fix(lego): quoting issues leading to wrongful error

README.md

@@ -5,10 +5,6 @@
 This ansible collection provides various roles for installing
 and configuring basic system utilities like gnupg, ssh etc
 
-- [`elasticsearch`](roles/elasticsearch/README.md): Deploy [elasticsearch](https://www.docker.elastic.co/r/elasticsearch/elasticsearch-oss),
-  a popular (distributed) search and analytics engine, mostly known by it's
-  letter "E" in the ELK-stack.
-
 - [`git`](roles/git/README.md): configures git on the target system
 
 - [`gnupg`](roles/gnupg/README.md): configures gnupg on the target system
@@ -16,8 +12,6 @@ and configuring basic system utilities like gnupg, ssh etc
 - [`lego`](roles/lego/README.md): runs [lego (LetsEncrypt Go)](https://github.com/go-acme/lego),
   a ACME client written in go, using systemd (timers). Multi-instance capable.
 
-- [`mariadb`](roles/mariadb/README.md): runs [MariaDB Server](https://mariadb.org/), one of the world's most popular open source relational database
-
 - [`minio`](roles/minio/README.md): Deploy [min.io](https://min.io), an
   s3-compatible object storage server, using docker containers.
 

galaxy.yml

@@ -1,6 +1,6 @@
 namespace: finallycoffee
 name: base
-version: 0.1.2
+version: 0.2.0
 readme: README.md
 authors:
 - transcaffeine <transcaffeine@finally.coffee>
@@ -14,9 +14,7 @@ repository: https://git.finally.coffee/finallycoffee/base
 issues: https://codeberg.org/finallycoffee/ansible-collection-base/issues
 tags:
   - docker
-  - elastic
   - lego
-  - mariadb
   - minio
   - nginx
   - restic

roles/elasticsearch/README.md

@@ -1,22 +0,0 @@
-# `finallycoffee.base.elastiscsearch`
-
-A simple ansible role which deploys a single-node elastic container to provide
-an easy way to do some indexing.
-
-## Usage
-
-Per default, `/opt/elasticsearch/data` is used to persist data, it is
-customizable by using either `elasticsearch_base_path` or `elasticsearch_data_path`.
-
-As elasticsearch be can be quite memory heavy, the maximum amount of allowed RAM
-can be configured using `elasticsearch_allocated_ram_mb`, defaulting to 512 (mb).
-
-The cluster name and discovery type can be overridden using
-`elasticsearch_config_cluster_name` (default: elastic) and
-`elasticsearch_config_discovery_type` (default: single-node), should one
-need a multi-node elasticsearch deployment.
-
-Per default, no ports or networks are mapped, and explizit mapping using
-either ports (`elasticsearch_container_ports`) or networks
-(`elasticsearch_container_networks`) is required in order for other services
-to use elastic.

roles/elasticsearch/defaults/main.yml

@@ -1,35 +0,0 @@
----
-
-elasticsearch_version: 7.17.7
-
-elasticsearch_base_path: /opt/elasticsearch
-elasticsearch_data_path: "{{ elasticsearch_base_path }}/data"
-
-elasticsearch_config_cluster_name: elastic
-elasticsearch_config_discovery_type: single-node
-elasticsearch_config_boostrap_memory_lock: true
-elasticsearch_allocated_ram_mb: 512
-
-elasticsearch_container_image_name: docker.elastic.co/elasticsearch/elasticsearch-oss
-elasticsearch_container_image_tag: ~
-elasticsearch_container_image: >-
-  {{ elasticsearch_container_image_name }}:{{ elasticsearch_container_image_tag | default(elasticsearch_version, true) }}
-
-elasticsearch_container_name: elasticsearch
-elasticsearch_container_env:
-  "ES_JAVA_OPTS": "-Xms{{ elasticsearch_allocated_ram_mb }}m -Xmx{{ elasticsearch_allocated_ram_mb }}m"
-  "cluster.name": "{{ elasticsearch_config_cluster_name }}"
-  "discovery.type": "{{ elasticsearch_config_discovery_type }}"
-  "bootstrap.memory_lock": "{{ 'true' if elasticsearch_config_boostrap_memory_lock else 'false' }}"
-elasticsearch_container_user: ~
-elasticsearch_container_ports: ~
-elasticsearch_container_labels:
-  version: "{{ elasticsearch_version }}"
-elasticsearch_container_ulimits:
-#  - "memlock:{{ (1.5 * 1024 * elasticsearch_allocated_ram_mb) | int }}:{{ (1.5 * 1024 * elasticsearch_allocated_ram_mb) | int }}"
-  - "memlock:-1:-1"
-elasticsearch_container_volumes:
-  - "{{ elasticsearch_data_path }}:/usr/share/elasticsearch/data:z"
-elasticsearch_container_networks: ~
-elasticsearch_container_purge_networks: ~
-elasticsearch_container_restart_policy: unless-stopped

