chore(lego): bash improvements in lego_run.sh

README.md

@@ -5,12 +5,15 @@
 This ansible collection provides various roles for installing
 and configuring basic system utilities like gnupg, ssh etc
 
+- [`elasticsearch`](roles/elasticsearch/README.md): Deploy [elasticsearch](https://www.docker.elastic.co/r/elasticsearch/elasticsearch-oss),
+  a popular (distributed) search and analytics engine, mostly known by it's
+  letter "E" in the ELK-stack.
+
 - [`git`](roles/git/README.md): configures git on the target system
 
 - [`gnupg`](roles/gnupg/README.md): configures gnupg on the target system
 
-- [`lego`](roles/lego/README.md): runs [lego (LetsEncrypt Go)](https://github.com/go-acme/lego),
-  a ACME client written in go, using systemd (timers). Multi-instance capable.
+- [`mariadb`](roles/mariadb/README.md): runs [MariaDB Server](https://mariadb.org/), one of the world's most popular open source relational database
 
 - [`minio`](roles/minio/README.md): Deploy [min.io](https://min.io), an
   s3-compatible object storage server, using docker containers.
@@ -21,9 +24,6 @@ and configuring basic system utilities like gnupg, ssh etc
 - [`restic`](roles/restic/README.md): Manage backups using restic
   and persist them to a configurable backend.
 
-- [`powerdns_tsig_key`](roles/powerdns_tsig_key/README.md): Simple ansible role
-  for generating TSIG keys in PowerDNS.
-
 ## License
 
 [CNPLv7+](LICENSE.md): Cooperative Nonviolent Public License

galaxy.yml

@@ -1,20 +1,12 @@
 namespace: finallycoffee
 name: base
-version: 0.2.0
+version: 0.0.2
 readme: README.md
 authors:
 - transcaffeine <transcaffeine@finally.coffee>
 description: Roles for base services which are common dependencies other services like databases
-dependencies:
-  "community.docker": "^3.0.0"
 license_file: LICENSE.md
 build_ignore:
 - '*.tar.gz'
 repository: https://git.finally.coffee/finallycoffee/base
-issues: https://codeberg.org/finallycoffee/ansible-collection-base/issues
-tags:
-  - docker
-  - lego
-  - minio
-  - nginx
-  - restic
+issues: https://git.finally.coffee/finallycoffee/base/issues

meta/runtime.yml

@@ -1,3 +1,3 @@
 ---
 
-requires_ansible: ">=2.15"
+requires_ansible: ">=2.12"

roles/dns/README.md

@@ -1,33 +0,0 @@
-# `finallycoffee.base.dns` ansible role
-
-Simple role for wrapping around the
-[`famedly.dns.update`](https://github.com/famedly/ansible-collection-dns/blob/main/plugins/modules/update.py)
-ansible module.
-
-## Usage
-
-### Example playbook
-```yaml
-- target: "{{ target_hosts }}"
-  roles:
-    - role: finallycoffee.base.dns
-      vars:
-        dns_server: "dns.example.org"
-        dns_zone: "zone.example.org"
-        dns_records: "{{ dns_records }}"
-        dns_record_state: exact
-        dns_tsig_name: "mykeyname"
-        dns_tsig_algo: "hmac-sha256"
-        dns_tsig_key: "mykeycontent"
-  vars:
-    dns_records:
-      - type: A
-        name: gitea
-        content: "127.0.0.1"
-      - type: AAAA
-        name: gitea
-        content: "fe80::1"
-      - type: CNAME
-        name: "_acme_challenge.gitea"
-        content: "delegated-cname.challenge.example.org"
-```

roles/elasticsearch/README.md

@@ -0,0 +1,22 @@
+# `finallycoffee.base.elastiscsearch`
+
+A simple ansible role which deploys a single-node elastic container to provide
+an easy way to do some indexing.
+
+## Usage
+
+Per default, `/opt/elasticsearch/data` is used to persist data, it is
+customizable by using either `elasticsearch_base_path` or `elasticsearch_data_path`.
+
+As elasticsearch be can be quite memory heavy, the maximum amount of allowed RAM
+can be configured using `elasticsearch_allocated_ram_mb`, defaulting to 512 (mb).
+
+The cluster name and discovery type can be overridden using
+`elasticsearch_config_cluster_name` (default: elastic) and
+`elasticsearch_config_discovery_type` (default: single-node), should one
+need a multi-node elasticsearch deployment.
+
+Per default, no ports or networks are mapped, and explizit mapping using
+either ports (`elasticsearch_container_ports`) or networks
+(`elasticsearch_container_networks`) is required in order for other services
+to use elastic.

