    borgbackup.service 2.47 KiB
    # systemd unit that runs a borgmatic backup; the command itself is in the [Service] section.
    [Unit]
    Description=borgmatic backup
    # Wants= pulls network-online.target in and After= orders this unit behind it.
    # presumably needed for remote repositories; confirm against the borgmatic configuration
    Wants=network-online.target
    After=network-online.target
    # If this unit fails, systemd starts the templated unit below; %N expands to this unit's name
    # without the ".service" suffix. The borgbackup-panic-email@ template is not defined in this
    # file; verify it is installed, otherwise a failed backup raises no alert.
    OnFailure=borgbackup-panic-email@%N.service
    # Order this unit after borgbackup-check.service. After= is an ordering dependency only: it
    # makes this unit wait while the check unit is starting, it does not skip or refuse the run.
    # NOTE(review): assumes borgbackup-check.service is a oneshot unit like this one; confirm.
    After=borgbackup-check.service
    
    # Runs borgmatic once as a sandboxed, low-priority job. No User= is set, so the command runs
    # as root and the directives below are what limit its reach.
    [Service]
    # oneshot: the unit counts as started only once the ExecStart command has exited.
    Type=oneshot
    # Security settings for systemd running as root, optional but recommended to improve security. You
    # can disable individual settings if they cause problems for your use case. For more details, see
    # the systemd manual: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
    LockPersonality=true
    # Certain borgmatic features like Healthchecks integration need MemoryDenyWriteExecute to be off.
    # But you can try setting it to "yes" for improved security if you don't use those features.
    MemoryDenyWriteExecute=no
    NoNewPrivileges=yes
    PrivateDevices=yes
    PrivateTmp=yes
    ProtectClock=yes
    ProtectControlGroups=yes
    ProtectHostname=yes
    ProtectKernelLogs=yes
    ProtectKernelModules=yes
    ProtectKernelTunables=yes
    # Socket creation is limited to the local, IPv4, IPv6 and netlink address families.
    RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
    RestrictNamespaces=yes
    RestrictRealtime=yes
    RestrictSUIDSGID=yes
    SystemCallArchitectures=native
    # System calls outside the @system-service set fail with EPERM instead of terminating the
    # process.
    SystemCallFilter=@system-service
    SystemCallErrorNumber=EPERM
    # To restrict write access further, change "ProtectSystem" to "strict" and uncomment
    # "ReadWritePaths", "ReadOnlyPaths", "ProtectHome", and "BindPaths". Then add any local repository
    # paths to the list of "ReadWritePaths" and local backup source paths to "ReadOnlyPaths". This
    # leaves most of the filesystem read-only to borgmatic.
    # With "full", /usr, /boot, /efi and /etc are read-only; other paths such as /var and /root
    # stay writable by this root process.
    ProtectSystem=full
    # A leading "-" on a path means the entry is ignored when the path does not exist.
    # ReadWritePaths=-/mnt/my_backup_drive
    # ReadOnlyPaths=-/var/lib/my_backup_source
    # This will mount a tmpfs on top of /root and pass through needed paths
    # ProtectHome=tmpfs
    # NOTE(review): /root/.cache/borg is listed twice below; the second entry was presumably meant
    # to be a different borg directory under /root. Confirm the intended path before uncommenting.
    # BindPaths=-/root/.cache/borg -/root/.cache/borg -/root/.borgmatic
    
    # May interfere with running external programs within borgmatic hooks.
    # CAP_DAC_READ_SEARCH lets the backup read files regardless of permission bits. No
    # write-override capability (e.g. CAP_DAC_OVERRIDE) is in the set.
    # NOTE(review): the need for CAP_NET_RAW is not stated in this file; confirm what uses it.
    CapabilityBoundingSet=CAP_DAC_READ_SEARCH CAP_NET_RAW
    
    # Lower CPU and I/O priority.
    Nice=19
    CPUSchedulingPolicy=batch
    IOSchedulingClass=best-effort
    IOSchedulingPriority=7
    IOWeight=100
    
    # A failed run is not retried by systemd.
    Restart=no
    # Prevent rate limiting of borgmatic log events. If you are using an older version of systemd that
    # doesn't support this (pre-240 or so), you may have to remove this option.
    LogRateLimitIntervalSec=0
    
    # Run borgmatic under systemd-inhibit, which holds an inhibitor lock while the backup runs.
    # Note that systemd-inhibit requires dbus and dbus-user-session to be installed.
    # NOTE(review): an earlier comment here described a delayed start to keep backups from running
    # during boot, but no delay directive is present in this unit. Confirm whether one is wanted.
    # NOTE(review): systemd-inhibit is named without an absolute path, unlike borgmatic, so it is
    # resolved through systemd's search path. An absolute path would pin the binary that runs.
    ExecStart=systemd-inhibit --who="borgmatic" --why="Prevent interrupting scheduled backup" /usr/local/bin/borgmatic create --verbosity -1 --syslog-verbosity 1