chore(lego): bash improvements in lego_run.sh

2024-09-12 08:22:30 +02:00
23 changed files with 231 additions and 247 deletions
--- a/README.md
+++ b/README.md
@ -5,12 +5,15 @@
 This ansible collection provides various roles for installing
 and configuring basic system utilities like gnupg, ssh etc
 - [`elasticsearch`](roles/elasticsearch/README.md): Deploy [elasticsearch](https://www.docker.elastic.co/r/elasticsearch/elasticsearch-oss),
  a popular (distributed) search and analytics engine, mostly known by it's
  letter "E" in the ELK-stack.
 - [`git`](roles/git/README.md): configures git on the target system
 - [`gnupg`](roles/gnupg/README.md): configures gnupg on the target system
- [`lego`](roles/lego/README.md): runs [lego (LetsEncrypt Go)](https://github.com/go-acme/lego),
+- [`mariadb`](roles/mariadb/README.md): runs [MariaDB Server](https://mariadb.org/), one of the world's most popular open source relational database
  a ACME client written in go, using systemd (timers). Multi-instance capable.
 - [`minio`](roles/minio/README.md): Deploy [min.io](https://min.io), an
  s3-compatible object storage server, using docker containers.
@ -21,9 +24,6 @@ and configuring basic system utilities like gnupg, ssh etc
 - [`restic`](roles/restic/README.md): Manage backups using restic
  and persist them to a configurable backend.
 - [`powerdns_tsig_key`](roles/powerdns_tsig_key/README.md): Simple ansible role
  for generating TSIG keys in PowerDNS.
 ## License
 [CNPLv7+](LICENSE.md): Cooperative Nonviolent Public License
--- a/galaxy.yml
+++ b/galaxy.yml
@ -1,20 +1,12 @@
 namespace: finallycoffee
 name: base
-version: 0.2.0
+version: 0.0.2
 readme: README.md
 authors:
 - transcaffeine <transcaffeine@finally.coffee>
 description: Roles for base services which are common dependencies other services like databases
 dependencies:
  "community.docker": "^3.0.0"
 license_file: LICENSE.md
 build_ignore:
 - '*.tar.gz'
 repository: https://git.finally.coffee/finallycoffee/base
-issues: https://codeberg.org/finallycoffee/ansible-collection-base/issues
+issues: https://git.finally.coffee/finallycoffee/base/issues
 tags:
  - docker
  - lego
  - minio
  - nginx
  - restic
--- a/meta/runtime.yml
+++ b/meta/runtime.yml
@ -1,3 +1,3 @@
 ---
-requires_ansible: ">=2.15"
+requires_ansible: ">=2.12"
--- a/roles/dns/README.md
+++ b/roles/dns/README.md
@ -1,33 +0,0 @@
 # `finallycoffee.base.dns` ansible role
 Simple role for wrapping around the
 [`famedly.dns.update`](https://github.com/famedly/ansible-collection-dns/blob/main/plugins/modules/update.py)
 ansible module.
 ## Usage
 ### Example playbook
 ```yaml
 - target: "{{ target_hosts }}"
  roles:
    - role: finallycoffee.base.dns
      vars:
        dns_server: "dns.example.org"
        dns_zone: "zone.example.org"
        dns_records: "{{ dns_records }}"
        dns_record_state: exact
        dns_tsig_name: "mykeyname"
        dns_tsig_algo: "hmac-sha256"
        dns_tsig_key: "mykeycontent"
  vars:
    dns_records:
      - type: A
        name: gitea
        content: "127.0.0.1"
      - type: AAAA
        name: gitea
        content: "fe80::1"
      - type: CNAME
        name: "_acme_challenge.gitea"
        content: "delegated-cname.challenge.example.org"
 ```
--- a/roles/elasticsearch/README.md
+++ b/roles/elasticsearch/README.md
@ -0,0 +1,22 @@
 # `finallycoffee.base.elastiscsearch`
 A simple ansible role which deploys a single-node elastic container to provide
 an easy way to do some indexing.
