2025-08-07 13:46:53 +02:00
41 changed files with 571 additions and 1049 deletions
--- a/.ansible-lint
+++ b/.ansible-lint
@ -1,3 +0,0 @@
 ---
 skip_list:
  - fqcn-builtins
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@ -8,9 +8,9 @@ jobs:
    steps:
    - uses: actions/checkout@v2
    - name: Set up Python
-      uses: actions/setup-python@v4
+      uses: actions/setup-python@v1
      with:
-        python-version: "3.10"
+        python-version: 3.8
    - name: Install Molecule
      run: |
        pip install -U pip setuptools wheel
--- a/.gitignore
+++ b/.gitignore
@ -1 +0,0 @@
 .cache
--- a/EXAMPLES.md
+++ b/EXAMPLES.md
@ -1,130 +0,0 @@
 # Additional Examples
 ## Custom SSH key for backups only
 ```
 - hosts: webservers
  roles:
  - role: borgbase.ansible_role_borgbackup
    borg_encryption_passphrase: CHANGEME
    borg_repository: ssh://m5vz9gp4@m5vz9gp4.repo.borgbase.com/./repo
    borgmatic_timer: systemd
    borg_ssh_key_name: id_backup
    borg_ssh_key_comment: backup key
    borg_ssh_command: "ssh -i {{ borg_ssh_key_file_path }} -o StrictHostKeyChecking=accept-new"
    borg_user: backupuser
    borg_group: backupuser
 ```
 ## Use service user and copy SSH key to target server
 Installs and configures the Borgmatic client and also initializes the repo on the
 remote backup server. (not tested)
 ```
 - name: Configure backup
  hosts: test.lab
  pre_tasks:
  - name: Get home of {{ borg_user }}
    ansible.builtin.user:
      name: "{{ borg_user }}"
      state: present
    register: user_info
    changed_when: false
    check_mode: true  # Important, otherwise user will be created
  - name: Save the user_info, we need them for the home_dir
    ansible.builtin.set_fact:
      backup_user_info: "{{ user_info }}"
  vars_files: []
  vars:
    borg_encryption_passphrase: "CHANGEME"
    borg_repository: "USER@TARGET_SERVER:/PATH/TO/BACKUP"
    borg_user: "srv_backup"
    borg_group: "srv_backup"
    borg_ssh_key_name: id_backup
    borg_ssh_command: "ssh -i {{ borg_ssh_key_file_path }} -o StrictHostKeyChecking=accept-new"
    borgmatic_timer: systemd
    borg_source_directories:
      - /srv/www
      - /var/lib/automysqlbackup
    borg_exclude_patterns:
      - /srv/www/old-sites
    borg_retention_policy:
      keep_hourly: 3
      keep_daily: 7
      keep_weekly: 4
      keep_monthly: 6
    borgmatic_hooks:
      before_backup:
      - echo "`date` - Starting backup."
  tasks:
    - name: Configure Borg Backup and Backupmatic
      tags:
        - always
        - install_backup
      ansible.builtin.include_role:
        name: ansible_role_borgbackup
        apply:
          tags:
            - always
    - name: Copy SSH-Key to Target {{ borg_repository }} and Init Repo
      tags:
        - never
        - backup_init_repo
      block:
        - name: Read ssh key
          ansible.builtin.slurp:
            src: "{{ borg_ssh_key_file_path }}.pub"
          register: backup_local_ssh_key
        - name: Set authorized key taken from file
          ansible.posix.authorized_key:
            # example:
            #   borg_repository: m5vz9gp4@m5vz9gp4.repo.borgbase.com:repo
            #   have three parts: "username"@"FQDN":"path/to/store/backup", specific:
            #     a) user: m5vz9gp4
            #     b) fqdn: m5vz9gp4.repo.borgbase.co
            #     c) dir: repo
            user: "{{ borg_repository | regex_search('(.*)@', '\\1') | first }}" # part a)
            state: present
            key: "{{ backup_local_ssh_key['content'] | b64decode }}"
          delegate_to: "{{ borg_repository | regex_search('@(.*):', '\\1') | first }}" # part b)
        - name: Init repository
          ansible.builtin.command:
            cmd: "su - {{ borg_user }} -c '/usr/local/bin/borgmatic rcreate --encryption keyfile --append-only'"
    - name: Activate systemd service and timer
      when:
        - borgmatic_timer is defined and borgmatic_timer == "systemd"
      tags:
        - never
        - backup_init_repo
      block:
        - name: Populate service facts
          ansible.builtin.service_facts:
        - name: Start borgmatic services
          ansible.builtin.systemd:
            name: "{{ item }}"
            state: started
            enabled: true
            masked: false
            daemon_reload: true
          when: "item in services"
          with_items:
            - borgmatic.service
        # bug: Need own section without masked else the timer are skipped
        - name: Start borgmatic timers
          ansible.builtin.systemd:
            name: "{{ item }}"
            state: started
            enabled: true
            daemon_reload: true
          with_items:
            - "borgmatic.timer"
 ```
--- a/README.md
+++ b/README.md
@ -1,36 +1,35 @@
 # Ansible Role: BorgBackup Client
-[![Test](https://github.com/borgbase/ansible-role-borgbackup/actions/workflows/main.yml/badge.svg)](https://github.com/borgbase/ansible-role-borgbackup/actions/workflows/main.yml) [![Ansible Galaxy](https://img.shields.io/ansible/role/d/borgbase/ansible_role_borgbackup?logo=ansible&color=5cbec1&label=Ansible%20Galaxy)](https://galaxy.ansible.com/ui/standalone/roles/borgbase/ansible_role_borgbackup/)
+[![Test](https://github.com/borgbase/ansible-role-borgbackup/actions/workflows/main.yml/badge.svg)](https://github.com/borgbase/ansible-role-borgbackup/actions/workflows/main.yml) [![Ansible Galaxy](https://img.shields.io/ansible/role/48519)](https://galaxy.ansible.com/m3nu/ansible_role_borgbackup)
-Set up encrypted, compressed and deduplicated backups using [BorgBackup](https://borgbackup.readthedocs.io/en/stable/) and [Borgmatic](https://github.com/witten/borgmatic). Currently supports Debian/Ubuntu, CentOS/Red Hat/Fedora, Archlinux and Manjaro.
