyPaths=-/var/lib/my_backup_source
+# This will mount a tmpfs on top of /root and pass through needed paths
+# ProtectHome=tmpfs
+# BindPaths=-/root/.cache/borg -/root/.config/borg -/root/.borgmatic
+
+# May interfere with running external programs within borgmatic hooks.
+#CapabilityBoundingSet=CAP_DAC_READ_SEARCH CAP_NET_RAW
+
+# Lower CPU and I/O priority.
+Nice=19
+CPUSchedulingPolicy=batch
+IOSchedulingClass=best-effort
+IOSchedulingPriority=7
+IOWeight=100
+
+Restart=no
+# Prevent rate limiting of borgmatic log events. If you are using an older version of systemd that
+# doesn't support this (pre-240 or so), you may have to remove this option.
+LogRateLimitIntervalSec=0
+
+# Delay start to prevent backups running during boot. Note that systemd-inhibit requires dbus and
+# dbus-user-session to be installed.
+#ExecStartPre=sleep 1m
+ExecStart=systemd-inhibit --who="borgmatic" --what="sleep:shutdown" --why="Prevent interrupting scheduled backup" /usr/bin/borgmatic --verbosity -1 --syslog-verbosity 1 -c ${HOME}/.config/borgmatic/%I.yaml
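Review bot: `ConditionFileNotEmpty=/home/rak/.config/borgmatic/%I.yaml` hard-codes the home directory while `ExecStart=` uses `${HOME}`, so the condition and the command can point at different files if the home path ever differs. Using the `%h` specifier in both keeps them in step: `ConditionFileNotEmpty=%h/.config/borgmatic/%I.yaml` and `-c %h/.config/borgmatic/%I.yaml`. The comments appear to be carried over from the borgmatic sample unit and still describe a root-run system service ("Security settings for systemd running as root", the `/root/.cache/borg` bind paths), which is misleading under `user/`; they should say this is a per-user unit and give home-relative examples. Note also that `%I` unescapes the instance name, so a `-` in the instance becomes `/` in the config path, whereas `%i` keeps the name as written.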
diff --git a/dot_config/systemd/user/borgmatic@.timer b/dot_config/systemd/user/borgmatic@.timer
new file mode 100644
index 0000000..d51c9b2
--- /dev/null
+++ b/dot_config/systemd/user/borgmatic@.timer
@@ -0,0 +1,10 @@
+[Unit]
+Description=Run borgmatic backup
+
+[Timer]
+OnCalendar=daily
+Persistent=true
+RandomizedDelaySec=3h
+
+[Install]
+WantedBy=timers.target