Update sample systemd service file comments about more granular read-…

…only filesystem settings.
borgmatic-collective · Oct 11, 2021 · 1004500 · 1004500
1 parent 0a8d4e5
commit 1004500
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 4 deletions.
diff --git a/NEWS b/NEWS
@@ -1,4 +1,5 @@
 1.5.19.dev0
+ * Update sample systemd service file with more granular read-only filesystem settings.
  * Move Gitea and GitHub hosting from a personal namespace to an organization for better
    collaboration with related projects.
  * 1k ★s on GitHub!

diff --git a/sample/systemd/borgmatic.service b/sample/systemd/borgmatic.service
@@ -32,10 +32,10 @@ RestrictSUIDSGID=yes
 SystemCallArchitectures=native
 SystemCallFilter=@system-service
 SystemCallErrorNumber=EPERM
-# Restrict write access
-# Change to 'ProtectSystem=strict' and uncomment 'ProtectHome' to make the whole file
-# system read-only be default and uncomment 'ReadWritePaths' for the required write access.
-# Add local repositroy paths to the list of 'ReadWritePaths' like '-/mnt/my_backup_drive'.
+# To restrict write access further, change "ProtectSystem" to "strict" and uncomment
+# "ReadWritePaths", "ReadOnlyPaths", "ProtectHome", and "BindPaths". Then add any local repository
+# paths to the list of "ReadWritePaths" and local backup source paths to "ReadOnlyPaths". This
+# leaves most of the filesystem read-only to borgmatic.
 ProtectSystem=full
 # ReadWritePaths=-/mnt/my_backup_drive
 # ReadOnlyPaths=-/var/lib/my_backup_source