roles/elasticsearch/tasks/main.yml

@@ -1,32 +0,0 @@
----
-
-- name: Ensure host directories are present
-  file:
-    path: "{{ item }}"
-    state: directory
-    mode: "0777"
-  loop:
-    - "{{ elasticsearch_base_path }}"
-    - "{{ elasticsearch_data_path }}"
-
-- name: Ensure elastic container image is present
-  docker_image:
-    name: "{{ elasticsearch_container_image }}"
-    state: present
-    source: pull
-    force_source: "{{ elasticsearch_container_image_tag|default(false, true)|bool }}"
-
-- name: Ensure elastic container is running
-  docker_container:
-    name: "{{ elasticsearch_container_name }}"
-    image: "{{ elasticsearch_container_image }}"
-    env: "{{ elasticsearch_container_env | default(omit, True) }}"
-    user: "{{ elasticsearch_container_user | default(omit, True) }}"
-    ports: "{{ elasticsearch_container_ports | default(omit, True) }}"
-    labels: "{{ elasticsearch_container_labels | default(omit, True) }}"
-    volumes: "{{ elasticsearch_container_volumes }}"
-    ulimits: "{{ elasticsearch_container_ulimits }}"
-    networks: "{{ elasticsearch_container_networks | default(omit, True) }}"
-    purge_networks: "{{ elasticsearch_container_purge_networks | default(omit, True) }}"
-    restart_policy: "{{ elasticsearch_container_restart_policy }}"
-    state: started

roles/lego/defaults/main.yml

@@ -1,6 +1,6 @@
 ---
 lego_user: "lego"
-lego_version: "4.18.0"
+lego_version: "4.22.2"
 lego_instance: default
 lego_base_path: "/opt/lego"
 lego_cert_user: "acme-{{ lego_instance }}"

roles/lego/files/lego_run.sh

@@ -1,22 +1,35 @@
 #!/usr/bin/env bash
+set -euo pipefail
 
 LEGO_BINARY=$(/usr/bin/env which lego)
 
-if [[ -n "$LEGO_HTTP_FALLBACK_PORT" ]]; then
+if [[ -n "${LEGO_HTTP_FALLBACK_PORT:-}" ]]; then
+  if ! nc_binary="$(type -p 'nc')" || [[ -z $nc_binary ]]; then
+    echo "nc not found (in PATH), exiting"
+    exit 1
+  fi
   nc -z 127.0.0.1 $LEGO_HTTP_PORT;
   if [[ $? -eq 0 ]]; then
       LEGO_HTTP_PORT=$LEGO_HTTP_FALLBACK_PORT
   fi
 fi
 
+if [[ -n "${LEGO_PRE_RENEWAL_HOOK:-}" ]]; then
+  $LEGO_PRE_RENEWAL_HOOK
+fi
+
 LEGO_COMMAND_ARGS_EXPANDED=$(bash -c "echo $LEGO_COMMAND_ARGS") # This is a bit icky
 
-FILES_IN_DIR=$(find "$LEGO_CERT_STORE_PATH/certificates" | wc -l)
+FILES_IN_DIR=$(find "$LEGO_CERT_STORE_PATH/certificates" -type f | wc -l)
 if [[ $FILES_IN_DIR -gt 2 ]]; then
         $LEGO_BINARY $LEGO_COMMAND_ARGS_EXPANDED renew --days=$LEGO_CERT_DAYS_TO_RENEW
 else
         $LEGO_BINARY $LEGO_COMMAND_ARGS_EXPANDED run
 fi
 