roles/elasticsearch/defaults/main.yml

@@ -0,0 +1,35 @@
+---
+
+elasticsearch_version: 7.17.7
+
+elasticsearch_base_path: /opt/elasticsearch
+elasticsearch_data_path: "{{ elasticsearch_base_path }}/data"
+
+elasticsearch_config_cluster_name: elastic
+elasticsearch_config_discovery_type: single-node
+elasticsearch_config_boostrap_memory_lock: true
+elasticsearch_allocated_ram_mb: 512
+
+elasticsearch_container_image_name: docker.elastic.co/elasticsearch/elasticsearch-oss
+elasticsearch_container_image_tag: ~
+elasticsearch_container_image: >-
+  {{ elasticsearch_container_image_name }}:{{ elasticsearch_container_image_tag | default(elasticsearch_version, true) }}
+
+elasticsearch_container_name: elasticsearch
+elasticsearch_container_env:
+  "ES_JAVA_OPTS": "-Xms{{ elasticsearch_allocated_ram_mb }}m -Xmx{{ elasticsearch_allocated_ram_mb }}m"
+  "cluster.name": "{{ elasticsearch_config_cluster_name }}"
+  "discovery.type": "{{ elasticsearch_config_discovery_type }}"
+  "bootstrap.memory_lock": "{{ 'true' if elasticsearch_config_boostrap_memory_lock else 'false' }}"
+elasticsearch_container_user: ~
+elasticsearch_container_ports: ~
+elasticsearch_container_labels:
+  version: "{{ elasticsearch_version }}"
+elasticsearch_container_ulimits:
+#  - "memlock:{{ (1.5 * 1024 * elasticsearch_allocated_ram_mb) | int }}:{{ (1.5 * 1024 * elasticsearch_allocated_ram_mb) | int }}"
+  - "memlock:-1:-1"
+elasticsearch_container_volumes:
+  - "{{ elasticsearch_data_path }}:/usr/share/elasticsearch/data:z"
+elasticsearch_container_networks: ~
+elasticsearch_container_purge_networks: ~
+elasticsearch_container_restart_policy: unless-stopped

roles/elasticsearch/tasks/main.yml

@@ -0,0 +1,32 @@
+---
+
+- name: Ensure host directories are present
+  file:
+    path: "{{ item }}"
+    state: directory
+    mode: "0777"
+  loop:
+    - "{{ elasticsearch_base_path }}"
+    - "{{ elasticsearch_data_path }}"
+
+- name: Ensure elastic container image is present
+  docker_image:
+    name: "{{ elasticsearch_container_image }}"
+    state: present
+    source: pull
+    force_source: "{{ elasticsearch_container_image_tag|default(false, true)|bool }}"
+
+- name: Ensure elastic container is running
+  docker_container:
+    name: "{{ elasticsearch_container_name }}"
+    image: "{{ elasticsearch_container_image }}"
+    env: "{{ elasticsearch_container_env | default(omit, True) }}"
+    user: "{{ elasticsearch_container_user | default(omit, True) }}"
+    ports: "{{ elasticsearch_container_ports | default(omit, True) }}"
+    labels: "{{ elasticsearch_container_labels | default(omit, True) }}"
+    volumes: "{{ elasticsearch_container_volumes }}"
+    ulimits: "{{ elasticsearch_container_ulimits }}"
+    networks: "{{ elasticsearch_container_networks | default(omit, True) }}"
+    purge_networks: "{{ elasticsearch_container_purge_networks | default(omit, True) }}"
+    restart_policy: "{{ elasticsearch_container_restart_policy }}"
+    state: started