+Set up encrypted, compressed and deduplicated backups using [BorgBackup](https://borgbackup.readthedocs.io/en/stable/) and [Borgmatic](https://github.com/witten/borgmatic). Currently supports Debian/Ubuntu and CentOS/Red Hat.
-Works great with [BorgBase.com](https://www.borgbase.com) - Simple and Secure Hosting for your Borg Repositories. To manage BorgBase repos via Ansible, also see Andy Hawkins' [BorgBase Collection](https://galaxy.ansible.com/adhawkins/borgbase).
+Works great with [BorgBase.com](https://www.borgbase.com) - Simple and Secure Hosting for your Borg Repositories.
-**Main features**
+Main features:
- Install Borg and Borgmatic from PyPi or distro packages
+- Set up Borg and Borgmatic
- Set up Borgmatic config
+- Add cron job at random time
- Schedule regular backups using Cron or Systemd timer
+- Provision new remote [BorgBase.com](https://www.borgbase.com) repo for storing backups (optional)
 ## Breaking changes
 - Older versions of this role set up a separate Cron job for creating and checking
  backups. With recent Borgmatic version, this feature is now managed in Borgmatic.
  As a result the extra Cron job will be removed by this role.
 - Older versions of this role only supported Cron for scheduling. If you use
  Systemd timers, be sure to remove the Cron job in `/etc/cron.d/borgmatic` first.
  The role will also alert you when trying to use both timers.
-## Example playbook with root as backup user, using the distro package and Cron timer
+## Example Playbook
 ```
- hosts: all
+- hosts: webservers
  roles:
-  - role: borgbase.ansible_role_borgbackup
+  - role: m3nu.ansible_role_borgbackup
    borg_install_method: package
    borg_encryption_passphrase: CHANGEME
-    borg_repository:
+    borg_repository: m5vz9gp4@m5vz9gp4.repo.borgbase.com:repo
      - ssh://xxxxxx@xxxxxx.repo.borgbase.com/./repo
    borg_source_directories:
-      - /var/www
+      - /srv/www
      - /var/lib/automysqlbackup
    borg_exclude_patterns:
      - /srv/www/old-sites
    borg_retention_policy:
      keep_hourly: 3
      keep_daily: 7
      keep_weekly: 4
      keep_monthly: 6
    borgmatic_hooks:
      before_backup:
      - echo "`date` - Starting backup."
@ -38,38 +37,20 @@ Works great with [BorgBase.com](https://www.borgbase.com) - Simple and Secure Ho
      - name: users
        hostname: database1.example.org
        port: 5433
 ```
 ## Example playbook with service user and Systemd timer
 ```
 - hosts: all
  roles:
  - role: borgbase.ansible_role_borgbackup
    borg_encryption_passphrase: CHANGEME
    borg_repository: ssh://xxxxxx@xxxxxx.repo.borgbase.com/./repo
    borgmatic_timer: systemd
    borg_user: "backupuser"
    borg_group: "backupuser"
    borg_source_directories:
      - /var/www
    borg_retention_policy:
      keep_hourly: 3
      keep_daily: 7
      keep_weekly: 4
      keep_monthly: 6
 ```
 ## Installation
 Download from Ansible Galaxy
 ```
-$ ansible-galaxy install borgbase.ansible_role_borgbackup
+$ ansible-galaxy install m3nu.ansible_role_borgbackup
 ```
-Clone latest version from Github
+Clone to local folder
 ```
 $ git clone https://github.com/borgbase/ansible-role-borgbackup.git roles/ansible_role_borgbackup
 ```
@ -77,50 +58,77 @@ $ git clone https://github.com/borgbase/ansible-role-borgbackup.git roles/ansibl
 ## Role Variables
-### Required Variables
+### Required Arguments
- `borg_repository`: Full path to repository. Your own server or [BorgBase.com](https://www.borgbase.com) repo.
+- `borg_repository`: Full path to repository. Your own server or [BorgBase.com](https://www.borgbase.com) repo. Not required when using auto creation of repositories. Can be a list if you want to backup to multiple repositories.
-  Can be a list if you want to backup to multiple repositories.
+- `borg_source_directories`: List of local folders to back up.
-### Optional Variables
+### Optional Arguments
 - `borg_dep_packages`: Dependency Packages to install `borg(backup)` and `borgmatic`.
 - `borg_distro_packages`: contains the names of distributions packages for `borg(backup)` and `borgmatic`, only used if `borg_install_method` is set to `package`.
 - `borg_encryption_passcommand`: The standard output of this command is used to unlock the encryption key.
 - `borg_encryption_passphrase`: Password to use for repokey or keyfile. Empty if repo is unencrypted.
 - `borg_exclude_from`: Read exclude patterns from one or more separate named files, one pattern per line.
 - `borg_exclude_patterns`: Paths or patterns to exclude from backup. See [official documentation](https://borgbackup.readthedocs.io/en/stable/usage/help.html#borg-help-patterns) for more.
 - `borg_install_method`: By default `pip` is used to install borgmatic. To install via your distributions package manager set this to `package` and (if needed) overwrite the `borg_distro_packages` variable to contain your distributions package names required to install borgmatic. Note that many distributions ship outdated versions of borgbackup and borgmatic; use at your own risk. `none` completely disables installation management.
 - `borg_require_epel`: When using `borg_install_method: package` on RHEL-based distributions, the EPEL repo is required. To disable the check (e.g. when using a custom mirror instead of the `epel-release` package), set this to `false`. Defaults to `{{ ansible_os_family == 'RedHat' and ansible_distribution != 'Fedora' }}` (i.e. `true` on Enterprise Linux-based distros).
 - `borg_lock_wait_time`: Config maximum seconds to wait for acquiring a repository/cache lock. Defaults to 5 seconds.
 - `borg_one_file_system`: Don't cross file-system boundaries. Defaults to `true`
 - `borg_pip_packages`: Dependancy Packages (pip) to install `borg(backup)` and `borgmatic`.
 - `borg_remote_path`: Path to the borg executable on the remote. It will default to `borg`.
 - `borg_remote_rate_limit`: Remote network upload rate limit in kiBytes/second.