-ls "$LEGO_CERT_STORE_PATH/certificates" | xargs -I{} -n 1 chmod "$LEGO_CERT_MODE" "$LEGO_CERT_STORE_PATH/certificates/{}"
+find "$LEGO_CERT_STORE_PATH/certificates" -type f | xargs -I{} -n 1 chmod "$LEGO_CERT_MODE" "{}"
-ls "$LEGO_CERT_STORE_PATH/certificates" | xargs -I{} -n 1 chown "$LEGO_CERT_USER":"$LEGO_CERT_GROUP" "$LEGO_CERT_STORE_PATH/certificates/{}"
+find "$LEGO_CERT_STORE_PATH/certificates" -type f | xargs -I{} -n 1 chown "${LEGO_CERT_USER}:${LEGO_CERT_GROUP}" "{}"
+
+if [[ -n "${LEGO_POST_RENEWAL_HOOK:-}" ]]; then
+  $LEGO_POST_RENEWAL_HOOK
+fi

roles/mariadb/README.md

@@ -1,19 +0,0 @@
-# `finallycoffee.base.mariadb` ansible role
-
-This role deploys a MariaDB instance in a docker container.
-
-## Usage
-
-The role expects the following variables to be populated with values and/or secrets:
-
-```yaml
-mariadb_root_password: #mariadb root password
-mariadb_database: # name of the database to create
-mariadb_username: # name of a user to auto-create and assign permission on the mariadb_database
-mariadb_password: # password of the user in mariadb_username
-```
-
-## Requirements
-
-- Docker installed
-- python-docker present on target system for ansible to be able to talk with the docker API.

roles/mariadb/defaults/main.yml

@@ -1,32 +0,0 @@
----
-
-mariadb_version: "10.11.9"
-mariadb_base_path: /var/lib/mariadb
-mariadb_data_path: "{{ mariadb_base_path }}/{{ mariadb_version }}"
-
-mariadb_root_password: ~
-mariadb_database: ~
-mariadb_username: ~
-mariadb_password: ~
-
-mariadb_container_base_environment:
-  MARIADB_ROOT_PASSWORD: "{{ mariadb_root_password }}"
-mariadb_container_extra_environment: {}
-
-mariadb_container_name: mariadb
-mariadb_container_image_name: docker.io/mariadb
-mariadb_container_image_tag: ~
-mariadb_container_image: "{{ mariadb_container_image_name }}:{{ mariadb_container_image_tag | default(mariadb_version, true) }}"
-mariadb_container_base_volumes:
-  - "{{ mariadb_data_path }}:{{ mariadb_container_data_path }}:z"
-mariadb_container_extra_volumes: []
-mariadb_container_base_labels:
-  version: "{{ mariadb_version }}"
-mariadb_container_extra_labels: {}
-mariadb_container_restart_policy: "unless-stopped"
-mariadb_container_environment: >-2
-  {{ mariadb_container_base_environment
-  | combine(mariadb_container_database_environment
-      if (mariadb_database and mariadb_username and mariadb_password)
-      else {}, recursive=True)
-  | combine(mariadb_container_extra_environment) }}

roles/mariadb/tasks/main.yml

@@ -1,20 +0,0 @@
----
-- name: Ensure mariaDB container image is present on host
-  community.docker.docker_image:
-    name: "{{ mariadb_container_image }}"
-    state: present
-    source: pull
-
-- name: Ensure mariaDB {{ mariadb_version }} is running as '{{ mariadb_container_name }}'
-  community.docker.docker_container:
-    name: "{{ mariadb_container_name }}"
-    image: "{{ mariadb_container_image }}"
-    env: "{{ mariadb_container_environment }}"
-    ports: "{{ mariadb_container_ports }}"
-    labels: "{{ mariadb_container_labels }}"
-    volumes: "{{ mariadb_container_volumes }}"
-    networks: "{{ mariadb_container_networks | default(omit, true) }}"
-    etc_hosts: "{{ mariadb_container_etc_hosts | default(omit, true) }}"
-    purge_networks: "{{ mariadb_container_purge_networks | default(omit, true) }}"
-    restart_policy: "{{ mariadb_container_restart_policy }}"
-    state: started

