diff --git a/nixos/modules/services/backup/borgmatic.nix b/nixos/modules/services/backup/borgmatic.nix
index ced1383193b0..f2f35f97d0dd 100644
--- a/nixos/modules/services/backup/borgmatic.nix
+++ b/nixos/modules/services/backup/borgmatic.nix
@@ -10,6 +10,10 @@ let
 
   postgresql = config.services.postgresql.package;
   mysql = config.services.mysql.package;
+  requireSudo =
+    s:
+    s ? postgresql_databases
+    && lib.any (d: d ? username && !(d ? password) && !(d ? pg_dump_command)) s.postgresql_databases;
   addRequiredBinaries =
     s:
     s
@@ -17,7 +21,7 @@ let
       postgresql_databases = map (
         d:
         let
-          as_user = if d ? username then "${pkgs.sudo}/bin/sudo -u ${d.username} " else "";
+          as_user = if d ? username && !(d ? password) then "${pkgs.sudo}/bin/sudo -u ${d.username} " else "";
         in
         {
           pg_dump_command =
@@ -113,6 +117,9 @@ let
     };
 
   cfgfile = settingsFormat.generate "config.yaml" (addRequiredBinaries cfg.settings);
+
+  anycfgRequiresSudo =
+    requireSudo cfg.settings || lib.any requireSudo (lib.attrValues cfg.configurations);
 in
 {
   options.services.borgmatic = {
@@ -173,6 +180,10 @@ in
 
       systemd.packages = [ pkgs.borgmatic ];
       systemd.services.borgmatic.path = [ pkgs.coreutils ];
+      systemd.services.borgmatic.serviceConfig = lib.optionalAttrs anycfgRequiresSudo {
+        NoNewPrivileges = false;
+        CapabilityBoundingSet = "CAP_DAC_READ_SEARCH CAP_NET_RAW CAP_SETUID CAP_SETGID";
+      };
 
       # Workaround: https://github.com/NixOS/nixpkgs/issues/81138
       systemd.timers.borgmatic.wantedBy = [ "timers.target" ];