roles/lego/defaults/main.yml

@@ -1,6 +1,6 @@
 ---
 lego_user: "lego"
-lego_version: "4.22.2"
+lego_version: "4.17.4"
 lego_instance: default
 lego_base_path: "/opt/lego"
 lego_cert_user: "acme-{{ lego_instance }}"
@@ -58,7 +58,7 @@ lego_systemd_timer_name: "lego-{{ lego_instance }}.timer"
 lego_systemd_timer_template: lego.timer.j2
 lego_systemd_timer_calendar: "*-*-* *:00/15:00"
 
-lego_architecture: "{{ 'arm64' if ansible_architecture == 'aarch64' else 'amd64' }}"
+lego_architecture: "amd64"
 lego_os: "linux"
 lego_binary_allow_net_bind_service: false
 

roles/lego/files/lego_run.sh

@@ -1,4 +1,5 @@
 #!/usr/bin/env bash
+
 set -euo pipefail
 
 LEGO_BINARY=$(/usr/bin/env which lego)
@@ -14,10 +15,6 @@ if [[ -n "$LEGO_HTTP_FALLBACK_PORT" ]]; then
   fi
 fi
 
-if [[ -n "$LEGO_PRE_RENEWAL_HOOK" ]]; then
-  $LEGO_PRE_RENEWAL_HOOK
-fi
-
 LEGO_COMMAND_ARGS_EXPANDED=$(bash -c "echo $LEGO_COMMAND_ARGS") # This is a bit icky
 
 FILES_IN_DIR=$(find "$LEGO_CERT_STORE_PATH/certificates" -type f | wc -l)
@@ -27,9 +24,5 @@ else
         $LEGO_BINARY $LEGO_COMMAND_ARGS_EXPANDED run
 fi
 
-find "$LEGO_CERT_STORE_PATH/certificates" -type f | xargs -I{} -n 1 chmod "$LEGO_CERT_MODE" "{}"
-find "$LEGO_CERT_STORE_PATH/certificates" -type f | xargs -I{} -n 1 chown "${LEGO_CERT_USER}:${LEGO_CERT_GROUP}" "{}"
-
-if [[ -n "$LEGO_POST_RENEWAL_HOOK" ]]; then
-  $LEGO_POST_RENEWAL_HOOK
-fi
+find "$LEGO_CERT_STORE_PATH/certificates/" -type f | xargs -I{} -n 1 chmod "$LEGO_CERT_MODE" "{}"
+find "$LEGO_CERT_STORE_PATH/certificates/" -type f | xargs -I{} -n 1 chown "${LEGO_CERT_USER}:${LEGO_CERT_GROUP}" "{}"

roles/mariadb/README.md

@@ -0,0 +1,19 @@
+# `finallycoffee.base.mariadb` ansible role
+
+This role deploys a MariaDB instance in a docker container.
+
+## Usage
+
+The role expects the following variables to be populated with values and/or secrets:
+
+```yaml
+mariadb_root_password: #mariadb root password
+mariadb_database: # name of the database to create
+mariadb_username: # name of a user to auto-create and assign permission on the mariadb_database
+mariadb_password: # password of the user in mariadb_username
+```
+
+## Requirements
+
+- Docker installed
+- python-docker present on target system for ansible to be able to talk with the docker API.

