chore(lego): bash improvements in lego_run.sh

2024-09-12 08:22:30 +02:00
19 changed files with 71 additions and 295 deletions
--- a/README.md
+++ b/README.md
@ -5,21 +5,15 @@
 This ansible collection provides various roles for installing
 and configuring basic system utilities like gnupg, ssh etc
- DEPRECATED: [`elasticsearch`](roles/elasticsearch/README.md): Deploy [elasticsearch](https://www.docker.elastic.co/r/elasticsearch/elasticsearch-oss),
+- [`elasticsearch`](roles/elasticsearch/README.md): Deploy [elasticsearch](https://www.docker.elastic.co/r/elasticsearch/elasticsearch-oss),
  a popular (distributed) search and analytics engine, mostly known by it's
  letter "E" in the ELK-stack.
  This role has been moved to the `finallycoffee.databases.elasticsearch` ansible collection.
 - [`git`](roles/git/README.md): configures git on the target system
 - [`gnupg`](roles/gnupg/README.md): configures gnupg on the target system
- [`lego`](roles/lego/README.md): runs [lego (LetsEncrypt Go)](https://github.com/go-acme/lego),
+- [`mariadb`](roles/mariadb/README.md): runs [MariaDB Server](https://mariadb.org/), one of the world's most popular open source relational database
  a ACME client written in go, using systemd (timers). Multi-instance capable.
 - DEPRECATED: [`mariadb`](roles/mariadb/README.md): runs [MariaDB Server](https://mariadb.org/),
  one of the world's most popular open source relational database.
  Moved to `finallycoffee.databases.mariadb`.
 - [`minio`](roles/minio/README.md): Deploy [min.io](https://min.io), an
  s3-compatible object storage server, using docker containers.
@ -30,9 +24,6 @@ and configuring basic system utilities like gnupg, ssh etc
 - [`restic`](roles/restic/README.md): Manage backups using restic
  and persist them to a configurable backend.
 - [`powerdns_tsig_key`](roles/powerdns_tsig_key/README.md): Simple ansible role
  for generating TSIG keys in PowerDNS.
 ## License
 [CNPLv7+](LICENSE.md): Cooperative Nonviolent Public License
--- a/galaxy.yml
+++ b/galaxy.yml
@ -1,20 +1,12 @@
 namespace: finallycoffee
 name: base
-version: 0.1.3
+version: 0.0.2
 readme: README.md
 authors:
 - transcaffeine <transcaffeine@finally.coffee>
 description: Roles for base services which are common dependencies other services like databases
 dependencies:
  "community.docker": "^3.0.0"
 license_file: LICENSE.md
 build_ignore:
 - '*.tar.gz'
 repository: https://git.finally.coffee/finallycoffee/base
-issues: https://codeberg.org/finallycoffee/ansible-collection-base/issues
+issues: https://git.finally.coffee/finallycoffee/base/issues
 tags:
  - docker
  - lego
  - minio
  - nginx
  - restic
--- a/meta/runtime.yml
+++ b/meta/runtime.yml
@ -1,3 +1,3 @@
 ---
-requires_ansible: ">=2.15"
+requires_ansible: ">=2.12"
--- a/roles/dns/README.md
+++ b/roles/dns/README.md
@ -1,33 +0,0 @@
 # `finallycoffee.base.dns` ansible role
 Simple role for wrapping around the
 [`famedly.dns.update`](https://github.com/famedly/ansible-collection-dns/blob/main/plugins/modules/update.py)
 ansible module.
