From af10c3349fe495108bd80a963423a10bfefdff31 Mon Sep 17 00:00:00 2001
From: Fabian Hausmann
Date: Tue, 26 Nov 2024 12:38:58 +0100
Subject: [PATCH] Fix systemd units not running as root
---
 templates/borgmatic.service.j2 | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/templates/borgmatic.service.j2 b/templates/borgmatic.service.j2
index 51da9f4..9504916 100644
--- a/templates/borgmatic.service.j2
+++ b/templates/borgmatic.service.j2
@@ -12,7 +12,7 @@ ConditionACPower=true
 [Service]
 Type=oneshot
 User={{ borg_user }}
-ExecStart=borgmatic -c /etc/borgmatic/{{ borgmatic_config_name }} {{ borgmatic_timer_flags }}
+ExecStart={{ 'sudo ' if borg_user != 'root'}}borgmatic -c /etc/borgmatic/{{ borgmatic_config_name }} {{ borgmatic_timer_flags }}
 # Source: https://projects.torsion.org/borgmatic-collective/borgmatic/raw/branch/master/sample/systemd/borgmatic.service
 # Security settings for systemd running as root, optional but recommended to improve security. You
@@ -22,7 +22,7 @@ LockPersonality=true
 # Certain borgmatic features like Healthchecks integration need MemoryDenyWriteExecute to be off.
 # But you can try setting it to "yes" for improved security if you don't use those features.
 MemoryDenyWriteExecute=no
-NoNewPrivileges=yes
+NoNewPrivileges={{ 'no' if borg_user != 'root' else 'yes'}}
 PrivateDevices=yes
 PrivateTmp=yes
 ProtectClock=yes
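Review bot: The `sudo ` prefix on the new `ExecStart=` line makes the backup depend on a passwordless sudoers rule for `{{ borg_user }}` that this patch does not show; unless that rule is limited to the borgmatic command, the service account is effectively root. The unit has no terminal, so sudo should fail immediately rather than try to prompt, and the empty branch of the inline `if` is better spelled out the way the second hunk does it: `ExecStart={{ 'sudo -n ' if borg_user != 'root' else '' }}borgmatic -c /etc/borgmatic/{{ borgmatic_config_name }} {{ borgmatic_timer_flags }}`. A comment above the line naming the sudoers entry the role expects would help whoever audits the host later. The `[Service]` section continues past this hunk, so not all of the hardening keys that the elevated process inherits are visible here.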
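Review bot: Rendering `NoNewPrivileges=no` for a non-root `borg_user` removes the guard against setuid escalation for every process the unit starts, and it may not take effect at all. systemd.exec(5) documents that settings such as `PrivateDevices=` and `ProtectClock=` imply `NoNewPrivileges=yes` when the service runs without CAP_SYS_ADMIN, for example with `User=` set, and both appear directly below the changed line. The sudo call from the first hunk should therefore be verified on a host with a non-root `borg_user` before relying on it. If the relaxation stays, document it in place with a comment such as `# "no" only when borg_user is not root: sudo needs its setuid transition to reach root`. The list of hardening keys runs on past the end of this hunk.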