From 5d1c9803b53ec1a0a5a2e6dd3dcc2feae6bc39f2 Mon Sep 17 00:00:00 2001
From: Ludwig Behm <ludwig@behm.me>
Date: Sat, 17 Feb 2024 18:56:58 +0100
Subject: [PATCH] exec_borg.sh: cleanup and set ConfigurationDirectory ro

---
 exec_borg.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/exec_borg.sh b/exec_borg.sh
index 3d1048c..d58ada3 100755
--- a/exec_borg.sh
+++ b/exec_borg.sh
@@ -22,11 +22,11 @@ exec systemd-run --quiet --collect --unit=temp-borg-init-sandbox.service \
 	--pipe < /etc/borg/$NAME/borg_passphrase \
 	--working-directory=/tmp \
 	-p "ConfigurationDirectory=borg/$NAME" \
-	-p "CacheDirectory=borg/$NAME" \
 	-p "ConfigurationDirectoryMode=550" \
+	-p "CacheDirectory=borg/$NAME" \
 	-p "CacheDirectoryMode=550" \
 	-p "PrivateTmp=yes" \
-	-p "ReadOnlyDirectories=/" \
+	-p "ReadOnlyPaths=/ /etc/borg/$NAME" \
 	-p "ReadWritePaths=/root/.ssh/known_hosts" \
 	-p "EnvironmentFile=/etc/borg/$NAME/config.env" \
 	--setenv=BORG_PASSPHRASE_FD=0 \