borg-backup-scripts/exec_borg.sh

#!/bin/bash

SELF="$0"
NAME="$1"
shift

die() {
	echo -e $1 | sed -e 's-^-! -' >&2
	exit 1
}
usage() {
	echo "usage: $SELF PROFILE_NAME [-h] <borg command> ..." >&2
	exit 1
}

[ "x$NAME" == "x" ] && usage
[ -d /etc/borg/$NAME ] || die "Profile '$NAME' isn't initialized! See init.sh and README.md."
[ $# == 0 ] && usage

# do some sandboxinng
exec systemd-run --quiet --collect --unit=temp-borg-init-sandbox.service \
	--pipe < /etc/borg/$NAME/borg_passphrase \
	--working-directory=/tmp \
	-p "ConfigurationDirectory=borg/$NAME" \
	-p "ConfigurationDirectoryMode=750" \
	-p "CacheDirectory=borg/$NAME" \
	-p "CacheDirectoryMode=750" \
	-p "PrivateTmp=yes" \
	-p "ReadOnlyPaths=/" \
	-p "ReadWritePaths=/root/.ssh/known_hosts" \
	-p "EnvironmentFile=/etc/borg/$NAME/config.env" \
	--setenv=BORG_PASSPHRASE_FD=0 \
	--setenv=BORG_BASE_DIR=/tmp/ \
	--setenv=BORG_CONFIG_DIR=/etc/borg/$NAME \
	--setenv=BORG_CACHE_DIR=/var/cache/borg/$NAME \
	/usr/bin/borg $@