Add more strict ProtectHome to systemd sample configuration.

Merge pull request #42 from VTimofeenko/systemd_protecthome
borgmatic-collective · Oct 11, 2021 · 0a8d4e5 · 0a8d4e5
2 parents 38e35bd + 6df6176
commit 0a8d4e5
Showing 1 changed file with 5 additions and 2 deletions.
diff --git a/sample/systemd/borgmatic.service b/sample/systemd/borgmatic.service
@@ -37,8 +37,11 @@ SystemCallErrorNumber=EPERM
 # system read-only be default and uncomment 'ReadWritePaths' for the required write access.
 # Add local repositroy paths to the list of 'ReadWritePaths' like '-/mnt/my_backup_drive'.
 ProtectSystem=full
-# ProtectHome=read-only
-# ReadWritePaths=-/root/.config/borg -/root/.cache/borg -/root/.borgmatic
+# ReadWritePaths=-/mnt/my_backup_drive
+# ReadOnlyPaths=-/var/lib/my_backup_source
+# This will mount a tmpfs on top of /root and pass through needed paths
+# ProtectHome=tmpfs
+# BindPaths=-/root/.cache/borg -/root/.cache/borg -/root/.borgmatic
 
 CapabilityBoundingSet=CAP_DAC_READ_SEARCH CAP_NET_RAW