main.yml

---
- name: Ensure primary group for backups user exists
  group:
    name: "{{ backups_role_user_group }}"
    state: present

- name: Ensure additional groups for backups user exist
  group:
    name: "{{ item }}"
    state: present
  with_items: "{{ backups_role_user_groups.split(',') }}"
  when: backups_role_user_groups != ''

- name: Ensure restricted user for backups exists
  user:
    name: "{{ backups_role_user_name }}"
    group: "{{ backups_role_user_group }}"
    groups: "{{ backups_role_user_groups }}"
    system: true
    state: present
  when: backups_role_user_name != 'root'

- name: Ensure directory for backup script exists
  file:
    path: "{{ backups_role_script_dir }}"
    state: directory
    owner: "{{ backups_role_user_name }}"
    group: "{{ backups_role_user_group }}"
    mode: 0775

- name: Install backup script
  template:
    src: "cron-main.sh.j2"
    dest: "{{ backups_role_script_path }}"
    owner: "{{ backups_role_user_name }}"
    group: "{{ backups_role_user_group }}"
    mode: 0775

- name: Ensure postgresql "role" for backups exists with limited access to db
  postgresql_user:
    db: "{{ item }}"
    name: "{{ backups_role_postgresql_user_name }}"
    password: "{{ backups_role_postgresql_user_password }}"
    # This provides '{{ name  }}=c/{{ become_user }}' in {{ db }} database
    # Plus any other access it can have through privileges granted to PUBLIC
    # This `priv` key is not flexible enough to grant SELECT priv on *any* table
    # inside database. Thus, we do it in two steps.
    priv: "CONNECT"
  become: true
  become_user: "{{ postgresql_user }}"
  with_items: "{{ backups_role_db_names }}"
  when: _backups_role_postgresql_enabled

- name: Grant USAGE priv on public schema
  postgresql_privs:
    db: "{{ backups_role_db_names[0] }}"
    role: "{{ backups_role_postgresql_user_name }}"
    privs: USAGE
    type: schema
    objs: public
  become: true
  become_user: "{{ postgresql_user }}"
  when: _backups_role_postgresql_enabled

- name: Include taskfile for postgresql privileges
  include_tasks: postgresql_privs.yml
  loop: "{{ backups_role_db_names }}"
  loop_control:
    loop_var: _db_name
  when: _backups_role_postgresql_enabled

- name: Let backup user to use `{{ backups_role_sudoers_cmd_pattern }}` as root
  template:
    src: "sudoers.j2"
    dest: "/etc/sudoers.d/90-backup-user"
    mode: 0440
    group: "root"
  when: _backups_role_sudoers_enabled

- name: Install restic and configure restic repository
  include_role:
    name: vendor/coopdevs.restic-role
  vars:
    restic_version: "{{ backups_role_restic_version }}"
    restic_user: "{{ backups_role_user_name }}"
    restic_group: "{{ backups_role_user_group }}"
    restic_cron_stdout_file: "{{ backups_role_cron_stdout_file }}"
    restic_cron_stderr_file: "{{ backups_role_cron_stderr_file }}"
    restic_repos:
    - "{{ backups_role_restic_repo }}"


# Adding this user to docker group can have security issues when docker
# manages other containers too, but it's better than running docker from root.
- name: User to execute the manage docker on behalf of monitoring
  become: true
  user:
    name: "{{ backups_role_user_name }}"
    state: present
    shell: /bin/bash
    home: "/home/{{ backups_role_user_name }}"

- name: Install docker
  include_role:
    name: geerlingguy.docker
  vars:
    docker_users:
      - "{{ backups_role_user_name }}"

- name: Working directory
  file:
    state: directory
    path: "/home/{{ backups_role_user_name }}"
    owner: "{{ backups_role_user_name }}"

- name: Working directory
  file:
    state: directory
    path: "/home/{{ backups_role_user_name }}"
    owner: "{{ backups_role_user_name }}"

- name: Render template for the docker-compose file.
  template:
    src: backup-docker-compose.yml.j2
    dest: "/home/{{ backups_role_user_name }}/docker-compose.yml"
    owner: "{{ backups_role_user_name }}"


- name: Bring up the containers
  command: docker compose up -d # noqa: 304
  become: true
  become_user: "{{ backups_role_user_name }}"
  args:
    chdir: "/home/{{ backups_role_user_name }}"
  changed_when: false