roles/mariadb/vars/main.yml

@@ -1,10 +0,0 @@
----
-
-mariadb_container_database_environment:
-  MARIADB_DATABASE: "{{ mariadb_database }}"
-  MARIADB_USER: "{{ mariadb_username }}"
-  MARIADB_PASSWORD: "{{ mariadb_password }}"
-
-mariadb_container_data_path: /var/lib/mysql
-mariadb_container_volumes: "{{ mariadb_container_base_volumes + mariadb_container_extra_volumes }}"
-mariadb_container_labels: "{{ mariadb_container_base_labels | combine(mariadb_container_extra_labels, recursive=True) }}"

roles/nginx/defaults/main.yml

@@ -1,5 +1,5 @@
 ---
-nginx_version: "1.27.2"
+nginx_version: "1.27.4"
 nginx_flavour: alpine
 nginx_base_path: /opt/nginx
 nginx_config_file: "{{ nginx_base_path }}/nginx.conf"

roles/restic/defaults/main/config.yml

@@ -1,5 +1,4 @@
 ---
-
 restic_repo_url: ~
 restic_repo_password: ~
 restic_s3_key_id: ~
@@ -8,6 +7,8 @@ restic_s3_access_key: ~
 restic_backup_paths: []
 restic_backup_stdin_command: ~
 restic_backup_stdin_command_filename: ~
+restic_backup_generate_metrics_command: >-2
+  {{ restic_script_generate_snapshot_metrics }}
 
 restic_policy_keep_all_within: 1d
 restic_policy_keep_hourly: 12
@@ -18,13 +19,16 @@ restic_policy_keep_yearly: 5
 restic_policy_backup_frequency: hourly
 
 restic_base_environment:
-  RESTIC_JOBNAME: "{{ restic_job_name | default('unknown') }}"
+  RESTIC_REPOSITORY: "{{ restic_repo_url }}"
+  RESTIC_PASSWORD: "{{ restic_repo_password }}"
+  RESTIC_JOBNAME: "{{ restic_job_name }}"
   RESTIC_FORGET_KEEP_WITHIN: "{{ restic_policy_keep_all_within }}"
   RESTIC_FORGET_KEEP_HOURLY: "{{ restic_policy_keep_hourly }}"
   RESTIC_FORGET_KEEP_DAILY: "{{ restic_policy_keep_daily }}"
   RESTIC_FORGET_KEEP_WEEKLY: "{{ restic_policy_keep_weekly }}"
   RESTIC_FORGET_KEEP_MONTHLY: "{{ restic_policy_keep_monthly }}"
   RESTIC_FORGET_KEEP_YEARLY: "{{ restic_policy_keep_yearly }}"
+  RESTIC_GENERATE_SNAPSHOT_METRICS_COMMAND: "{{ restic_backup_generate_metrics_command }}"
 
 restic_s3_environment:
   AWS_ACCESS_KEY_ID: "{{ restic_s3_key_id }}"
@@ -33,8 +37,8 @@ restic_s3_environment:
 restic_complete_environment: >-
   {{
     restic_base_environment
-    | combine((restic_s3_environment
+    | combine((restic_s3_environment | default({}))
-      if (restic_s3_key_id and restic_s3_access_key) else {}) | default({}))
+      if (restic_s3_key_id and restic_s3_access_key) else {})
     | combine(restic_environment | default({}))
   }}
 
@@ -46,15 +50,3 @@ restic_policy:
   monthly: "{{ restic_policy_keep_monthly }}"
   yearly: "{{ restic_policy_keep_yearly }}"
   frequency: "{{ restic_policy_backup_frequency }}"
-
-restic_user: root
-restic_create_user: false
-restic_start_job_on_unit_change: false
-
-restic_job_name: ~
-restic_job_description: "Restic backup job for {{ restic_job_name }}"
-restic_systemd_unit_naming_scheme: "restic.{{ restic_job_name }}"
-restic_systemd_working_directory: /tmp
-restic_systemd_syslog_identifier: "restic-{{ restic_job_name }}"
-
-restic_package_name: restic

roles/restic/defaults/main/main.yml

@@ -0,0 +1,16 @@
+---
+restic_user: root
+restic_user_create: false
+restic_create_user: "{{ restic_user_create }}"
+restic_user_create_home: false
+restic_user_system: false
+
+restic_state: present
+restic_version: "0.17.3"
+restic_job_name: default
+restic_job_state: "{{ restic_state }}"
+restic_job_directory: "/etc/restic"
+
+restic_package_name: restic
+restic_script_generate_snapshot_metrics: "/opt/restic-generate-snapshot-metrics.sh"
+restic_start_job_on_unit_change: true

