From 5e40b0f5e3bcfd6116f00b390c6d3ab990a6397c Mon Sep 17 00:00:00 2001
From: Ryan Kavanagh
Date: Fri, 14 Jun 2024 09:57:42 -0400
Subject: Update borgmatic@.service to match upstream
---
 dot_config/systemd/user/borgmatic@.service | 24 +++++++++++++++---------
 1 file changed, 15 insertions(+), 9 deletions(-)
(limited to 'dot_config')
diff --git a/dot_config/systemd/user/borgmatic@.service b/dot_config/systemd/user/borgmatic@.service
index 5f553cf..a4ad31e 100644
--- a/dot_config/systemd/user/borgmatic@.service
+++ b/dot_config/systemd/user/borgmatic@.service
@@ -19,8 +19,14 @@ LockPersonality=true
 # But you can try setting it to "yes" for improved security if you don't use those features.
 MemoryDenyWriteExecute=no
 NoNewPrivileges=yes
+PrivateDevices=yes
+PrivateTmp=yes
+ProtectClock=yes
 ProtectControlGroups=yes
 ProtectHostname=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
 RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
 RestrictNamespaces=yes
 RestrictRealtime=yes
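Review bot: The six directives added here (PrivateDevices=, PrivateTmp=, ProtectClock=, ProtectKernelLogs=, ProtectKernelModules=, ProtectKernelTunables=) are mount-namespace based, and this unit lives under dot_config/systemd/user, so it runs in a per-user service manager rather than as the system unit upstream appears to ship. As I recall the systemd.exec manual, in a per-user instance these options implicitly enable PrivateUsers= and need unprivileged user namespaces in the kernel; where that is disabled the unit should be expected to fail to start rather than run with a weaker sandbox, which is worth confirming with `systemctl --user status borgmatic@<name>` after deploying. The ProtectControlGroups=yes context line already carried the same dependency, so this is not a new risk, but the commit widens it without saying so. A short note above the block would save the next reader the lookup: `# Mount-namespace options: in a --user instance these imply PrivateUsers= and need unprivileged user namespaces.`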
@@ -28,19 +34,19 @@ RestrictSUIDSGID=yes
 SystemCallArchitectures=native
 SystemCallFilter=@system-service
 SystemCallErrorNumber=EPERM
-# To restrict write access further, change "ProtectSystem" to "strict" and uncomment
-# "ReadWritePaths", "ReadOnlyPaths", "ProtectHome", and "BindPaths". Then add any local repository
-# paths to the list of "ReadWritePaths" and local backup source paths to "ReadOnlyPaths". This
-# leaves most of the filesystem read-only to borgmatic.
+# To restrict write access further, change "ProtectSystem" to "strict" and
+# uncomment "ReadWritePaths", "TemporaryFileSystem", "BindPaths" and
+# "BindReadOnlyPaths". Then add any local repository paths to the list of
+# "ReadWritePaths". This leaves most of the filesystem read-only to borgmatic.
 ProtectSystem=full
 # ReadWritePaths=-/mnt/my_backup_drive
-# ReadOnlyPaths=-/var/lib/my_backup_source
 # This will mount a tmpfs on top of /root and pass through needed paths
-# ProtectHome=tmpfs
+# TemporaryFileSystem=/root:ro
 # BindPaths=-/root/.cache/borg -/root/.config/borg -/root/.borgmatic
+# BindReadOnlyPaths=-/root/.ssh
 # May interfere with running external programs within borgmatic hooks.
-#CapabilityBoundingSet=CAP_DAC_READ_SEARCH CAP_NET_RAW
+CapabilityBoundingSet=CAP_DAC_READ_SEARCH CAP_NET_RAW
 # Lower CPU and I/O priority.
 Nice=19
@@ -56,5 +62,5 @@ LogRateLimitIntervalSec=0
 # Delay start to prevent backups running during boot. Note that systemd-inhibit requires dbus and
 # dbus-user-session to be installed.
-#ExecStartPre=sleep 1m
-ExecStart=systemd-inhibit --who="borgmatic" --what="sleep:shutdown" --why="Prevent interrupting scheduled backup" /usr/bin/borgmatic --verbosity -1 --syslog-verbosity 1 -c ${HOME}/.config/borgmatic/%I.yaml
+ExecStartPre=sleep 1m
+ExecStart=systemd-inhibit --who="borgmatic" --what="sleep:shutdown" --why="Prevent interrupting scheduled backup" /usr/bin/borgmatic --verbosity -2 --syslog-verbosity 1 -c ${HOME}/.config/borgmatic/%I.yaml
-- cgit v1.2.3
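Review bot: The commented-out template lines this hunk adds hardcode /root (`# TemporaryFileSystem=/root:ro`, `# BindReadOnlyPaths=-/root/.ssh`, alongside the `# BindPaths=-/root/...` context line), yet ExecStart in this same file locates the config via ${HOME} and the unit is installed as a user unit, so anyone following the new comment's instructions to uncomment them would sandbox the wrong home directory. The home specifier keeps the template consistent with the rest of the file: `# TemporaryFileSystem=%h:ro`, `# BindPaths=-%h/.cache/borg -%h/.config/borg -%h/.borgmatic`, `# BindReadOnlyPaths=-%h/.ssh`, with the comment above them saying "on top of the home directory" instead of "/root". One caveat deserves a sentence there as well: with ~/.ssh bound read-only, ssh presumably cannot append to known_hosts, so a first connection to a new repository host would need the host key pre-populated — confirm against how the repository's SSH access is set up before relying on it. The now-active `CapabilityBoundingSet=` line keeps its "May interfere with ... hooks" comment, which no longer tells the reader what to do when it does; `# Hooks that need other capabilities will fail under this bounding set; widen it or comment it out if so.` is more actionable.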
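Review bot: ExecStart keeps borgmatic as an absolute path (`/usr/bin/borgmatic`) while the newly enabled `ExecStartPre=sleep 1m` and the existing `systemd-inhibit` are bare names, which, as I recall, only resolve on systemd 239 and later through a fixed compiled-in search path for Exec*= commands; older managers reject the unit, and even where it works the mix within one file is a style nit — `ExecStartPre=/usr/bin/sleep 1m` matches the borgmatic line. The one-minute delay also runs before systemd-inhibit takes the sleep:shutdown lock, so a shutdown during that minute is not held back; that looks intentional but deserves a word in the comment above, e.g. `# The delay runs outside the inhibitor lock, so a shutdown during it is not blocked.`. The verbosity change from -1 to -2 has no comment; if -2 disables console output as borgmatic's --help describes, say so next to the line, since the journal would then presumably carry only what --syslog-verbosity 1 emits.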