feat(borgmatic): disable hardening and add flag (#8)
maxhoesel authored Apr 18, 2021
1 parent 3fc8681 commit a7fb928
Showing 3 changed files with 4 additions and 2 deletions.
1 change: 1 addition & 0 deletions roles/borgmatic/README.md
Expand Up @@ -131,6 +131,7 @@ The prefix for all variables in this section is: `borgmatic_schedule_`
| `backup_time` | Schedule at which the backup should be run. Can be any valid [systemd time expression](https://www.freedesktop.org/software/systemd/man/systemd.time.html#). | X | `daily` |
| `max_random_delay` | To prevent several hosts pegging your backup server at once, systemd can delay execution within a random period. This balances the load out over a longer time period and helps to prevent load spikes. You can set the maximum delay in seconds with this variable | | `1800` (30 minutes) |
| `require_ac_power` | If set to `true`, skip the backup when the host is not connected to AC power. | | `false` |
| `harden` | Whether to tighten security on the systemd service to prevent exploits as root. Can cause issues with hooks and other integrations | | `false` |
| `persistent` | Whether to immoderately run the backup job if the host "missed" its last run (the random delay still applies) | | `false` |
| `wakeup` | Whether to wake the system for the backup job if it is in standby. May or may not be supported | | `false` |

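Review bot: the `harden` row's description, "tighten security on the systemd service to prevent exploits as root", does not tell a reader what the flag actually changes or what it can break, so they cannot judge whether to turn it on. State concretely that it renders the systemd sandboxing block of `borgmatic.service` (`NoNewPrivileges`, `PrivateDevices`, `SystemCallFilter=@system-service`, a `CapabilityBoundingSet` of `CAP_DAC_READ_SEARCH CAP_NET_RAW` and the `Protect*` directives) and that borgmatic's hooks are child processes of the same unit and inherit every restriction, so a hook that needs device access, extra capabilities or a syscall outside `@system-service` fails with `EPERM`. The unchanged `persistent` row just below also carries a typo: "immoderately" should read "immediately".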
1 change: 1 addition & 0 deletions roles/borgmatic/defaults/main.yml
Expand Up @@ -18,6 +18,7 @@ borgmatic_ssh_known_hosts_file: "{{ borgmatic_config_path }}/known_hosts"

borgmatic_schedule_on: daily
borgmatic_schedule_max_random_delay: 1800
borgmatic_schedule_harden: no
borgmatic_schedule_require_ac_power: no
borgmatic_schedule_persistent: no
borgmatic_schedule_wakeup: no
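Review bot: `borgmatic_schedule_harden` is inserted between `max_random_delay` and `require_ac_power` here but documented between `require_ac_power` and `persistent` in the README hunk above; keep the two orderings identical so the table and the defaults file can be compared line by line. The default is also spelled `no` while the README column says `false`; both are booleans to Ansible, but pick one spelling for the whole role. Unrelated to this change but visible in the context lines: the defaults define `borgmatic_schedule_on` while the README documents `backup_time` under the `borgmatic_schedule_` prefix, so one of the two names is wrong and a user following the README will set a variable the role never reads.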
4 changes: 2 additions & 2 deletions roles/borgmatic/templates/borgmatic.service.j2
Expand Up @@ -8,17 +8,16 @@ ConditionACPower=true

[Service]
Type=oneshot
{% if borgmatic_schedule_harden %}

# Security settings for systemd running as root, optional but recommended to improve security. You
# can disable individual settings if they cause problems for your use case. For more details, see
# the systemd manual: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
LockPersonality=true
# Certain borgmatic features like Healthchecks integration need MemoryDenyWriteExecute to be off.
# But you can try setting it to "yes" for improved security if you don't use those features.
MemoryDenyWriteExecute=no
NoNewPrivileges=yes
PrivateDevices=yes
PrivateTmp=no
ProtectClock=yes
ProtectControlGroups=yes
ProtectHostname=yes
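Review bot: the comment inside the new `{% if borgmatic_schedule_harden %}` block still says the settings are "optional but recommended" and that "You can disable individual settings if they cause problems", but after this change the only switch is the whole block and it defaults to off, so the comment now describes a knob that does not exist. Either rewrite it to say the block is rendered only when `borgmatic_schedule_harden` is set, or expose the directives known to break hooks as their own variables. On the same point, `MemoryDenyWriteExecute=no` and `PrivateTmp=no` are systemd's defaults, so inside a hardening block they change nothing and the advice to "try setting it to yes" has no variable behind it; either drop both lines or turn them into per-directive toggles, and add a comment stating why `PrivateTmp` is deliberately kept off, since that is not obvious from the file.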
Expand All @@ -33,6 +32,7 @@ SystemCallArchitectures=native
SystemCallFilter=@system-service
SystemCallErrorNumber=EPERM
CapabilityBoundingSet=CAP_DAC_READ_SEARCH CAP_NET_RAW
{% endif %}

# Lower CPU and I/O priority.
Nice=19
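Review bot: `CapabilityBoundingSet=CAP_DAC_READ_SEARCH CAP_NET_RAW` needs a comment explaining why `CAP_NET_RAW` is retained; a backup job that reaches its repository over SSH does not need raw sockets, and if it is there for a hook that runs `ping`, say so, because an unexplained capability tends to survive every later review. It is also worth noting next to the README's `harden` flag that the set omits `CAP_DAC_OVERRIDE`, `CAP_CHOWN` and `CAP_FOWNER`: root inside this unit can read every file, which is all a backup needs, but cannot write to paths it does not own or restore ownership, so the unit must not be reused for `borgmatic extract`. Gating ends correctly at `{% endif %}` so `Nice=19` and the I/O priority apply in both modes; please render the template once with `borgmatic_schedule_harden: yes` and run `systemd-analyze verify` on the result, since the default-off flag means the hardened branch is no longer exercised by a plain deployment.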