 ## Usage
 Per default, `/opt/elasticsearch/data` is used to persist data, it is
 customizable by using either `elasticsearch_base_path` or `elasticsearch_data_path`.
 As elasticsearch be can be quite memory heavy, the maximum amount of allowed RAM
 can be configured using `elasticsearch_allocated_ram_mb`, defaulting to 512 (mb).
 The cluster name and discovery type can be overridden using
 `elasticsearch_config_cluster_name` (default: elastic) and
 `elasticsearch_config_discovery_type` (default: single-node), should one
 need a multi-node elasticsearch deployment.
 Per default, no ports or networks are mapped, and explizit mapping using
 either ports (`elasticsearch_container_ports`) or networks
 (`elasticsearch_container_networks`) is required in order for other services
 to use elastic.
--- a/roles/elasticsearch/defaults/main.yml
+++ b/roles/elasticsearch/defaults/main.yml
@ -0,0 +1,35 @@
 ---
 elasticsearch_version: 7.17.7
 elasticsearch_base_path: /opt/elasticsearch
 elasticsearch_data_path: "{{ elasticsearch_base_path }}/data"
 elasticsearch_config_cluster_name: elastic
 elasticsearch_config_discovery_type: single-node
 elasticsearch_config_boostrap_memory_lock: true
 elasticsearch_allocated_ram_mb: 512
 elasticsearch_container_image_name: docker.elastic.co/elasticsearch/elasticsearch-oss
 elasticsearch_container_image_tag: ~
 elasticsearch_container_image: >-
  {{ elasticsearch_container_image_name }}:{{ elasticsearch_container_image_tag | default(elasticsearch_version, true) }}
 elasticsearch_container_name: elasticsearch
 elasticsearch_container_env:
  "ES_JAVA_OPTS": "-Xms{{ elasticsearch_allocated_ram_mb }}m -Xmx{{ elasticsearch_allocated_ram_mb }}m"
  "cluster.name": "{{ elasticsearch_config_cluster_name }}"
  "discovery.type": "{{ elasticsearch_config_discovery_type }}"
  "bootstrap.memory_lock": "{{ 'true' if elasticsearch_config_boostrap_memory_lock else 'false' }}"
 elasticsearch_container_user: ~
 elasticsearch_container_ports: ~
 elasticsearch_container_labels:
  version: "{{ elasticsearch_version }}"
 elasticsearch_container_ulimits:
 #  - "memlock:{{ (1.5 * 1024 * elasticsearch_allocated_ram_mb) | int }}:{{ (1.5 * 1024 * elasticsearch_allocated_ram_mb) | int }}"
  - "memlock:-1:-1"
 elasticsearch_container_volumes:
  - "{{ elasticsearch_data_path }}:/usr/share/elasticsearch/data:z"
 elasticsearch_container_networks: ~
 elasticsearch_container_purge_networks: ~
 elasticsearch_container_restart_policy: unless-stopped
--- a/roles/elasticsearch/tasks/main.yml
+++ b/roles/elasticsearch/tasks/main.yml
@ -0,0 +1,32 @@
 ---
 - name: Ensure host directories are present
  file:
    path: "{{ item }}"
    state: directory
    mode: "0777"
  loop:
    - "{{ elasticsearch_base_path }}"
    - "{{ elasticsearch_data_path }}"
 - name: Ensure elastic container image is present
  docker_image:
    name: "{{ elasticsearch_container_image }}"
    state: present
    source: pull
    force_source: "{{ elasticsearch_container_image_tag|default(false, true)|bool }}"