 ## Usage
 ### Example playbook
 ```yaml
 - target: "{{ target_hosts }}"
  roles:
    - role: finallycoffee.base.dns
      vars:
        dns_server: "dns.example.org"
        dns_zone: "zone.example.org"
        dns_records: "{{ dns_records }}"
        dns_record_state: exact
        dns_tsig_name: "mykeyname"
        dns_tsig_algo: "hmac-sha256"
        dns_tsig_key: "mykeycontent"
  vars:
    dns_records:
      - type: A
        name: gitea
        content: "127.0.0.1"
      - type: AAAA
        name: gitea
        content: "fe80::1"
      - type: CNAME
        name: "_acme_challenge.gitea"
        content: "delegated-cname.challenge.example.org"
 ```
--- a/roles/elasticsearch/tasks/main.yml
+++ b/roles/elasticsearch/tasks/main.yml
@ -1,9 +1,4 @@
 ---
 - name: Warn about deprecation and move of role
  ansible.builtin.debug:
    msg: >-2
      This ansible role has been moved to the finallycoffee.databases
      ansible collection and will no longer be maintained here!
 - name: Ensure host directories are present
  file:
--- a/roles/lego/defaults/main.yml
+++ b/roles/lego/defaults/main.yml
@ -1,6 +1,6 @@
 ---
 lego_user: "lego"
-lego_version: "4.20.2"
+lego_version: "4.17.4"
 lego_instance: default
 lego_base_path: "/opt/lego"
 lego_cert_user: "acme-{{ lego_instance }}"
@ -58,7 +58,7 @@ lego_systemd_timer_name: "lego-{{ lego_instance }}.timer"
 lego_systemd_timer_template: lego.timer.j2
 lego_systemd_timer_calendar: "*-*-* *:00/15:00"
-lego_architecture: "{{ 'arm64' if ansible_architecture == 'aarch64' else 'amd64' }}"
+lego_architecture: "amd64"
 lego_os: "linux"
 lego_binary_allow_net_bind_service: false
--- a/roles/lego/files/lego_run.sh
+++ b/roles/lego/files/lego_run.sh
@ -1,8 +1,14 @@
 #!/usr/bin/env bash
 set -euo pipefail
 LEGO_BINARY=$(/usr/bin/env which lego)
 if [[ -n "$LEGO_HTTP_FALLBACK_PORT" ]]; then
  if ! nc_binary="$(type -p \"nc\")" || [[ -z $nc_binary ]]; then
    echo "nc not found (in PATH), exiting"
    exit 1
  fi
  nc -z 127.0.0.1 $LEGO_HTTP_PORT;
  if [[ $? -eq 0 ]]; then
      LEGO_HTTP_PORT=$LEGO_HTTP_FALLBACK_PORT
@ -11,12 +17,12 @@ fi
 LEGO_COMMAND_ARGS_EXPANDED=$(bash -c "echo $LEGO_COMMAND_ARGS") # This is a bit icky
-FILES_IN_DIR=$(find "$LEGO_CERT_STORE_PATH/certificates" | wc -l)
+FILES_IN_DIR=$(find "$LEGO_CERT_STORE_PATH/certificates" -type f | wc -l)
 if [[ $FILES_IN_DIR -gt 2 ]]; then
        $LEGO_BINARY $LEGO_COMMAND_ARGS_EXPANDED renew --days=$LEGO_CERT_DAYS_TO_RENEW
 else
        $LEGO_BINARY $LEGO_COMMAND_ARGS_EXPANDED run
 fi
-ls "$LEGO_CERT_STORE_PATH/certificates" | xargs -I{} -n 1 chmod "$LEGO_CERT_MODE" "$LEGO_CERT_STORE_PATH/certificates/{}"
+find "$LEGO_CERT_STORE_PATH/certificates/" -type f | xargs -I{} -n 1 chmod "$LEGO_CERT_MODE" "{}"
-ls "$LEGO_CERT_STORE_PATH/certificates" | xargs -I{} -n 1 chown "$LEGO_CERT_USER":"$LEGO_CERT_GROUP" "$LEGO_CERT_STORE_PATH/certificates/{}"
+find "$LEGO_CERT_STORE_PATH/certificates/" -type f | xargs -I{} -n 1 chown "${LEGO_CERT_USER}:${LEGO_CERT_GROUP}" "{}"
--- a/roles/mariadb/defaults/main.yml
+++ b/roles/mariadb/defaults/main.yml
@ -1,9 +1,8 @@
 ---
-mariadb_version: "10.11.9"
+
 mariadb_version: "10.11.6"
 mariadb_base_path: /var/lib/mariadb
-mariadb_data_path: >-2
+mariadb_data_path: "{{ mariadb_base_path }}/{{ mariadb_version }}"
  {{ mariadb_base_path }}/{{ mariadb_version | split('.') | first }}
 mariadb_state: present
 mariadb_root_password: ~
 mariadb_database: ~
@ -14,24 +13,10 @@ mariadb_container_base_environment:
  MARIADB_ROOT_PASSWORD: "{{ mariadb_root_password }}"
 mariadb_container_extra_environment: {}
 mariadb_container_image_registry: docker.io
 mariadb_container_image_namespace: ~
 mariadb_container_image_name: mariadb
 mariadb_container_image_tag: ~
 mariadb_container_image: >-2
  {{
    ([
      mariadb_container_image_registry | default([], true),
      mariadb_container_image_namespace | default([], true),
      mariadb_container_image_name,
    ] | flatten | join('/'))
    + ':' + mariadb_container_image_tag | default(mariadb_version, true)
  }}
 mariadb_container_image_source: pull
 mariadb_container_image_force_source: >-2
  {{ mariadb_container_image_tag | default(false, true) | bool }}
 mariadb_container_name: mariadb
 mariadb_container_image_name: docker.io/mariadb
 mariadb_container_image_tag: ~
 mariadb_container_image: "{{ mariadb_container_image_name }}:{{ mariadb_container_image_tag | default(mariadb_version, true) }}"
 mariadb_container_base_volumes:
  - "{{ mariadb_data_path }}:{{ mariadb_container_data_path }}:z"
 mariadb_container_extra_volumes: []
@ -45,5 +30,3 @@ mariadb_container_environment: >-2
      if (mariadb_database and mariadb_username and mariadb_password)
      else {}, recursive=True)
  | combine(mariadb_container_extra_environment) }}
 mariadb_container_state: >-2
  {{ (mariadb_state == 'present') | ternary('started', 'absent') }}
--- a/roles/mariadb/tasks/main.yml
+++ b/roles/mariadb/tasks/main.yml
@ -1,27 +1,20 @@
 ---
- name: Warn about deprecation
+- name: Ensure mariaDB container image is present on host
  ansible.builtin.debug:
    msg: >-2
      This ansible role is moved to the finallycoffee.databases collection
      and will be removed soon!
 - name: Ensure mariadb container image '{{ mariadb_container_image }}' is {{ mariadb_state }}
  community.docker.docker_image:
    name: "{{ mariadb_container_image }}"
-    state: "{{ mariadb_state }}"
+    state: present
-    source: "{{ mariadb_container_image_source }}"
+    source: pull
    force_source: "{{ mariadb_container_image_force_source }}"
- name: Ensure mariadb container '{{ mariadb_container_name }}' is {{ mariadb_container_state }}
+- name: Ensure mariaDB {{ mariadb_version }} is running as '{{ mariadb_container_name }}'
  community.docker.docker_container:
    name: "{{ mariadb_container_name }}"
    image: "{{ mariadb_container_image }}"
    env: "{{ mariadb_container_environment }}"
-    ports: "{{ mariadb_container_ports | default(omit, true) }}"
+    ports: "{{ mariadb_container_ports }}"
-    labels: "{{ mariadb_container_labels | default(omit, true) }}"
+    labels: "{{ mariadb_container_labels }}"
    volumes: "{{ mariadb_container_volumes }}"
    networks: "{{ mariadb_container_networks | default(omit, true) }}"
    etc_hosts: "{{ mariadb_container_etc_hosts | default(omit, true) }}"
    purge_networks: "{{ mariadb_container_purge_networks | default(omit, true) }}"
    restart_policy: "{{ mariadb_container_restart_policy }}"
-    state: "{{ mariadb_container_state }}"
+    state: started
--- a/roles/nginx/README.md
+++ b/roles/nginx/README.md
@ -26,8 +26,3 @@ For exposing this server to the host and/or internet, the `nginx_container_ports
 from host to container), `nginx_container_networks` (docker networking) or `nginx_container_labels`
 (for label-based routing discovery like traefik) can be used. The options correspond to the arguments
 of the `community.docker.docker_container` module.
