pulibrary · kayiwa · Oct 28, 2025 · Oct 28, 2025 · Oct 28, 2025 · Oct 29, 2025
diff --git a/roles/restic_backup/README.md b/roles/restic_backup/README.md
@@ -0,0 +1,38 @@
+Role Name
+=========
+
+A brief description of the role goes here.
+
+Requirements
+------------
+
+Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
+
+Role Variables
+--------------
+
+A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
+
+Dependencies
+------------
+
+A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
+
+Example Playbook
+----------------
+
+Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
+
+    - hosts: servers
+      roles:
+         - { role: username.rolename, x: 42 }
+
+License
+-------
+
+BSD
+
+Author Information
+------------------
+
+An optional section for the role authors to include contact information, or a website (HTML is not allowed).
diff --git a/roles/restic_backup/defaults/main.yml b/roles/restic_backup/defaults/main.yml
@@ -0,0 +1,101 @@
+---
+# Restic version to install
+restic_backup_version: "0.18.1"
+
+# Installation paths
+restic_backup_install_dir: "/usr/local/bin"
+restic_backup_config_dir: "/etc/restic"
+restic_backup_cache_dir: "/var/cache/restic"
+restic_backup_log_dir: "/var/log/restic"
+
+# Google Cloud Storage configuration
+restic_backup_gcs_bucket: ""
+restic_backup_gcs_project_id: "pul-gcdc"
+restic_backup_gcs_credentials_file: "{{ restic_backup_config_dir }}/gcs-credentials.json"
+
+# Repository configuration
+restic_backup_repository_password: ""
+restic_backup_repository_password_file: "{{ restic_backup_config_dir }}/repository-password"
+
+# Backup paths (list of directories to backup)
+restic_backup_paths:
+  - /etc
+  - /home
+  - /var/log
+
+# Exclude patterns
+restic_backup_exclude_patterns:
+  - "*.tmp"
+  - "*.cache"
+  - "*.swp"
+  - "/var/log/*.gz"
+  - "/home/*/.cache"
+  - "/root/.cache"
+
+# Exclude file
+restic_backup_exclude_file: "{{ restic_config_dir }}/exclude.txt"
+
+# Backup schedule (cron format)
+restic_backup_schedule:
+  minute: "0"
+  hour: "2"
+  day: "*"
+  month: "*"
+  weekday: "*"
+
+# Use systemd timer instead of cron
+restic_backup_use_systemd_timer: true
+
+# Retention policy
+restic_backup_retention_keep_last: 10
+restic_backup_retention_keep_hourly: 24
+restic_backup_retention_keep_daily: 7
+restic_backup_retention_keep_weekly: 4
+restic_backup_retention_keep_monthly: 6
+restic_backup_retention_keep_yearly: 2
+
+# Backup options
+restic_backup_tag: "{{ inventory_hostname }}"
+restic_backup_verbosity: 1  # 0=quiet, 1=normal, 2=verbose
+restic_backup_compression: "auto"  # auto, max, or off
+
+# Pre and post backup scripts
+restic_backup_pre_backup_script: ""
+restic_backup_post_backup_script: ""
+
+# Check and prune settings
+restic_backup_enable_check: true
+restic_backup_check_schedule:
+  minute: "30"
+  hour: "3"
+  day: "*"
+  month: "*"
+  weekday: "0"  # Sunday
+
+restic_backup_enable_prune: true
+restic_backup_prune_schedule:
+  minute: "0"
+  hour: "4"
+  day: "1"
+  month: "*"
+  weekday: "*"  # First of month
+
+# Notification settings
+restic_backup_enable_notifications: false
+restic_backup_notification_email: ""
+restic_backup_notification_on_success: false
+restic_backup_notification_on_failure: true
+
+# System user for running backups
+restic_backup_user: "root"
+restic_backup_group: "root"
+
+# Initialize repository if it doesn't exist
+restic_backup_initialize_repository: true
+
+# Environment variables
+restic_backup_environment_vars:
+  RESTIC_CACHE_DIR: "{{ restic_backup_cache_dir }}"