 - name: Ensure elastic container is running
  docker_container:
    name: "{{ elasticsearch_container_name }}"
    image: "{{ elasticsearch_container_image }}"
    env: "{{ elasticsearch_container_env | default(omit, True) }}"
    user: "{{ elasticsearch_container_user | default(omit, True) }}"
    ports: "{{ elasticsearch_container_ports | default(omit, True) }}"
    labels: "{{ elasticsearch_container_labels | default(omit, True) }}"
    volumes: "{{ elasticsearch_container_volumes }}"
    ulimits: "{{ elasticsearch_container_ulimits }}"
    networks: "{{ elasticsearch_container_networks | default(omit, True) }}"
    purge_networks: "{{ elasticsearch_container_purge_networks | default(omit, True) }}"
    restart_policy: "{{ elasticsearch_container_restart_policy }}"
    state: started
--- a/roles/lego/defaults/main.yml
+++ b/roles/lego/defaults/main.yml
@ -1,6 +1,6 @@
 ---
 lego_user: "lego"
-lego_version: "4.21.0"
+lego_version: "4.17.4"
 lego_instance: default
 lego_base_path: "/opt/lego"
 lego_cert_user: "acme-{{ lego_instance }}"
@ -58,7 +58,7 @@ lego_systemd_timer_name: "lego-{{ lego_instance }}.timer"
 lego_systemd_timer_template: lego.timer.j2
 lego_systemd_timer_calendar: "*-*-* *:00/15:00"
-lego_architecture: "{{ 'arm64' if ansible_architecture == 'aarch64' else 'amd64' }}"
+lego_architecture: "amd64"
 lego_os: "linux"
 lego_binary_allow_net_bind_service: false
--- a/roles/lego/files/lego_run.sh
+++ b/roles/lego/files/lego_run.sh
@ -1,8 +1,14 @@
 #!/usr/bin/env bash
 set -euo pipefail
 LEGO_BINARY=$(/usr/bin/env which lego)
 if [[ -n "$LEGO_HTTP_FALLBACK_PORT" ]]; then
  if ! nc_binary="$(type -p \"nc\")" || [[ -z $nc_binary ]]; then
    echo "nc not found (in PATH), exiting"
    exit 1
  fi
  nc -z 127.0.0.1 $LEGO_HTTP_PORT;
  if [[ $? -eq 0 ]]; then
      LEGO_HTTP_PORT=$LEGO_HTTP_FALLBACK_PORT
@ -11,12 +17,12 @@ fi
 LEGO_COMMAND_ARGS_EXPANDED=$(bash -c "echo $LEGO_COMMAND_ARGS") # This is a bit icky
-FILES_IN_DIR=$(find "$LEGO_CERT_STORE_PATH/certificates" | wc -l)
+FILES_IN_DIR=$(find "$LEGO_CERT_STORE_PATH/certificates" -type f | wc -l)
 if [[ $FILES_IN_DIR -gt 2 ]]; then
        $LEGO_BINARY $LEGO_COMMAND_ARGS_EXPANDED renew --days=$LEGO_CERT_DAYS_TO_RENEW
 else
        $LEGO_BINARY $LEGO_COMMAND_ARGS_EXPANDED run
 fi
-ls "$LEGO_CERT_STORE_PATH/certificates" | xargs -I{} -n 1 chmod "$LEGO_CERT_MODE" "$LEGO_CERT_STORE_PATH/certificates/{}"
+find "$LEGO_CERT_STORE_PATH/certificates/" -type f | xargs -I{} -n 1 chmod "$LEGO_CERT_MODE" "{}"
-ls "$LEGO_CERT_STORE_PATH/certificates" | xargs -I{} -n 1 chown "$LEGO_CERT_USER":"$LEGO_CERT_GROUP" "$LEGO_CERT_STORE_PATH/certificates/{}"
+find "$LEGO_CERT_STORE_PATH/certificates/" -type f | xargs -I{} -n 1 chown "${LEGO_CERT_USER}:${LEGO_CERT_GROUP}" "{}"
--- a/roles/mariadb/README.md
+++ b/roles/mariadb/README.md
@ -0,0 +1,19 @@
 # `finallycoffee.base.mariadb` ansible role
 This role deploys a MariaDB instance in a docker container.
