Add option to control NoNewPrivileges in borgmatic.service
When this option is set to the default yes, it will cause database backups like the one below to error:
postgresql_databases:
    pg_dump_command: sudo -u postgres pg_dump
    pg_restore_command: sudo -u postgres pg_restore
    psql_command: sudo -u postgres psql
This optional flag allows admins to disable this security feature if they wish.
Have you looked into using lineinfile or the ini file module to make this change? I worry that we will get lots of options if we add one for each systemd option there is.
> I worry that we will get lots of options if we add one for each systemd option there is.
I think a systemd override will be even better in this case. In contrast to patching with lineinfile, it doesn't change the content of the files this role writes. Patching defeats immutability and idempotency (you'll get changed=2 on every application of borgbackup + the patch). In addition, overrides can (re-)define any systemd setting, not just the ones this role provides vars for.
Hi, I would like to add my perspective on this matter.
I would say that having these editable inside the role makes the most sense. It does have the danger that a lot of options could potentially be added, but this provides the least overhead for the end user.
The lineinfile approach seems the second most sensible, but breaks idempotency as mentioned.
Creating a systemd override seems somewhat of an overkill for a user-defined systemd service. Now as a user I have another file that I need to maintain and remember it exists and how it works.
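The conflict discussed in this thread can be checked before deployment. The following is an added example, not code from the role or from any participant: it resolves the effective NoNewPrivileges value of a unit after drop-in overrides are applied and flags hook commands that start with a setuid helper such as sudo. The unit text, the override file name and all function names are constructed for illustration; the three commands are the ones from the PR description.

```python
import shlex

TRUE, FALSE = {"1", "yes", "true", "on"}, {"0", "no", "false", "off"}
ESCALATORS = {"sudo", "su", "doas", "pkexec"}  # setuid helpers blocked by NoNewPrivileges

def effective_nnp(unit_text, dropins=()):
    """Effective NoNewPrivileges for a unit plus its drop-ins.
    dropins is a list of (filename, text); systemd reads them in lexicographic
    filename order after the main unit, and the last assignment wins."""
    value = False  # off unless set (settings that imply it are not modelled here)
    for text in [unit_text] + [t for _, t in sorted(dropins)]:
        section = None
        for raw in text.splitlines():
            line = raw.strip()
            if not line or line[0] in "#;":
                continue
            if line.startswith("[") and line.endswith("]"):
                section = line[1:-1]
                continue
            key, sep, val = line.partition("=")
            if section == "Service" and sep and key.strip() == "NoNewPrivileges":
                v = val.strip().lower()
                value = True if v in TRUE else False if v in FALSE else value
    return value

def conflicting_commands(unit_text, dropins, commands):
    """Names of commands that will fail because they need to gain privileges."""
    if not effective_nnp(unit_text, dropins):
        return []
    hits = []
    for name, cmd in commands.items():
        argv = shlex.split(cmd)
        if argv and argv[0].rsplit("/", 1)[-1] in ESCALATORS:
            hits.append(name)
    return sorted(hits)

# Constructed sample unit; only the NoNewPrivileges line reflects the thread.
UNIT = "[Unit]\nDescription=borgmatic backup\n\n[Service]\nType=oneshot\nNoNewPrivileges=yes\n"
# Constructed drop-in, as it would sit in borgmatic.service.d/.
OVERRIDE = ("override.conf", "[Service]\nNoNewPrivileges=no\n")
# Commands taken from the PR description.
COMMANDS = {
    "pg_dump_command": "sudo -u postgres pg_dump",
    "pg_restore_command": "sudo -u postgres pg_restore",
    "psql_command": "sudo -u postgres psql",
}

if __name__ == "__main__":
    print("without override:", conflicting_commands(UNIT, [], COMMANDS))
    print("with override:   ", conflicting_commands(UNIT, [OVERRIDE], COMMANDS))
```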