From 6df6176f3a0de22d497b983df2f732c2e10cf9ea Mon Sep 17 00:00:00 2001
From: Vladimir Timofeenko <id@vtimofeenko.com>
Date: Mon, 30 Aug 2021 11:20:34 -0700
Subject: [PATCH] Added more strict ProtectHome to systemd unit

This commit changes the comment in sample systemd service.

Using a combination of 'ProtectHome' and 'BindPaths' it's possible to
hide the irrelevant paths inside /root from borgmatic service when it is
run.

ReadWritePaths are suggested to be used only for paths that contain borg
repositories and the backup sources can be specified as ReadOnlyPaths.
---
 sample/systemd/borgmatic.service | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/sample/systemd/borgmatic.service b/sample/systemd/borgmatic.service
index 4fc88957d..b6adda964 100644
--- a/sample/systemd/borgmatic.service
+++ b/sample/systemd/borgmatic.service
@@ -37,8 +37,11 @@ SystemCallErrorNumber=EPERM
 # system read-only be default and uncomment 'ReadWritePaths' for the required write access.
 # Add local repositroy paths to the list of 'ReadWritePaths' like '-/mnt/my_backup_drive'.
 ProtectSystem=full
-# ProtectHome=read-only
-# ReadWritePaths=-/root/.config/borg -/root/.cache/borg -/root/.borgmatic
+# ReadWritePaths=-/mnt/my_backup_drive
+# ReadOnlyPaths=-/var/lib/my_backup_source
+# This will mount a tmpfs on top of /root and pass through needed paths
+# ProtectHome=tmpfs
+# BindPaths=-/root/.cache/borg -/root/.cache/borg -/root/.borgmatic
 
 CapabilityBoundingSet=CAP_DAC_READ_SEARCH CAP_NET_RAW