chore(lego): bash improvements in lego_run.sh

roles/lego/files/lego_run.sh

@@ -1,8 +1,14 @@
 #!/usr/bin/env bash
 
+set -euo pipefail
+
 LEGO_BINARY=$(/usr/bin/env which lego)
 
 if [[ -n "$LEGO_HTTP_FALLBACK_PORT" ]]; then
+  if ! nc_binary="$(type -p \"nc\")" || [[ -z $nc_binary ]]; then
+    echo "nc not found (in PATH), exiting"
+    exit 1
+  fi
   nc -z 127.0.0.1 $LEGO_HTTP_PORT;
   if [[ $? -eq 0 ]]; then
       LEGO_HTTP_PORT=$LEGO_HTTP_FALLBACK_PORT
@@ -11,12 +17,12 @@ fi
 
 LEGO_COMMAND_ARGS_EXPANDED=$(bash -c "echo $LEGO_COMMAND_ARGS") # This is a bit icky
 
-FILES_IN_DIR=$(find "$LEGO_CERT_STORE_PATH/certificates" | wc -l)
+FILES_IN_DIR=$(find "$LEGO_CERT_STORE_PATH/certificates" -type f | wc -l)
 if [[ $FILES_IN_DIR -gt 2 ]]; then
         $LEGO_BINARY $LEGO_COMMAND_ARGS_EXPANDED renew --days=$LEGO_CERT_DAYS_TO_RENEW
 else
         $LEGO_BINARY $LEGO_COMMAND_ARGS_EXPANDED run
 fi
 
-ls "$LEGO_CERT_STORE_PATH/certificates" | xargs -I{} -n 1 chmod "$LEGO_CERT_MODE" "$LEGO_CERT_STORE_PATH/certificates/{}"
-ls "$LEGO_CERT_STORE_PATH/certificates" | xargs -I{} -n 1 chown "$LEGO_CERT_USER":"$LEGO_CERT_GROUP" "$LEGO_CERT_STORE_PATH/certificates/{}"
+find "$LEGO_CERT_STORE_PATH/certificates/" -type f | xargs -I{} -n 1 chmod "$LEGO_CERT_MODE" "{}"
+find "$LEGO_CERT_STORE_PATH/certificates/" -type f | xargs -I{} -n 1 chown "${LEGO_CERT_USER}:${LEGO_CERT_GROUP}" "{}"

roles/restic/defaults/main.yml

@@ -10,41 +10,18 @@ restic_backup_stdin_command: ~
 restic_backup_stdin_command_filename: ~
 
 restic_policy_keep_all_within: 1d
-restic_policy_keep_hourly: 12
-restic_policy_keep_daily: 7
-restic_policy_keep_weekly: 6
-restic_policy_keep_monthly: 6
-restic_policy_keep_yearly: 5
+restic_policy_keep_hourly: 6
+restic_policy_keep_daily: 2
+restic_policy_keep_weekly: 7
+restic_policy_keep_monthly: 4
 restic_policy_backup_frequency: hourly
 
-restic_base_environment:
-  RESTIC_JOBNAME: "{{ restic_job_name | default('unknown') }}"
-  RESTIC_FORGET_KEEP_WITHIN: "{{ restic_policy_keep_all_within }}"
-  RESTIC_FORGET_KEEP_HOURLY: "{{ restic_policy_keep_hourly }}"
-  RESTIC_FORGET_KEEP_DAILY: "{{ restic_policy_keep_daily }}"
-  RESTIC_FORGET_KEEP_WEEKLY: "{{ restic_policy_keep_weekly }}"
-  RESTIC_FORGET_KEEP_MONTHLY: "{{ restic_policy_keep_monthly }}"
-  RESTIC_FORGET_KEEP_YEARLY: "{{ restic_policy_keep_yearly }}"
-
-restic_s3_environment:
-  AWS_ACCESS_KEY_ID: "{{ restic_s3_key_id }}"
-  AWS_SECRET_ACCESS_KEY: "{{ restic_s3_access_key }}"
-
-restic_complete_environment: >-
-  {{
-    restic_base_environment
-    | combine((restic_s3_environment
-      if (restic_s3_key_id and restic_s3_access_key) else {}) | default({}))
-    | combine(restic_environment | default({}))
-  }}
-
 restic_policy:
   keep_within: "{{ restic_policy_keep_all_within }}"
   hourly: "{{ restic_policy_keep_hourly }}"
   daily: "{{ restic_policy_keep_daily }}"
   weekly: "{{ restic_policy_keep_weekly }}"
   monthly: "{{ restic_policy_keep_monthly }}"
-  yearly: "{{ restic_policy_keep_yearly }}"
   frequency: "{{ restic_policy_backup_frequency }}"
 