 - `borg_retention_policy`: Retention policy for how many backups to keep in each category (daily, weekly, monthly, etc).
- `borg_source_directories`: List of local folders to back up. Default is `/etc/hostname` to prevent an empty backup.
+- `borg_ssh_command`: Command to use instead of just "ssh". This can be used to specify ssh options.
 - `borg_ssh_key_name`: Name of the SSH public and pivate key. Default `id_ed25519`
 - `borg_ssh_key_file_path`: SSH-key to be used. Default `~/.ssh/{{ borg_ssh_key_name }}`
 - `borg_ssh_key_type`: The algorithm used to generate the SSH private key. Choose: `rsa`, `dsa`, `rsa1`, `ecdsa`, `ed25519`. Default: `ed25519`
 - `borg_ssh_key_comment`: Comment added to the SSH public key.
 - `borg_ssh_command`: Command to use instead of just "ssh". This can be used to specify SSH options.
 - `borg_version`: Force a specific borg version to be installed
 - `borg_venv_path`: Path to store the venv for `borg(backup)` and `borgmatic`
 - `borgmatic_check_last`: Number of archives to check. Defaults to `3`
- `borgmatic_checks`: List of consistency checks. Defaults to monthly checks. See [docs](https://torsion.org/borgmatic/docs/how-to/deal-with-very-large-backups/#check-frequency) for all options.
+- `borgmatic_checks`: List of consistency checks. Defaults to `['repository']`
- `borgmatic_config_name`: Name to use for the Borgmatic config file. Defaults to `config.yaml`
+- `borgmatic_config_name`: Name to use for the borgmatic config file. Defaults to `config.yaml`
- `borgmatic_timer_hour`: Hour when regular create and prune cron/systemd-timer job will run. Defaults to `{{ 6 | random }}`
+- `borgmatic_cron_checks_day`: Day when cron job for infrequent checks will run. Defaults to `{{ 28 | random }}`
- `borgmatic_timer_minute`: Minute when regular create and prune cron/systemd-timer job will run. Defaults to  `{{ 59 | random }}`
+- `borgmatic_cron_checks_hour`: Hour when cron job for infrequent checks will run. Defaults to `{{ range(7, 24) | random }}`
- `borgmatic_timer_flags`: Flags to pass to borgmatic cron/systemd-timer job, like "--log-file /path/to/file.log --log-file-verbosity 2"
+- `borgmatic_cron_checks_minute`: Minute when cron job for infrequent checks will run. Defaults to  `{{ 59 | random }}`
 - `borgmatic_cron_hour`: Hour when regular create and prune cron job will run. Defaults to `{{ 6 | random }}`
 - `borgmatic_cron_minute`: Minute when regular create and prune cron job will run. Defaults to  `{{ 59 | random }}`
 - `borgmatic_hooks`: Hooks to monitor your backups e.g. with [Healthchecks](https://healthchecks.io/). See [official documentation](https://torsion.org/borgmatic/docs/how-to/monitor-your-backups/) for more.
- `borgmatic_timer`: If the variable is set, a timer is installed. A choice must be made between `cron` and `systemd`.
+- `borgmatic_large_repo`: Less frequent, monthly repo checking. Defaults to `true`
 - `borgmatic_relocated_repo_access_is_ok`: Bypass Borg error about a repository that has been moved. Defaults to `false`
 - `borgmatic_unknown_unencrypted_repo_access_is_ok`: Bypass Borg error about a previously unknown unencrypted repository. Defaults to `false`
 - `borgmatic_store_atime`: Store atime into archive. Defaults to `true`
 - `borgmatic_store_ctime`: Store ctime into archive. Defaults to `true`
- `borgmatic_version`: Force a specific borgmatic version to be installed
+- `ssh_key_file`: Path to a private ssh key file (default is `.ssh/id_ed25519`). It generates a ed25519 key if the file doesn't exist yet.
- `borg_user`: Name of the User to create Backups (service account)
+
- `borg_group`: Name of the Group to create Backups (service account)
+### Optional Arguments for [BorgBase.com](https://www.borgbase.com) repository auto creation
 This role can also set up a new repository on BorgBase, using the arguments below. Thanks to [Philipp Rintz](https://github.com/p-rintz) for contribution of this feature.
 - `create_repo`: Whether to let the role create the repository for the server. Default: False
 - `bb_token`: Your [BorgBase.com](https://www.borgbase.com) API-Token. Should be Create Only for security reasons.
 - `bb_region`: Which region the backups should be saved in. Choice: "eu" or "us".
 - `bb_new_sshkey`: Whether to use the automatically created SSH_key. Default: True
 - `bb_sshkey`: If there is a key already available on [BorgBase.com](https://www.borgbase.com) that should be used, it can be set with this variable. The key needs to be exactly the same, including key-comment.
 - `bb_append`: Should the permission of the newly created repository be append only? Default: True
 - `bb_quota`: To use a quota for the Server. Default: False
 - `bb_quota_size`: Will need to be set if `bb_quota` is set to True. In Gigabyte.
 - `bb_alertdays`: After how many days of no backup activity should alerts be sent out? Defaults to off.
 - `bb_repo_name`: What name the created repository should have. Defaults to the inventory_hostname.
 ### Use BorgBase Module Standalone
 You can also use the BorgBase-Ansible module directly if needed:
 ```
 - name: Create new repository for server in EU with new SSH_key and quota
  borgbase:
    repository_name: "{{ inventory_hostname }}"
    token: "Your Borgbase API Token"
    new_ssh_key: True
    ssh_key: "{{ some_variable }}"
    append_only: True
    quota_enable: True
    quota: 1000 #in GB
    region: eu
    alertdays: 2
  delegate_to: localhost
 ```
 ## Planned features
 - [x] Testing
 - [ ] Multiple repos in one role-call instead of callng this role multiple times.
 - [ ] Support more OSs, like Red Hat/Fedora/CentOS, SuSE, Gentoo, Slackware, Arch, BSD
 ## Contributing
@ -138,4 +146,4 @@ MIT/BSD
 ## Author
-© 2018-2023 Manuel Riel and contributors.
+© 2018-2020 Manuel Riel and contributors.
