fix(restic): attempt to unlock repository at boot

roles/elasticsearch/defaults/main.yml

@@ -1,35 +0,0 @@
----
-
-elasticsearch_version: 7.10.2
-
-elasticsearch_base_path: /opt/elasticsearch
-elasticsearch_data_path: "{{ elasticsearch_base_path }}/data"
-
-elasticsearch_config_cluster_name: elastic
-elasticsearch_config_discovery_type: single-node
-elasticsearch_config_boostrap_memory_lock: true
-elasticsearch_allocated_ram_mb: 512
-
-elasticsearch_container_image_name: docker.elastic.co/elasticsearch/elasticsearch-oss
-elasticsearch_container_image_tag: ~
-elasticsearch_container_image: >-
-  {{ elasticsearch_container_image_name }}:{{ elasticsearch_container_image_tag | default(elasticsearch_version, true) }}
-
-elasticsearch_container_name: elasticsearch
-elasticsearch_container_env:
-  "ES_JAVA_OPTS": "-Xms{{ elasticsearch_allocated_ram_mb }}m -Xmx{{ elasticsearch_allocated_ram_mb }}m"
-  "cluster.name": "{{ elasticsearch_config_cluster_name }}"
-  "discovery.type": "{{ elasticsearch_config_discovery_type }}"
-  "bootstrap.memory_lock": "{{ 'true' if elasticsearch_config_boostrap_memory_lock else 'false' }}"
-elasticsearch_container_user: ~
-elasticsearch_container_ports: ~
-elasticsearch_container_labels:
-  version: "{{ elasticsearch_version }}"
-elasticsearch_container_ulimits:
-#  - "memlock:{{ (1.5 * 1024 * elasticsearch_allocated_ram_mb) | int }}:{{ (1.5 * 1024 * elasticsearch_allocated_ram_mb) | int }}"
-  - "memlock:-1:-1"
-elasticsearch_container_volumes:
-  - "{{ elasticsearch_data_path }}:/usr/share/elasticsearch/data:z"
-elasticsearch_container_networks: ~
-elasticsearch_container_purge_networks: ~
-elasticsearch_container_restart_policy: unless-stopped

roles/elasticsearch/tasks/main.yml

@@ -1,32 +0,0 @@
----
-
-- name: Ensure host directories are present
-  file:
-    path: "{{ item }}"
-    state: directory
-    mode: "0777"
-  loop:
-    - "{{ elasticsearch_base_path }}"
-    - "{{ elasticsearch_data_path }}"
-
-- name: Ensure elastic container image is present
-  docker_image:
-    name: "{{ elasticsearch_container_image }}"
-    state: present
-    source: pull
-    force_source: "{{ elasticsearch_container_image_tag|default(false, true)|bool }}"
-
-- name: Ensure elastic container is running
-  docker_container:
-    name: "{{ elasticsearch_container_name }}"
-    image: "{{ elasticsearch_container_image }}"
-    env: "{{ elasticsearch_container_env | default(omit, True) }}"
-    user: "{{ elasticsearch_container_user | default(omit, True) }}"
-    ports: "{{ elasticsearch_container_ports | default(omit, True) }}"
-    labels: "{{ elasticsearch_container_labels | default(omit, True) }}"
-    volumes: "{{ elasticsearch_container_volumes }}"
-    ulimits: "{{ elasticsearch_container_ulimits }}"
-    networks: "{{ elasticsearch_container_networks | default(omit, True) }}"
-    purge_networks: "{{ elasticsearch_container_purge_networks | default(omit, True) }}"
-    restart_policy: "{{ elasticsearch_container_restart_policy }}"
-    state: started

roles/gitea/defaults/main.yml

@@ -1,6 +1,6 @@
 ---
 
-gitea_version: "1.16.8"
+gitea_version: "1.16.4"
 gitea_user: git
 gitea_base_path: "/opt/gitea"
 gitea_data_path: "{{ gitea_base_path }}/data"

roles/restic/tasks/main.yml

@@ -44,14 +44,22 @@
 
 - name: Ensure systemd service file for '{{ restic_job_name }}' is templated
   template:
-    dest: "/etc/systemd/system/{{ restic_systemd_unit_naming_scheme }}.service"
-    src: restic.service.j2
+    dest: "/etc/systemd/system/{{ service.unit_name }}.service"
+    src: "{{ service.file }}"
     owner: root
     group: root
     mode: 0640
   notify:
     - reload-systemd
     - trigger-restic
+  loop:
+    - unit_name: "{{ restic_systemd_unit_naming_scheme }}"
+      file: restic.service.j2
+    - unit_name: "{{ restic_systemd_unit_naming_scheme }}-unlock"
+      file: restic-unlock.service.j2
+  loop_control:
+    loop_var: service
+    label: "{{ service.file }}"
 
 - name: Ensure systemd service file for '{{ restic_job_name }}' is templated
   template:
@@ -66,6 +74,11 @@
 - name: Flush handlers to ensure systemd knows about '{{ restic_job_name }}'
   meta: flush_handlers
 
+- name: Ensure systemd service for unlocking repository for '{{ restic_job_name }}' is enabled
+  systemd:
+    name: "{{ restic_systemd_unit_naming_scheme }}-unlock.service"
+    enabled: true
+
 - name: Ensure systemd timer for '{{ restic_job_name }}' is activated
   systemd:
     name: "{{ restic_systemd_unit_naming_scheme }}.timer"

roles/restic/templates/restic-unlock.service.j2

@@ -0,0 +1,21 @@
+[Unit]
+Description={{ restic_job_description }} - Unlock after reboot job
+
+[Service]
+Type=oneshot
+User={{ restic_user }}
+WorkingDirectory={{ restic_systemd_working_directory }}
+SyslogIdentifier={{ restic_systemd_syslog_identifier }}
+
+Environment=RESTIC_REPOSITORY={{ restic_repo_url }}
+Environment=RESTIC_PASSWORD={{ restic_repo_password }}
+{% if restic_s3_key_id and restic_s3_access_key %}
+Environment=AWS_ACCESS_KEY_ID={{ restic_s3_key_id }}
+Environment=AWS_SECRET_ACCESS_KEY={{ restic_s3_access_key }}
+{% endif %}
+
+ExecStartPre=-/bin/sh -c '/usr/bin/restic snapshots || /usr/bin/restic init'
+ExecStart=/usr/bin/restic unlock
+
+[Install]
+WantedBy=multi-user.target