feat(restic): Use RESTIC_PASSWORD_FILE instead of RESTIC_PASSWORD

2026-02-03 12:26:24 +01:00
3 changed files with 31 additions and 1 deletions
--- a/roles/restic/defaults/main.yml
+++ b/roles/restic/defaults/main.yml
@@ -51,6 +51,11 @@ restic_user: root
 restic_create_user: false
 restic_start_job_on_unit_change: false

+restic_base_path: /opt/restic
+resitc_credentials_base_path: "/var/lib/restic/{{ restic_job_name }}/"
+restic_password_file_path: "{{ resitc_credentials_base_path }}/restic-passwd"
+restic_password_file_mode: 0600 #should not be less restrictive
+
 restic_job_name: ~
 restic_job_description: "Restic backup job for {{ restic_job_name }}"
 restic_systemd_unit_naming_scheme: "restic.{{ restic_job_name }}"
--- a/roles/restic/tasks/main.yml
+++ b/roles/restic/tasks/main.yml
@@ -6,6 +6,23 @@
    state: present
    system: true
  when: restic_create_user
+  register: restic_user_res
+
+- name: Ensure base directory for restic is created
+  ansible.builtin.file:
+    path: "{{ restic_base_path }}"
+    state: directory
+    owner: "{{ restic_user_res.uid | default(root) }}"
+    group: "{{ restic_user_res.group | default(root) }}"
+    mode: "0755"
+
+- name: Ensure credentials directory for restic is created
+  ansible.builtin.file:
+    path: "{{ resitc_credentials_base_path }}"
+    state: directory
+    owner: "{{ restic_user_res.uid | default(root) }}"
+    group: "{{ restic_user_res.group | default(root) }}"
+    mode: "0700"

 - name: Ensure either backup_paths or backup_stdin_command is populated
  when: restic_backup_paths|length > 0 and restic_backup_stdin_command and false
@@ -42,6 +59,14 @@
        state: present
      when: ansible_os_family not in ['RedHat', 'Debian']

+- name: Ensure restic password file is created and uptodate
+  copy:
+    dest: "{{ restic_password_file_path }}"
+    mode: "{{ restic_password_file_mode }}"
+    owner: "{{ restic_user_res.uid | default(root) }}"
+    group: "{{ restic_user_res.group | default(root) }}"
+    content: "{{ restic_repo_password }}"
+
 - name: Ensure systemd service file for '{{ restic_job_name }}' is templated
  template:
    dest: "/etc/systemd/system/{{ restic_systemd_unit_naming_scheme }}.service"
--- a/roles/restic/templates/restic.service.j2
+++ b/roles/restic/templates/restic.service.j2
@@ -8,7 +8,7 @@ WorkingDirectory={{ restic_systemd_working_directory }}
 SyslogIdentifier={{ restic_systemd_syslog_identifier }}

 Environment=RESTIC_REPOSITORY={{ restic_repo_url }}
-Environment=RESTIC_PASSWORD={{ restic_repo_password }}
+Environment=RESTIC_PASSWORD_FILE={{ restic_password_file_path }}
 {% for kv in restic_complete_environment | dict2items %}
 Environment={{ kv.key }}={{ kv.value }}
 {% endfor %}