roles/mariadb/defaults/main.yml

@@ -0,0 +1,32 @@
+---
+
+mariadb_version: "10.11.6"
+mariadb_base_path: /var/lib/mariadb
+mariadb_data_path: "{{ mariadb_base_path }}/{{ mariadb_version }}"
+
+mariadb_root_password: ~
+mariadb_database: ~
+mariadb_username: ~
+mariadb_password: ~
+
+mariadb_container_base_environment:
+  MARIADB_ROOT_PASSWORD: "{{ mariadb_root_password }}"
+mariadb_container_extra_environment: {}
+
+mariadb_container_name: mariadb
+mariadb_container_image_name: docker.io/mariadb
+mariadb_container_image_tag: ~
+mariadb_container_image: "{{ mariadb_container_image_name }}:{{ mariadb_container_image_tag | default(mariadb_version, true) }}"
+mariadb_container_base_volumes:
+  - "{{ mariadb_data_path }}:{{ mariadb_container_data_path }}:z"
+mariadb_container_extra_volumes: []
+mariadb_container_base_labels:
+  version: "{{ mariadb_version }}"
+mariadb_container_extra_labels: {}
+mariadb_container_restart_policy: "unless-stopped"
+mariadb_container_environment: >-2
+  {{ mariadb_container_base_environment
+  | combine(mariadb_container_database_environment
+      if (mariadb_database and mariadb_username and mariadb_password)
+      else {}, recursive=True)
+  | combine(mariadb_container_extra_environment) }}

roles/mariadb/tasks/main.yml

@@ -0,0 +1,20 @@
+---
+- name: Ensure mariaDB container image is present on host
+  community.docker.docker_image:
+    name: "{{ mariadb_container_image }}"
+    state: present
+    source: pull
+
+- name: Ensure mariaDB {{ mariadb_version }} is running as '{{ mariadb_container_name }}'
+  community.docker.docker_container:
+    name: "{{ mariadb_container_name }}"
+    image: "{{ mariadb_container_image }}"
+    env: "{{ mariadb_container_environment }}"
+    ports: "{{ mariadb_container_ports }}"
+    labels: "{{ mariadb_container_labels }}"
+    volumes: "{{ mariadb_container_volumes }}"
+    networks: "{{ mariadb_container_networks | default(omit, true) }}"
+    etc_hosts: "{{ mariadb_container_etc_hosts | default(omit, true) }}"
+    purge_networks: "{{ mariadb_container_purge_networks | default(omit, true) }}"
+    restart_policy: "{{ mariadb_container_restart_policy }}"
+    state: started

roles/mariadb/vars/main.yml

@@ -0,0 +1,10 @@
+---
+
+mariadb_container_database_environment:
+  MARIADB_DATABASE: "{{ mariadb_database }}"
+  MARIADB_USER: "{{ mariadb_username }}"
+  MARIADB_PASSWORD: "{{ mariadb_password }}"
+
+mariadb_container_data_path: /var/lib/mysql
+mariadb_container_volumes: "{{ mariadb_container_base_volumes + mariadb_container_extra_volumes }}"
+mariadb_container_labels: "{{ mariadb_container_base_labels | combine(mariadb_container_extra_labels, recursive=True) }}"

roles/nginx/README.md

@@ -26,8 +26,3 @@ For exposing this server to the host and/or internet, the `nginx_container_ports
 from host to container), `nginx_container_networks` (docker networking) or `nginx_container_labels`
 (for label-based routing discovery like traefik) can be used. The options correspond to the arguments
 of the `community.docker.docker_container` module.
-
-## Deployment methods
-
-Set `nginx_deployment_method` to either `docker` or `podman` to use the respective ansible modules for
-creating and managing the container and its image. See all supported methods in `nginx_deployment_methods`.

roles/nginx/defaults/main.yml

@@ -1,10 +1,9 @@
 ---
-nginx_version: "1.27.4"
+
+nginx_version: "1.25.3"
 nginx_flavour: alpine
 nginx_base_path: /opt/nginx
 nginx_config_file: "{{ nginx_base_path }}/nginx.conf"
-nginx_state: present
-nginx_deployment_method: docker
 
 nginx_container_name: nginx
 nginx_container_image_reference: >-
@@ -27,9 +26,6 @@ nginx_container_image_repository: >-
 nginx_container_image_registry: "docker.io"
 nginx_container_image_name: "nginx"
 nginx_container_image_tag: ~
-nginx_container_image_source: pull
-nginx_container_state: >-2
-  {{ (nginx_state == 'present') | ternary('started', 'absent') }}
 
 nginx_container_restart_policy: "unless-stopped"
 nginx_container_volumes:

