common-configs/borgmatic/borgmatic-weekly.service

[Unit]
Description=borgmatic backup
Wants=network-online.target
After=network-online.target
ConditionACPower=true

[Service]
Type=simple

# Security settings for systemd running as root
# For more details about this settings check the systemd manuals
# https://www.freedesktop.org/software/systemd/man/systemd.exec.html
LockPersonality=true
# Certain borgmatic features like Healthchecks integration need MemoryDenyWriteExecute to be off.
# But you can try setting it to "yes" for improved security if you don't use those features.
MemoryDenyWriteExecute=no
NoNewPrivileges=yes
PrivateDevices=yes
PrivateTmp=yes
ProtectClock=yes
ProtectControlGroups=yes
ProtectHostname=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
SystemCallArchitectures=native
SystemCallFilter=@system-service
# Restrict write access
# Change to 'ProtectSystem=strict' and uncomment 'ProtectHome' to make the whole file
# system read-only be default and uncomment 'ReadWritePaths' for the required write access.
# Add local repositroy paths to the list of 'ReadWritePaths' like '-/mnt/my_backup_drive'.
ProtectSystem=strict
ProtectHome=read-only
ReadWritePaths=-/root/.config/borg -/root/.cache/borg -/root/.borgmatic /var/backups/postgres -/mnt/backup-1/borg/gubal.borg -/mnt/backup-2/borg/gubal.borg -/mnt/backup-1/borg/goldsaucer.borg -/mnt/backup-2/borg/goldsaucer.borg

CapabilityBoundingSet=CAP_DAC_READ_SEARCH CAP_NET_RAW CAP_SETUID CAP_SETGID CAP_AUDIT_WRITE

# Lower CPU and I/O priority.
Nice=19
CPUSchedulingPolicy=batch
IOSchedulingClass=best-effort
IOSchedulingPriority=7
IOWeight=100

Restart=no
# Prevent rate limiting of borgmatic log events. If you are using an older version of systemd that
# doesn't support this (pre-240 or so), you may have to remove this option.
LogRateLimitIntervalSec=0

# Delay start to prevent backups running during boot. Note that systemd-inhibit requires dbus and
# dbus-user-session to be installed.
ExecStart=systemd-inhibit --who="borgmatic" --why="Prevent interrupting scheduled backup" /usr/bin/borgmatic -c /etc/borgmatic/configs-nightly /etc/borgmatic/configs-enabled --syslog-verbosity 1 prune create check --only repository --only archives --only extract
Updates for barista bar 3 years ago			`[Unit]`
			`Description=borgmatic backup`
			`Wants=network-online.target`
			`After=network-online.target`
			`ConditionACPower=true`

			`[Service]`
			`Type=simple`

			`# Security settings for systemd running as root`
			`# For more details about this settings check the systemd manuals`
			`# https://www.freedesktop.org/software/systemd/man/systemd.exec.html`
			`LockPersonality=true`
			`# Certain borgmatic features like Healthchecks integration need MemoryDenyWriteExecute to be off.`
			`# But you can try setting it to "yes" for improved security if you don't use those features.`
			`MemoryDenyWriteExecute=no`
			`NoNewPrivileges=yes`
			`PrivateDevices=yes`
			`PrivateTmp=yes`
			`ProtectClock=yes`
			`ProtectControlGroups=yes`
			`ProtectHostname=yes`
			`ProtectKernelLogs=yes`
			`ProtectKernelModules=yes`
			`ProtectKernelTunables=yes`
			`RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK`
			`RestrictNamespaces=yes`
			`RestrictRealtime=yes`
			`RestrictSUIDSGID=yes`
			`SystemCallArchitectures=native`
			`SystemCallFilter=@system-service`
			`# Restrict write access`
			`# Change to 'ProtectSystem=strict' and uncomment 'ProtectHome' to make the whole file`
			`# system read-only be default and uncomment 'ReadWritePaths' for the required write access.`
			`# Add local repositroy paths to the list of 'ReadWritePaths' like '-/mnt/my_backup_drive'.`
			`ProtectSystem=strict`
			`ProtectHome=read-only`
			`ReadWritePaths=-/root/.config/borg -/root/.cache/borg -/root/.borgmatic /var/backups/postgres -/mnt/backup-1/borg/gubal.borg -/mnt/backup-2/borg/gubal.borg -/mnt/backup-1/borg/goldsaucer.borg -/mnt/backup-2/borg/goldsaucer.borg`

			`CapabilityBoundingSet=CAP_DAC_READ_SEARCH CAP_NET_RAW CAP_SETUID CAP_SETGID CAP_AUDIT_WRITE`

			`# Lower CPU and I/O priority.`
			`Nice=19`
			`CPUSchedulingPolicy=batch`
			`IOSchedulingClass=best-effort`
			`IOSchedulingPriority=7`
			`IOWeight=100`

			`Restart=no`
			`# Prevent rate limiting of borgmatic log events. If you are using an older version of systemd that`
			`# doesn't support this (pre-240 or so), you may have to remove this option.`
			`LogRateLimitIntervalSec=0`

			`# Delay start to prevent backups running during boot. Note that systemd-inhibit requires dbus and`
			`# dbus-user-session to be installed.`
			`ExecStart=systemd-inhibit --who="borgmatic" --why="Prevent interrupting scheduled backup" /usr/bin/borgmatic -c /etc/borgmatic/configs-nightly /etc/borgmatic/configs-enabled --syslog-verbosity 1 prune create check --only repository --only archives --only extract`