 ## Deployment methods
 Set `nginx_deployment_method` to either `docker` or `podman` to use the respective ansible modules for
 creating and managing the container and its image. See all supported methods in `nginx_deployment_methods`.
--- a/roles/nginx/defaults/main.yml
+++ b/roles/nginx/defaults/main.yml
@ -1,10 +1,9 @@
 ---
-nginx_version: "1.27.2"
+
 nginx_version: "1.25.3"
 nginx_flavour: alpine
 nginx_base_path: /opt/nginx
 nginx_config_file: "{{ nginx_base_path }}/nginx.conf"
 nginx_state: present
 nginx_deployment_method: docker
 nginx_container_name: nginx
 nginx_container_image_reference: >-
@ -27,9 +26,6 @@ nginx_container_image_repository: >-
 nginx_container_image_registry: "docker.io"
 nginx_container_image_name: "nginx"
 nginx_container_image_tag: ~
 nginx_container_image_source: pull
 nginx_container_state: >-2
  {{ (nginx_state == 'present') | ternary('started', 'absent') }}
 nginx_container_restart_policy: "unless-stopped"
 nginx_container_volumes:
--- a/roles/nginx/meta/main.yml
+++ b/roles/nginx/meta/main.yml
@ -1,12 +0,0 @@
 ---
 allow_duplicates: true
 dependencies: []
 galaxy_info:
  role_name: nginx
  description: Deploy nginx, a webserver
  galaxy_tags:
    - nginx
    - http
    - webserver
    - docker
    - podman
--- a/roles/nginx/tasks/deploy-docker.yml
+++ b/roles/nginx/tasks/deploy-docker.yml
@ -1,28 +0,0 @@
 ---
 - name: Ensure docker container image '{{ nginx_container_image_reference }}' is {{ nginx_state }}
  community.docker.docker_image:
    name: "{{ nginx_container_image_reference }}"
    state: "{{ nginx_state }}"
    source: "{{ nginx_container_image_source }}"
    force_source: >-2
      {{ nginx_container_image_force_source
        | default(nginx_container_image_tag | default(false, true)) }}
  register: nginx_container_image_info
  until: nginx_container_image_info is success
  retries: 5
  delay: 3
 - name: Ensure docker container '{{ nginx_container_name }}' is {{ nginx_container_state }}
  community.docker.docker_container:
    name: "{{ nginx_container_name }}"
    image: "{{ nginx_container_image_reference }}"
    env: "{{ nginx_container_env | default(omit, true) }}"
    user: "{{ nginx_container_user | default(omit, true) }}"
    ports: "{{ nginx_container_ports | default(omit, true) }}"
    labels: "{{ nginx_container_labels | default(omit, true) }}"
    volumes: "{{ nginx_container_volumes | default(omit, true) }}"
    etc_hosts: "{{ nginx_container_etc_hosts | default(omit, true) }}"
    networks: "{{ nginx_container_networks | default(omit, true) }}"
    purge_networks: "{{ nginx_container_purge_networks | default(omit, true) }}"
    restart_policy: "{{ nginx_container_restart_policy }}"
    state: "{{ nginx_container_state }}"
--- a/roles/nginx/tasks/deploy-podman.yml
+++ b/roles/nginx/tasks/deploy-podman.yml
@ -1,27 +0,0 @@
 ---
 - name: Ensure container image '{{ nginx_container_image_reference }}' is {{ nginx_state }}
  containers.podman.podman_image:
    name: "{{ nginx_container_image_reference }}"
    state: "{{ nginx_state }}"
    pull: "{{ nginx_container_image_source == 'pull' }}"
    force: >-2
      {{ nginx_container_image_force_source
        | default(nginx_container_image_tag | default(false, true)) }}
  register: nginx_container_image_info
  until: nginx_container_image_info is success
  retries: 5
  delay: 3
 - name: Ensure container '{{ nginx_container_name }}' is {{ nginx_container_state }}
  containers.podman.podman_container:
    name: "{{ nginx_container_name }}"