roles/nginx/meta/main.yml

@@ -1,12 +0,0 @@
----
-allow_duplicates: true
-dependencies: []
-galaxy_info:
-  role_name: nginx
-  description: Deploy nginx, a webserver
-  galaxy_tags:
-    - nginx
-    - http
-    - webserver
-    - docker
-    - podman

roles/nginx/tasks/deploy-docker.yml

@@ -1,28 +0,0 @@
----
-- name: Ensure docker container image '{{ nginx_container_image_reference }}' is {{ nginx_state }}
-  community.docker.docker_image:
-    name: "{{ nginx_container_image_reference }}"
-    state: "{{ nginx_state }}"
-    source: "{{ nginx_container_image_source }}"
-    force_source: >-2
-      {{ nginx_container_image_force_source
-        | default(nginx_container_image_tag | default(false, true)) }}
-  register: nginx_container_image_info
-  until: nginx_container_image_info is success
-  retries: 5
-  delay: 3
-
-- name: Ensure docker container '{{ nginx_container_name }}' is {{ nginx_container_state }}
-  community.docker.docker_container:
-    name: "{{ nginx_container_name }}"
-    image: "{{ nginx_container_image_reference }}"
-    env: "{{ nginx_container_env | default(omit, true) }}"
-    user: "{{ nginx_container_user | default(omit, true) }}"
-    ports: "{{ nginx_container_ports | default(omit, true) }}"
-    labels: "{{ nginx_container_labels | default(omit, true) }}"
-    volumes: "{{ nginx_container_volumes | default(omit, true) }}"
-    etc_hosts: "{{ nginx_container_etc_hosts | default(omit, true) }}"
-    networks: "{{ nginx_container_networks | default(omit, true) }}"
-    purge_networks: "{{ nginx_container_purge_networks | default(omit, true) }}"
-    restart_policy: "{{ nginx_container_restart_policy }}"
-    state: "{{ nginx_container_state }}"

roles/nginx/tasks/deploy-podman.yml

@@ -1,27 +0,0 @@
----
-- name: Ensure container image '{{ nginx_container_image_reference }}' is {{ nginx_state }}
-  containers.podman.podman_image:
-    name: "{{ nginx_container_image_reference }}"
-    state: "{{ nginx_state }}"
-    pull: "{{ nginx_container_image_source == 'pull' }}"
-    force: >-2
-      {{ nginx_container_image_force_source
-        | default(nginx_container_image_tag | default(false, true)) }}
-  register: nginx_container_image_info
-  until: nginx_container_image_info is success
-  retries: 5
-  delay: 3
-
-- name: Ensure container '{{ nginx_container_name }}' is {{ nginx_container_state }}
-  containers.podman.podman_container:
-    name: "{{ nginx_container_name }}"
-    image: "{{ nginx_container_image_reference }}"
-    env: "{{ nginx_container_env | default(omit, true) }}"
-    user: "{{ nginx_container_user | default(omit, true) }}"
-    ports: "{{ nginx_container_ports | default(omit, true) }}"
-    labels: "{{ nginx_container_labels | default(omit, true) }}"
-    volumes: "{{ nginx_container_volumes | default(omit, true) }}"
-    etc_hosts: "{{ nginx_container_etc_hosts | default(omit, true) }}"
-    network: "{{ nginx_container_networks | default(omit, true) }}"
-    restart_policy: "{{ nginx_container_restart_policy }}"
-    state: "{{ nginx_container_state }}"

roles/nginx/tasks/main.yml

@@ -1,30 +1,10 @@
 ---
-- name: Check if state is supported
-  ansible.builtin.fail:
-    msg: >-2
-      Unsupported state '{{ nginx_state }}'. Supported
-      states are {{ nginx_states | join(', ') }}.
-  when: nginx_state not in nginx_states
 
