Initial commit of general borgmatic configuration, scripts, and systemd files

post-backup-all-docker-compose-up.sh

@@ -0,0 +1,22 @@
+#!/bin/bash
+
+# Collect exclusions passed as arguments
+exclusions=("$@")
+
+for dir in /docker/*/
+do
+    # Get the base folder name from path
+    folder=$(basename "$dir")
+
+    # Skip if folder is in the exclusions array
+    if [[ " ${exclusions[@]} " =~ " $folder " ]]; then
+        continue
+    fi
+
+    cd "$dir" || {
+        echo "Failed to enter directory: $dir"
+        continue
+    }
+
+    docker compose up
+done

pre-backup-all-docker-compose-down.sh

@@ -0,0 +1,22 @@
+#!/bin/bash
+
+# Collect exclusions passed as arguments
+exclusions=("$@")
+
+for dir in /docker/*/
+do
+    # Get the base folder name from path
+    folder=$(basename "$dir")
+
+    # Skip if folder is in the exclusions array
+    if [[ " ${exclusions[@]} " =~ " $folder " ]]; then
+        continue
+    fi
+
+    cd "$dir" || {
+        echo "Failed to enter directory: $dir"
+        continue
+    }
+
+    docker compose down
+done

systemd/borgmatic.service

@@ -0,0 +1,70 @@
+[Unit]
+Description=borgmatic backup
+Wants=network-online.target
+After=network-online.target
+Documentation=https://torsion.org/borgmatic/
+
+[Service]
+Type=oneshot
+RuntimeDirectory=borgmatic
+StateDirectory=borgmatic
+
+# Load single encrypted credential.
+#LoadCredentialEncrypted=borgmatic.pw
+
+# Load multiple encrypted credentials.
+# LoadCredentialEncrypted=borgmatic:/etc/credstore.encrypted/borgmatic/
+
+# Security settings for systemd running as root, optional but recommended to improve security. You
+# can disable individual settings if they cause problems for your use case. For more details, see
+# the systemd manual: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
+LockPersonality=true
+# Certain borgmatic features like Healthchecks integration need MemoryDenyWriteExecute to be off.
+# But you can try setting it to "yes" for improved security if you don't use those features.
+MemoryDenyWriteExecute=no
+NoNewPrivileges=yes
+PrivateDevices=yes
+PrivateTmp=yes
+ProtectClock=yes
+ProtectControlGroups=yes
+ProtectHostname=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+SystemCallErrorNumber=EPERM
+# To restrict write access further, change "ProtectSystem" to "strict" and
+# uncomment "ReadWritePaths", "TemporaryFileSystem", "BindPaths" and
+# "BindReadOnlyPaths". Then add any local repository paths to the list of
+# "ReadWritePaths". This leaves most of the filesystem read-only to borgmatic.
+ProtectSystem=full
+# ReadWritePaths=-/mnt/my_backup_drive
+# This will mount a tmpfs on top of /root and pass through needed paths
+# TemporaryFileSystem=/root:ro
+# BindPaths=-/root/.cache/borg -/root/.config/borg -/root/.borgmatic
+# BindReadOnlyPaths=-/root/.ssh
+
+# May interfere with running external programs within borgmatic hooks.
+#CapabilityBoundingSet=CAP_DAC_READ_SEARCH CAP_NET_RAW
+
+# Lower CPU and I/O priority.
+Nice=19
+CPUSchedulingPolicy=batch
+IOSchedulingClass=best-effort
+IOSchedulingPriority=7
+IOWeight=100
+
+Restart=no
+# Prevent rate limiting of borgmatic log events. If you are using an older version of systemd that
+# doesn't support this (pre-240 or so), you may have to remove this option.
+LogRateLimitIntervalSec=0
+
+# Delay start to prevent backups running during boot. Note that systemd-inhibit requires dbus and
+# dbus-user-session to be installed.
+ExecStartPre=sleep 1m
+ExecStart=systemd-inhibit --who="borgmatic" --what="sleep:shutdown" --why="Prevent interrupting scheduled backup" /root/.local/bin/borgmatic --verbosity -2 --syslog-verbosity 1

systemd/borgmatic.timer

@@ -0,0 +1,9 @@
+[Unit]
+Description=Run borgmatic backup
+
+[Timer]
+OnCalendar=*-*-* 5:00:00
+Persistent=true
+
+[Install]
+WantedBy=timers.target