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -1,14 +1,25 @@
 ---
 borg_encryption_passphrase: ''
 borg_exclude_patterns: []
 borgmatic_config_name: config.yaml
 borgmatic_large_repo: true
 borgmatic_hooks:
  on_error:
  - echo "`date` - Error while creating a backup."
  before_backup:
  - echo "`date` - Starting backup."
  after_backup:
  - echo "`date` - Finished backup."
 borgmatic_checks:
  - repository
 borgmatic_check_last: 3
 borgmatic_store_atime: true
 borgmatic_store_ctime: true
 borgmatic_relocated_repo_access_is_ok: false
 borg_one_file_system: true
 borg_exclude_from: []
 borg_encryption_passcommand: false
 borg_lock_wait_time: 5
 borg_ssh_key_type: "ed25519"
 borg_ssh_key_name: "id_{{ borg_ssh_key_type }}"
 borg_ssh_key_comment: ''
 borg_ssh_key_file_path: "{{ backup_user_info.home }}/.ssh/{{ borg_ssh_key_name }}"
 borg_ssh_command: false
 borg_remote_path: false
 borg_remote_rate_limit: 0
@ -17,38 +28,18 @@ borg_retention_policy:
  keep_daily: 7
  keep_weekly: 4
  keep_monthly: 6
-borg_version: false
+create_repo: False
-borgmatic_timer_cron_name: "borgmatic"
+ssh_key_file: .ssh/id_ed25519
-borgmatic_timer: cron
+bb_new_sshkey: True
-borgmatic_timer_hour: "{{ range(0, 5) | random(seed=inventory_hostname) }}"
+bb_append: True
-borgmatic_timer_minute: "{{ range(0, 59) | random(seed=inventory_hostname) }}"
+bb_quota: False
-borgmatic_timer_flags: ""
+bb_quota_size: 0
-borg_install_method: "pip"
+bb_alertdays: 0
-borg_require_epel: "{{ ansible_os_family == 'RedHat' and ansible_distribution != 'Fedora' }}"
+bb_repo_name: "{{ inventory_hostname }}"
-
+bb_sshkey: "{{ root_user['ssh_public_key'] }}"
-borgmatic_config_name: config.yaml
+borgmatic_cron_name: borgmatic
-borgmatic_hooks:
+borgmatic_cron_hour: "{{ 6 | random(seed=inventory_hostname) }}"
-  on_error:
+borgmatic_cron_minute: "{{ 59 | random(seed=inventory_hostname) }}"
-    - echo "`date` - Error while creating a backup."
+borgmatic_cron_checks_day: "{{ range(1, 28) | random(seed=inventory_hostname) }}"
-  before_backup:
+borgmatic_cron_checks_hour: "{{ range(9, 24) | random(seed=inventory_hostname) }}"
-    - echo "`date` - Starting backup."
+borgmatic_cron_checks_minute: "{{ 59 | random(seed=inventory_hostname) }}"
  after_backup:
    - echo "`date` - Finished backup."
 borgmatic_checks:
  - name: repository
    frequency: "4 weeks"
  - name: archives
    frequency: "6 weeks"
 borgmatic_check_last: 3
 borgmatic_store_atime: true
 borgmatic_store_ctime: true
 borgmatic_relocated_repo_access_is_ok: false
 borgmatic_unknown_unencrypted_repo_access_is_ok: false
 borgmatic_version: ">=1.7.11"
 borg_venv_path: "/opt/borgmatic"
 borg_user: "root"
 borg_group: "root"
 backup_user_info:
  home: "/home/{{ borg_user }}"
 ...
--- a/library/borgbase.py
+++ b/library/borgbase.py
@ -0,0 +1,215 @@
 #!/usr/bin/python
 DOCUMENTATION = '''
 ---
 module: borgbase
 author: "Philipp Rintz (https://github.com/p-rintz)"
 short_description: Ansible module for creating new repositories with borgbase.com
 description:
  - Ansible Module for creating new repositories with borgbase.com including adding new ssh keys
 version_added: "2.6"
 '''
 EXAMPLES = '''
 - name: Create new repository for server in EU with new SSH_key and quota
  borgbase:
    repository_name: "{{ inventory_hostname }}"
    token: "Your Borgbase API Token"
    new_ssh_key: True
    ssh_key: "{{ some_variable }}"
    append_only: True
    quota_enable: True
    quota: 1000 #in GB
    region: eu
    alertdays: 2
  delegate_to: localhost
 - name: Create new repository without new key and no quota/alerting in US region
  borgbase:
    repository_name: "{{ inventory_hostname }}"
    token: "Your Borgbase API Token"
    new_ssh_key: False
    ssh_key: "ssh-ed25519 AAAAC3Nz......aLqRJw+dl/E+2BJ xxx@yyy"
    region: us
  delegate_to: localhost
 '''
 from ansible.module_utils.basic import *
 from ansible.module_utils.borgbase_api_client.client import GraphQLClient
 from ansible.module_utils.borgbase_api_client.mutations import *
 from ansible.module_utils.borgbase_api_client.queries import *
 def get_key_id(ssh_key):
    res = client.execute(KEY_DETAILS)
    for i  in res['data']['sshList']:
        if i['keyData'] == ssh_key:
            key_id = i['id']
    return key_id
 def add_ssh_key():
    key_name = 'Key for %s' % (module.params['repository_name'],)
    new_key_vars = {
        'name': key_name,
        'keyData': module.params['ssh_key']
    }
    res = client.execute(SSH_ADD, new_key_vars)
    new_key_id = res['data']['sshAdd']['keyAdded']['id']
    return new_key_id
 def add_repo(key_id):
    if module.params['append_only']:
        access_level = 'appendOnlyKeys'
    else:
        access_level = 'fullAccessKeys'
    if not module.params['quota_enable']:
        new_repo_vars = {
            'name': module.params['repository_name'],
            'quotaEnabled': module.params['quota_enable'],
            access_level: [key_id],
            'alertDays': module.params['alertdays'],
            'region': module.params['region']
        }
    else:
        new_repo_vars = {
            'name': module.params['repository_name'],
            'quotaEnabled': module.params['quota_enable'],
            'quota': 1000*module.params['quota'],
            access_level: [key_id],
            'alertDays': module.params['alertdays'],
            'region': module.params['region']
        }
    res = client.execute(REPO_ADD, new_repo_vars)
    return res
 def get_repo_id(name):
    res = client.execute(REPO_DETAILS)
    for repo in res['data']['repoList']:
        if repo['name'] == name:
            repo_id = repo['id']
            return repo_id
    return None
 def edit_repo(repo_id, key_id):
    if module.params['append_only']:
        access_level = 'appendOnlyKeys'
    else:
        access_level = 'fullAccessKeys'
    if not module.params['quota_enable']:
        repo_vars = {
            'id': repo_id,
            'name': module.params['repository_name'],
            access_level: [key_id],
            'alertDays': module.params['alertdays'],
            'region': module.params['region']
        }
    else:
        repo_vars = {
            'id': repo_id,
            'name': module.params['repository_name'],
            'quotaEnabled': module.params['quota_enable'],
            'quota': 1000*module.params['quota'],
            access_level: [key_id],
            'alertDays': module.params['alertdays'],
            'region': module.params['region']
        }
    res = client.execute(REPO_EDIT, repo_vars)
    return res
 def main():
    global module
    module = AnsibleModule(
