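# systemd service unit for a Borg backup run.
# Ansible/Jinja2 template: {{ ... }} placeholders are filled at deploy time.
# Type=oneshot runs {{ borg_config_dir }}/backup.sh once per activation; the unit
# carries no schedule of its own (presumably triggered by a timer not shown here).
[Unit]
Description=Borg Backup Service
# NOTE(review): network.target only means the network stack is configured, not
# that the host is online. BORG_REPO below looks like a local directory, so this
# is fine; if the repository ever moves to ssh://, switch to
# Wants=network-online.target / After=network-online.target.
After=network.target

[Service]
Type=oneshot
User=root
Group=root
ExecStart={{ borg_config_dir }}/backup.sh
StandardOutput=journal
StandardError=journal

# --- Environment -----------------------------------------------------------
# SECURITY: Environment= is not a safe channel for secrets. systemd exposes a
# unit's Environment= values to unprivileged clients over D-Bus
# (`systemctl show -p Environment <unit>`), and the variables are inherited by
# every child process backup.sh spawns. Rendering this unit file with mode 0600
# is a necessary stopgap but does not close the D-Bus path. Preferred fix: drop
# BORG_PASSPHRASE from this file and deliver it through a root-only (0600)
# EnvironmentFile= (settings there override Environment= and are not published as
# a unit property), or through LoadCredential= with BORG_PASSCOMMAND reading the
# secret from $CREDENTIALS_DIRECTORY inside backup.sh.
Environment="BORG_PASSPHRASE={{ borg_passphrase }}"
Environment="BORG_REPO={{ borg_repo_dir }}"
# All borg state is kept under borg_config_dir, which is writable via
# ReadWritePaths= below.
Environment="BORG_CACHE_DIR={{ borg_config_dir }}/cache"
Environment="BORG_CONFIG_DIR={{ borg_config_dir }}/config"
Environment="BORG_SECURITY_DIR={{ borg_config_dir }}/security"
Environment="BORG_KEYS_DIR={{ borg_config_dir }}/keys"

# --- Sandboxing -------------------------------------------------------------
NoNewPrivileges=true
PrivateTmp=true
# Entire filesystem read-only except the paths listed. /var/log is broader than
# one backup job needs; narrow it to the script's own log file or directory if
# backup.sh writes one.
ProtectSystem=strict
ReadWritePaths=/mnt/services /mnt/object_storage /var/log {{ borg_config_dir }}
# Home directories stay readable so they can be backed up. NOTE(review): if
# borg_config_dir resolves to a path under /root, confirm on a target host that
# the ReadWritePaths= entry above re-grants write access there.
ProtectHome=read-only
ProtectControlGroups=true
# Additional kernel-surface restrictions; none of these affect ordinary file
# reads/writes, which is all a borg run needs.
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectKernelLogs=true
ProtectClock=true
ProtectHostname=true
LockPersonality=true
RestrictRealtime=true
RestrictSUIDSGID=true
RestrictNamespaces=true
SystemCallArchitectures=native
# Syscalls outside @system-service fail with EPERM instead of killing the
# process, so an unexpected call shows up as a borg/script error in the journal
# rather than a silent SIGSYS.
SystemCallFilter=@system-service
SystemCallErrorNumber=EPERM
# Deliberately not enabled without host-specific verification:
#   PrivateDevices=true          - breaks snapshot-based backups that open block devices
#   RestrictAddressFamilies=     - borg over ssh needs AF_UNIX AF_INET AF_INET6
#   CapabilityBoundingSet=       - root needs at least CAP_DAC_READ_SEARCH to read every file

[Install]
WantedBy=multi-user.target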