YannBirba · January 9, 2024 13:51
diff --git a/borgmatic.service b/borgmatic.service
 [Unit]
 Description=borgmatic backup
 Wants=network-online.target
 After=network-online.target
 # Prevent borgmatic from running unless the machine is plugged into power. Remove this line if you
 # want to allow borgmatic to run anytime.
 ConditionACPower=true
 ConditionFileNotEmpty=/etc/borgmatic/config.yaml
 Documentation=https://torsion.org/borgmatic/

 [Service]
 Type=oneshot

 # Security settings for systemd running as root, optional but recommended to improve security. You
 # can disable individual settings if they cause problems for your use case. For more details, see
 # the systemd manual: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
 LockPersonality=true
 # Certain borgmatic features like Healthchecks integration need MemoryDenyWriteExecute to be off.
 # But you can try setting it to "yes" for improved security if you don't use those features.
 MemoryDenyWriteExecute=no
 NoNewPrivileges=yes
 PrivateDevices=yes
 PrivateTmp=yes
 ProtectClock=yes
 ProtectControlGroups=yes
 ProtectHostname=yes
 ProtectKernelLogs=yes
 ProtectKernelModules=yes
 ProtectKernelTunables=yes
 RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
 RestrictNamespaces=yes
 RestrictRealtime=yes
 RestrictSUIDSGID=yes
 SystemCallArchitectures=native
 SystemCallFilter=@system-service
 SystemCallErrorNumber=EPERM
 # To restrict write access further, change "ProtectSystem" to "strict" and uncomment
 # "ReadWritePaths", "ReadOnlyPaths", "ProtectHome", and "BindPaths". Then add any local repository
 # paths to the list of "ReadWritePaths" and local backup source paths to "ReadOnlyPaths". This
 # leaves most of the filesystem read-only to borgmatic.
 ProtectSystem=full
 # ReadWritePaths=-/mnt/my_backup_drive
 # ReadOnlyPaths=-/var/lib/my_backup_source
 # This will mount a tmpfs on top of /root and pass through needed paths
 # ProtectHome=tmpfs
 # BindPaths=-/root/.cache/borg -/root/.cache/borg -/root/.borgmatic

 CapabilityBoundingSet=CAP_DAC_READ_SEARCH CAP_NET_RAW

 # Lower CPU and I/O priority.
 Nice=19
 CPUSchedulingPolicy=batch
 IOSchedulingClass=best-effort
 IOSchedulingPriority=7
 IOWeight=100

 Restart=no
 # Prevent rate limiting of borgmatic log events. If you are using an older version of systemd that
 # doesn't support this (pre-240 or so), you may have to remove this option.
 LogRateLimitIntervalSec=0

 User=root

 # Delay start to prevent backups running during boot. Note that systemd-inhibit requires dbus and
 # dbus-user-session to be installed.
 ExecStartPre=sleep 1m
 ExecStart=systemd-inhibit --who="borgmatic" --why="Prevent interrupting scheduled backup" /usr/bin/borgmatic --verbosity -1 --syslog-verbosity 1
 # ExecStop=Do what you want to do after backup
	[Unit]
	Description=borgmatic backup
	Wants=network-online.target
	After=network-online.target
	# Prevent borgmatic from running unless the machine is plugged into power. Remove this line if you
	# want to allow borgmatic to run anytime.
	ConditionACPower=true
	ConditionFileNotEmpty=/etc/borgmatic/config.yaml
	Documentation=https://torsion.org/borgmatic/

	[Service]
	Type=oneshot

	# Security settings for systemd running as root, optional but recommended to improve security. You
	# can disable individual settings if they cause problems for your use case. For more details, see
	# the systemd manual: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
	LockPersonality=true
	# Certain borgmatic features like Healthchecks integration need MemoryDenyWriteExecute to be off.
	# But you can try setting it to "yes" for improved security if you don't use those features.
	MemoryDenyWriteExecute=no
	NoNewPrivileges=yes
	PrivateDevices=yes
	PrivateTmp=yes
	ProtectClock=yes
	ProtectControlGroups=yes
	ProtectHostname=yes
	ProtectKernelLogs=yes
	ProtectKernelModules=yes
	ProtectKernelTunables=yes
	RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
	RestrictNamespaces=yes
	RestrictRealtime=yes
	RestrictSUIDSGID=yes
	SystemCallArchitectures=native
	SystemCallFilter=@system-service
	SystemCallErrorNumber=EPERM
	# To restrict write access further, change "ProtectSystem" to "strict" and uncomment
	# "ReadWritePaths", "ReadOnlyPaths", "ProtectHome", and "BindPaths". Then add any local repository
	# paths to the list of "ReadWritePaths" and local backup source paths to "ReadOnlyPaths". This
	# leaves most of the filesystem read-only to borgmatic.
	ProtectSystem=full
	# ReadWritePaths=-/mnt/my_backup_drive
	# ReadOnlyPaths=-/var/lib/my_backup_source
	# This will mount a tmpfs on top of /root and pass through needed paths
	# ProtectHome=tmpfs
	# BindPaths=-/root/.cache/borg -/root/.cache/borg -/root/.borgmatic

	CapabilityBoundingSet=CAP_DAC_READ_SEARCH CAP_NET_RAW

	# Lower CPU and I/O priority.
	Nice=19
	CPUSchedulingPolicy=batch
	IOSchedulingClass=best-effort
	IOSchedulingPriority=7
	IOWeight=100

	Restart=no
	# Prevent rate limiting of borgmatic log events. If you are using an older version of systemd that
	# doesn't support this (pre-240 or so), you may have to remove this option.
	LogRateLimitIntervalSec=0

	User=root

	# Delay start to prevent backups running during boot. Note that systemd-inhibit requires dbus and
	# dbus-user-session to be installed.
	ExecStartPre=sleep 1m
	ExecStart=systemd-inhibit --who="borgmatic" --why="Prevent interrupting scheduled backup" /usr/bin/borgmatic --verbosity -1 --syslog-verbosity 1
	# ExecStop=Do what you want to do after backup