Merge 9a2c0272ab into a960af0cf4

2025-08-30 13:46:48 +02:00 · 2025-08-21 15:04:47 +00:00 · 2025-08-21 15:04:47 +00:00 · 654c8e961a
commit 654c8e961a
parent a960af0cf4 9a2c0272ab
3 changed files with 7 additions and 2 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -51,4 +51,5 @@ borg_user: "root"
 borg_group: "root"
 backup_user_info:
  home: "/home/{{ borg_user }}"
+borgmatic_run_as_root: false
 ...
--- a/meta/argument_specs.yml
+++ b/meta/argument_specs.yml
@ -207,3 +207,7 @@ argument_specs:
        type: str
        required: false
        description: Comment added to the SSH public key.
+      borgmatic_run_as_root:
+        type: bool
+        required: false
+        description: If the variable is set, systemd will run borgmatic using sudo.
--- a/templates/borgmatic.service.j2
+++ b/templates/borgmatic.service.j2
@ -12,7 +12,7 @@ ConditionACPower=true
 [Service]
 Type=oneshot
 User={{ borg_user }}
-ExecStart=borgmatic -c /etc/borgmatic/{{ borgmatic_config_name }} {{ borgmatic_timer_flags }}
+ExecStart={{ 'sudo ' if borgmatic_run_as_root}}borgmatic -c /etc/borgmatic/{{ borgmatic_config_name }} {{ borgmatic_timer_flags }}

 # Source: https://projects.torsion.org/borgmatic-collective/borgmatic/raw/branch/master/sample/systemd/borgmatic.service
 # Security settings for systemd running as root, optional but recommended to improve security. You
@ -22,7 +22,7 @@ LockPersonality=true
 # Certain borgmatic features like Healthchecks integration need MemoryDenyWriteExecute to be off.
 # But you can try setting it to "yes" for improved security if you don't use those features.
 MemoryDenyWriteExecute=no
-NoNewPrivileges=yes
+NoNewPrivileges={{ 'no' if borgmatic_run_as_root else 'yes'}}
 PrivateDevices=yes
 PrivateTmp=yes
 ProtectClock=yes