
systemd security settings

palto42 4 years ago
parent
commit
631c3068a9
3 changed files with 36 additions and 0 deletions
  1. 2 0
      borgmatic/config/schema.yaml
  2. 4 0
      docs/how-to/set-up-backups.md
  3. 30 0
      sample/systemd/borgmatic.service

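--- a/borgmatic/config/schema.yaml
+++ b/borgmatic/config/schema.yaml
@@ -29,6 +29,8 @@ map:
                     expanded. Multiple repositories are backed up to in
                     sequence. See ssh_command for SSH options like identity file
                     or port.
+                    If systemd service is used, then add local repository paths
+                    in the systemd service file to the ReadWritePaths list.
                 example:
                     - user@backupserver:sourcehostname.borg
             one_file_system: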

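--- a/docs/how-to/set-up-backups.md
+++ b/docs/how-to/set-up-backups.md
@@ -268,6 +268,10 @@ sudo mv borgmatic.service borgmatic.timer /etc/systemd/system/
 sudo systemctl enable --now borgmatic.timer
 ```
 
+Review the security settings in the service file and update them as needed.
+If `ProtectSystem=strict` is enabled and local repositories are used, then
+the repository path must be added to the `ReadWritePaths` list.
+
 Feel free to modify the timer file based on how frequently you'd like
 borgmatic to run.
 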

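--- a/sample/systemd/borgmatic.service
+++ b/sample/systemd/borgmatic.service
@@ -7,6 +7,36 @@ ConditionACPower=true
 [Service]
 Type=oneshot
 
+# Security settings for systemd running as root
+# For more details about this settings check the systemd manuals
+# https://www.freedesktop.org/software/systemd/man/systemd.exec.html
+LockPersonality=true
+MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
+PrivateDevices=yes
+PrivateTmp=yes
+ProtectClock=yes
+ProtectControlGroups=yes
+ProtectHostname=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+# Restrict write access
+# Change to 'ProtectSystem=strict' and uncomment 'ProtectHome' to make the whole file
+# system read-only be default and uncomment 'ReadWritePaths' for the required write access.
+# Add local repositroy paths to the list of 'ReadWritePaths' like '-/mnt/my_backup_drive'.
+ProtectSystem=full
+# ProtectHome=read-only
+# ReadWritePaths=-/root/.config/borg -/root/.cache/borg -/root/.borgmatic
+
+CapabilityBoundingSet=CAP_DAC_READ_SEARCH CAP_NET_RAW
+
 # Lower CPU and I/O priority.
 Nice=19
 CPUSchedulingPolicy=batch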
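Review bot: `CapabilityBoundingSet=CAP_DAC_READ_SEARCH CAP_NET_RAW` keeps CAP_NET_RAW in the bounding set with no comment saying why a backup job needs raw sockets; CAP_DAC_READ_SEARCH is self-explanatory for reading every file as root, but the second capability is not evident from anything in the unit, so either drop it after confirming nothing on the backup path needs it, or document the consumer with a line such as `# CAP_NET_RAW: required by <command> for <reason>`. These restrictions presumably also apply to any external commands borgmatic spawns from this unit, which the header comment could mention so that a hook failing under `SystemCallFilter=@system-service` or the reduced capability set is easier to diagnose. The comment block under `# Restrict write access` has typos (`this settings`, `be default`, `repositroy`) that should read `these settings`, `by default`, `repository`.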