feat(restic): Use RESTIC_PASSWORD_FILE instead of RESTIC_PASSWORD

roles/lego/defaults/main.yml

@@ -58,7 +58,7 @@ lego_systemd_timer_name: "lego-{{ lego_instance }}.timer"
 lego_systemd_timer_template: lego.timer.j2
 lego_systemd_timer_calendar: "*-*-* *:00/15:00"
 
-lego_architecture: "amd64"
+lego_architecture: "{{ 'arm64' if ansible_architecture == 'aarch64' else 'amd64' }}"
 lego_os: "linux"
 lego_binary_allow_net_bind_service: false
 

roles/restic/defaults/main.yml

@@ -51,6 +51,11 @@ restic_user: root
 restic_create_user: false
 restic_start_job_on_unit_change: false
 
+restic_base_path: /opt/restic
+resitc_credentials_base_path: "/var/lib/restic/{{ restic_job_name }}/"
+restic_password_file_path: "{{ resitc_credentials_base_path }}/restic-passwd"
+restic_password_file_mode: 0600 #should not be less restrictive
+
 restic_job_name: ~
 restic_job_description: "Restic backup job for {{ restic_job_name }}"
 restic_systemd_unit_naming_scheme: "restic.{{ restic_job_name }}"

roles/restic/tasks/main.yml

@@ -6,6 +6,23 @@
     state: present
     system: true
   when: restic_create_user
+  register: restic_user_res
+
+- name: Ensure base directory for restic is created
+  ansible.builtin.file:
+    path: "{{ restic_base_path }}"
+    state: directory
+    owner: "{{ restic_user_res.uid | default(root) }}"
+    group: "{{ restic_user_res.group | default(root) }}"
+    mode: "0755"
+
+- name: Ensure credentials directory for restic is created
+  ansible.builtin.file:
+    path: "{{ resitc_credentials_base_path }}"
+    state: directory
+    owner: "{{ restic_user_res.uid | default(root) }}"
+    group: "{{ restic_user_res.group | default(root) }}"
+    mode: "0700"
 
 - name: Ensure either backup_paths or backup_stdin_command is populated
   when: restic_backup_paths|length > 0 and restic_backup_stdin_command and false
@@ -42,6 +59,14 @@
         state: present
       when: ansible_os_family not in ['RedHat', 'Debian']
 
+- name: Ensure restic password file is created and uptodate
+  copy:
+    dest: "{{ restic_password_file_path }}"
+    mode: "{{ restic_password_file_mode }}"
+    owner: "{{ restic_user_res.uid | default(root) }}"
+    group: "{{ restic_user_res.group | default(root) }}"
+    content: "{{ restic_repo_password }}"
+
 - name: Ensure systemd service file for '{{ restic_job_name }}' is templated
   template:
     dest: "/etc/systemd/system/{{ restic_systemd_unit_naming_scheme }}.service"

roles/restic/templates/restic.service.j2

@@ -8,7 +8,7 @@ WorkingDirectory={{ restic_systemd_working_directory }}
 SyslogIdentifier={{ restic_systemd_syslog_identifier }}
 
 Environment=RESTIC_REPOSITORY={{ restic_repo_url }}
-Environment=RESTIC_PASSWORD={{ restic_repo_password }}
+Environment=RESTIC_PASSWORD_FILE={{ restic_password_file_path }}
 {% for kv in restic_complete_environment | dict2items %}
 Environment={{ kv.key }}={{ kv.value }}
 {% endfor %}