feat(restic): add optional hook and optional unlock

fix(restic): change systemd service type to simple, remove wanted-by, allow post-start hooks
The old service type oneshot combined with a wanted-by of multi-user.target can lead to an infite recursion which systemd does not warn about, causing a service that never activates.
2024-05-05 16:36:30 +02:00 · 2024-04-14 15:14:02 +02:00 · 2024-02-06 12:41:16 +01:00 · 2024-02-06 12:33:19 +01:00 · 2024-02-06 11:05:13 +01:00 · 2023-11-07 18:38:16 +01:00
9 changed files with 121 additions and 9 deletions
--- a/roles/dns/defaults/main.yml
+++ b/roles/dns/defaults/main.yml
@ -0,0 +1,2 @@
+---
+dns_record_state: present
--- a/roles/dns/tasks/main.yml
+++ b/roles/dns/tasks/main.yml
@ -0,0 +1,11 @@
+---
+
+- name: Ensure DNS records in '{{ dns_zone }}' are up to date
+  famedly.dns.update:
+    primary_master: "{{ dns_server }}"
+    zone: "{{ dns_zone }}"
+    tsig_name: "{{ dns_tsig_name }}"
+    tsig_algo: "{{ dns_tsig_algo }}"
+    tsig_key: "{{ dns_tsig_key }}"
+    rr_set: "{{ dns_records }}"
+    state: "{{ dns_record_state }}"
--- a/roles/mariadb/defaults/main.yml
+++ b/roles/mariadb/defaults/main.yml
@ -1,6 +1,6 @@
 ---

-mariadb_version: "10.6.11"
+mariadb_version: "10.11.6"
 mariadb_base_path: /var/lib/mariadb
 mariadb_data_path: "{{ mariadb_base_path }}/{{ mariadb_version }}"

--- a/roles/nginx/defaults/main.yml
+++ b/roles/nginx/defaults/main.yml
@ -1,6 +1,6 @@
 ---

-nginx_version: "1.25.1"
+nginx_version: "1.25.3"
 nginx_flavour: alpine
 nginx_base_path: /opt/nginx
 nginx_config_file: "{{ nginx_base_path }}/nginx.conf"
--- a/roles/powerdns_tsig_key/defaults/main.yml
+++ b/roles/powerdns_tsig_key/defaults/main.yml
@ -0,0 +1,2 @@
+---
+powerdns_tsig_key_container_name: powerdns
--- a/roles/powerdns_tsig_key/tasks/main.yml
+++ b/roles/powerdns_tsig_key/tasks/main.yml
@ -0,0 +1,92 @@
+---
+- name: Ensure unix group '{{ powerdns_tsig_key_path_group }}' exists
+  ansible.builtin.group:
+    name: "{{ powerdns_tsig_key_path_group }}"
+    state: "present"
+    system: true
+  register: powerdns_tsig_key_path_group_info
+  when: powerdns_tsig_key_path_group is defined
+
+- name: Ensure unix user '{{ powerdns_tsig_key_path_owner }}' exists
+  ansible.builtin.user:
+    name: "{{ powerdns_tsig_key_path_owner }}"
+    state: "present"
+    system: true
+    create_home: false
+    groups: "{{ powerdns_tsig_key_path_group is defined | ternary([powerdns_tsig_key_path_group], omit) }}"
+    append: "{{ powerdns_tsig_key_path_group is defined | ternary(true, omit) }}"
+  register: powerdns_tsig_key_path_owner_info
+  when: powerdns_tsig_key_path_owner is defined
+
+- name: Check if TSIG key is already present
+  ansible.builtin.stat:
+    path: "{{ powerdns_tsig_key_path }}"
+  register: powerdns_tsig_key_info
+
+- name: Ensure TSIG key directory is present
+  ansible.builtin.file:
+    path: "{{ powerdns_tsig_key_path | dirname }}"
+    state: directory
+    owner: "{{ powerdns_tsig_key_path_owner | default(omit) }}"
+    group: "{{ powerdns_tsig_key_path_group | default(omit) }}"
+    mode: "u+rwX,g-rwx,o-rwx"
+    recurse: true
+
+- name: Ensure a TSIG key is configured and persisted
+  when: >-
+    not powerdns_tsig_key_info.stat.exists
+    or powerdns_tsig_key_info.stat.size == 0
+  block:
+    - name: Ensure TSIG key is not already present
+      community.docker.docker_container_exec:
+        container: "{{ powerdns_tsig_key_container_name }}"
+        command: "pdnsutil list-tsig-keys"
+      delegate_to: "{{ powerdns_tsig_key_hostname }}"
+      register: powerdns_tsig_key_powerdns_info
+      changed_when: false
+      check_mode: false
+      become: true
+
+    - name: Ensure TSIG key is generated in powerdns
+      community.docker.docker_container_exec:
+        container: "{{ powerdns_tsig_key_container_name }}"
+        command: "pdnsutil generate-tsig-key '{{ powerdns_tsig_key_name }}' '{{ powerdns_tsig_key_algo }}'"
+      when: >-
+        (powerdns_tsig_key_name ~ '. ' ~ powerdns_tsig_key_algo ~ '. ')
+        not in powerdns_tsig_key_powerdns_info.stdout
+      delegate_to: "{{ powerdns_tsig_key_hostname }}"
+      register: powerdns_tsig_key_powerdns_generated_key
+      throttle: 1
+      become: true
+
+    - name: Extract TSIG key into variable
+      ansible.builtin.set_fact:
+        powerdns_tsig_key_key: >-
+          {{
+            (powerdns_tsig_key_powerdns_generated_tsig_key.stdout | trim | split(' ') | list | last)
+            if (powerdns_tsig_key_name ~ '. ' ~ powerdns_tsig_key_algo ~ '. ')
+            not in powerdns_tsig_key_powerdns_info.stdout
+            else (powerdns_generated_tsig_key | trim | split(' ') | list | last)
+          }}
+      vars:
+        powerdns_generated_tsig_key: >-
+          {% for line in powerdns_tsig_key_powerdns_info.stdout_lines %}
+          {% if powerdns_tsig_key_name in line %}
+          {{ line }}
+          {% endif %}
+          {% endfor %}
+
+    - name: Ensure TSIG key is persisted into {{ powerdns_tsig_key_path }}
+      ansible.builtin.copy:
+        content: "{{ powerdns_tsig_key_key }}"
+        dest: "{{ powerdns_tsig_key_path }}"
+        owner: "{{ powerdns_tsig_key_path_owner | default(omit) }}"
+        group: "{{ powerdns_tsig_key_path_group | default(omit) }}"
+        mode: "0600"
+
+- name: Ensure TSIG key permissions on {{ powerdns_tsig_key_path }} are correct
+  ansible.builtin.file:
+    path: "{{ powerdns_tsig_key_path }}"
+    owner: "{{ powerdns_tsig_key_path_owner | default(omit) }}"
+    group: "{{ powerdns_tsig_key_path_group | default(omit) }}"
+    mode: "0600"
--- a/roles/restic/tasks/main.yml
+++ b/roles/restic/tasks/main.yml
@ -8,7 +8,7 @@
  when: restic_create_user