+  RESTIC_PASSWORD_FILE: "{{ restic_backup_repository_password_file }}"
+  GOOGLE_PROJECT_ID: "{{ restic_backup_gcs_project_id }}"
+  GOOGLE_APPLICATION_CREDENTIALS: "{{ restic_backup_gcs_credentials_file }}"
diff --git a/roles/restic_backup/handlers/main.yml b/roles/restic_backup/handlers/main.yml
@@ -0,0 +1,2 @@
+---
+# handlers file for roles/restic_backup
diff --git a/roles/restic_backup/meta/main.yml b/roles/restic_backup/meta/main.yml
@@ -0,0 +1,17 @@
+---
+galaxy_info:
+  role_name: <role_name>
+  company: Princeton University Library
+  description: <Role Description>
+  author: pulibrary
+
+  license: MIT
+
+  min_ansible_version: 2.2
+
+  platforms:
+    - name: Ubuntu
+      versions:
+        - jammy
+dependencies:
+  - role: "<role I depend on>"
diff --git a/roles/restic_backup/molecule/default/ansible.cfg b/roles/restic_backup/molecule/default/ansible.cfg
@@ -0,0 +1,2 @@
+[defaults]
+remote_tmp = /tmp/ansible
diff --git a/roles/restic_backup/molecule/default/converge.yml b/roles/restic_backup/molecule/default/converge.yml
@@ -0,0 +1,15 @@
+---
+- name: Converge
+  hosts: all
+  vars:
+    - running_on_server: false
+  become: true
+  pre_tasks:
+    - name: Update cache
+      ansible.builtin.apt:
+        update_cache: true
+        cache_valid_time: 600
+  tasks:
+    - name: "Include example"
+      ansible.builtin.include_role:
+        name: example
diff --git a/roles/restic_backup/molecule/default/molecule.yml b/roles/restic_backup/molecule/default/molecule.yml
@@ -0,0 +1,31 @@
+---
+scenario:
+  name: default
+driver:
+  name: docker
+  command_timeout: 60
+lint: |
+  set -e
+  yamllint .
+  ansible-lint
+platforms:
+  - name: instance
+    image: "ghcr.io/pulibrary/pul_containers:jammy_multi"
+    command: "sleep infinity"
+    volumes:
+      - /sys/fs/cgroup:/sys/fs/cgroup:rw
+    privileged: true
+    pre_build_image: true
+    connection_options:
+      ansible_user: root
+      ansible_connection: docker
+provisioner:
+  name: ansible
+  log: true
+  playbooks:
+    prepare: prepare.yml
+  config_options:
+    defaults:
+      remote_tmp: /tmp/ansible
+verifier:
+  name: ansible
diff --git a/roles/restic_backup/molecule/default/prepare.yml b/roles/restic_backup/molecule/default/prepare.yml
@@ -0,0 +1,28 @@
+---
+- name: Prepare
+  hosts: all
+  gather_facts: false
+  connection: docker
+  tasks:
+    - name: Debug connection
+      ansible.builtin.debug:
+        msg: "Connected successfully"
+
+    - name: Check permissions
+      ansible.builtin.command: ls -la /tmp
+      register: tmp_permissions
+
+    - name: Display tmp permissions
+      ansible.builtin.debug:
+        var: tmp_permissions.stdout_lines
+
+    - name: Try to create directory manually
+      ansible.builtin.shell: |
+        mkdir -p /tmp/ansible
+        chmod 777 /tmp/ansible
+        ls -la /tmp/ansible
+      register: dir_creation
+
+    - name: Display directory creation result
+      ansible.builtin.debug:
+        var: dir_creation.stdout_lines
diff --git a/roles/restic_backup/molecule/default/verify.yml b/roles/restic_backup/molecule/default/verify.yml
@@ -0,0 +1,20 @@
+---
+- name: Verify
+  hosts: all
+  gather_facts: false
+  tasks:
+    - name: Check ruby package status
+      ansible.builtin.package:
+        name: "{{ item }}"
+        state: present
+      check_mode: true
+      register: pkg_status
+      loop:
+        - ruby-switch
+        - ruby2.6-dev
+        - ruby2.6
+
+    - name: Test for ruby packages
+      ansible.builtin.assert:
+        that:
+          - not pkg_status.changed
diff --git a/roles/restic_backup/tasks/configure.yml b/roles/restic_backup/tasks/configure.yml
@@ -0,0 +1,109 @@
+---
+- name: Restic_Backup - Create GCS credentials file
+  ansible.builtin.copy:
+    content: "{{ restic_backup_gcs_credentials_json }}"
+    dest: "{{ restic_backup_gcs_credentials_file }}"
+    owner: "{{ restic_backup_user }}"
+    group: "{{ restic_backup_group }}"
+    mode: '0600'
+  no_log: true
+  tags:
+    - restic-credentials
+
+- name: Restic_backup - Create repository password file
+  ansible.builtin.copy:
+    content: "{{ restic_backup_repository_password }}"
+    dest: "{{ restic_backup_repository_password_file }}"
+    owner: "{{ restic_backup_user }}"
+    group: "{{ restic_backup_group }}"
+    mode: '0600'
+  no_log: true
+  tags:
+    - restic-credentials
+
+- name: Restic_backup - Create exclude patterns file
+  ansible.builtin.copy:
+    content: |
+      {% for pattern in restic_backup_exclude_patterns %}
+      {{ pattern }}
+      {% endfor %}
+    dest: "{{ restic_backup_exclude_file }}"
+    owner: "{{ restic_backup_user }}"
+    group: "{{ restic_backup_group }}"
+    mode: '0644'
+  tags:
+    - restic-config
+
+- name: Restic_backup - Create Restic environment file
+  ansible.builtin.template:
+    src: restic-env.j2
+    dest: "{{ restic_backup_config_dir }}/restic-env"
+    owner: "{{ restic_backup_user }}"
+    group: "{{ restic_backup_group }}"
+    mode: '0600'
+  tags:
+    - restic-config
+
+- name: Restic_backup - Create backup script
+  ansible.builtin.template:
+    src: restic-backup.sh.j2
+    dest: "{{ restic_backup_install_dir }}/restic-backup.sh"
+    owner: "{{ restic_backup_user }}"
+    group: "{{ restic_backup_group }}"
+    mode: '0750'
+  tags:
+    - restic-scripts
+
+- name: Restic_backup - Create restore script
+  ansible.builtin.template:
+    src: restic-restore.sh.j2
+    dest: "{{ restic_backup_install_dir }}/restic-restore.sh"
+    owner: "{{ restic_backup_user }}"
+    group: "{{ restic_backup_group }}"
+    mode: '0750'
+  tags:
+    - restic-scripts
+
+- name: Restic_backup - Create check script
+  ansible.builtin.template:
+    src: restic-check.sh.j2
+    dest: "{{ restic_backup_install_dir }}/restic-check.sh"
+    owner: "{{ restic_backup_user }}"
+    group: "{{ restic_backup_group }}"
+    mode: '0750'
+  when: restic_enable_check | bool
+  tags:
+    - restic-scripts
+
+- name: Restic_backup - Create prune script
+  ansible.builtin.template:
+    src: restic-prune.sh.j2
+    dest: "{{ restic_backup_install_dir }}/restic-prune.sh"
+    owner: "{{ restic_backup_user }}"
+    group: "{{ restic_backup_group }}"
+    mode: '0750'
+  when: restic_enable_prune | bool
+  tags:
+    - restic-scripts
+
+- name: Restic_backup - Create pre-backup script
+  ansible.builtin.copy:
+    content: "{{ restic_backup_pre_backup_script }}"
+    dest: "{{ restic_backup_config_dir }}/pre-backup.sh"
+    owner: "{{ restic_backup_user }}"
+    group: "{{ restic_backup_group }}"
+    mode: '0750'
+  when: restic_backup_pre_backup_script | length > 0
+  tags:
+    - restic-scripts
+
+- name: Restic_backup - Create post-backup script
+  ansible.builtin.copy:
+    content: "{{ restic_backup_post_backup_script }}"
+    dest: "{{ restic_backup_config_dir }}/post-backup.sh"
+    owner: "{{ restic_backup_user }}"
+    group: "{{ restic_backup_group }}"
+    mode: '0750'
+  when: restic_backup_post_backup_script | length > 0
+  tags:
+    - restic-scripts