roles/restic/defaults/main/systemd.yml

@@ -0,0 +1,20 @@
+---
+restic_systemd_job_description: "Restic backup service"
+restic_systemd_unit_naming_scheme: "restic-{{ restic_job_name }}"
+restic_systemd_timer_naming_scheme: >-2
+  {{ restic_systemd_unit_naming_scheme }}.timer
+restic_systemd_timer_state_map:
+  present: "started"
+  absent: "stopped"
+  masked: "started"
+restic_systemd_timer_state: >-2
+  {{ restic_systemd_timer_state_map[restic_job_state] }}
+
+restic_systemd_syslog_identifier: "restic@%i"
+restic_systemd_working_directory: /tmp
+restic_systemd_install_wanted_by: "basic.target"
+restic_systemd_install_default_instance: "default"
+
+restic_systemd_start_job_on_unit_change: false
+restic_systemd_service_exec_start: "/opt/restic-backup.sh"
+

roles/restic/files/restic-backup.sh

@@ -0,0 +1,43 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+if [[ -n ${RESTIC_PRE_BACKUP_HOOK-} ]]; then
+    /bin/bash -c "$RESTIC_PRE_BACKUP_HOOK"
+fi
+
+echo "List existing snapshots or initialize repository"
+restic snapshots || restic init
+sleep 1;
+
+echo "Attempting to remove lock if present"
+restic unlock
+sleep 1;
+
+echo "Start backup on ${@:1}"
+restic --verbose --retry-lock=${RESTIC_RETRY_LOCK:-5m} backup "${@:1}"
+sleep 1;
+
+if [[ -n ${RESTIC_POIST_BACKUP_HOOK-} ]]; then
+    /bin/bash -c "$RESTIC_POST_BACKUP_HOOK"
+fi
+
+echo "Forget and prune old snapshots"
+restic forget --prune --retry-lock=${RESTIC_RETRY_LOCK:-5m} \
+    --keep-within=${RESTIC_FORGET_KEEP_WITHIN:-1d} \
+    --keep-hourly=${RESTIC_FORGET_KEEP_HOURLY:-6} \
+    --keep-daily=${RESTIC_FORGET_KEEP_DAILY:-2} \
+    --keep-weekly=${RESTIC_FORGET_KEEP_WEEKLY:-7} \
+    --keep-monthly=${RESTIC_FORGET_KEEP_MONTHLY:-4} \
+    --verbose
+sleep 2
+
+echo "Generate snapshot metrics"
+if [[ -n ${RESTIC_GENERATE_SNAPSHOT_METRICS_COMMAND-} ]]; then
+    restic --json snapshots | ${RESTIC_GENERATE_SNAPSHOT_METRICS_COMMAND} \
+        > /var/lib/node_exporter/restic-snapshots-${RESTIC_JOBNAME:-unknown}.prom-src
+    sleep 2;
+fi
+
+echo "Check repository"
+restic check

roles/restic/files/restic-snapshot-metrics.sh

@@ -0,0 +1,12 @@
+#!/usr/bin/env bash
+
+RESTIC_JSON=$(</dev/stdin)
+
+echo $RESTIC_JSON | jq -r '.[]
+    | {
+        "hostname": .hostname,
+        "username": .username,
+        "short_id": .short_id,
+        "time": ((((.time | split(".")[0]) + "Z") | fromdate) - (3600 * (.time | split("+")[1] | split(":")[0] | tonumber + 1))),
+        "paths": .paths[]
+    } | "restic_snapshots{hostname=\"\(.hostname)\",username=\"\(.username)\",short_id=\"\(.short_id)\",paths=\"\(.paths)\"} \(.time)"'

roles/restic/handlers/main.yml

@@ -1,13 +1,12 @@
 ---
-
 - name: Ensure system daemon is reloaded
   listen: reload-systemd
-  systemd:
+  ansible.builtin.systemd:
     daemon_reload: true
 
