Dustin C. Hatch
7d93ba836e
Since `restic` needs to run as root in order to back up files regardless of their permissions, we need to restrict it to doing only that. Using systemd sandbox features, especially the capability bounding set, we can remove all of _root_'s powers except the ability to read all files.
32 lines
870 B
Desktop File
32 lines
870 B
Desktop File
[Unit]
|
|
Description=Back up filesystem with restic
|
|
|
|
[Service]
|
|
Type=oneshot
|
|
LoadCredential=restic.aws.credentials
|
|
LoadCredential=restic.password
|
|
Environment=AWS_SHARED_CREDENTIALS_FILE=%d/restic.aws.credentials
|
|
Environment=RESTIC_PASSWORD_FILE=%d/restic.password
|
|
Environment=XDG_CACHE_HOME=%C
|
|
EnvironmentFile=-%E/restic/environment
|
|
ExecStart=/usr/bin/restic backup --files-from %E/restic/include --exclude-file %E/restic/exclude --exclude-if-present .nobackup
|
|
CacheDirectory=restic
|
|
CapabilityBoundingSet=CAP_DAC_READ_SEARCH
|
|
MemoryDenyWriteExecute=yes
|
|
PrivateDevices=yes
|
|
PrivateTmp=yes
|
|
ProtectClock=yes
|
|
ProtectControlGroups=yes
|
|
ProtectHome=read-only
|
|
ProtectKernelLogs=yes
|
|
ProtectKernelModules=yes
|
|
ProtectKernelTunables=yes
|
|
ProtectProc=invisible
|
|
ProtectSystem=strict
|
|
ReadWritePaths=%t
|
|
ReadWritePaths=%T
|
|
ReadWritePaths=%V
|
|
RestrictRealtime=yes
|
|
RestrictSUIDSGID=yes
|
|
UMask=0077
|