-- name: Check if deployment_method is supported
-  ansible.builtin.fail:
-    msg: >-2
-      Unsupported state '{{ nginx_deployment_method }}'. Supported
-      states are {{ nginx_deployment_methods | join(', ') }}.
-  when: nginx_deployment_method not in nginx_deployment_methods
-
-- name: Ensure nginx config file is {{ nginx_state }}
-  ansible.builtin.file:
-    path: "{{ nginx_config_file }}"
-    state: "{{ nginx_state }}"
-  when: nginx_state == 'absent'
-
-- name: Ensure base path '{{ nginx_base_path }}' is {{ nginx_state }}
+- name: Ensure base path '{{ nginx_base_path }}' exists
   ansible.builtin.file:
     path: "{{ nginx_base_path }}"
-    mode: "0755"
-    state: >-2
-      {{ (nginx_state == 'present') | ternary('directory', 'absent') }}
+    state: directory
+    mode: 0755
 
 - name: Ensure nginx config file is templated
   ansible.builtin.copy:
@@ -33,8 +13,25 @@
     mode: 0640
   notify:
     - restart-nginx
-  when: nginx_state == 'present'
 
-- name: Deploy using {{ nginx_deployment_method }}
-  ansible.builtin.include_tasks:
-    file: "deploy-{{ nginx_deployment_method }}.yml"
+- name: Ensure docker container image is present
+  community.docker.docker_image:
+    name: "{{ nginx_container_image_reference }}"
+    state: present
+    source: pull
+    force_source: "{{ nginx_container_image_tag is defined and nginx_container_image_tag | string != '' }}"
+
+- name: Ensure docker container '{{ nginx_container_name }}' is running
+  community.docker.docker_container:
+    name: "{{ nginx_container_name }}"
+    image: "{{ nginx_container_image_reference }}"
+    env: "{{ nginx_container_env | default(omit, true) }}"
+    user: "{{ nginx_container_user | default(omit, true) }}"
+    ports: "{{ nginx_container_ports | default(omit, true) }}"
+    labels: "{{ nginx_container_labels | default(omit, true) }}"
+    volumes: "{{ nginx_container_volumes | default(omit, true) }}"
+    etc_hosts: "{{ nginx_container_etc_hosts | default(omit, true) }}"
+    networks: "{{ nginx_container_networks | default(omit, true) }}"
+    purge_networks: "{{ nginx_container_purge_networks | default(omit, true) }}"
+    restart_policy: "{{ nginx_container_restart_policy }}"
+    state: started

roles/nginx/vars/main.yml

@@ -1,7 +0,0 @@
----
-nginx_states:
-  - present
-  - absent
-nginx_deployment_methods:
-  - docker
-  - podman

roles/powerdns_tsig_key/README.md

@@ -1,25 +0,0 @@
-# `finallycoffee.base.powerdns_tsig_key`
-
-Simple ansible role for ensuring a TSIG key is present in a given PowerDNS-
-instance.
-
-## Usage
-
-The usage example below assumes `powerdns` is running in a container named `powerdns` (as supplied to `powerdns_tsig_key_container_name`.
-
-```yaml
-- hosts: "{{ target_hosts }}"
-  become: true
-  roles:
-    - role: finallycoffee.base.powerdns_tsig_key
-      vars:
-        powerdns_tsig_key_name: "nameofmykey"
-        powerdns_tsig_key_path: "/var/lib/myapp/tsig.key"
-        powernds_tsig_key_algo: "hmac-sha512"
-        powerdns_tsig_key_path_owner: "myappuser"
-        powerdns_tsig_key_path_group: "myappgroup"
-        powerdns_tsig_key_container_name: 'powerdns'
-```
-
-> [!NOTE]
-> Support for non-docker deployments is pending.

roles/restic/defaults/main.yml

@@ -10,41 +10,18 @@ restic_backup_stdin_command: ~
 restic_backup_stdin_command_filename: ~
 
 restic_policy_keep_all_within: 1d
-restic_policy_keep_hourly: 12
-restic_policy_keep_daily: 7
-restic_policy_keep_weekly: 6
-restic_policy_keep_monthly: 6
-restic_policy_keep_yearly: 5
+restic_policy_keep_hourly: 6
+restic_policy_keep_daily: 2
+restic_policy_keep_weekly: 7
+restic_policy_keep_monthly: 4
 restic_policy_backup_frequency: hourly
 