 - name: Ensure systemd service for '{{ restic_job_name }}' is started immediately
   listen: trigger-restic
-  systemd:
+  ansible.builtin.systemd:
-    name: "{{ restic_systemd_unit_naming_scheme }}.service"
+    name: "{{ restic_systemd_timer_naming_scheme }}"
     state: started
-  when: restic_start_job_on_unit_change
+  when: (not ansible_check_mode) and restic_start_job_on_unit_change

roles/restic/tasks/check.yml

@@ -0,0 +1,35 @@
+---
+- name: Check if 'restic_state' is valid
+  ansible.builtin.fail:
+    msg: >-2
+      Unknown value '{{ restic_state }}' for 'restic_state'!
+      Supported values are {{ restic_states | join(', ') }}
+  when: restic_state not in restic_states
+
+- name: Ensure 'restic_job_name' is properly populated
+  ansible.builtin.fail:
+    msg: >-2
+      Unsupported restic_job_name '{{ restic_job_name | string }}'!
+  when:
+    - not (restic_job_name | string | length > 0)
+
+- name: Ensure either backup_paths or backup_stdin_command is populated
+  ansible.builtin.fail:
+    msg: >-2
+      Setting both `restic_backup_paths` and `restic_backup_stdin_command`
+      is not supported!
+  when: restic_backup_paths|length > 0 and restic_backup_stdin_command and false
+
+- name: Ensure a filename for stdin_command backup is given
+  ansible.builtin.fail:
+    msg: >-2
+      `restic_backup_stdin_command` was set but no filename for the resulting
+      output was supplied in `restic_backup_stdin_command_filename`.
+  when: restic_backup_stdin_command and not restic_backup_stdin_command_filename
+
+- name: Ensure backup frequency adheres to systemd's OnCalender syntax
+  command:
+    cmd: "systemd-analyze calendar {{ restic_policy.frequency }}"
+  register: systemd_calender_parse_res
+  failed_when: systemd_calender_parse_res.rc != 0
+  changed_when: false

roles/restic/tasks/configure.yml

@@ -0,0 +1,30 @@
+---
+- name: Ensure systemd timer file for '{{ restic_job_name }}' is {{ restic_state }}'
+  ansible.builtin.template:
+    dest: "/etc/systemd/system/{{ restic_systemd_unit_naming_scheme }}.timer"
+    src: restic.timer.j2
+    owner: root
+    group: root
+    mode: "0640"
+  when: restic_state == 'present'
+  register: restic_systemd_timer_info
+  notify:
+    - reload-systemd
+
+- name: Ensure restic configuration for '{{ restic_job_name }}' is {{ restic_job_state }}
+  ansible.builtin.template:
+    src: "restic.conf.j2"
+    dest: "{{ restic_job_directory }}/{{ restic_job_name }}.conf"
+    mode: "0640"
+  when: restic_job_state in ['present', 'masked']
+  notify:
+    - trigger-restic
+
+- name: Ensure restic configuration for '{{ restic_job_name }}' is {{ restic_job_state }}
+  ansible.builtin.file:
+    path: "{{ restic_job_directory }}/{{ restic_job_name }}.conf"
+    state: "{{ restic_job_state }}"
+  when: restic_job_state not in ['present', 'masked']
+
+- name: Flush handlers to ensure systemd knows about '{{ restic_job_name }}'
+  meta: flush_handlers

roles/restic/tasks/install.yml

@@ -0,0 +1,48 @@
+---
+- name: Ensure restic is installed
+  block:
+    - name: Ensure restic is installed via apt
+      apt:
+        package: restic
+        state: latest
+      when: ansible_os_family == 'Debian'
+    - name: Ensure restic is installed via dnf
+      dnf:
+        name: restic
+        state: latest
+      when: ansible_os_family == 'RedHat'
+    - name: Ensure restic is installed using the auto-detected package-manager
+      package:
+        name: "{{ restic_package_name }}"
+        state: present
+      when: ansible_os_family not in ['RedHat', 'Debian']
+
+- name: Ensure restic backup scripts are {{ restic_state }}
+  ansible.builtin.copy:
+    src: "{{ script.source }}"
+    dest: "{{ script.destination }}"
+    mode: "{{ script.mode }}"
+  loop:
+    - source: restic-backup.sh
+      destination: "{{ restic_systemd_service_exec_start }}"
+      mode: "0510"
+    - source: restic-snapshot-metrics.sh
+      destination: "{{ restic_script_generate_snapshot_metrics }}"
+      mode: "0510"
+  loop_control:
+    loop_var: script
+    label: "{{ script.source }}"
+
+- name: Ensure systemd service file for restic template unit is {{ restic_state }}
+  ansible.builtin.template:
+    dest: "/etc/systemd/system/restic@.service"
+    src: "restic@.service.j2"
+    owner: root
+    group: root
+    mode: "0640"
+  when: restic_state == 'present'
+  notify:
+    - reload-systemd
+    - trigger-restic
+
+

