Update systemd service example with better filesystem protection options.

Merge pull request #78 from Alphix/update-systemd-service
2023-10-15 08:59:39 -07:00 · 2023-10-15 08:59:39 -07:00 · dccaa4014b
parent 487d8ffd32 2f3c0bec5b
commit dccaa4014b
1 changed files with 6 additions and 6 deletions
--- a/sample/systemd/borgmatic.service
+++ b/sample/systemd/borgmatic.service
@ -32,16 +32,16 @@ RestrictSUIDSGID=yes
 SystemCallArchitectures=native
 SystemCallFilter=@system-service
 SystemCallErrorNumber=EPERM
-# To restrict write access further, change "ProtectSystem" to "strict" and uncomment
+# To restrict write access further, change "ProtectSystem" to "strict" and
-# "ReadWritePaths", "ReadOnlyPaths", "ProtectHome", and "BindPaths". Then add any local repository
+# uncomment "ReadWritePaths", "TemporaryFileSystem", "BindPaths" and
-# paths to the list of "ReadWritePaths" and local backup source paths to "ReadOnlyPaths". This
+# "BindReadOnlyPaths". Then add any local repository paths to the list of
-# leaves most of the filesystem read-only to borgmatic.
+# "ReadWritePaths". This leaves most of the filesystem read-only to borgmatic.
 ProtectSystem=full
 # ReadWritePaths=-/mnt/my_backup_drive
 # ReadOnlyPaths=-/var/lib/my_backup_source
 # This will mount a tmpfs on top of /root and pass through needed paths
-# ProtectHome=tmpfs
+# TemporaryFileSystem=/root:ro
 # BindPaths=-/root/.cache/borg -/root/.config/borg -/root/.borgmatic
 # BindReadOnlyPaths=-/root/.ssh
 # May interfere with running external programs within borgmatic hooks.
 CapabilityBoundingSet=CAP_DAC_READ_SEARCH CAP_NET_RAW