borgbackup.service

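    [Unit]
    Description=borgmatic backup
    # Wait for the network to be up before starting, since the repository may be remote.
    Wants=network-online.target
    After=network-online.target
    # Fire the alert unit if this run fails; %N expands to this unit's name without the ".service" suffix.
    OnFailure=borgbackup-panic-email@%N.service
    # Order this start job behind a queued or running check job so the two borg invocations do not
    # hit the repository at the same time. Note that After= only orders jobs: it does not stop the
    # check from being started while this backup is already running, and it adds no requirement
    # dependency on the check unit.
    After=borgbackup-check.service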
    
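    [Service]
    Type=oneshot
    # Security settings for systemd running as root, optional but recommended to improve security. You
    # can disable individual settings if they cause problems for your use case. For more details, see
    # the systemd manual: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
    LockPersonality=yes
    # Certain borgmatic features like Healthchecks integration need MemoryDenyWriteExecute to be off.
    # But you can try setting it to "yes" for improved security if you don't use those features.
    MemoryDenyWriteExecute=no
    NoNewPrivileges=yes
    # PrivateDevices hides /dev; a local repository on a mounted filesystem is unaffected, but a raw
    # device path will not be reachable.
    PrivateDevices=yes
    PrivateTmp=yes
    ProtectClock=yes
    ProtectControlGroups=yes
    ProtectHostname=yes
    ProtectKernelLogs=yes
    ProtectKernelModules=yes
    ProtectKernelTunables=yes
    # AF_NETLINK is kept because glibc name resolution and interface enumeration may use it.
    RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
    RestrictNamespaces=yes
    RestrictRealtime=yes
    RestrictSUIDSGID=yes
    SystemCallArchitectures=native
    # Filtered system calls fail with EPERM instead of killing the process with SIGSYS, so a hook
    # that trips the filter produces a logged error rather than an unexplained death.
    SystemCallFilter=@system-service
    SystemCallErrorNumber=EPERM
    # To restrict write access further, change "ProtectSystem" to "strict" and uncomment
    # "ReadWritePaths", "ReadOnlyPaths", "ProtectHome", and "BindPaths". Then add any local repository
    # paths to the list of "ReadWritePaths" and local backup source paths to "ReadOnlyPaths". This
    # leaves most of the filesystem read-only to borgmatic. With "full", /usr, /boot and /etc are
    # read-only but everything else is still writable.
    ProtectSystem=full
    # ReadWritePaths=-/mnt/my_backup_drive
    # ReadOnlyPaths=-/var/lib/my_backup_source
    # This will mount a tmpfs on top of /root and pass through needed paths. All three directories
    # must be bound: ~/.config/borg holds repository keys (keyfile mode) and borg's security
    # directory, so hiding it would break keyfile repositories and borg's manifest/nonce checks.
    # ProtectHome=tmpfs
    # BindPaths=-/root/.cache/borg -/root/.config/borg -/root/.borgmatic
    
    # Keep only the capabilities borg itself needs: CAP_DAC_READ_SEARCH to read every source file as
    # root. CAP_NET_RAW is only needed if a hook uses raw sockets (e.g. ping); drop it if none does.
    # Dropping everything else may interfere with running external programs within borgmatic hooks.
    CapabilityBoundingSet=CAP_DAC_READ_SEARCH CAP_NET_RAW
    
    # Lower CPU and I/O priority.
    Nice=19
    CPUSchedulingPolicy=batch
    IOSchedulingClass=best-effort
    IOSchedulingPriority=7
    IOWeight=100
    
    Restart=no
    # Prevent rate limiting of borgmatic log events. If you are using an older version of systemd that
    # doesn't support this (pre-240 or so), you may have to remove this option.
    LogRateLimitIntervalSec=0
    
    # systemd-inhibit holds a shutdown/sleep inhibitor lock for the duration of the run so the backup
    # is not interrupted; it requires dbus and dbus-user-session to be installed. Note that nothing in
    # this unit delays the start after boot: if backups should not run right after boot, put the delay
    # in the triggering timer (OnBootSec=) or add an ExecStartPre= delay here.
    ExecStart=systemd-inhibit --who="borgmatic" --why="Prevent interrupting scheduled backup" /usr/local/bin/borgmatic create --verbosity -1 --syslog-verbosity 1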