roles/restic/tasks/main.yml

@@ -1,77 +1,39 @@
 ---
+- name: Check if role input is valid
+  ansible.builtin.include_tasks:
+    file: check.yml
 
-- name: Ensure {{ restic_user }} system user exists
+- name: Ensure restic is {{ restic_state }}
-  user:
+  ansible.builtin.include_tasks:
+    file: install.yml
+
+- name: Ensure restic user '{{ restic_user }}' is {{ restic_state }}
+  ansible.builtin.user:
     name: "{{ restic_user }}"
-    state: present
+    state: "{{ restic_state }}"
-    system: true
+    system: "{{ restic_user_system }}"
+    create_home: "{{ restic_user_create_home }}"
   when: restic_create_user
 
-- name: Ensure either backup_paths or backup_stdin_command is populated
+- name: Ensure restic configuration for job is {{ restic_job_state }}
-  when: restic_backup_paths|length > 0 and restic_backup_stdin_command and false
+  ansible.builtin.include_tasks:
-  fail:
+    file: "configure.yml"
-    msg: "Setting both `restic_backup_paths` and `restic_backup_stdin_command` is not supported"
-
-- name: Ensure a filename for stdin_command backup is given
-  when: restic_backup_stdin_command and not restic_backup_stdin_command_filename
-  fail:
-    msg: "`restic_backup_stdin_command` was set but no filename for the resulting output was supplied in `restic_backup_stdin_command_filename`"
-
-- name: Ensure backup frequency adheres to systemd's OnCalender syntax
-  command:
-    cmd: "systemd-analyze calendar {{ restic_policy.frequency }}"
-  register: systemd_calender_parse_res
-  failed_when: systemd_calender_parse_res.rc != 0
-  changed_when: false
-
-- name: Ensure restic is installed
-  block:
-    - name: Ensure restic is installed via apt
-      apt:
-        package: restic
-        state: latest
-      when: ansible_os_family == 'Debian'
-    - name: Ensure restic is installed via dnf
-      dnf:
-        name: restic
-        state: latest
-      when: ansible_os_family == 'RedHat'
-    - name: Ensure restic is installed using the auto-detected package-manager
-      package:
-        name: "{{ restic_package_name }}"
-        state: present
-      when: ansible_os_family not in ['RedHat', 'Debian']
-
-- name: Ensure systemd service file for '{{ restic_job_name }}' is templated
-  template:
-    dest: "/etc/systemd/system/{{ restic_systemd_unit_naming_scheme }}.service"
-    src: restic.service.j2
-    owner: root
-    group: root
-    mode: 0640
-  notify:
-    - reload-systemd
-    - trigger-restic
-
-- name: Ensure systemd service file for '{{ restic_job_name }}' is templated
-  template:
-    dest: "/etc/systemd/system/{{ restic_systemd_unit_naming_scheme }}.timer"
-    src: restic.timer.j2
-    owner: root
-    group: root
-    mode: 0640
-  notify:
-    - reload-systemd
-
-- name: Flush handlers to ensure systemd knows about '{{ restic_job_name }}'
-  meta: flush_handlers
 
 - name: Ensure systemd timer for '{{ restic_job_name }}' is activated
-  systemd:
+  ansible.builtin.systemd:
-    name: "{{ restic_systemd_unit_naming_scheme }}.timer"
+    name: "{{ restic_systemd_timer_naming_scheme }}"
     enabled: true
+  when:
+    - restic_systemd_timer_info.changed
+    - not restic_systemd_timer_info.failed
+    - not ansible_check_mode
 
