[Unit] Description=borgmatic backup Wants=network-online.target After=network-online.target # Prevent borgmatic from running unless the machine is plugged into power. Remove this line if you # want to allow borgmatic to run anytime. ConditionACPower=true ConditionFileNotEmpty=/home/rak/.config/borgmatic/%I.yaml Documentation=https://torsion.org/borgmatic/ [Service] Type=oneshot # Security settings for systemd running as root, optional but recommended to improve security. You # can disable individual settings if they cause problems for your use case. For more details, see # the systemd manual: https://www.freedesktop.org/software/systemd/man/systemd.exec.html LockPersonality=true # Certain borgmatic features like Healthchecks integration need MemoryDenyWriteExecute to be off. # But you can try setting it to "yes" for improved security if you don't use those features. MemoryDenyWriteExecute=no NoNewPrivileges=yes PrivateTmp=yes ProtectControlGroups=yes ProtectHostname=yes RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK RestrictNamespaces=yes RestrictRealtime=yes RestrictSUIDSGID=yes SystemCallArchitectures=native SystemCallFilter=@system-service SystemCallErrorNumber=EPERM # To restrict write access further, change "ProtectSystem" to "strict" and uncomment # "ReadWritePaths", "ReadOnlyPaths", "ProtectHome", and "BindPaths". Then add any local repository # paths to the list of "ReadWritePaths" and local backup source paths to "ReadOnlyPaths". This # leaves most of the filesystem read-only to borgmatic. ProtectSystem=full # ReadWritePaths=-/mnt/my_backup_drive # ReadOnlyPaths=-/var/lib/my_backup_source # This will mount a tmpfs on top of /root and pass through needed paths # ProtectHome=tmpfs # BindPaths=-/root/.cache/borg -/root/.config/borg -/root/.borgmatic # May interfere with running external programs within borgmatic hooks. #CapabilityBoundingSet=CAP_DAC_READ_SEARCH CAP_NET_RAW # Lower CPU and I/O priority. Nice=19 CPUSchedulingPolicy=batch IOSchedulingClass=best-effort IOSchedulingPriority=7 IOWeight=100 Restart=no # Prevent rate limiting of borgmatic log events. If you are using an older version of systemd that # doesn't support this (pre-240 or so), you may have to remove this option. LogRateLimitIntervalSec=0 # Delay start to prevent backups running during boot. Note that systemd-inhibit requires dbus and # dbus-user-session to be installed. #ExecStartPre=sleep 1m ExecStart=systemd-inhibit --who="borgmatic" --what="sleep:shutdown" --why="Prevent interrupting scheduled backup" /usr/bin/borgmatic --verbosity -1 --syslog-verbosity 1 -c ${HOME}/.config/borgmatic/%I.yaml