-restic_base_environment:
-  RESTIC_JOBNAME: "{{ restic_job_name | default('unknown') }}"
-  RESTIC_FORGET_KEEP_WITHIN: "{{ restic_policy_keep_all_within }}"
-  RESTIC_FORGET_KEEP_HOURLY: "{{ restic_policy_keep_hourly }}"
-  RESTIC_FORGET_KEEP_DAILY: "{{ restic_policy_keep_daily }}"
-  RESTIC_FORGET_KEEP_WEEKLY: "{{ restic_policy_keep_weekly }}"
-  RESTIC_FORGET_KEEP_MONTHLY: "{{ restic_policy_keep_monthly }}"
-  RESTIC_FORGET_KEEP_YEARLY: "{{ restic_policy_keep_yearly }}"
-
-restic_s3_environment:
-  AWS_ACCESS_KEY_ID: "{{ restic_s3_key_id }}"
-  AWS_SECRET_ACCESS_KEY: "{{ restic_s3_access_key }}"
-
-restic_complete_environment: >-
-  {{
-    restic_base_environment
-    | combine((restic_s3_environment
-      if (restic_s3_key_id and restic_s3_access_key) else {}) | default({}))
-    | combine(restic_environment | default({}))
-  }}
-
 restic_policy:
   keep_within: "{{ restic_policy_keep_all_within }}"
   hourly: "{{ restic_policy_keep_hourly }}"
   daily: "{{ restic_policy_keep_daily }}"
   weekly: "{{ restic_policy_keep_weekly }}"
   monthly: "{{ restic_policy_keep_monthly }}"
-  yearly: "{{ restic_policy_keep_yearly }}"
   frequency: "{{ restic_policy_backup_frequency }}"
 
 restic_user: root

roles/restic/files/restic-backup-directories.sh

@@ -1,37 +0,0 @@
-#!/usr/bin/env bash
-
-set -euo pipefail
-
-if [[ -n ${RESTIC_PRE_BACKUP_HOOK-} ]]; then
-    /bin/bash -c "$RESTIC_PRE_BACKUP_HOOK"
-fi
-
-echo "List existing snapshots or initialize repository"
-restic snapshots || restic init
-sleep 2;
-
-echo "Attempting to remove lock if present"
-restic unlock
-sleep 2
-
-echo "Start backup on ${@:1}"
-restic --verbose --retry-lock=${RESTIC_RETRY_LOCK:-5m} backup "${@:1}"
-sleep 2
-
-echo "Forget and prune old snapshots"
-restic forget --prune --retry-lock=${RESTIC_RETRY_LOCK:-5m} \
-    --keep-within=${RESTIC_FORGET_KEEP_WITHIN:-1d} \
-    --keep-hourly=${RESTIC_FORGET_KEEP_HOURLY:-6} \
-    --keep-daily=${RESTIC_FORGET_KEEP_DAILY:-2} \
-    --keep-weekly=${RESTIC_FORGET_KEEP_WEEKLY:-7} \
-    --keep-monthly=${RESTIC_FORGET_KEEP_MONTHLY:-4} \
-    --verbose
-sleep 2
-
-echo "Generate snapshot metrics"
-restic --json snapshots | /opt/restic-generate-snapshot-metrics.sh \
-    > /var/lib/node_exporter/restic-snapshots-${RESTIC_JOBNAME:-unknown}.prom-src
-sleep 2
-
-echo "Check repository"
-restic check

roles/restic/files/restic-generate-snapshot-metrics.sh

@@ -1,12 +0,0 @@
-#!/usr/bin/env bash
-
-RESTIC_JSON=$(</dev/stdin)
-
-echo $RESTIC_JSON | jq -r '.[]
-    | {
-        "hostname": .hostname,
-        "username": .username,
-	"short_id": .short_id,
-        "time": ((((.time | split(".")[0]) + "Z") | fromdate) - (3600 * (.time | split("+")[1] | split(":")[0] | tonumber + 1))),
-        "paths": .paths[]
-    } | "restic_snapshots{hostname=\"\(.hostname)\",username=\"\(.username)\",short_id=\"\(.short_id)\",paths=\"\(.paths)\"} \(.time)"'