             argument_spec  = dict(
                    repository_name = dict(
                        type='str',
                        required=True,
                    ),
                    token = dict(
                        required=True,
                        type='str',
                        no_log=True
                    ),
                    new_ssh_key = dict(
                        required=False,
                        default='True',
                        type='bool'
                    ),
                    ssh_key = dict(
                        required=True,
                        type='str'
                    ),
                    append_only = dict(
                        required=False,
                        default='True',
                        type='bool'
                    ),
                    quota_enable = dict(
                        required=False,
                        default='False',
                        type='bool'
                    ),
                    quota = dict(
                        required=False,
                        type='int'
                    ),
                    region = dict(
                        required=True,
                        type='str',
                        choice=["eu", "us"]
                    ),
                    alertdays = dict(
                        required=False,
                        default=0,
                        type='int'
                    )
            )
    )
    global client
    client = GraphQLClient(module.params['token'])
    # Add new SSH key or get ID of old key
    if module.params['new_ssh_key']:
        key_id = add_ssh_key()
    else:
        key_id = get_key_id(module.params['ssh_key'])
    # Check if repo with given name exists
    repo_id = get_repo_id(module.params['repository_name'])
    if repo_id is None:
        # Add new repo using the key
        res = add_repo(key_id)
        repo_exist = False
    else:
        # Edit the repo
        res = edit_repo(repo_id, key_id)
        repo_exist = True
    # Setup information for Ansible
    result = dict(
        changed = False,
        data = '',
        type = '',
        key_id = ''
    )
    # Test for success and change info
    if type(res) == dict:
        result['changed'] = True
        if repo_exist:
            result['data'] = res["data"]["repoEdit"]["repoEdited"]
        else:
            result['data'] = res['data']['repoAdd']['repoAdded']
        result['key_id'] = key_id
        module.exit_json(**result)
    else:
        result['data'] = res
        result['type'] = type(res)
        result['key_id'] = key_id
        module.fail_json(msg="Failed creating new respository.", **result)
 if __name__ == '__main__':
    main()
--- a/meta/argument_specs.yml
+++ b/meta/argument_specs.yml
@ -1,209 +0,0 @@
 argument_specs:
  main:
    # https://docs.ansible.com/ansible/latest/user_guide/playbooks_reuse_roles.html#role-argument-validation
    # https://docs.ansible.com/ansible/latest/dev_guide/developing_program_flow_modules.html#argument-spec
    short_description: Role to install borgbackup and borgmatic.
    description: Role to install borgbackup and borgmatic
    author:
      - 2018-2020 Manuel Riel and contributors.
      - Frank Dornheim
    options:
      borg_dep_packages:
        type: str
        required: false
        description: Dependancy Packages to install borg(backup) and borgmatic.
      borg_distro_packages:
        type: str
        required: false
        description: |
          Contains the names of distributions packages for borg(backup) and borgmatic,
          only used if `borg_install_method` is set to package
      borg_pip_packages:
        type: str
        required: false
        description: Dependancy Packages (pip) to install borg(backup) and borgmatic.
      borg_venv_path:
        type: str
        required: false
        description: Path to store the venv for borg(backup) and borgmatic.
      borg_install_method:
        type: str
        required: false
        default: pip
        description: |
          By default pip is used to install borgmatic.
          To install via your distributions package manager set this to package and (if needed)
          overwrite the borg_distro_packages variable to contain your distributions package names
          required to install borgmatic.
          Note that many distributions ship outdated versions of borgbackup and borgmatic; use at your own risk.
          Set to none to disable installation management.
      borgmatic_config_name:
        type: str
        required: false
        default: config.yaml
        description: Name to use for the borgmatic config file.
      borg_user:
        type: str
        default: root
        description: Name of the User to create Backups (Service Account)
      borg_group:
        type: str
        default: root
        description: Name of the Group to create Backups (Service Account)
      borg_source_directories:
        type: list
        default: "/etc/hostname"
        required: false
        description: List of local folders to back up.
      borg_one_file_system:
        type: str
        required: false
        description: Don't cross file-system boundaries.
      borg_repository:
        type: str
        required: true
        description: |
          Full path to repository.
          Your own server or [BorgBase.com](https://www.borgbase.com) repo.
          Not required when using auto creation of repositories.
          Can be a list if you want to backup to multiple repositories.
      borgmatic_store_atime:
        type: bool
        required: false
        description: Store atime into archive.
      borgmatic_store_ctime:
        type: bool
        required: false
        description: Store ctime into archive.
      borg_exclude_patterns:
        type: list
        required: false
        description: Any paths matching these patterns are excluded from backups. Globs and tildes are expanded.
      borg_exclude_from:
        type: list
        required: false
        description: Read exclude patterns from one or more separate named files, one pattern per line.
      borg_remote_path:
        type: str
        required: false
        description: Alternate Borg remote executable. Defaults to "borg"
      borg_encryption_passphrase:
        type: str
        description: |
          The standard output of this command is used to unlock the encryption key.
          Only use on repositories that were initialized with passcommand/repokey encryption.
