diff options
Diffstat (limited to '')
-rw-r--r-- | dot_config/systemd/user/tmpreaper@.service | 38 |
1 files changed, 38 insertions, 0 deletions
diff --git a/dot_config/systemd/user/tmpreaper@.service b/dot_config/systemd/user/tmpreaper@.service new file mode 100644 index 0000000..200dd69 --- /dev/null +++ b/dot_config/systemd/user/tmpreaper@.service @@ -0,0 +1,38 @@ +[Unit] +Description=tmpreaper cleanup + +[Service] +Type=oneshot +LockPersonality=true +MemoryDenyWriteExecute=yes +NoNewPrivileges=yes +ProtectControlGroups=yes +ProtectHostname=yes +RestrictAddressFamilies= +RestrictNamespaces=yes +RestrictRealtime=yes +RestrictSUIDSGID=yes +SystemCallArchitectures=native +SystemCallFilter=@system-service +SystemCallErrorNumber=EPERM +# To restrict write access further, change "ProtectSystem" to "strict" and uncomment +# "ReadWritePaths", "ReadOnlyPaths", "ProtectHome", and "BindPaths". Then add any local repository +# paths to the list of "ReadWritePaths" and local backup source paths to "ReadOnlyPaths". This +# leaves most of the filesystem read-only to borgmatic. +ProtectSystem=strict +ReadWritePaths=%I + +# Lower CPU and I/O priority. +Nice=19 +CPUSchedulingPolicy=batch +IOSchedulingClass=best-effort +IOSchedulingPriority=7 +IOWeight=100 + +Restart=no +LogRateLimitIntervalSec=0 + +# Delay start to prevent backups running during boot. Note that systemd-inhibit requires dbus and +# dbus-user-session to be installed. +#ExecStartPre=sleep 1m +ExecStart=/usr/sbin/tmpreaper --test --mtime-dir 60d %I |