 ## Usage
 The role expects the following variables to be populated with values and/or secrets:
 ```yaml
 mariadb_root_password: #mariadb root password
 mariadb_database: # name of the database to create
 mariadb_username: # name of a user to auto-create and assign permission on the mariadb_database
 mariadb_password: # password of the user in mariadb_username
 ```
 ## Requirements
 - Docker installed
 - python-docker present on target system for ansible to be able to talk with the docker API.
--- a/roles/mariadb/defaults/main.yml
+++ b/roles/mariadb/defaults/main.yml
@ -0,0 +1,32 @@
 ---
 mariadb_version: "10.11.6"
 mariadb_base_path: /var/lib/mariadb
 mariadb_data_path: "{{ mariadb_base_path }}/{{ mariadb_version }}"
 mariadb_root_password: ~
 mariadb_database: ~
 mariadb_username: ~
 mariadb_password: ~
 mariadb_container_base_environment:
  MARIADB_ROOT_PASSWORD: "{{ mariadb_root_password }}"
 mariadb_container_extra_environment: {}
 mariadb_container_name: mariadb
 mariadb_container_image_name: docker.io/mariadb
 mariadb_container_image_tag: ~
 mariadb_container_image: "{{ mariadb_container_image_name }}:{{ mariadb_container_image_tag | default(mariadb_version, true) }}"
 mariadb_container_base_volumes:
  - "{{ mariadb_data_path }}:{{ mariadb_container_data_path }}:z"
 mariadb_container_extra_volumes: []
 mariadb_container_base_labels:
  version: "{{ mariadb_version }}"
 mariadb_container_extra_labels: {}
 mariadb_container_restart_policy: "unless-stopped"
 mariadb_container_environment: >-2
  {{ mariadb_container_base_environment
  | combine(mariadb_container_database_environment
      if (mariadb_database and mariadb_username and mariadb_password)
      else {}, recursive=True)
  | combine(mariadb_container_extra_environment) }}
--- a/roles/mariadb/tasks/main.yml
+++ b/roles/mariadb/tasks/main.yml
@ -0,0 +1,20 @@
 ---
 - name: Ensure mariaDB container image is present on host
  community.docker.docker_image:
    name: "{{ mariadb_container_image }}"
    state: present
    source: pull
 - name: Ensure mariaDB {{ mariadb_version }} is running as '{{ mariadb_container_name }}'
  community.docker.docker_container:
    name: "{{ mariadb_container_name }}"
    image: "{{ mariadb_container_image }}"
    env: "{{ mariadb_container_environment }}"
    ports: "{{ mariadb_container_ports }}"
    labels: "{{ mariadb_container_labels }}"
    volumes: "{{ mariadb_container_volumes }}"
    networks: "{{ mariadb_container_networks | default(omit, true) }}"
    etc_hosts: "{{ mariadb_container_etc_hosts | default(omit, true) }}"
    purge_networks: "{{ mariadb_container_purge_networks | default(omit, true) }}"
    restart_policy: "{{ mariadb_container_restart_policy }}"
    state: started
--- a/roles/mariadb/vars/main.yml
+++ b/roles/mariadb/vars/main.yml
@ -0,0 +1,10 @@
 ---
 mariadb_container_database_environment:
  MARIADB_DATABASE: "{{ mariadb_database }}"
  MARIADB_USER: "{{ mariadb_username }}"
  MARIADB_PASSWORD: "{{ mariadb_password }}"
 mariadb_container_data_path: /var/lib/mysql
 mariadb_container_volumes: "{{ mariadb_container_base_volumes + mariadb_container_extra_volumes }}"
 mariadb_container_labels: "{{ mariadb_container_base_labels | combine(mariadb_container_extra_labels, recursive=True) }}"
--- a/roles/nginx/README.md
+++ b/roles/nginx/README.md
@ -26,8 +26,3 @@ For exposing this server to the host and/or internet, the `nginx_container_ports
 from host to container), `nginx_container_networks` (docker networking) or `nginx_container_labels`
 (for label-based routing discovery like traefik) can be used. The options correspond to the arguments
 of the `community.docker.docker_container` module.
