From bda62ea8ad3a0956af167987a7878c7a36304e2a Mon Sep 17 00:00:00 2001
From: Wolfgang Müller
Date: Fri, 30 Apr 2021 17:20:18 +0200
Subject: Add systemd service and timer
The service unit is based on lifeboat defaults and will make sure that restic-priv can be invoked with CAP_DAC_READ_SEARCH whilst locking down other forms of privilege escalation.
The timer is mostly for convenient overriding in lifeboat@.timer.d/. We expect users to adjust this as necessary for their purposes.
---
etc/systemd/lifeboat@.service | 41 +++++++++++++++++++++++++++++++++++++++++
etc/systemd/lifeboat@.timer | 8 ++++++++
2 files changed, 49 insertions(+)
create mode 100644 etc/systemd/lifeboat@.service
create mode 100644 etc/systemd/lifeboat@.timer
(limited to 'etc')
diff --git a/etc/systemd/lifeboat@.service b/etc/systemd/lifeboat@.service
new file mode 100644
index 0000000..632669f
--- /dev/null
+++ b/etc/systemd/lifeboat@.service
@@ -0,0 +1,41 @@
+[Unit]
+Description=Lifeboat backup for %I
+AssertPathExists=/srv/backup/lifeboat/%i
+
+[Service]
+User=lifeboat
+Group=lifeboat
+Type=oneshot
+ExecStart=/usr/bin/lifeboat %i run-report
+
+AmbientCapabilities=CAP_DAC_READ_SEARCH
+CapabilityBoundingSet=CAP_DAC_READ_SEARCH
+
+DevicePolicy=closed
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
+PrivateDevices=yes
+PrivateTmp=yes
+ProtectClock=yes
+ProtectControlGroups=yes
+ProtectHome=read-only
+ProtectHostname=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectProc=invisible
+ProtectSystem=strict
+RemoveIPC=yes
+RestrictAddressFamilies=AF_INET AF_INET6
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+SystemCallFilter=@system-service
+
+ReadWritePaths=/srv/backup/lifeboat
+
+CPUSchedulingPolicy=batch
+IOSchedulingClass=idle
+IOSchedulingPriority=7
+Nice=19
diff --git a/etc/systemd/lifeboat@.timer b/etc/systemd/lifeboat@.timer
new file mode 100644
index 0000000..4ab415c
--- /dev/null
+++ b/etc/systemd/lifeboat@.timer
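Review bot: With `AmbientCapabilities=CAP_DAC_READ_SEARCH` the job can read every file on the host, so what matters most is that nothing writable by the `lifeboat` user can steer it — yet the only writable tree, `ReadWritePaths=/srv/backup/lifeboat`, is also the tree `AssertPathExists=/srv/backup/lifeboat/%i` checks for the instance, so if per-instance configuration (what to back up, which repository, credentials) lives there, anyone who obtains the `lifeboat` account can rewrite it and pull arbitrary root-only files through the next run; consider keeping configuration read-only outside ReadWritePaths (e.g. `/etc/lifeboat/%i`) and leaving only repository and cache state writable. Two standard hardening lines are also missing and belong next to `SystemCallFilter=@system-service`: `SystemCallArchitectures=native` (systemd documents that without it the seccomp filter can be circumvented through a non-native ABI) and `UMask=0077` (the service default of 0022 makes every file the job creates under /srv/backup/lifeboat world-readable). `RestrictAddressFamilies=AF_INET AF_INET6` omits AF_UNIX, which blocks syslog(3)/journal socket logging, D-Bus and nss-resolve; if `run-report` reports through any of them, change it to `RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6`. I cannot see /usr/bin/lifeboat or restic-priv, so the configuration-location and reporting concerns need confirming against that script; a short comment above `AmbientCapabilities=` stating why the capability is needed and which child inherits it would also help the next maintainer.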
@@ -0,0 +1,8 @@
+[Unit]
+Description=Daily lifeboat backup for %i
+
+[Timer]
+OnCalendar=18:00
+
+[Install]
+WantedBy=timers.target
--
cgit v1.2.3-2-gb3c3
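Review bot: `OnCalendar=18:00` without `Persistent=true` means a backup missed because the host was off or suspended at 18:00 is silently skipped until the next day, which is the wrong default for a backup timer; add `Persistent=true` under `[Timer]` so the missed run fires at the next activation. If several hosts or instances share this unit, a `RandomizedDelaySec=` would keep them from hitting the same repository and network at once. The commit message says the schedule is meant to be overridden per instance, so a comment above `[Timer]` such as `# Adjust the schedule via drop-ins in lifeboat@.timer.d/` would make that intent visible in the file itself.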