From 9b83fcbf0642d8ca41bf7513f4c5fb03126a3b51 Mon Sep 17 00:00:00 2001
From: Dan Helfman
Date: Sun, 23 Aug 2020 14:11:19 -0700
Subject: [PATCH] Add comment about MemoryDenyWriteExecute value and the tradeoffs thereof.
---
 sample/systemd/borgmatic.service | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/sample/systemd/borgmatic.service b/sample/systemd/borgmatic.service
index 5356400a..89807b48 100644
--- a/sample/systemd/borgmatic.service
+++ b/sample/systemd/borgmatic.service
@@ -11,6 +11,8 @@ Type=oneshot
 # For more details about this settings check the systemd manuals
 # https://www.freedesktop.org/software/systemd/man/systemd.exec.html
 LockPersonality=true
+# Certain borgmatic features like Healthchecks integration need MemoryDenyWriteExecute to be off.
+# But you can try setting it to "yes" for improved security if you don't use those features.
 MemoryDenyWriteExecute=no
 NoNewPrivileges=yes
 PrivateDevices=yes
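Review bot: The added comment above `MemoryDenyWriteExecute=no` names Healthchecks integration only as one example and gives no way to tell whether a given setup is affected, so most users of this sample unit will probably leave the W^X hardening off. It would help to list the affected features, or at least to say how to verify the stricter setting, for instance with a third comment line such as `# After setting it to "yes", start borgmatic.service once by hand and check "journalctl -u borgmatic.service" for failing hooks.` How a blocked mapping shows up in the log is not visible from this hunk, so the wording should stay that general unless the failure mode is known. The rest of the hardening section lies outside the hunk, so other directives may interact with this one.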