 - name: Ensure either backup_paths or backup_stdin_command is populated
-  when: restic_backup_paths|length > 0 and restic_backup_stdin_command
+  when: restic_backup_paths|length > 0 and restic_backup_stdin_command and false
  fail:
    msg: "Setting both `restic_backup_paths` and `restic_backup_stdin_command` is not supported"

--- a/roles/restic/templates/restic.service.j2
+++ b/roles/restic/templates/restic.service.j2
@ -2,7 +2,7 @@
 Description={{ restic_job_description }}

 [Service]
-Type=oneshot
+Type=simple
 User={{ restic_user }}
 WorkingDirectory={{ restic_systemd_working_directory }}
 SyslogIdentifier={{ restic_systemd_syslog_identifier }}
@ -13,8 +13,14 @@ Environment=RESTIC_PASSWORD={{ restic_repo_password }}
 Environment=AWS_ACCESS_KEY_ID={{ restic_s3_key_id }}
 Environment=AWS_SECRET_ACCESS_KEY={{ restic_s3_access_key }}
 {% endif %}
+{% if restic_unlock_before_backup | default(false) %}
+ExecStartPre=-/bin/sh -c '/usr/bin/restic unlock'
+{% endif %}

 ExecStartPre=-/bin/sh -c '/usr/bin/restic snapshots || /usr/bin/restic init'
+{% if restic_backup_pre_hook | default(false) %}
+ExecStart=-{{ restic_backup_pre_hook }}
+{% endif %}
 {% if restic_backup_stdin_command %}
 ExecStart=/bin/sh -c '{{ restic_backup_stdin_command }} | /usr/bin/restic backup --verbose --stdin --stdin-filename {{ restic_backup_stdin_command_filename }}'
 {% else %}
@ -22,7 +28,7 @@ ExecStart=/usr/bin/restic --verbose backup {{ restic_backup_paths | join(' ') }}
 {% endif %}
 ExecStartPost=/usr/bin/restic forget --prune --keep-within={{ restic_policy.keep_within }} --keep-hourly={{ restic_policy.hourly }} --keep-daily={{ restic_policy.daily }} --keep-weekly={{ restic_policy.weekly }} --keep-monthly={{ restic_policy.monthly }}
 ExecStartPost=-/usr/bin/restic snapshots
+{% if restic_backup_post_hook | default(false) %}
+ExecStartPost=-{{ restic_backup_post_hook }}
+{% endif %}
 ExecStartPost=/usr/bin/restic check
-
-[Install]
-WantedBy=multi-user.target
--- a/roles/restic/templates/restic.timer.j2
+++ b/roles/restic/templates/restic.timer.j2
@ -1,9 +1,8 @@
 [Unit]
-Description=Run {{ restic_job_name }}
+Description=Run {{ restic_timer_description | default(restic_job_name) }}

 [Timer]
 OnCalendar={{ restic_policy.frequency }}
-Persistent=True
 Unit={{ restic_systemd_unit_naming_scheme }}.service

 [Install]
Author	SHA1	Message	Date
transcaffeine	e7886d8c98	feat(restic): add optional hook and optional unlock	2024-05-05 16:36:30 +02:00
Johanna Dorothea Reichmann	13d40341a0	fix(restic): change systemd service type to simple, remove wanted-by, allow post-start hooks The old service type oneshot combined with a wanted-by of multi-user.target can lead to an infite recursion which systemd does not warn about, causing a service that never activates.	2024-04-14 15:14:02 +02:00
transcaffeine	12b98487a5	update(mariadb): bump version to 10.11.6	2024-02-06 12:41:16 +01:00
transcaffeine	2e6cb0a4d5	update(mariadb): bump version to 10.6.16	2024-02-06 12:33:19 +01:00
transcaffeine	52d25942b4	update(nginx): bump version to 1.25.3	2024-02-06 11:05:13 +01:00
Johanna Dorothea Reichmann	af17bea1e1	feat: add finallycoffee.base.powerdns_tsig_key role	2023-11-07 18:38:16 +01:00
Johanna Dorothea Reichmann	52bf02e084	feat: add finallycoffee.base.dns role	2023-11-07 18:37:58 +01:00