          Note that if both encryption_passcommand and encryption_passphrase are set,
          then encryption_passphrase takes precedence.
      borg_encryption_passcommand:
        type: str
        required: false
        description: secret-tool lookup borg-repository repo-name
      borg_remote_rate_limit:
        type: int
        required: false
        description: Remote network upload rate limit in kiBytes/second.
      borg_ssh_key_file_path:
        type: str
        required: false
        description: Path to ssh-key
      borg_ssh_command:
        type: str
        description: Command to use instead of just ssh. This can be used to specify ssh options.
      borg_lock_wait_time:
        type: int
        description: Maximum seconds to wait for acquiring a repository/cache lock.
      borgmatic_relocated_repo_access_is_ok:
        type: bool
        description: Bypass Borg error about a repository that has been moved.
      borgmatic_unknown_unencrypted_repo_access_is_ok:
        type: bool
        description: Bypass Borg error about a previously unknown unencrypted repository.
      borg_retention_policy:
        type: dict
        description: Define the pruning policy
        options:
          keep_secondly:
            type: int
            required: false
            description: Number of secondly archives to keep.
          keep_minutely:
            type: int
            required: false
            description: Number of minutely archives to keep.
          keep_hourly:
            type: int
            required: false
            description: Number of hourly archives to keep.
          keep_daily:
            type: int
            required: false
            description: Number of daily archives to keep.
          keep_weekly:
            type: int
            required: false
            description: Number of weekly archives to keep.
          keep_monthly:
            type: int
            required: false
            description: Number of monthly archives to keep.
          keep_yearly:
            type: int
            required: false
            description: Number of yearly archives to keep.
      borgmatic_checks:
        type: list
        required: false
        description: |
          List of one or more consistency checks to run
          "repository", "archives", "data", and/or "extract".
          Defaults to "repository" and "archives".
          Set to "disabled" to disable all consistency checks.
          "repository" checks the consistency of the repository,
          "archives" checks all of the archives, "data" verifies
          the integrity of the data within the  archives, and
          "extract" does an extraction dry-run of the  most recent archive.
          Note that "data" implies "archives".
      borgmatic_check_last:
        type: int
        required: false
        description: Restrict the number of checked archives to the last n. Applies only to the "archives" check.
      borgmatic_hooks:
        type: dict
        required: false
        description: Shell commands or scripts to execute before and after a backup or if an error has occurred.
      borgmatic_timer_cron_name:
        type: str
        required: false
        description: Name of the cron Job
      borgmatic_timer:
        type: str
        required: false
        description: If the variable is set, a timer is installed. A choice must be made between "cron" and "systemd".
      borgmatic_timer_hour:
        type: str
        required: false
        description: Hour when regular create and prune cron/systemd-timer job will run.
      borgmatic_timer_minute:
        type: str
        required: false
        description: Minute when regular create and prune cron/systemd-timer job will run.
      borgmatic_timer_flags:
        type: str
        required: false
        description: Flags to pass to borgmatic cron/systemd-timer job, like "--log-file /path/to/file.log --log-file-verbosity 2"
      borgmatic_version:
        type: str
        required: false
        description: Borgmatic version to install. Defaults to 'latest'
      borg_ssh_key_type:
        type: str
        required: false
        description: The algorithm used to generate the SSH private key
      borg_ssh_key_name:
        type: str
        required: false
        description: Name of the SSH public and private key
      borg_ssh_key_comment:
        type: str
        required: false
        description: Comment added to the SSH public key.
--- a/meta/main.yml
+++ b/meta/main.yml
@ -4,19 +4,21 @@ dependencies: []
 galaxy_info:
  author: Manuel Riel
  role_name: ansible_role_borgbackup
-  namespace: borgbase
+  namespace: m3nu
  description: Set up backup to remote machine using Borg and Borgmatic.
  company: "BorgBase.com"
  license: license (BSD, MIT)
-  min_ansible_version: "2.0"
+  min_ansible_version: 2.0
  platforms:
    - name: Debian
      versions:
        - all
    - name: Ubuntu
      versions:
-        - all
+        - trusty
-    - name: ArchLinux
+        - xenial
        - bionic
    - name: Archlinux
      versions:
        - all
  galaxy_tags:
--- a/module_utils/README
+++ b/module_utils/README
@ -0,0 +1,6 @@
 The "borgbase_api_client" folder of the API client repository will need to be put into this folder.
 Folder structure:
 ansible-role-borgbackup/
 |---------------------+ module_utils/
                      |-------- borgbase_api_client/
--- a/molecule/default/Dockerfile.j2
+++ b/molecule/default/Dockerfile.j2
@ -14,10 +14,10 @@ ENV {{ var }} {{ value }}
 {% endfor %}
 {% endif %}
-RUN if [ $(command -v apt-get) ]; then apt-get update && apt-get install -y python3 python3-pip sudo bash ca-certificates iproute2 python3-apt aptitude && apt-get clean; \
+RUN if [ $(command -v apt-get) ]; then apt-get update && apt-get install -y python sudo bash ca-certificates iproute2 python3-apt aptitude && apt-get clean; \
    elif [ $(command -v dnf) ]; then dnf makecache && dnf --assumeyes install /usr/bin/python3 /usr/bin/python3-config /usr/bin/dnf-3 sudo bash iproute && dnf clean all; \
    elif [ $(command -v yum) ]; then yum makecache fast && yum install -y /usr/bin/python /usr/bin/python2-config sudo yum-plugin-ovl bash iproute && sed -i 's/plugins=0/plugins=1/g' /etc/yum.conf && yum clean all; \
    elif [ $(command -v zypper) ]; then zypper refresh && zypper install -y python sudo bash python-xml iproute2 && zypper clean -a; \
