authorWolfgang Müller2021-04-30 17:20:18 +0200
committerWolfgang Müller2021-04-30 17:20:18 +0200
commitbda62ea8ad3a0956af167987a7878c7a36304e2a (patch)
tree0a52d7e334acd21e0c8f3e23831aeb72f06373d0
parent15442e278022a377931774e311e257dc75f1df4c (diff)
downloadlifeboat-0.3.0.tar.gz
Add systemd service and timer0.3.0
The service unit is based on lifeboat defaults and will make sure that restic-priv can be invoked with CAP_DAC_READ_SEARCH whilst locking down other forms of privilege escalation. The timer is mostly for convenient overriding in lifeboat@.timer.d/. We expect users to adjust this as necessary for their purposes.
-rw-r--r--etc/systemd/lifeboat@.service41
-rw-r--r--etc/systemd/lifeboat@.timer8
2 files changed, 49 insertions, 0 deletions
diff --git a/etc/systemd/lifeboat@.service b/etc/systemd/lifeboat@.service
new file mode 100644
index 0000000..632669f
--- /dev/null
+++ b/etc/systemd/lifeboat@.service
@@ -0,0 +1,41 @@
+[Unit]
+Description=Lifeboat backup for %I
+AssertPathExists=/srv/backup/lifeboat/%i
+
+[Service]
+User=lifeboat
+Group=lifeboat
+Type=oneshot
+ExecStart=/usr/bin/lifeboat %i run-report
+
+AmbientCapabilities=CAP_DAC_READ_SEARCH
+CapabilityBoundingSet=CAP_DAC_READ_SEARCH
+
+DevicePolicy=closed
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
+PrivateDevices=yes
+PrivateTmp=yes
+ProtectClock=yes
+ProtectControlGroups=yes
+ProtectHome=read-only
+ProtectHostname=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectProc=invisible
+ProtectSystem=strict
+RemoveIPC=yes
+RestrictAddressFamilies=AF_INET AF_INET6
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+SystemCallFilter=@system-service
+
+ReadWritePaths=/srv/backup/lifeboat
+
+CPUSchedulingPolicy=batch
+IOSchedulingClass=idle
+IOSchedulingPriority=7
+Nice=19
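Review bot: `SystemCallFilter=@system-service` and `MemoryDenyWriteExecute=yes` in `[Service]` are not paired with `SystemCallArchitectures=native`, which systemd.exec recommends so that a secondary ABI on multi-ABI hosts cannot be used to get around either restriction. That matters more than usual here, because every process in the unit holds an ambient `CAP_DAC_READ_SEARCH` and can therefore read any file while IPv4/IPv6 sockets remain allowed. `ReadWritePaths=/srv/backup/lifeboat` also makes every instance's directory writable from each instance; if lifeboat writes nothing outside its own directory (not visible in this diff), `ReadWritePaths=/srv/backup/lifeboat/%i` would match the `AssertPathExists=` line. A short `#` comment above the capability lines saying why the capability is ambient (presumably because `NoNewPrivileges=yes` rules out file capabilities on restic-priv) would help people writing drop-ins.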
diff --git a/etc/systemd/lifeboat@.timer b/etc/systemd/lifeboat@.timer
new file mode 100644
index 0000000..4ab415c
--- /dev/null
+++ b/etc/systemd/lifeboat@.timer
@@ -0,0 +1,8 @@
+[Unit]
+Description=Daily lifeboat backup for %i
+
+[Timer]
+OnCalendar=18:00
+
+[Install]
+WantedBy=timers.target
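Review bot: The `[Timer]` section has no `Persistent=true`, so a host that is powered off or suspended at 18:00 skips that day's backup and nothing runs until the next calendar match. Adding `Persistent=true` under `OnCalendar=18:00` makes systemd record the last trigger time and start the service when the timer is next activated after a missed run. As a point of style, `Description=` uses `%i` here while the service unit uses `%I`; the unescaped `%I` reads better in status output for instance names that contain escaped characters.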