    image: "{{ nginx_container_image_reference }}"
    env: "{{ nginx_container_env | default(omit, true) }}"
    user: "{{ nginx_container_user | default(omit, true) }}"
    ports: "{{ nginx_container_ports | default(omit, true) }}"
    labels: "{{ nginx_container_labels | default(omit, true) }}"
    volumes: "{{ nginx_container_volumes | default(omit, true) }}"
    etc_hosts: "{{ nginx_container_etc_hosts | default(omit, true) }}"
    network: "{{ nginx_container_networks | default(omit, true) }}"
    restart_policy: "{{ nginx_container_restart_policy }}"
    state: "{{ nginx_container_state }}"
--- a/roles/nginx/tasks/main.yml
+++ b/roles/nginx/tasks/main.yml
@ -1,30 +1,10 @@
 ---
 - name: Check if state is supported
  ansible.builtin.fail:
    msg: >-2
      Unsupported state '{{ nginx_state }}'. Supported
      states are {{ nginx_states | join(', ') }}.
  when: nginx_state not in nginx_states
- name: Check if deployment_method is supported
+- name: Ensure base path '{{ nginx_base_path }}' exists
  ansible.builtin.fail:
    msg: >-2
      Unsupported state '{{ nginx_deployment_method }}'. Supported
      states are {{ nginx_deployment_methods | join(', ') }}.
  when: nginx_deployment_method not in nginx_deployment_methods
 - name: Ensure nginx config file is {{ nginx_state }}
  ansible.builtin.file:
    path: "{{ nginx_config_file }}"
    state: "{{ nginx_state }}"
  when: nginx_state == 'absent'
 - name: Ensure base path '{{ nginx_base_path }}' is {{ nginx_state }}
  ansible.builtin.file:
    path: "{{ nginx_base_path }}"
-    mode: "0755"
+    state: directory
-    state: >-2
+    mode: 0755
      {{ (nginx_state == 'present') | ternary('directory', 'absent') }}
 - name: Ensure nginx config file is templated
  ansible.builtin.copy:
@ -33,8 +13,25 @@
    mode: 0640
  notify:
    - restart-nginx
  when: nginx_state == 'present'
- name: Deploy using {{ nginx_deployment_method }}
+- name: Ensure docker container image is present
-  ansible.builtin.include_tasks:
+  community.docker.docker_image:
-    file: "deploy-{{ nginx_deployment_method }}.yml"
+    name: "{{ nginx_container_image_reference }}"
    state: present
    source: pull
    force_source: "{{ nginx_container_image_tag is defined and nginx_container_image_tag | string != '' }}"
 - name: Ensure docker container '{{ nginx_container_name }}' is running
  community.docker.docker_container:
    name: "{{ nginx_container_name }}"
    image: "{{ nginx_container_image_reference }}"
    env: "{{ nginx_container_env | default(omit, true) }}"
    user: "{{ nginx_container_user | default(omit, true) }}"
    ports: "{{ nginx_container_ports | default(omit, true) }}"
    labels: "{{ nginx_container_labels | default(omit, true) }}"
    volumes: "{{ nginx_container_volumes | default(omit, true) }}"
    etc_hosts: "{{ nginx_container_etc_hosts | default(omit, true) }}"
    networks: "{{ nginx_container_networks | default(omit, true) }}"
    purge_networks: "{{ nginx_container_purge_networks | default(omit, true) }}"
    restart_policy: "{{ nginx_container_restart_policy }}"
    state: started
--- a/roles/nginx/vars/main.yml
+++ b/roles/nginx/vars/main.yml
@ -1,7 +0,0 @@
 ---
 nginx_states:
  - present
  - absent
 nginx_deployment_methods:
  - docker
  - podman
--- a/roles/powerdns_tsig_key/README.md
+++ b/roles/powerdns_tsig_key/README.md
@ -1,25 +0,0 @@
 # `finallycoffee.base.powerdns_tsig_key`
 Simple ansible role for ensuring a TSIG key is present in a given PowerDNS-
 instance.
