initial commit

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

roles/restic/tasks/backend.yml

@@ -0,0 +1,19 @@
+---
+- name: Ensure restic local repo directory exists
+  file:
+    path: "{{ restic_repo }}"
+    state: directory
+    owner: root
+    group: root
+    mode: "0700"
+  when: restic_repo is defined and restic_repo.startswith('/')  # only local path
+
+- name: Ensure restic repo is initialized
+  ansible.builtin.shell: |
+    set -euo pipefail
+    source /etc/restic/restic.env
+    restic snapshots > /dev/null 2>&1 || restic init
+    touch /etc/restic/.initialized
+  args:
+    creates: /etc/restic/.initialized
+

roles/restic/tasks/backend_sftp.yml

@@ -0,0 +1,30 @@
+---
+- name: Deploy Restic SSH key
+  ansible.builtin.copy:
+    src: restic_backup         # local path in your playbook repo
+    dest: "{{ restic_ssh_key }}"    # e.g. /root/.ssh/restic_backup
+    owner: root
+    group: root
+    mode: '0600'
+
+- name: Ensure restic repo directory exists on Storage Box
+  ansible.builtin.shell: |
+    ssh -i {{ restic_ssh_key }} -o BatchMode=yes -o StrictHostKeyChecking=no -p {{ restic_ssh_port }} {{ restic_user }}@{{ restic_host }} \
+    "mkdir -p {{ restic_remote_path }} && chmod 700 {{ restic_remote_path }}" < /dev/null
+  changed_when: false
+
+- name: Write the ssh config for the root user
+  # TODO: this replaces roots config and should be much smarter, safe for me currently
+  template:
+    src: restic-ssh-config.j2
+    dest: /root/.ssh/config
+    mode: "0644"
+
+- name: Initialize restic repo on Storage Box (if needed)
+  ansible.builtin.shell: |
+    source /etc/restic/restic.env
+    restic snapshots > /dev/null 2>&1 || restic init
+    touch /etc/restic/.initialized
+  args:
+    creates: /etc/restic/.initialized
+

roles/restic/tasks/backup.yml

@@ -0,0 +1,34 @@
+- name: Install restic backup service
+  template:
+    src: restic-backup.service.j2
+    dest: /etc/systemd/system/restic-backup.service
+
+- name: Install restic backup timer
+  template:
+    src: restic-backup.timer.j2
+    dest: /etc/systemd/system/restic-backup.timer
+
+- name: Enable and start restic backup timer
+  systemd:
+    name: restic-backup.timer
+    enabled: true
+    state: started
+    daemon_reload: true
+
+- name: Install restic prune service
+  template:
+    src: restic-prune.service.j2
+    dest: /etc/systemd/system/restic-prune.service
+
+- name: Install restic prune timer
+  template:
+    src: restic-prune.timer.j2
+    dest: /etc/systemd/system/restic-prune.timer
+
+- name: Enable and start restic prune timer
+  systemd:
+    name: restic-prune.timer
+    enabled: true
+    state: started
+    daemon_reload: true
+

roles/restic/tasks/config.yml

@@ -0,0 +1,24 @@
+- name: Create restic config directory
+  file:
+    path: /etc/restic
+    state: directory
+    mode: "0700"
+
+- name: Write restic environment file
+  template:
+    src: restic.env.j2
+    dest: /etc/restic/restic.env
+    mode: "0600"
+
+- name: Write restic backup script
+  template:
+    src: restic-backup.sh.j2
+    dest: /usr/local/bin/restic-backup
+    mode: "0750"
+
+- name: Write restic prune script
+  template:
+    src: restic-prune.sh.j2
+    dest: /usr/local/bin/restic-prune
+    mode: "0750"
+

roles/restic/tasks/install.yml

@@ -0,0 +1,6 @@
+- name: Install restic
+  apt:
+    name: restic
+    state: present
+    update_cache: true
+

roles/restic/tasks/main.yml

@@ -0,0 +1,15 @@
+---
+- name: Install restic binary
+  include_tasks: install.yml
+
+- name: Configure restic environment
+  include_tasks: config.yml
+
+- name: Prepare backup repository
+  include_tasks: "{{ backend_file }}"
+  vars:
+    backend_file: "{{ 'backend_sftp.yml' if restic_backend_type == 'sftp' else 'backend.yml' }}"
+
+- name: Create systemd backup timer and service
+  include_tasks: backup.yml
+