    elif [ $(command -v apk) ]; then apk update && apk add --no-cache python sudo bash ca-certificates; \
-    elif [ $(command -v pacman) ]; then pacman --noconfirm -Suy python python-pip sudo openssh; \
+    elif [ $(command -v pacman) ]; then pacman --noconfirm -Suy python sudo openssh; \
    elif [ $(command -v xbps-install) ]; then xbps-install -Syu && xbps-install -y python sudo bash ca-certificates iproute2 && xbps-remove -O; fi
--- a/molecule/default/converge.yml
+++ b/molecule/default/converge.yml
@ -5,13 +5,11 @@
    - name: Set ssh server package name for non-Archlinux ansible_os_family
      set_fact:
        openssh_package: "openssh-server"
        pip3_extra_args: ""
      when: ansible_os_family != "Archlinux"
-    - name: Set ssh server package name and pip3 argument for Archlinux ansible_os_family
+    - name: Set ssh server package name for Archlinux ansible_os_family
      set_fact:
        openssh_package: "openssh"
        pip3_extra_args: "--break-system-packages"
      when: ansible_os_family == "Archlinux"
    - name: Install openssh
@ -19,23 +17,10 @@
        name: "{{ openssh_package }}"
        state: present
    - name: Enable EPEL for yamllint
      package:
        name: epel-release
        state: present
      when: ansible_os_family == 'RedHat' and ansible_distribution != 'Fedora'
    - name: Install yamllint
      package:
        name: yamllint
        state: present
  roles:
-    - role: borgbase.ansible_role_borgbackup
+    - role: m3nu.ansible_role_borgbackup
      borg_install_method: pip
      borgmatic_timer: cron
      borg_repository: m5vz9gp4@m5vz9gp4.repo.borgbase.com:repo
      borg_encryption_passphrase: CHANGEME
      borg_repository: m5vz9gp4@m5vz9gp4.repo.borgbase.com:repo
      borg_source_directories:
        - /srv/www
        - /var/lib/automysqlbackup
@ -53,3 +38,9 @@
        - name: users
          hostname: database1.example.org
          port: 5433
  post_tasks:
  - name: Install yamllint for checking config file
    pip:
      name: yamllint
      executable: pip3
--- a/molecule/default/molecule.yml
+++ b/molecule/default/molecule.yml
@ -6,12 +6,16 @@ driver:
 platforms:
  - name: archlinux-latest
    image: archlinux:latest
-  - name: almalinux-9
+  - name: centos-7
-    image: almalinux:9
+    image: centos:7
-  # - name: fedora-latest
+  - name: almalinux-8
-  #   image: fedora:latest
+    image: almalinux:8
-  - name: debian-bookworm
+  - name: fedora-latest
-    image: debian:bookworm
+    image: fedora:latest
  - name: debian-bullseye
    image: debian:bullseye
  - name: ubuntu-bionic
    image: ubuntu:bionic
  - name: ubuntu-latest
    image: ubuntu:latest
 provisioner:
--- a/requirements-dev.txt
+++ b/requirements-dev.txt
@ -1,4 +1,3 @@
 ansible
 ansible-lint
-molecule
+molecule[lint,docker]
 molecule-plugins[docker]
--- a/tasks/00_assert.yml
+++ b/tasks/00_assert.yml
@ -1,9 +0,0 @@
 ---
 - name: Ensure legacy hooks aren't used
  ansible.builtin.assert:
    that:
      - borgmatic_failure_command is undefined
      - borgmatic_before_backup_command is undefined
      - borgmatic_after_backup_command is undefined
    msg: Please use the new borgmatic_hooks variable instead of individual before/after/failure hooks.
 ...
--- a/tasks/01_install.yml
+++ b/tasks/01_install.yml
@ -1,22 +0,0 @@
 ---
 - name: Install borgbackup
  when: borg_install_method != "none"
  block:
    - name: Include OS-specific variables
      include_vars: "{{ item }}"
      with_first_found:
        - "{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yml"
        - "{{ ansible_os_family }}-{{ ansible_distribution_major_version }}.yml"
        - "{{ ansible_distribution }}.yml"
        - "{{ ansible_os_family }}.yml"
        - "{{ ansible_lsb.id }}.yml"
    - name: Install general dependencies (openssh)
      ansible.builtin.package:
        name: "{{ borg_dep_packages }}"
        state: present
    - name: Install Borg and Borgmatic
      ansible.builtin.include_tasks:
        file: noauto_install_{{ borg_install_method }}.yml
 ...
--- a/tasks/02_user_management.yml
+++ b/tasks/02_user_management.yml
@ -1,25 +0,0 @@
 ---
 # So in different positions in that role we need the user home
 # Since we cannot be sure that this FSH is compatible we will determine it.
 - name: Get home dir
  when:
    - borg_user == "root"
  block:
    - name: Get home if borg_user == "root"
      ansible.builtin.user:
        name: "{{ borg_user }}"
        state: present
      register: user_info
      changed_when: false
      check_mode: true  # Important, otherwise user will be created
    - name: Save the user_info, we need them for the home_dir
      ansible.builtin.set_fact:
        backup_user_info: "{{ user_info }}"
 - name: Create user if borg_user != "root"
  when:
    - borg_user != "root"
  ansible.builtin.include_tasks:
    file: noauto_create_backup_user_and_group.yml
 ...
--- a/tasks/03_create_key.yml
+++ b/tasks/03_create_key.yml
@ -1,29 +0,0 @@
 ---
 - name: Create SSH key (if neeeded) for {{ borg_user }}
  block:
    - name: Ensure directory exist
      ansible.builtin.file:
        path: "{{ backup_user_info.home }}/.ssh/"
        state: directory
        mode: "0700"
        owner: "{{ borg_user }}"
        group: "{{ borg_group }}"
    - name: Generate an OpenSSH keypair
      community.crypto.openssh_keypair:
        path: "{{ borg_ssh_key_file_path }}"
        mode: "0600"
        type: "{{ borg_ssh_key_type }}"
        owner: "{{ borg_user }}"
        group: "{{ borg_group }}"
        comment: "{{ borg_ssh_key_comment }}"
    - name: Read SSH key
      ansible.builtin.slurp:
        src: "{{ borg_ssh_key_file_path }}.pub"
      register: backup_local_ssh_key
    - name: Print key
      ansible.builtin.debug:
        msg: "The generated key is: {{ backup_local_ssh_key['content'] | b64decode }}"
 ...
--- a/tasks/05_configure.yml
+++ b/tasks/05_configure.yml
@ -1,19 +0,0 @@
 ---
 - name: Add Borgmatic config file
  block:
    - name: Ensure /etc/borgmatic exists
      ansible.builtin.file:
        path: /etc/borgmatic
        state: directory
        mode: "0700"
        owner: "{{ borg_user }}"
        group: "{{ borg_group }}"
    - name: Add Borgmatic configuration
      ansible.builtin.template:
        src: config.yaml.j2
        dest: "/etc/borgmatic/{{ borgmatic_config_name }}"
        mode: "0600"
        owner: "{{ borg_user }}"
        group: "{{ borg_group }}"
 ...