 restic_user: root

roles/restic/templates/restic.service.j2

@@ -9,43 +9,26 @@ SyslogIdentifier={{ restic_systemd_syslog_identifier }}
 
 Environment=RESTIC_REPOSITORY={{ restic_repo_url }}
 Environment=RESTIC_PASSWORD={{ restic_repo_password }}
-{% for kv in restic_complete_environment | dict2items %}
-Environment={{ kv.key }}={{ kv.value }}
-{% endfor %}
-
-{% if restic_init | default(true) %}
-ExecStartPre=-/bin/sh -c '/usr/bin/restic snapshots || /usr/bin/restic init'
+{% if restic_s3_key_id and restic_s3_access_key %}
+Environment=AWS_ACCESS_KEY_ID={{ restic_s3_key_id }}
+Environment=AWS_SECRET_ACCESS_KEY={{ restic_s3_access_key }}
 {% endif %}
 {% if restic_unlock_before_backup | default(false) %}
-ExecStartPre=-/bin/sh -c 'sleep 3 && /usr/bin/restic unlock'
+ExecStartPre=-/bin/sh -c '/usr/bin/restic unlock'
 {% endif %}
+
+ExecStartPre=-/bin/sh -c '/usr/bin/restic snapshots || /usr/bin/restic init'
 {% if restic_backup_pre_hook | default(false) %}
-ExecStartPre=-{{ restic_backup_pre_hook }}
+ExecStart=-{{ restic_backup_pre_hook }}
 {% endif %}
 {% if restic_backup_stdin_command %}
-ExecStart=/bin/sh -c '{{ restic_backup_stdin_command }} | /usr/bin/restic backup \
-	--retry-lock {{ restic_retry_lock | default('5m') }} \
-	--verbose --stdin \
-	--stdin-filename {{ restic_backup_stdin_command_filename }}'
+ExecStart=/bin/sh -c '{{ restic_backup_stdin_command }} | /usr/bin/restic backup --verbose --stdin --stdin-filename {{ restic_backup_stdin_command_filename }}'
 {% else %}
-ExecStart=/opt/restic-backup-directories.sh {{ restic_backup_paths | join(' ') }}
-{% endif %}
-{% if restic_forget_prune | default(true) %}
-ExecStartPost=/usr/bin/restic forget --prune \
-	--retry-lock {{ restic_retry_lock | default('5m') }} \
-	--keep-within={{ restic_policy.keep_within }} \
-	--keep-hourly={{ restic_policy.hourly }} \
-	--keep-daily={{ restic_policy.daily }} \
-	--keep-weekly={{ restic_policy.weekly }} \
-	--keep-monthly={{ restic_policy.monthly }} \
-	--keep-yearly={{ restic_policy.yearly }}
-{% endif %}
-{% if restic_list_snapshots | default(true) %}
-ExecStartPost=-/usr/bin/restic snapshots --retry-lock {{ restic_retry_lock | default('5m') }}
+ExecStart=/usr/bin/restic --verbose backup {{ restic_backup_paths | join(' ') }}
 {% endif %}
+ExecStartPost=/usr/bin/restic forget --prune --keep-within={{ restic_policy.keep_within }} --keep-hourly={{ restic_policy.hourly }} --keep-daily={{ restic_policy.daily }} --keep-weekly={{ restic_policy.weekly }} --keep-monthly={{ restic_policy.monthly }}
+ExecStartPost=-/usr/bin/restic snapshots
 {% if restic_backup_post_hook | default(false) %}
 ExecStartPost=-{{ restic_backup_post_hook }}
 {% endif %}
-{% if restic_check | default(true) %}
-ExecStartPost=/usr/bin/restic check --retry-lock {{ restic_retry_lock | default('5m') }}
-{% endif %}
+ExecStartPost=/usr/bin/restic check