Diffstat (limited to 'etc/systemd/lifeboat@.service')
-rw-r--r--etc/systemd/lifeboat@.service41
1 files changed, 41 insertions, 0 deletions
diff --git a/etc/systemd/lifeboat@.service b/etc/systemd/lifeboat@.service
new file mode 100644
index 0000000..632669f
--- /dev/null
+++ b/etc/systemd/lifeboat@.service
@@ -0,0 +1,41 @@
+[Unit]
+Description=Lifeboat backup for %I
+AssertPathExists=/srv/backup/lifeboat/%i
+
+[Service]
+User=lifeboat
+Group=lifeboat
+Type=oneshot
+ExecStart=/usr/bin/lifeboat %i run-report
+
+AmbientCapabilities=CAP_DAC_READ_SEARCH
+CapabilityBoundingSet=CAP_DAC_READ_SEARCH
+
+DevicePolicy=closed
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
+PrivateDevices=yes
+PrivateTmp=yes
+ProtectClock=yes
+ProtectControlGroups=yes
+ProtectHome=read-only
+ProtectHostname=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectProc=invisible
+ProtectSystem=strict
+RemoveIPC=yes
+RestrictAddressFamilies=AF_INET AF_INET6
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+SystemCallFilter=@system-service
+
+ReadWritePaths=/srv/backup/lifeboat
+
+CPUSchedulingPolicy=batch
+IOSchedulingClass=idle
+IOSchedulingPriority=7
+Nice=19
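Review bot: `ReadWritePaths=/srv/backup/lifeboat` makes the whole backup root writable for every instance, although the unit is templated and already asserts the per-instance directory `/srv/backup/lifeboat/%i`, so a compromised or misbehaving job for one instance can alter or delete the backups of all the others. If lifeboat keeps no shared state in the parent directory (not visible from this unit), narrow it to `ReadWritePaths=/srv/backup/lifeboat/%i`. The service combines `CAP_DAC_READ_SEARCH` (read access to any file regardless of permissions) with `AF_INET`/`AF_INET6` network access, so it is worth adding `SystemCallArchitectures=native` next to `SystemCallFilter=@system-service` so the filter cannot be sidestepped through a non-native ABI. `UMask=0077` would also keep newly written backup data unreadable to other local accounts, assuming lifeboat does not set its own file modes.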