From 7f36d0aee455bde898166d39080867b59ed15ce3 Mon Sep 17 00:00:00 2001
From: Fabian Hausmann
Date: Tue, 26 Nov 2024 12:38:58 +0100
Subject: [PATCH 1/2] Fix systemd units not running as root

---
 templates/borgmatic.service.j2 | 4 ++--
 templates/config.yaml.j2 | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/templates/borgmatic.service.j2 b/templates/borgmatic.service.j2
index 4e4406c..8d5803b 100644
--- a/templates/borgmatic.service.j2
+++ b/templates/borgmatic.service.j2
@@ -12,7 +12,7 @@ ConditionACPower=true
 [Service]
 Type=oneshot
 User={{ borg_user }}
-ExecStart=borgmatic -c /etc/borgmatic/{{ borgmatic_config_name }}
+ExecStart={{ 'sudo ' if borg_user != 'root'}}borgmatic -c /etc/borgmatic/{{ borgmatic_config_name }}
 
 # Source: https://projects.torsion.org/borgmatic-collective/borgmatic/raw/branch/master/sample/systemd/borgmatic.service
 # Security settings for systemd running as root, optional but recommended to improve security. You
@@ -22,7 +22,7 @@ LockPersonality=true
 # Certain borgmatic features like Healthchecks integration need MemoryDenyWriteExecute to be off.
 # But you can try setting it to "yes" for improved security if you don't use those features.
 MemoryDenyWriteExecute=no
-NoNewPrivileges=yes
+NoNewPrivileges={{ 'no' if borg_user != 'root' else 'yes'}}
 PrivateDevices=yes
 PrivateTmp=yes
 ProtectClock=yes
diff --git a/templates/config.yaml.j2 b/templates/config.yaml.j2
index 9cd692b..cec3fdf 100644
--- a/templates/config.yaml.j2
+++ b/templates/config.yaml.j2
@@ -177,6 +177,6 @@ consistency:
 # prevent potential shell injection or privilege escalation.
 hooks:
 {% for hook in borgmatic_hooks %}
-{{ hook }}:
-{{ borgmatic_hooks[hook] | to_nice_yaml(indent=4) | indent(4, first=true) }}
+ {{ hook }}:
+ {{ borgmatic_hooks[hook] | to_nice_yaml(indent=4) | indent(4, first=true) }}
 {% endfor %}

From abc50afac193b8fe2006ab1bca71fdb4d8433f47 Mon Sep 17 00:00:00 2001
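Review bot: Flipping `NoNewPrivileges` to `no` so that the `sudo` prefix added to `ExecStart` can work (first and second hunks of this patch, and again in the two borgmatic.service.j2 hunks of PATCH 2/2) is very likely ineffective: as far as I recall systemd.exec(5), when `User=` is a non-root account the hardening options visible in the second hunk (`PrivateDevices=`, `ProtectClock=`, `LockPersonality=`) imply no_new_privs regardless of an explicit `no`, so the setuid `sudo` binary cannot gain privileges and the unit fails. Even on a systemd where it did work, it needs a non-interactive sudoers entry for `borg_user` that neither patch adds, and it deliberately re-opens the one setting the surrounding "Security settings" block relies on. If the intent is "run the backup as root on some hosts", selecting the account is simpler and keeps the hardening intact: `User={{ 'root' if borgmatic_run_as_root else borg_user }}`, `ExecStart=borgmatic -c /etc/borgmatic/{{ borgmatic_config_name }}` and `NoNewPrivileges=yes` unchanged. Separately, `{{ 'sudo ' if borg_user != 'root'}}` has no else branch; it presumably renders empty here, but `{{ 'sudo ' if borg_user != 'root' else '' }}` does not depend on how an undefined result is stringified.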
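Review bot: The two added lines of the config.yaml.j2 hunk indent the template text itself while the value line still pipes through `indent(4, first=true)`, so for any hook whose value renders to more than one line the first line lands at (template indent + 4) columns and the remaining lines at 4, which YAML rejects as inconsistent mapping indentation under `hooks:` (whitespace is collapsed in this rendering, so the exact template indent is not visible). Carry the whole offset through the filter and keep the value line at column 0: `  {{ hook }}:` followed by `{{ borgmatic_hooks[hook] | to_nice_yaml(indent=4) | indent(6, first=true) }}`, where 6 is the indent given to `{{ hook }}:` plus 4. A single-scalar hook value hides the problem, so the test case should use a hook with at least two keys.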
From: Fabian Hausmann
Date: Tue, 26 Nov 2024 13:02:57 +0100
Subject: [PATCH 2/2] Add user flag for decision

---
 defaults/main.yml | 1 +
 meta/argument_specs.yml | 4 ++++
 templates/borgmatic.service.j2 | 4 ++--
 3 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/defaults/main.yml b/defaults/main.yml
index a928993..c78cc76 100755
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -48,4 +48,5 @@ borg_user: "root"
 borg_group: "root"
 backup_user_info:
 home: "/home/{{ borg_user }}"
+borgmatic_run_as_root: false
 ...
diff --git a/meta/argument_specs.yml b/meta/argument_specs.yml
index bfb8226..f546d9b 100644
--- a/meta/argument_specs.yml
+++ b/meta/argument_specs.yml
@@ -192,3 +192,7 @@ argument_specs:
 type: str
 required: false
 description: Name of the SSH public and private key
+borgmatic_run_as_root:
+type: bool
+required: false
+description: If the variable is set, systemd will run borgmatic using sudo.
diff --git a/templates/borgmatic.service.j2 b/templates/borgmatic.service.j2
index 8d5803b..3339e98 100644
--- a/templates/borgmatic.service.j2
+++ b/templates/borgmatic.service.j2
@@ -12,7 +12,7 @@ ConditionACPower=true
 [Service]
 Type=oneshot
 User={{ borg_user }}
-ExecStart={{ 'sudo ' if borg_user != 'root'}}borgmatic -c /etc/borgmatic/{{ borgmatic_config_name }}
+ExecStart={{ 'sudo ' if borgmatic_run_as_root}}borgmatic -c /etc/borgmatic/{{ borgmatic_config_name }}
 
 # Source: https://projects.torsion.org/borgmatic-collective/borgmatic/raw/branch/master/sample/systemd/borgmatic.service
 # Security settings for systemd running as root, optional but recommended to improve security. You
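Review bot: The description added for `borgmatic_run_as_root` in the meta/argument_specs.yml hunk says "If the variable is set", but the variable is always set (the defaults/main.yml hunk defines it as `false`); the ExecStart template keys off its truth value, not its presence. It also leaves out the precondition the sudo prefix depends on, which is the thing an operator enabling this flag most needs to know. Suggested wording: `description: If true, the systemd unit prefixes borgmatic with sudo; borg_user then needs a non-interactive (NOPASSWD) sudoers entry for borgmatic, which this role does not create.` The last clause is inferred from these two patches alone, so drop it if the role does ship such a rule elsewhere.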
@@ -22,7 +22,7 @@ LockPersonality=true
 # Certain borgmatic features like Healthchecks integration need MemoryDenyWriteExecute to be off.
 # But you can try setting it to "yes" for improved security if you don't use those features.
 MemoryDenyWriteExecute=no
-NoNewPrivileges={{ 'no' if borg_user != 'root' else 'yes'}}
+NoNewPrivileges={{ 'no' if borgmatic_run_as_root else 'yes'}}
 PrivateDevices=yes
 PrivateTmp=yes
 ProtectClock=yes