-- name: Ensure systemd timer for '{{ restic_job_name }}' is started
+- name: Ensure systemd timer for '{{ restic_job_name }}' is {{ restic_job_state }}
-  systemd:
+  ansible.builtin.systemd:
-    name: "{{ restic_systemd_unit_naming_scheme }}.timer"
+    name: "{{ restic_systemd_timer_naming_scheme }}"
-    state: started
+    state: "{{ restic_job_state }}"
+    masked: "{{ (restic_job_state == 'masked') | ternary('true', omit) }}"
+  when:
+    - restic_systemd_timer_info.changed
+    - not restic_systemd_timer_info.failed
+    - not ansible_check_mode

roles/restic/templates/restic.conf.j2

@@ -0,0 +1,3 @@
+{% for kv in restic_complete_environment | dict2items %}
+{{ kv.key }}={{ kv.value }}
+{% endfor %}

roles/restic/templates/restic.service.j2

@@ -1,51 +0,0 @@
-[Unit]
-Description={{ restic_job_description }}
-
-[Service]
-Type=simple
-User={{ restic_user }}
-WorkingDirectory={{ restic_systemd_working_directory }}
-SyslogIdentifier={{ restic_systemd_syslog_identifier }}
-
-Environment=RESTIC_REPOSITORY={{ restic_repo_url }}
-Environment=RESTIC_PASSWORD={{ restic_repo_password }}
-{% for kv in restic_complete_environment | dict2items %}
-Environment={{ kv.key }}={{ kv.value }}
-{% endfor %}
-
-{% if restic_init | default(true) %}
-ExecStartPre=-/bin/sh -c '/usr/bin/restic snapshots || /usr/bin/restic init'
-{% endif %}
-{% if restic_unlock_before_backup | default(false) %}
-ExecStartPre=-/bin/sh -c 'sleep 3 && /usr/bin/restic unlock'
-{% endif %}
-{% if restic_backup_pre_hook | default(false) %}
-ExecStartPre=-{{ restic_backup_pre_hook }}
-{% endif %}
-{% if restic_backup_stdin_command %}
-ExecStart=/bin/sh -c '{{ restic_backup_stdin_command }} | /usr/bin/restic backup \
-	--retry-lock {{ restic_retry_lock | default('5m') }} \
-	--verbose --stdin \
-	--stdin-filename {{ restic_backup_stdin_command_filename }}'
-{% else %}
-ExecStart=/opt/restic-backup-directories.sh {{ restic_backup_paths | join(' ') }}
-{% endif %}
-{% if restic_forget_prune | default(true) %}
-ExecStartPost=/usr/bin/restic forget --prune \
-	--retry-lock {{ restic_retry_lock | default('5m') }} \
-	--keep-within={{ restic_policy.keep_within }} \
-	--keep-hourly={{ restic_policy.hourly }} \
-	--keep-daily={{ restic_policy.daily }} \
-	--keep-weekly={{ restic_policy.weekly }} \
-	--keep-monthly={{ restic_policy.monthly }} \
-	--keep-yearly={{ restic_policy.yearly }}
-{% endif %}
-{% if restic_list_snapshots | default(true) %}
-ExecStartPost=-/usr/bin/restic snapshots --retry-lock {{ restic_retry_lock | default('5m') }}
-{% endif %}
-{% if restic_backup_post_hook | default(false) %}
-ExecStartPost=-{{ restic_backup_post_hook }}
-{% endif %}
-{% if restic_check | default(true) %}
-ExecStartPost=/usr/bin/restic check --retry-lock {{ restic_retry_lock | default('5m') }}
-{% endif %}

roles/restic/templates/restic@.service.j2

@@ -0,0 +1,15 @@
+[Unit]
+Description={{ restic_systemd_job_description }}
+
+[Service]
+Type=simple
+EnvironmentFile={{ restic_job_directory }}/%i.conf
+User={{ restic_user }}
+WorkingDirectory={{ restic_systemd_working_directory }}
+SyslogIdentifier={{ restic_systemd_syslog_identifier }}
+
+ExecStart={{ restic_systemd_service_exec_start }}
+
+[Install]
+WantedBy={{ restic_systemd_install_wanted_by }}
+DefaultInstance={{ restic_systemd_install_default_instance }}

roles/restic/vars/main.yml

@@ -0,0 +1,9 @@
+---
+restic_states:
+  - "present"
+  - "absent"
+
+restic_job_states:
+  - "present"
+  - "masked"
+  - "absent"