ariera
/
borgmatic
forked from witten/borgmatic
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
Browse Source

systemd security settings

master
Matthias 4 months ago
parent
79d4888e22
commit
631c3068a9
3 changed files with 36 additions and 0 deletions
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. +2
    -0
      borgmatic/config/schema.yaml
  2. +4
    -0
      docs/how-to/set-up-backups.md
  3. +30
    -0
      sample/systemd/borgmatic.service

+ 2
- 0
borgmatic/config/schema.yaml View File

@ -29,6 +29,8 @@ map:
expanded. Multiple repositories are backed up to in
sequence. See ssh_command for SSH options like identity file
or port.
If systemd service is used, then add local repository paths
in the systemd service file to the ReadWritePaths list.
example:
- user@backupserver:sourcehostname.borg
one_file_system:


+ 4
- 0
docs/how-to/set-up-backups.md View File

@ -268,6 +268,10 @@ sudo mv borgmatic.service borgmatic.timer /etc/systemd/system/
sudo systemctl enable --now borgmatic.timer
```
Review the security settings in the service file and update them as needed.
If `ProtectSystem=strict` is enabled and local repositories are used, then
the repository path must be added to the `ReadWritePaths` list.
Feel free to modify the timer file based on how frequently you'd like
borgmatic to run.


+ 30
- 0
sample/systemd/borgmatic.service View File

@ -7,6 +7,36 @@ ConditionACPower=true
[Service]
Type=oneshot
# Security settings for systemd running as root
# For more details about this settings check the systemd manuals
# https://www.freedesktop.org/software/systemd/man/systemd.exec.html
LockPersonality=true
MemoryDenyWriteExecute=yes
NoNewPrivileges=yes
PrivateDevices=yes
PrivateTmp=yes
ProtectClock=yes
ProtectControlGroups=yes
ProtectHostname=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
SystemCallArchitectures=native
SystemCallFilter=@system-service
# Restrict write access
# Change to 'ProtectSystem=strict' and uncomment 'ProtectHome' to make the whole file
# system read-only be default and uncomment 'ReadWritePaths' for the required write access.
# Add local repositroy paths to the list of 'ReadWritePaths' like '-/mnt/my_backup_drive'.
ProtectSystem=full
# ProtectHome=read-only
# ReadWritePaths=-/root/.config/borg -/root/.cache/borg -/root/.borgmatic
CapabilityBoundingSet=CAP_DAC_READ_SEARCH CAP_NET_RAW
# Lower CPU and I/O priority.
Nice=19
CPUSchedulingPolicy=batch


Write Preview
Loading…
Cancel
Save