 ## Deployment methods
 Set `nginx_deployment_method` to either `docker` or `podman` to use the respective ansible modules for
 creating and managing the container and its image. See all supported methods in `nginx_deployment_methods`.
--- a/roles/nginx/defaults/main.yml
+++ b/roles/nginx/defaults/main.yml
@ -1,10 +1,9 @@
 ---
-nginx_version: "1.27.2"
+
 nginx_version: "1.25.3"
 nginx_flavour: alpine
 nginx_base_path: /opt/nginx
 nginx_config_file: "{{ nginx_base_path }}/nginx.conf"
 nginx_state: present
 nginx_deployment_method: docker
 nginx_container_name: nginx
 nginx_container_image_reference: >-
@ -27,9 +26,6 @@ nginx_container_image_repository: >-
 nginx_container_image_registry: "docker.io"
 nginx_container_image_name: "nginx"
 nginx_container_image_tag: ~
 nginx_container_image_source: pull
 nginx_container_state: >-2
  {{ (nginx_state == 'present') | ternary('started', 'absent') }}
 nginx_container_restart_policy: "unless-stopped"
 nginx_container_volumes:
--- a/roles/nginx/meta/main.yml
+++ b/roles/nginx/meta/main.yml
@ -1,12 +0,0 @@
 ---
 allow_duplicates: true
 dependencies: []
 galaxy_info:
  role_name: nginx
  description: Deploy nginx, a webserver
  galaxy_tags:
    - nginx
    - http
    - webserver
    - docker
    - podman
--- a/roles/nginx/tasks/deploy-docker.yml
+++ b/roles/nginx/tasks/deploy-docker.yml
@ -1,28 +0,0 @@
 ---
 - name: Ensure docker container image '{{ nginx_container_image_reference }}' is {{ nginx_state }}
  community.docker.docker_image:
    name: "{{ nginx_container_image_reference }}"
    state: "{{ nginx_state }}"
    source: "{{ nginx_container_image_source }}"
    force_source: >-2
      {{ nginx_container_image_force_source
        | default(nginx_container_image_tag | default(false, true)) }}
  register: nginx_container_image_info
  until: nginx_container_image_info is success
  retries: 5
  delay: 3
 - name: Ensure docker container '{{ nginx_container_name }}' is {{ nginx_container_state }}
  community.docker.docker_container:
    name: "{{ nginx_container_name }}"
    image: "{{ nginx_container_image_reference }}"
    env: "{{ nginx_container_env | default(omit, true) }}"
    user: "{{ nginx_container_user | default(omit, true) }}"
    ports: "{{ nginx_container_ports | default(omit, true) }}"
    labels: "{{ nginx_container_labels | default(omit, true) }}"
    volumes: "{{ nginx_container_volumes | default(omit, true) }}"
    etc_hosts: "{{ nginx_container_etc_hosts | default(omit, true) }}"
    networks: "{{ nginx_container_networks | default(omit, true) }}"
    purge_networks: "{{ nginx_container_purge_networks | default(omit, true) }}"
    restart_policy: "{{ nginx_container_restart_policy }}"
    state: "{{ nginx_container_state }}"
--- a/roles/nginx/tasks/deploy-podman.yml
+++ b/roles/nginx/tasks/deploy-podman.yml
@ -1,27 +0,0 @@
 ---
 - name: Ensure container image '{{ nginx_container_image_reference }}' is {{ nginx_state }}
  containers.podman.podman_image:
    name: "{{ nginx_container_image_reference }}"
    state: "{{ nginx_state }}"
    pull: "{{ nginx_container_image_source == 'pull' }}"
    force: >-2
      {{ nginx_container_image_force_source
        | default(nginx_container_image_tag | default(false, true)) }}
  register: nginx_container_image_info
  until: nginx_container_image_info is success
  retries: 5
  delay: 3
 - name: Ensure container '{{ nginx_container_name }}' is {{ nginx_container_state }}
  containers.podman.podman_container:
    name: "{{ nginx_container_name }}"
