Update systemd service example with better filesystem protection options.
Merge pull request #78 from Alphix/update-systemd-service
dccaa4014b
1 changed files with 6 additions and 6 deletions
|
@ -32,16 +32,16 @@ RestrictSUIDSGID=yes
|
||||||
SystemCallArchitectures=native
|
SystemCallArchitectures=native
|
||||||
SystemCallFilter=@system-service
|
SystemCallFilter=@system-service
|
||||||
SystemCallErrorNumber=EPERM
|
SystemCallErrorNumber=EPERM
|
||||||
# To restrict write access further, change "ProtectSystem" to "strict" and uncomment
|
# To restrict write access further, change "ProtectSystem" to "strict" and
|
||||||
# "ReadWritePaths", "ReadOnlyPaths", "ProtectHome", and "BindPaths". Then add any local repository
|
# uncomment "ReadWritePaths", "TemporaryFileSystem", "BindPaths" and
|
||||||
# paths to the list of "ReadWritePaths" and local backup source paths to "ReadOnlyPaths". This
|
# "BindReadOnlyPaths". Then add any local repository paths to the list of
|
||||||
# leaves most of the filesystem read-only to borgmatic.
|
# "ReadWritePaths". This leaves most of the filesystem read-only to borgmatic.
|
||||||
ProtectSystem=full
|
ProtectSystem=full
|
||||||
# ReadWritePaths=-/mnt/my_backup_drive
|
# ReadWritePaths=-/mnt/my_backup_drive
|
||||||
# ReadOnlyPaths=-/var/lib/my_backup_source
|
|
||||||
# This will mount a tmpfs on top of /root and pass through needed paths
|
# This will mount a tmpfs on top of /root and pass through needed paths
|
||||||
# ProtectHome=tmpfs
|
# TemporaryFileSystem=/root:ro
|
||||||
# BindPaths=-/root/.cache/borg -/root/.config/borg -/root/.borgmatic
|
# BindPaths=-/root/.cache/borg -/root/.config/borg -/root/.borgmatic
|
||||||
|
# BindReadOnlyPaths=-/root/.ssh
|
||||||
|
|
||||||
# May interfere with running external programs within borgmatic hooks.
|
# May interfere with running external programs within borgmatic hooks.
|
||||||
CapabilityBoundingSet=CAP_DAC_READ_SEARCH CAP_NET_RAW
|
CapabilityBoundingSet=CAP_DAC_READ_SEARCH CAP_NET_RAW
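Review bot: The comment above `# TemporaryFileSystem=/root:ro` should say that, once it is uncommented, everything under /root other than the bound paths is hidden from borgmatic, so a backup that lists /root as a source would contain only those paths. I would add `# Anything else under /root is hidden from borgmatic; add backup sources there to "BindReadOnlyPaths".` after the "pass through needed paths" line. The `-` prefix on the `BindPaths` entries skips paths that do not exist yet, so on a first run the read-only tmpfs may leave borg unable to create its cache and config directories; a one-line comment telling the admin to create them beforehand would help. Because `/root/.ssh` is bound read-only, it is also worth noting that the repository host key must already be in known_hosts. The unit file continues outside this hunk.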
|
||||||
|
|