 ## Usage
 The usage example below assumes `powerdns` is running in a container named `powerdns` (as supplied to `powerdns_tsig_key_container_name`.
 ```yaml
 - hosts: "{{ target_hosts }}"
  become: true
  roles:
    - role: finallycoffee.base.powerdns_tsig_key
      vars:
        powerdns_tsig_key_name: "nameofmykey"
        powerdns_tsig_key_path: "/var/lib/myapp/tsig.key"
        powernds_tsig_key_algo: "hmac-sha512"
        powerdns_tsig_key_path_owner: "myappuser"
        powerdns_tsig_key_path_group: "myappgroup"
        powerdns_tsig_key_container_name: 'powerdns'
 ```
 > [!NOTE]
 > Support for non-docker deployments is pending.
--- a/roles/restic/defaults/main.yml
+++ b/roles/restic/defaults/main.yml
@ -10,41 +10,18 @@ restic_backup_stdin_command: ~
 restic_backup_stdin_command_filename: ~
 restic_policy_keep_all_within: 1d
-restic_policy_keep_hourly: 12
+restic_policy_keep_hourly: 6
-restic_policy_keep_daily: 7
+restic_policy_keep_daily: 2
-restic_policy_keep_weekly: 6
+restic_policy_keep_weekly: 7
-restic_policy_keep_monthly: 6
+restic_policy_keep_monthly: 4
 restic_policy_keep_yearly: 5
 restic_policy_backup_frequency: hourly
 restic_base_environment:
  RESTIC_JOBNAME: "{{ restic_job_name | default('unknown') }}"
  RESTIC_FORGET_KEEP_WITHIN: "{{ restic_policy_keep_all_within }}"
  RESTIC_FORGET_KEEP_HOURLY: "{{ restic_policy_keep_hourly }}"
  RESTIC_FORGET_KEEP_DAILY: "{{ restic_policy_keep_daily }}"
  RESTIC_FORGET_KEEP_WEEKLY: "{{ restic_policy_keep_weekly }}"
  RESTIC_FORGET_KEEP_MONTHLY: "{{ restic_policy_keep_monthly }}"
  RESTIC_FORGET_KEEP_YEARLY: "{{ restic_policy_keep_yearly }}"
 restic_s3_environment:
  AWS_ACCESS_KEY_ID: "{{ restic_s3_key_id }}"
  AWS_SECRET_ACCESS_KEY: "{{ restic_s3_access_key }}"
 restic_complete_environment: >-
  {{
    restic_base_environment
    | combine((restic_s3_environment
      if (restic_s3_key_id and restic_s3_access_key) else {}) | default({}))
    | combine(restic_environment | default({}))
  }}
 restic_policy:
  keep_within: "{{ restic_policy_keep_all_within }}"
  hourly: "{{ restic_policy_keep_hourly }}"
  daily: "{{ restic_policy_keep_daily }}"
  weekly: "{{ restic_policy_keep_weekly }}"
  monthly: "{{ restic_policy_keep_monthly }}"
  yearly: "{{ restic_policy_keep_yearly }}"
  frequency: "{{ restic_policy_backup_frequency }}"
 restic_user: root
--- a/roles/restic/templates/restic.service.j2
+++ b/roles/restic/templates/restic.service.j2
@ -9,43 +9,26 @@ SyslogIdentifier={{ restic_systemd_syslog_identifier }}
 Environment=RESTIC_REPOSITORY={{ restic_repo_url }}
 Environment=RESTIC_PASSWORD={{ restic_repo_password }}
-{% for kv in restic_complete_environment | dict2items %}