    image: "{{ nginx_container_image_reference }}"
    env: "{{ nginx_container_env | default(omit, true) }}"
    user: "{{ nginx_container_user | default(omit, true) }}"
    ports: "{{ nginx_container_ports | default(omit, true) }}"
    labels: "{{ nginx_container_labels | default(omit, true) }}"
    volumes: "{{ nginx_container_volumes | default(omit, true) }}"
    etc_hosts: "{{ nginx_container_etc_hosts | default(omit, true) }}"
    network: "{{ nginx_container_networks | default(omit, true) }}"
    restart_policy: "{{ nginx_container_restart_policy }}"
    state: "{{ nginx_container_state }}"
--- a/roles/nginx/tasks/main.yml
+++ b/roles/nginx/tasks/main.yml
@ -1,30 +1,10 @@
 ---
 - name: Check if state is supported
  ansible.builtin.fail:
    msg: >-2
      Unsupported state '{{ nginx_state }}'. Supported
      states are {{ nginx_states | join(', ') }}.
  when: nginx_state not in nginx_states
- name: Check if deployment_method is supported
+- name: Ensure base path '{{ nginx_base_path }}' exists
  ansible.builtin.fail:
    msg: >-2
      Unsupported state '{{ nginx_deployment_method }}'. Supported
      states are {{ nginx_deployment_methods | join(', ') }}.
  when: nginx_deployment_method not in nginx_deployment_methods
 - name: Ensure nginx config file is {{ nginx_state }}
  ansible.builtin.file:
    path: "{{ nginx_config_file }}"
    state: "{{ nginx_state }}"
  when: nginx_state == 'absent'
 - name: Ensure base path '{{ nginx_base_path }}' is {{ nginx_state }}
  ansible.builtin.file:
    path: "{{ nginx_base_path }}"
-    mode: "0755"
+    state: directory
-    state: >-2
+    mode: 0755
      {{ (nginx_state == 'present') | ternary('directory', 'absent') }}
 - name: Ensure nginx config file is templated
  ansible.builtin.copy:
@ -33,8 +13,25 @@
    mode: 0640
  notify:
    - restart-nginx
  when: nginx_state == 'present'
- name: Deploy using {{ nginx_deployment_method }}
+- name: Ensure docker container image is present
-  ansible.builtin.include_tasks:
+  community.docker.docker_image:
-    file: "deploy-{{ nginx_deployment_method }}.yml"
+    name: "{{ nginx_container_image_reference }}"
    state: present
    source: pull
    force_source: "{{ nginx_container_image_tag is defined and nginx_container_image_tag | string != '' }}"
 - name: Ensure docker container '{{ nginx_container_name }}' is running
  community.docker.docker_container:
    name: "{{ nginx_container_name }}"
    image: "{{ nginx_container_image_reference }}"
    env: "{{ nginx_container_env | default(omit, true) }}"
    user: "{{ nginx_container_user | default(omit, true) }}"
    ports: "{{ nginx_container_ports | default(omit, true) }}"
    labels: "{{ nginx_container_labels | default(omit, true) }}"
    volumes: "{{ nginx_container_volumes | default(omit, true) }}"
    etc_hosts: "{{ nginx_container_etc_hosts | default(omit, true) }}"
    networks: "{{ nginx_container_networks | default(omit, true) }}"
    purge_networks: "{{ nginx_container_purge_networks | default(omit, true) }}"
    restart_policy: "{{ nginx_container_restart_policy }}"
    state: started
--- a/roles/nginx/vars/main.yml
+++ b/roles/nginx/vars/main.yml
@ -1,7 +0,0 @@
 ---
 nginx_states:
  - present
  - absent
 nginx_deployment_methods:
  - docker
  - podman
--- a/roles/powerdns_tsig_key/README.md
+++ b/roles/powerdns_tsig_key/README.md
@ -1,25 +0,0 @@
 # `finallycoffee.base.powerdns_tsig_key`
 Simple ansible role for ensuring a TSIG key is present in a given PowerDNS-
 instance.
