| | | |
|---|---|---|
| author | Wolfgang Müller | 2021-04-30 17:20:18 +0200 |
| committer | Wolfgang Müller | 2021-04-30 17:20:18 +0200 |
| commit | bda62ea8ad3a0956af167987a7878c7a36304e2a (patch) | |
| tree | 0a52d7e334acd21e0c8f3e23831aeb72f06373d0 /etc/systemd/lifeboat@.service | |
| parent | 15442e278022a377931774e311e257dc75f1df4c (diff) | |
| download | lifeboat-0.3.0.tar.gz | |
Add systemd service and timer (0.3.0)
The service unit is based on lifeboat defaults and will make sure that
restic-priv can be invoked with CAP_DAC_READ_SEARCH whilst locking down
other forms of privilege escalation.
The timer is mostly for convenient overriding in lifeboat@.timer.d/. We
expect users to adjust this as necessary for their purposes.
Diffstat
-rw-r--r-- | etc/systemd/lifeboat@.service | 41 |
1 files changed, 41 insertions, 0 deletions
diff --git a/etc/systemd/lifeboat@.service b/etc/systemd/lifeboat@.service new file mode 100644 index 0000000..632669f --- /dev/null +++ b/etc/systemd/lifeboat@.service @@ -0,0 +1,41 @@ +[Unit] +Description=Lifeboat backup for %I +AssertPathExists=/srv/backup/lifeboat/%i + +[Service] +User=lifeboat +Group=lifeboat +Type=oneshot +ExecStart=/usr/bin/lifeboat %i run-report + +AmbientCapabilities=CAP_DAC_READ_SEARCH +CapabilityBoundingSet=CAP_DAC_READ_SEARCH + +DevicePolicy=closed +LockPersonality=yes +MemoryDenyWriteExecute=yes +NoNewPrivileges=yes +PrivateDevices=yes +PrivateTmp=yes +ProtectClock=yes +ProtectControlGroups=yes +ProtectHome=read-only +ProtectHostname=yes +ProtectKernelLogs=yes +ProtectKernelModules=yes +ProtectKernelTunables=yes +ProtectProc=invisible +ProtectSystem=strict +RemoveIPC=yes +RestrictAddressFamilies=AF_INET AF_INET6 +RestrictNamespaces=yes +RestrictRealtime=yes +RestrictSUIDSGID=yes +SystemCallFilter=@system-service + +ReadWritePaths=/srv/backup/lifeboat + +CPUSchedulingPolicy=batch +IOSchedulingClass=idle +IOSchedulingPriority=7 +Nice=19 |
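Review bot: with `ProtectSystem=strict` and `ProtectHome=read-only`, the only writable location this unit grants is `ReadWritePaths=/srv/backup/lifeboat`; if `/usr/bin/lifeboat %i run-report` (or the restic it drives) writes a cache, lock or state file anywhere else, for example under the `lifeboat` user's home, those writes will fail with EROFS and the backup will abort rather than degrade. Either confirm every writable path is below `/srv/backup/lifeboat`, or declare the extra locations explicitly, e.g. `CacheDirectory=lifeboat` / `StateDirectory=lifeboat` (which also creates them with the right ownership) or additional `ReadWritePaths=` entries. Two smaller hardening points on the same block: `SystemCallFilter=@system-service` is usually paired with `SystemCallArchitectures=native` so the filter cannot be sidestepped through the compat syscall table, and since the service runs with `CAP_DAC_READ_SEARCH` and can read every user's files, a `UMask=0077` would keep anything it writes under `/srv/backup/lifeboat` from being world-readable by default.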