Fix systemd units not running as root

2024-12-21 19:09:37 +01:00 · 2024-11-26 12:38:58 +01:00 · 2024-11-26 12:38:58 +01:00 · 7f36d0aee4
commit 7f36d0aee4
parent efa8e5ec7f
2 changed files with 4 additions and 4 deletions
--- a/templates/borgmatic.service.j2
+++ b/templates/borgmatic.service.j2
@ -12,7 +12,7 @@ ConditionACPower=true
 [Service]
 Type=oneshot
 User={{ borg_user }}
-ExecStart=borgmatic -c /etc/borgmatic/{{ borgmatic_config_name }}
+ExecStart={{ 'sudo ' if borg_user != 'root'}}borgmatic -c /etc/borgmatic/{{ borgmatic_config_name }}

 # Source: https://projects.torsion.org/borgmatic-collective/borgmatic/raw/branch/master/sample/systemd/borgmatic.service
 # Security settings for systemd running as root, optional but recommended to improve security. You
@ -22,7 +22,7 @@ LockPersonality=true
 # Certain borgmatic features like Healthchecks integration need MemoryDenyWriteExecute to be off.
 # But you can try setting it to "yes" for improved security if you don't use those features.
 MemoryDenyWriteExecute=no
-NoNewPrivileges=yes
+NoNewPrivileges={{ 'no' if borg_user != 'root' else 'yes'}}
 PrivateDevices=yes
 PrivateTmp=yes
 ProtectClock=yes
--- a/templates/config.yaml.j2
+++ b/templates/config.yaml.j2
@ -177,6 +177,6 @@ consistency:
 # prevent potential shell injection or privilege escalation.
 hooks:
 {% for hook in borgmatic_hooks %}
-{{ hook }}:
-{{ borgmatic_hooks[hook] | to_nice_yaml(indent=4) | indent(4, first=true) }}
+    {{ hook }}:
+    {{ borgmatic_hooks[hook] | to_nice_yaml(indent=4) | indent(4, first=true) }}
 {% endfor %}