feat: add initial setup for pearl server

roles/any.tools.restic/files/restic_backups_passwd

@@ -0,0 +1,7 @@
+$ANSIBLE_VAULT;1.1;AES256
+33666438313237356564363136333933633035303531653464643766373434623834663736386463
+3464643731366237633334616536613864396162353264360a316130333032316437393333396466
+34356638393834316235633062646330336438376135346666663064303831666632353834663465
+6636663930356138640a323433613263393939303833616637336436366630386133386338613736
+34353433643539306238663638656539373731616238656635353561356632366332623532396465
+3936373534643966616131616161633234663430633233653435

roles/any.tools.restic/tasks/main.yml

@@ -0,0 +1,56 @@
+---
+- name: Ensure download directory is present
+  ansible.builtin.file:
+    path: "/opt/restic/{{ restic_version }}"
+    state: directory
+    mode: '0755'
+
+- name: Ensure compressed binary is downloaded
+  ansible.builtin.get_url:
+    url: "https://github.com/restic/restic/releases/download/v{{ restic_version }}/restic_{{ restic_version }}_linux_arm64.bz2"
+    dest: "/opt/restic/{{ restic_version }}/restic-{{ restic_version }}.bz2"
+  register: res
+
+- name: Ensure binary is decompressed
+  ansible.builtin.shell:
+    cmd: "bunzip2 -k /opt/restic/{{ restic_version }}/restic-{{ restic_version }}.bz2"
+  when: 'res.changed'
+
+- name: Ensure binary is copied to correct location
+  ansible.builtin.copy:
+    src: "/opt/restic/{{ restic_version }}/restic-{{ restic_version }}"
+    remote_src: true
+    dest: '/usr/local/bin/restic'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+  when: 'res.changed'
+
+# - name: Ensure backup scripts directory is present
+#   ansible.builtin.file:
+#     path: '/etc/backups'
+#     state: directory
+#     mode: '0755'
+
+# - name: Ensure Restic backups password file is present
+#   ansible.builtin.copy:
+#     src: 'restic_backups_passwd'
+#     dest: '/etc/backups/restic_backups_passwd'
+#     owner: root
+#     group: root
+#     mode: '0600'
+
+# - name: Ensure backup-all script is present
+#   ansible.builtin.template:
+#     src: "backup-all.sh.j2"
+#     dest: '/etc/backups/backup-all.sh'
+#     owner: root
+#     group: root
+#     mode: '0644'
+
+# - name: Ensure backup cronjob is enabled
+#   ansible.builtin.cron:
+#     name: 'Perform nightly backups'
+#     minute: '0'
+#     hour: '2'
+#     job: '/usr/bin/bash /etc/backups/backup-all.sh'

roles/any.tools.restic/templates/backup-all.sh.j2

@@ -0,0 +1,43 @@
+#!/usr/bin/env bash
+
+# This script sequentially executes all shell scripts matching
+# /etc/backups/*.backup.sh, with environment variables configured to publish
+# backups to the local Restic REST server.
+
+# Get passed along to subcalls to bash
+export RESTIC_REPOSITORY='rest:http://{{ groups['nas'][0] }}:8000/backups'
+export RESTIC_PASSWORD_FILE='/etc/backups/restic_backups_passwd'
+
+log_file='/tmp/backup-all.sh.log'
+
+rm -f "$log_file"
+
+for script in $(find /etc/backups -name '*.backup.sh'); do
+    T="$(date +%s)"
+
+    /usr/bin/bash "$script"
+
+    res="$?"
+    T="$(($(date +%s)-T))"
+
+    if [[ $res == 0 ]]; then
+        header='OK'
+    else
+        header="FAIL ($res)"
+    fi
+
+    printf \
+        "%s: %s in %02dh%02dm%02ds\n" \
+        "$(basename "$script")" "$header" \
+        "$((T/3600%24))" "$((T/60%60))" "$((T%60))" \
+        >> "$log_file"
+done
+
+# Prune older backups
+/usr/local/bin/restic forget --keep-last 7 && \
+    /usr/local/bin/restic prune
+
+# Send status notification
+ntfy publish \
+    --title "Backups ($(hostname))" \
+    homelab "$(cat "$log_file")"