Commit

Add user flag for decision
Fabian Hausmann committed Nov 26, 2024
1 parent 7f36d0a commit abc50af
Showing 3 changed files with 7 additions and 2 deletions.
1 change: 1 addition & 0 deletions defaults/main.yml
Expand Up @@ -48,4 +48,5 @@ borg_user: "root"
borg_group: "root"
backup_user_info:
home: "/home/{{ borg_user }}"
borgmatic_run_as_root: false
...
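Review bot: The default of `false` for `borgmatic_run_as_root` changes behaviour for existing users of the role who set a non-root `borg_user`. The service template used to add `sudo ` automatically whenever `borg_user != 'root'`; after this commit those hosts run borgmatic unprivileged unless they opt in to the new flag. Either default the variable to `"{{ borg_user != 'root' }}"` so the old behaviour is preserved, or call the change out in the README or changelog.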
4 changes: 4 additions & 0 deletions meta/argument_specs.yml
Expand Up @@ -192,3 +192,7 @@ argument_specs:
type: str
required: false
description: Name of the SSH public and private key
borgmatic_run_as_root:
type: bool
required: false
description: If the variable is set, systemd will run borgmatic using sudo.
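Review bot: The `description` of `borgmatic_run_as_root` says "If the variable is set", but for a `type: bool` the behaviour depends on the value being true, not on the variable being defined. Suggest wording such as "If true, systemd will run borgmatic using sudo." and adding `default: false` so the spec matches defaults/main.yml. It is also worth stating here that enabling the flag switches the unit to `NoNewPrivileges=no`, since that is a security-relevant side effect a user would not guess from the name.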
4 changes: 2 additions & 2 deletions templates/borgmatic.service.j2
Expand Up @@ -12,7 +12,7 @@ ConditionACPower=true
[Service]
Type=oneshot
User={{ borg_user }}
ExecStart={{ 'sudo ' if borg_user != 'root'}}borgmatic -c /etc/borgmatic/{{ borgmatic_config_name }}
ExecStart={{ 'sudo ' if borgmatic_run_as_root}}borgmatic -c /etc/borgmatic/{{ borgmatic_config_name }}

# Source: https://projects.torsion.org/borgmatic-collective/borgmatic/raw/branch/master/sample/systemd/borgmatic.service
# Security settings for systemd running as root, optional but recommended to improve security. You
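Review bot: In the new `ExecStart` line the condition `if borgmatic_run_as_root` tests Jinja truthiness, so a string value such as "false" (for example from key=value extra vars) still enables `sudo`. Use `borgmatic_run_as_root | bool`. The condition also no longer looks at `borg_user`, so with `borg_user: root` and the flag set to true the unit calls `sudo` as root for no benefit; consider `borgmatic_run_as_root | bool and borg_user != 'root'`.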
Expand All @@ -22,7 +22,7 @@ LockPersonality=true
# Certain borgmatic features like Healthchecks integration need MemoryDenyWriteExecute to be off.
# But you can try setting it to "yes" for improved security if you don't use those features.
MemoryDenyWriteExecute=no
NoNewPrivileges={{ 'no' if borg_user != 'root' else 'yes'}}
NoNewPrivileges={{ 'no' if borgmatic_run_as_root else 'yes'}}
PrivateDevices=yes
PrivateTmp=yes
ProtectClock=yes
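Review bot: On the `NoNewPrivileges` line, setting the flag turns this protection off for the whole unit, and the unit then escalates to root through `sudo` even though `User={{ borg_user }}` suggests an unprivileged service. Add a template comment saying that `no` is there only because `sudo` needs it, apply the same `| bool` cast as in `ExecStart` so the two conditions cannot diverge, and consider whether `User=root` with `NoNewPrivileges=yes` would cover the same use case without the sudo hop.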