roles/restic/templates/restic.service.j2

@@ -9,43 +9,26 @@ SyslogIdentifier={{ restic_systemd_syslog_identifier }}
 
 Environment=RESTIC_REPOSITORY={{ restic_repo_url }}
 Environment=RESTIC_PASSWORD={{ restic_repo_password }}
-{% for kv in restic_complete_environment | dict2items %}
-Environment={{ kv.key }}={{ kv.value }}
-{% endfor %}
-
-{% if restic_init | default(true) %}
-ExecStartPre=-/bin/sh -c '/usr/bin/restic snapshots || /usr/bin/restic init'
+{% if restic_s3_key_id and restic_s3_access_key %}
+Environment=AWS_ACCESS_KEY_ID={{ restic_s3_key_id }}
+Environment=AWS_SECRET_ACCESS_KEY={{ restic_s3_access_key }}
 {% endif %}
 {% if restic_unlock_before_backup | default(false) %}
-ExecStartPre=-/bin/sh -c 'sleep 3 && /usr/bin/restic unlock'
+ExecStartPre=-/bin/sh -c '/usr/bin/restic unlock'
 {% endif %}
+
+ExecStartPre=-/bin/sh -c '/usr/bin/restic snapshots || /usr/bin/restic init'
 {% if restic_backup_pre_hook | default(false) %}
-ExecStartPre=-{{ restic_backup_pre_hook }}
+ExecStart=-{{ restic_backup_pre_hook }}
 {% endif %}
 {% if restic_backup_stdin_command %}
-ExecStart=/bin/sh -c '{{ restic_backup_stdin_command }} | /usr/bin/restic backup \
-	--retry-lock {{ restic_retry_lock | default('5m') }} \
-	--verbose --stdin \
-	--stdin-filename {{ restic_backup_stdin_command_filename }}'
+ExecStart=/bin/sh -c '{{ restic_backup_stdin_command }} | /usr/bin/restic backup --verbose --stdin --stdin-filename {{ restic_backup_stdin_command_filename }}'
 {% else %}
-ExecStart=/opt/restic-backup-directories.sh {{ restic_backup_paths | join(' ') }}
-{% endif %}
-{% if restic_forget_prune | default(true) %}
-ExecStartPost=/usr/bin/restic forget --prune \
-	--retry-lock {{ restic_retry_lock | default('5m') }} \
-	--keep-within={{ restic_policy.keep_within }} \
-	--keep-hourly={{ restic_policy.hourly }} \
-	--keep-daily={{ restic_policy.daily }} \
-	--keep-weekly={{ restic_policy.weekly }} \
-	--keep-monthly={{ restic_policy.monthly }} \
-	--keep-yearly={{ restic_policy.yearly }}
-{% endif %}
-{% if restic_list_snapshots | default(true) %}
-ExecStartPost=-/usr/bin/restic snapshots --retry-lock {{ restic_retry_lock | default('5m') }}
+ExecStart=/usr/bin/restic --verbose backup {{ restic_backup_paths | join(' ') }}
 {% endif %}
+ExecStartPost=/usr/bin/restic forget --prune --keep-within={{ restic_policy.keep_within }} --keep-hourly={{ restic_policy.hourly }} --keep-daily={{ restic_policy.daily }} --keep-weekly={{ restic_policy.weekly }} --keep-monthly={{ restic_policy.monthly }}
+ExecStartPost=-/usr/bin/restic snapshots
 {% if restic_backup_post_hook | default(false) %}
 ExecStartPost=-{{ restic_backup_post_hook }}
 {% endif %}
-{% if restic_check | default(true) %}
-ExecStartPost=/usr/bin/restic check --retry-lock {{ restic_retry_lock | default('5m') }}
-{% endif %}
+ExecStartPost=/usr/bin/restic check