 ## Usage
 The usage example below assumes `powerdns` is running in a container named `powerdns` (as supplied to `powerdns_tsig_key_container_name`.
 ```yaml
 - hosts: "{{ target_hosts }}"
  become: true
  roles:
    - role: finallycoffee.base.powerdns_tsig_key
      vars:
        powerdns_tsig_key_name: "nameofmykey"
        powerdns_tsig_key_path: "/var/lib/myapp/tsig.key"
        powernds_tsig_key_algo: "hmac-sha512"
        powerdns_tsig_key_path_owner: "myappuser"
        powerdns_tsig_key_path_group: "myappgroup"
        powerdns_tsig_key_container_name: 'powerdns'
 ```
 > [!NOTE]
 > Support for non-docker deployments is pending.
--- a/roles/restic/defaults/main.yml
+++ b/roles/restic/defaults/main.yml
@ -10,41 +10,18 @@ restic_backup_stdin_command: ~
 restic_backup_stdin_command_filename: ~
 restic_policy_keep_all_within: 1d
-restic_policy_keep_hourly: 12
+restic_policy_keep_hourly: 6
-restic_policy_keep_daily: 7
+restic_policy_keep_daily: 2
-restic_policy_keep_weekly: 6
+restic_policy_keep_weekly: 7
-restic_policy_keep_monthly: 6
+restic_policy_keep_monthly: 4
 restic_policy_keep_yearly: 5
 restic_policy_backup_frequency: hourly
 restic_base_environment:
  RESTIC_JOBNAME: "{{ restic_job_name | default('unknown') }}"
  RESTIC_FORGET_KEEP_WITHIN: "{{ restic_policy_keep_all_within }}"
  RESTIC_FORGET_KEEP_HOURLY: "{{ restic_policy_keep_hourly }}"
  RESTIC_FORGET_KEEP_DAILY: "{{ restic_policy_keep_daily }}"
  RESTIC_FORGET_KEEP_WEEKLY: "{{ restic_policy_keep_weekly }}"
  RESTIC_FORGET_KEEP_MONTHLY: "{{ restic_policy_keep_monthly }}"
  RESTIC_FORGET_KEEP_YEARLY: "{{ restic_policy_keep_yearly }}"
 restic_s3_environment:
  AWS_ACCESS_KEY_ID: "{{ restic_s3_key_id }}"
  AWS_SECRET_ACCESS_KEY: "{{ restic_s3_access_key }}"
 restic_complete_environment: >-
  {{
    restic_base_environment
    | combine((restic_s3_environment
      if (restic_s3_key_id and restic_s3_access_key) else {}) | default({}))
    | combine(restic_environment | default({}))
  }}
 restic_policy:
  keep_within: "{{ restic_policy_keep_all_within }}"
  hourly: "{{ restic_policy_keep_hourly }}"
  daily: "{{ restic_policy_keep_daily }}"
  weekly: "{{ restic_policy_keep_weekly }}"
  monthly: "{{ restic_policy_keep_monthly }}"
  yearly: "{{ restic_policy_keep_yearly }}"
  frequency: "{{ restic_policy_backup_frequency }}"
 restic_user: root
--- a/roles/restic/templates/restic.service.j2
+++ b/roles/restic/templates/restic.service.j2
@ -9,43 +9,26 @@ SyslogIdentifier={{ restic_systemd_syslog_identifier }}
 Environment=RESTIC_REPOSITORY={{ restic_repo_url }}
 Environment=RESTIC_PASSWORD={{ restic_repo_password }}
-{% for kv in restic_complete_environment | dict2items %}
