Integrate restic backup system

roles/restic/files/restic_backups_passwd

@@ -0,0 +1,7 @@
+$ANSIBLE_VAULT;1.1;AES256
+33666438313237356564363136333933633035303531653464643766373434623834663736386463
+3464643731366237633334616536613864396162353264360a316130333032316437393333396466
+34356638393834316235633062646330336438376135346666663064303831666632353834663465
+6636663930356138640a323433613263393939303833616637336436366630386133386338613736
+34353433643539306238663638656539373731616238656635353561356632366332623532396465
+3936373534643966616131616161633234663430633233653435

roles/restic/tasks/main.yml

@@ -25,3 +25,32 @@
     group: 'root'
     mode: '0755'
   when: 'res.changed'
+
+- name: Ensure backup scripts directory is present
+  ansible.builtin.file:
+    path: '/etc/backups'
+    state: directory
+    mode: '0755'
+
+- name: Ensure Restic backups password file is present
+  ansible.builtin.copy:
+    src: 'restic_backups_passwd'
+    dest: '/etc/backups/restic_backups_passwd'
+    owner: root
+    group: root
+    mode: '0600'
+
+- name: Ensure backup-all script is present
+  ansible.builtin.template:
+    src: "backup-all.sh.j2"
+    dest: '/etc/backups/backup-all.sh'
+    owner: root
+    group: root
+    mode: '0644'
+
+- name: Ensure backup cronjob is enabled
+  ansible.builtin.cron:
+    name: 'Perform nightly backups'
+    minute: '0'
+    hour: '2'
+    job: 'bash /etc/backups/backup-all.sh'

roles/restic/templates/backup-all.sh.j2

@@ -0,0 +1,17 @@
+#!/usr/bin/env bash
+
+# This script sequentially executes all shell scripts matching
+# /etc/backups/*.backup.sh, with environment variables configured to publish
+# backups to the local Restic REST server.
+
+# Get passed along to subcalls to bash
+export RESTIC_REPOSITORY='rest:http://{{ groups['nas'][0] }}:8000/backups'
+export RESTIC_PASSWORD_FILE='/etc/backups/restic_backups_passwd'
+
+for script in $(find /etc/backups -name '*.backup.sh'); do
+    bash "$script"
+done
+
+# Prune older backups
+restic forget --keep-last 7 && \
+    restic prune