Accueil Explorer Aide
Connexion
mirrors
/
borgmatic
miroir de https://github.com/witten/borgmatic
2
0
Fork 0
Fichiers Tickets 0 Wiki
Aborescence: 717c90a7d0
Branches Tags
borgmatic
/
sample
/
systemd
/
borgmatic.service

borgmatic.service 2.1 KB
Historique Raw

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758 
  1. [Unit]
    2. 

  2. Description=borgmatic backup
    3. 

  3. Wants=network-online.target
    4. 

  4. After=network-online.target
    5. 

  5. ConditionACPower=true
    6. 

  6. 

  7. [Service]
    8. 

  8. Type=oneshot
    9. 

  9. 

  10. # Security settings for systemd running as root, optional but recommended to improve security. You
    11. 

  11. # can disable individual settings if they cause problems for your use case. For more details, see
    12. 

  12. # the systemd manual: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
    13. 

  13. LockPersonality=true
    14. 

  14. # Certain borgmatic features like Healthchecks integration need MemoryDenyWriteExecute to be off.
    15. 

  15. # But you can try setting it to "yes" for improved security if you don't use those features.
    16. 

  16. MemoryDenyWriteExecute=no
    17. 

  17. NoNewPrivileges=yes
    18. 

  18. PrivateDevices=yes
    19. 

  19. PrivateTmp=yes
    20. 

  20. ProtectClock=yes
    21. 

  21. ProtectControlGroups=yes
    22. 

  22. ProtectHostname=yes
    23. 

  23. ProtectKernelLogs=yes
    24. 

  24. ProtectKernelModules=yes
    25. 

  25. ProtectKernelTunables=yes
    26. 

  26. RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
    27. 

  27. RestrictNamespaces=yes
    28. 

  28. RestrictRealtime=yes
    29. 

  29. RestrictSUIDSGID=yes
    30. 

  30. SystemCallArchitectures=native
    31. 

  31. SystemCallFilter=@system-service
    32. 

  32. SystemCallErrorNumber=EPERM
    33. 

  33. # Restrict write access
    34. 

  34. # Change to 'ProtectSystem=strict' and uncomment 'ProtectHome' to make the whole file
    35. 

  35. # system read-only be default and uncomment 'ReadWritePaths' for the required write access.
    36. 

  36. # Add local repositroy paths to the list of 'ReadWritePaths' like '-/mnt/my_backup_drive'.
    37. 

  37. ProtectSystem=full
    38. 

  38. # ProtectHome=read-only
    39. 

  39. # ReadWritePaths=-/root/.config/borg -/root/.cache/borg -/root/.borgmatic
    40. 

  40. 

  41. CapabilityBoundingSet=CAP_DAC_READ_SEARCH CAP_NET_RAW
    42. 

  42. 

  43. # Lower CPU and I/O priority.
    44. 

  44. Nice=19
    45. 

  45. CPUSchedulingPolicy=batch
    46. 

  46. IOSchedulingClass=best-effort
    47. 

  47. IOSchedulingPriority=7
    48. 

  48. IOWeight=100
    49. 

  49. 

  50. Restart=no
    51. 

  51. # Prevent rate limiting of borgmatic log events. If you are using an older version of systemd that
    52. 

  52. # doesn't support this (pre-240 or so), you may have to remove this option.
    53. 

  53. LogRateLimitIntervalSec=0
    54. 

  54. 

  55. # Delay start to prevent backups running during boot. Note that systemd-inhibit requires dbus and
    56. 

  56. # dbus-user-session to be installed.
    57. 

  57. ExecStartPre=sleep 1m
    58. 

  58. ExecStart=systemd-inhibit --who="borgmatic" --why="Prevent interrupting scheduled backup" /root/.local/bin/borgmatic --syslog-verbosity 1
    59.