+{% if restic_s3_key_id and restic_s3_access_key %}
-Environment={{ kv.key }}={{ kv.value }}
+Environment=AWS_ACCESS_KEY_ID={{ restic_s3_key_id }}
-{% endfor %}
+Environment=AWS_SECRET_ACCESS_KEY={{ restic_s3_access_key }}
 {% if restic_init | default(true) %}
 ExecStartPre=-/bin/sh -c '/usr/bin/restic snapshots || /usr/bin/restic init'
 {% endif %}
 {% if restic_unlock_before_backup | default(false) %}
-ExecStartPre=-/bin/sh -c 'sleep 3 && /usr/bin/restic unlock'
+ExecStartPre=-/bin/sh -c '/usr/bin/restic unlock'
 {% endif %}
 ExecStartPre=-/bin/sh -c '/usr/bin/restic snapshots || /usr/bin/restic init'
 {% if restic_backup_pre_hook | default(false) %}
-ExecStartPre=-{{ restic_backup_pre_hook }}
+ExecStart=-{{ restic_backup_pre_hook }}
 {% endif %}
 {% if restic_backup_stdin_command %}
-ExecStart=/bin/sh -c '{{ restic_backup_stdin_command }} | /usr/bin/restic backup \
+ExecStart=/bin/sh -c '{{ restic_backup_stdin_command }} | /usr/bin/restic backup --verbose --stdin --stdin-filename {{ restic_backup_stdin_command_filename }}'
 	--retry-lock {{ restic_retry_lock | default('5m') }} \
 	--verbose --stdin \
 	--stdin-filename {{ restic_backup_stdin_command_filename }}'
 {% else %}
-ExecStart=/opt/restic-backup-directories.sh {{ restic_backup_paths | join(' ') }}
+ExecStart=/usr/bin/restic --verbose backup {{ restic_backup_paths | join(' ') }}
 {% endif %}
 {% if restic_forget_prune | default(true) %}
 ExecStartPost=/usr/bin/restic forget --prune \
 	--retry-lock {{ restic_retry_lock | default('5m') }} \
 	--keep-within={{ restic_policy.keep_within }} \
 	--keep-hourly={{ restic_policy.hourly }} \
 	--keep-daily={{ restic_policy.daily }} \
 	--keep-weekly={{ restic_policy.weekly }} \
 	--keep-monthly={{ restic_policy.monthly }} \
 	--keep-yearly={{ restic_policy.yearly }}
 {% endif %}
 {% if restic_list_snapshots | default(true) %}
 ExecStartPost=-/usr/bin/restic snapshots --retry-lock {{ restic_retry_lock | default('5m') }}
 {% endif %}
 ExecStartPost=/usr/bin/restic forget --prune --keep-within={{ restic_policy.keep_within }} --keep-hourly={{ restic_policy.hourly }} --keep-daily={{ restic_policy.daily }} --keep-weekly={{ restic_policy.weekly }} --keep-monthly={{ restic_policy.monthly }}
 ExecStartPost=-/usr/bin/restic snapshots
 {% if restic_backup_post_hook | default(false) %}
 ExecStartPost=-{{ restic_backup_post_hook }}
 {% endif %}
-{% if restic_check | default(true) %}
+ExecStartPost=/usr/bin/restic check
 ExecStartPost=/usr/bin/restic check --retry-lock {{ restic_retry_lock | default('5m') }}
 {% endif %}
`@ -1,3 +1,3 @@`
	`---`	`---`

	`requires_ansible: ">=2.15"`	`requires_ansible: ">=2.12"`