+{% if restic_s3_key_id and restic_s3_access_key %}
-Environment={{ kv.key }}={{ kv.value }}
+Environment=AWS_ACCESS_KEY_ID={{ restic_s3_key_id }}
-{% endfor %}
+Environment=AWS_SECRET_ACCESS_KEY={{ restic_s3_access_key }}
 {% if restic_init | default(true) %}
 ExecStartPre=-/bin/sh -c '/usr/bin/restic snapshots || /usr/bin/restic init'
 {% endif %}
 {% if restic_unlock_before_backup | default(false) %}
-ExecStartPre=-/bin/sh -c 'sleep 3 && /usr/bin/restic unlock'
+ExecStartPre=-/bin/sh -c '/usr/bin/restic unlock'
 {% endif %}
 ExecStartPre=-/bin/sh -c '/usr/bin/restic snapshots || /usr/bin/restic init'
 {% if restic_backup_pre_hook | default(false) %}
-ExecStartPre=-{{ restic_backup_pre_hook }}
+ExecStart=-{{ restic_backup_pre_hook }}
 {% endif %}
 {% if restic_backup_stdin_command %}
-ExecStart=/bin/sh -c '{{ restic_backup_stdin_command }} | /usr/bin/restic backup \
+ExecStart=/bin/sh -c '{{ restic_backup_stdin_command }} | /usr/bin/restic backup --verbose --stdin --stdin-filename {{ restic_backup_stdin_command_filename }}'
 	--retry-lock {{ restic_retry_lock | default('5m') }} \
 	--verbose --stdin \
 	--stdin-filename {{ restic_backup_stdin_command_filename }}'
 {% else %}
-ExecStart=/opt/restic-backup-directories.sh {{ restic_backup_paths | join(' ') }}
+ExecStart=/usr/bin/restic --verbose backup {{ restic_backup_paths | join(' ') }}
 {% endif %}
 {% if restic_forget_prune | default(true) %}
 ExecStartPost=/usr/bin/restic forget --prune \
 	--retry-lock {{ restic_retry_lock | default('5m') }} \
 	--keep-within={{ restic_policy.keep_within }} \
 	--keep-hourly={{ restic_policy.hourly }} \
 	--keep-daily={{ restic_policy.daily }} \
 	--keep-weekly={{ restic_policy.weekly }} \
 	--keep-monthly={{ restic_policy.monthly }} \
 	--keep-yearly={{ restic_policy.yearly }}
 {% endif %}
 {% if restic_list_snapshots | default(true) %}
 ExecStartPost=-/usr/bin/restic snapshots --retry-lock {{ restic_retry_lock | default('5m') }}
 {% endif %}
 ExecStartPost=/usr/bin/restic forget --prune --keep-within={{ restic_policy.keep_within }} --keep-hourly={{ restic_policy.hourly }} --keep-daily={{ restic_policy.daily }} --keep-weekly={{ restic_policy.weekly }} --keep-monthly={{ restic_policy.monthly }}
 ExecStartPost=-/usr/bin/restic snapshots
 {% if restic_backup_post_hook | default(false) %}
 ExecStartPost=-{{ restic_backup_post_hook }}
 {% endif %}
-{% if restic_check | default(true) %}
+ExecStartPost=/usr/bin/restic check
 ExecStartPost=/usr/bin/restic check --retry-lock {{ restic_retry_lock | default('5m') }}
 {% endif %}
`@ -1,3 +1,3 @@`
	`---`	`---`

	`requires_ansible: ">=2.15"`	`requires_ansible: ">=2.12"`