Rootless restic

config.flaudisio.yml

@@ -56,9 +56,26 @@ dotfiles_post_commands:
   - cmd: pre-commit init-templatedir ~/.git-template
     creates: ~/.git-template
 
+# restic
+restic_configure_non_root_capabilities: true
+restic_bin_owner: root
+restic_bin_group: "{{ __current_user }}"
+restic_bin_mode: "0750"
+
 # resticprofile
 resticprofile_symlink_name: rp
 
+resticprofile_user: "{{ __current_user }}"
+
+resticprofile_log_dir: "{{ '~/.local/share/resticprofile/logs' | expanduser }}"
+
+resticprofile_log_owner: "{{ __current_user }}"
+resticprofile_log_group: "{{ __current_user }}"
+
+resticprofile_config_dir: "{{ '~/.config/resticprofile' | expanduser }}"
+resticprofile_config_owner: "{{ __current_user }}"
+resticprofile_config_group: "{{ __current_user }}"
+
 resticprofile_config_templates:
   - src: "{{ __templates_dir }}/resticprofile/.env.j2"
     sensitive: true

roles/local/restic/defaults/main.yml

@@ -9,6 +9,12 @@ restic_archive_url: >-
 restic_sha256sums_url: >-
   https://github.com/restic/restic/releases/download/v{{ restic_version }}/SHA256SUMS
 
+# Ref: https://restic.readthedocs.io/en/stable/080_examples.html#backing-up-your-system-without-running-restic-as-root
+restic_configure_non_root_capabilities: false
+
 restic_bin_path: /usr/local/bin/restic
+restic_bin_owner: root
+restic_bin_group: root
+restic_bin_mode: "0755"
 
 restic_configure_bash_completion: true

roles/local/restic/tasks/main.yml

@@ -31,19 +31,28 @@
       ansible.builtin.shell: >
         bzip2 --decompress --stdout '{{ _archive_local_file }}' > '{{ restic_bin_path }}'
 
-    - name: Ensure binary file has the correct permissions
-      ansible.builtin.file:
-        path: "{{ restic_bin_path }}"
-        state: file
-        owner: root
-        group: root
-        mode: "0755"
-
     - name: Remove temporary directory
       ansible.builtin.file:
         path: "{{ _temp_dir.path }}"
         state: absent
 
+- name: Set binary file permissions
+  ansible.builtin.file:
+    path: "{{ restic_bin_path }}"
+    state: file
+    owner: "{{ restic_bin_owner }}"
+    group: "{{ restic_bin_group }}"
+    mode: "{{ restic_bin_mode }}"
+
+- name: Configure non-root user capabilities on binary file
+  community.general.capabilities:
+    path: "{{ restic_bin_path }}"
+    capability: cap_dac_read_search=+ep
+    state: "{{ (restic_configure_non_root_capabilities | bool) | ternary('present', 'absent') }}"
+  # Module is not idempotent, ignore changes for now
+  # Ref: https://github.com/ansible-collections/community.general/issues/4067
+  changed_when: false
+
 - name: Configure Bash completion
   ansible.builtin.command: >
     {{ restic_bin_path }} generate --bash-completion /etc/bash_completion.d/restic

roles/local/resticprofile/defaults/main.yml

@@ -11,9 +11,13 @@ resticprofile_bin_path: /usr/local/bin/resticprofile
 resticprofile_symlink_name: ""
 
 resticprofile_log_dir: /var/log/resticprofile
+resticprofile_log_owner: root
+resticprofile_log_group: root
 
 resticprofile_config_dir: /etc/resticprofile
 resticprofile_config_file: "{{ resticprofile_config_dir }}/profiles.yaml"
+resticprofile_config_owner: root
+resticprofile_config_group: root
 resticprofile_config_inline: {}
 resticprofile_config_templates: []
 

roles/local/resticprofile/tasks/main.yml

@@ -34,8 +34,8 @@
   ansible.builtin.file:
     path: "{{ resticprofile_log_dir }}"
     state: directory
-    owner: root
-    group: root
+    owner: "{{ resticprofile_log_owner }}"
+    group: "{{ resticprofile_log_group }}"
     mode: "0755"
   tags: resticprofile:install
 
@@ -53,17 +53,17 @@
   ansible.builtin.file:
     path: "{{ resticprofile_config_dir }}"
     state: directory
-    owner: root
-    group: root
+    owner: "{{ resticprofile_config_owner }}"
+    group: "{{ resticprofile_config_group }}"
     mode: "0755"
   tags: resticprofile:config
 
 - name: Render config templates
   ansible.builtin.template:
     src: "{{ tpl_src }}"
     dest: "{{ resticprofile_config_dir ~ '/' ~ tpl_dest }}"
-    owner: root
-    group: root
+    owner: "{{ resticprofile_config_owner }}"
+    group: "{{ resticprofile_config_group }}"
     mode: "{{ is_sensitive | ternary('0600', '0644') }}"
     lstrip_blocks: true
   no_log: "{{ is_sensitive }}"
@@ -81,8 +81,8 @@
   ansible.builtin.template:
     src: profiles.yaml.j2
     dest: "{{ resticprofile_config_file }}"
-    owner: root
-    group: root
+    owner: "{{ resticprofile_config_owner }}"
+    group: "{{ resticprofile_config_group }}"
     mode: "0644"
     lstrip_blocks: true
   when: resticprofile_config_inline != {}
@@ -94,6 +94,7 @@
   loop: "{{ resticprofile_enable_schedules }}"
   register: _rp_schedule_status
   changed_when: false
+  become: "{{ '/home' not in resticprofile_config_dir }}"
   tags: resticprofile:schedule
 
 - name: Configure enabled schedules
@@ -109,6 +110,7 @@
     new_schedule_stdout: "{{ _rp_new_schedule.stdout_lines }}"
     new_schedule_normalized: "{{ new_schedule_stdout | select('match', '.*Normalized form.*') | sort }}"
   when: item not in resticprofile_disable_schedules
+  become: "{{ '/home' not in resticprofile_config_dir }}"
   tags: resticprofile:schedule
 
 - name: Remove disabled schedules
@@ -118,4 +120,5 @@
   register: _rp_unschedule
   changed_when: >
     'no scheduled jobs found' not in _rp_unschedule.stdout
+  become: "{{ '/home' not in resticprofile_config_dir }}"
   tags: resticprofile:schedule

roles/local/resticprofile/templates/logrotate.j2

@@ -7,5 +7,5 @@
   delaycompress
   missingok
   notifempty
-  create 644 root root
+  create 644 {{ resticprofile_log_owner }} {{ resticprofile_log_group }}
 }

templates/resticprofile/profiles.yaml.j2

@@ -12,8 +12,6 @@ global:
   restic-stale-lock-age: 12h
   schedule-defaults:
     ignore-on-battery-less-than: 30
-    permission: system
-    after-network-online: true
     lock-wait: 15m
     log: {{ resticprofile_log_dir }}/{{ '{{ .Profile.Name }}' }}.log
 
@@ -34,7 +32,7 @@ global:
       - includes.txt
     run-after-fail:
       - >-
-        /home/flaudisio/.local/bin/notify-send-as-user.sh --expire-time 0 --icon dialog-error
+        notify-send --expire-time 0 --icon dialog-error
         "resticprofile backup error"
         "See execution logs in {{ resticprofile_log_dir }}/{{ '{{ .Profile.Name }}' }}.log"
       # - >-