fix(lego): quoting issues leading to wrongful error

roles/lego/files/lego_run.sh

@@ -3,8 +3,8 @@ set -euo pipefail
 
 LEGO_BINARY=$(/usr/bin/env which lego)
 
-if [[ -n "$LEGO_HTTP_FALLBACK_PORT" ]]; then
+if [[ -n "${LEGO_HTTP_FALLBACK_PORT:-}" ]]; then
-  if ! nc_binary="$(type -p \"nc\")" || [[ -z $nc_binary ]]; then
+  if ! nc_binary="$(type -p 'nc')" || [[ -z $nc_binary ]]; then
     echo "nc not found (in PATH), exiting"
     exit 1
   fi
@@ -14,7 +14,7 @@ if [[ -n "$LEGO_HTTP_FALLBACK_PORT" ]]; then
   fi
 fi
 
-if [[ -n "$LEGO_PRE_RENEWAL_HOOK" ]]; then
+if [[ -n "${LEGO_PRE_RENEWAL_HOOK:-}" ]]; then
   $LEGO_PRE_RENEWAL_HOOK
 fi
 
@@ -30,6 +30,6 @@ fi
 find "$LEGO_CERT_STORE_PATH/certificates" -type f | xargs -I{} -n 1 chmod "$LEGO_CERT_MODE" "{}"
 find "$LEGO_CERT_STORE_PATH/certificates" -type f | xargs -I{} -n 1 chown "${LEGO_CERT_USER}:${LEGO_CERT_GROUP}" "{}"
 
-if [[ -n "$LEGO_POST_RENEWAL_HOOK" ]]; then
+if [[ -n "${LEGO_POST_RENEWAL_HOOK:-}" ]]; then
   $LEGO_POST_RENEWAL_HOOK
 fi

roles/nginx/defaults/main.yml

@@ -1,5 +1,5 @@
 ---
-nginx_version: "1.27.3"
+nginx_version: "1.27.4"
 nginx_flavour: alpine
 nginx_base_path: /opt/nginx
 nginx_config_file: "{{ nginx_base_path }}/nginx.conf"

roles/restic/defaults/main/config.yml

@@ -20,8 +20,8 @@ restic_policy_backup_frequency: hourly
 
 restic_base_environment:
   RESTIC_REPOSITORY: "{{ restic_repo_url }}"
-  RESTIC_PASSWORD: "{{ restic_password }}"
+  RESTIC_PASSWORD: "{{ restic_repo_password }}"
-  RESTIC_JOBNAME: "{{ restic_job_name | default('unknown') }}"
+  RESTIC_JOBNAME: "{{ restic_job_name }}"
   RESTIC_FORGET_KEEP_WITHIN: "{{ restic_policy_keep_all_within }}"
   RESTIC_FORGET_KEEP_HOURLY: "{{ restic_policy_keep_hourly }}"
   RESTIC_FORGET_KEEP_DAILY: "{{ restic_policy_keep_daily }}"

roles/restic/defaults/main/main.yml

@@ -13,3 +13,4 @@ restic_job_directory: "/etc/restic"
 
 restic_package_name: restic
 restic_script_generate_snapshot_metrics: "/opt/restic-generate-snapshot-metrics.sh"
+restic_start_job_on_unit_change: true

roles/restic/defaults/main/systemd.yml

@@ -1,7 +1,16 @@
 ---
-restic_systemd_job_name: ~
+restic_systemd_job_description: "Restic backup service"
-restic_systemd_job_description: "Restic backup job for {{ restic_job_name }}"
+restic_systemd_unit_naming_scheme: "restic-{{ restic_job_name }}"
+restic_systemd_timer_naming_scheme: >-2
+  {{ restic_systemd_unit_naming_scheme }}.timer
+restic_systemd_timer_state_map:
+  present: "started"
+  absent: "stopped"
+  masked: "started"
+restic_systemd_timer_state: >-2
+  {{ restic_systemd_timer_state_map[restic_job_state] }}
 
+restic_systemd_syslog_identifier: "restic@%i"
 restic_systemd_working_directory: /tmp
 restic_systemd_install_wanted_by: "basic.target"
 restic_systemd_install_default_instance: "default"

roles/restic/files/restic-snapshot-metrics.sh

@@ -6,7 +6,7 @@ echo $RESTIC_JSON | jq -r '.[]
     | {
         "hostname": .hostname,
         "username": .username,
-	"short_id": .short_id,
+        "short_id": .short_id,
         "time": ((((.time | split(".")[0]) + "Z") | fromdate) - (3600 * (.time | split("+")[1] | split(":")[0] | tonumber + 1))),
         "paths": .paths[]
     } | "restic_snapshots{hostname=\"\(.hostname)\",username=\"\(.username)\",short_id=\"\(.short_id)\",paths=\"\(.paths)\"} \(.time)"'

roles/restic/handlers/main.yml

@@ -1,13 +1,12 @@
 ---
-
 - name: Ensure system daemon is reloaded
   listen: reload-systemd
-  systemd:
+  ansible.builtin.systemd:
     daemon_reload: true
 
 - name: Ensure systemd service for '{{ restic_job_name }}' is started immediately
   listen: trigger-restic
-  systemd:
+  ansible.builtin.systemd:
-    name: "{{ restic_systemd_unit_naming_scheme }}.service"
+    name: "{{ restic_systemd_timer_naming_scheme }}"
     state: started
-  when: restic_start_job_on_unit_change
+  when: (not ansible_check_mode) and restic_start_job_on_unit_change

roles/restic/tasks/configure.yml

@@ -1,12 +1,13 @@
 ---
 - name: Ensure systemd timer file for '{{ restic_job_name }}' is {{ restic_state }}'
-  template:
+  ansible.builtin.template:
     dest: "/etc/systemd/system/{{ restic_systemd_unit_naming_scheme }}.timer"
     src: restic.timer.j2
     owner: root
     group: root
     mode: "0640"
   when: restic_state == 'present'
+  register: restic_systemd_timer_info
   notify:
     - reload-systemd
 
@@ -27,5 +28,3 @@
 
 - name: Flush handlers to ensure systemd knows about '{{ restic_job_name }}'
   meta: flush_handlers
-
-

roles/restic/tasks/main.yml

@@ -21,10 +21,19 @@
 
 - name: Ensure systemd timer for '{{ restic_job_name }}' is activated
   ansible.builtin.systemd:
-    name: "{{ restic_systemd_unit_naming_scheme }}.timer"
+    name: "{{ restic_systemd_timer_naming_scheme }}"
     enabled: true
+  when:
+    - restic_systemd_timer_info.changed
+    - not restic_systemd_timer_info.failed
+    - not ansible_check_mode
 
 - name: Ensure systemd timer for '{{ restic_job_name }}' is {{ restic_job_state }}
   ansible.builtin.systemd:
-    name: "{{ restic_systemd_unit_naming_scheme }}.timer"
+    name: "{{ restic_systemd_timer_naming_scheme }}"
-    state: started # TODO: mask a timer?
+    state: "{{ restic_job_state }}"
+    masked: "{{ (restic_job_state == 'masked') | ternary('true', omit) }}"
+  when:
+    - restic_systemd_timer_info.changed
+    - not restic_systemd_timer_info.failed
+    - not ansible_check_mode