--- a/tasks/07_install_timer.yml
+++ b/tasks/07_install_timer.yml
@ -1,8 +0,0 @@
 ---
 - name: Install timer to run Borgmatic
  when:
    - borgmatic_timer is defined and borgmatic_timer | length > 0
  block:
    - name: Start timer install script
      ansible.builtin.include_tasks:
        file: noauto_create_timer_{{ borgmatic_timer }}.yml
--- a/tasks/Archlinux.yml
+++ b/tasks/Archlinux.yml
@ -0,0 +1 @@
 ---
--- a/tasks/Debian.yml
+++ b/tasks/Debian.yml
@ -0,0 +1 @@
 ---
--- a/tasks/RedHat.yml
+++ b/tasks/RedHat.yml
@ -0,0 +1 @@
 ---
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -1,7 +1,158 @@
 ---
- name: Add and run all plays
+- name: Ensure legacy hooks aren't used
-  include_tasks: "{{ bak_element }}"
+  assert:
-  with_items: "{{ lookup('ansible.builtin.fileglob', '*.yml').split(',') | reject('search', 'main.yml') | reject('search', 'noauto_*') | sort }}"
+    that:
-  loop_control:
+      - borgmatic_failure_command is undefined
-    loop_var: bak_element
+      - borgmatic_before_backup_command is undefined
-...
+      - borgmatic_after_backup_command is undefined
    msg: Please use the new borgmatic_hooks variable instead of individual before/after/failure hooks.
 - name: Include OS-specific variables
  include_vars: "{{ item }}"
  with_first_found:
    - "{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yml"
    - "{{ ansible_os_family }}-{{ ansible_distribution_major_version }}.yml"
    - "{{ ansible_distribution }}.yml"
    - "{{ ansible_os_family }}.yml"
    - "{{ ansible_lsb.id }}.yml"
 - name: Run OS-specific tasks
  include: "{{ item }}"
  with_first_found:
    - "{{ ansible_os_family }}-{{ ansible_distribution_major_version }}.yml"
    - "{{ ansible_os_family }}.yml"
 - name: Install required System Packages
  package:
    name: "{{ borg_packages }}"
    state: present
 - name: Create virtualenv for borg  # noqa package-latest
  pip:
    name:
    - pip
    - setuptools
    state: latest
    virtualenv: /opt/borgmatic
    virtualenv_command: "{{ python_bin }} -m venv"
 - name: Install dependent Python Packages
  pip:
    name: "{{ borg_dependent_python_packages }}"
    virtualenv: /opt/borgmatic
  when: borg_dependent_python_packages is defined
 - name: Install main Python Packages
  pip:
    name: "{{ borg_python_packages }}"
    virtualenv: /opt/borgmatic
  when: borg_python_packages is defined
 - name: Create borgmatic command in /usr/local/bin
  copy:
    content: |
      #!/bin/bash
      . /opt/borgmatic/bin/activate
      borgmatic "$@"
    dest: /usr/local/bin/borgmatic
    owner: root
    group: root
    mode: "0755"
 - name: Ensure root has SSH key.
  user:
    name: "root"
    generate_ssh_key: yes
    ssh_key_file: "{{ ssh_key_file }}"
    ssh_key_type: ed25519
  register: root_user
 - name: Print key created for root user (use for remote repo)
  debug:
    var: root_user['ssh_public_key']
 - name: Create new repository for server
  borgbase:
    repository_name: "{{ bb_repo_name }}"
    token: "{{ bb_token }}"
    new_ssh_key: "{{ bb_new_sshkey }}"
    ssh_key: "{{ bb_sshkey }}"
    append_only: "{{ bb_append }}"
    quota_enable: "{{ bb_quota }}"
    quota: "{{ bb_quota_size }}"
    region: "{{ bb_region }}"
    alertdays: "{{ bb_alertdays }}"
  delegate_to: localhost
  become: no
  register: repo_creation
  when: create_repo
 - name: Set Repository Fact
  set_fact:
    borg_repository: |-
          {% if borg_repository is defined and borg_repository is string %}
          {{ [borg_repository] + [ repo_creation['data']['repoPath'] ] }}
          {% elif borg_repository is defined %}
          {{ borg_repository + [ repo_creation['data']['repoPath'] ] }}
          {% else %}
          {{ repo_creation['data']['repoPath'] }}
          {% endif %}
  when: create_repo
 - name: Ensure /etc/borgmatic exists
  file:
    path: /etc/borgmatic
    state: directory
    mode: 0700
    owner: root
 - name: Add Borgmatic configuration
  template:
    src: config.yaml.j2
    dest: "/etc/borgmatic/{{ borgmatic_config_name }}"
    mode: 0600
 - name: Add cron-job for borgmatic (large repo, create and check separate)
  block:
    - name: Add cron job for regular create and prune
      cron:
        name: "{{ borgmatic_cron_name }}"
        hour: "{{ borgmatic_cron_hour }}"
        minute: "{{ borgmatic_cron_minute }}"
        user: "root"
        cron_file: "{{ borgmatic_cron_name }}"
        job: "borgmatic -c /etc/borgmatic/{{ borgmatic_config_name }} --create --prune"
    - name: Add cron job for infrequent checks
      cron:
        name: "{{ borgmatic_cron_name }}-check"
        day: "{{ borgmatic_cron_checks_day }}"
        hour: "{{ borgmatic_cron_checks_hour }}"
        minute: "{{ borgmatic_cron_checks_minute }}"
        user: "root"
        cron_file: "{{ borgmatic_cron_name }}"
        job: "borgmatic -c /etc/borgmatic/{{ borgmatic_config_name }} --check"
  when: borgmatic_large_repo
 - name: Add cron-job for borgmatic (normal-sized repo)
  block:
    - name: Add cron job for create, check and prune
      cron:
        name: "{{ borgmatic_cron_name }}"
        hour: "{{ borgmatic_cron_hour }}"
        minute: "{{ borgmatic_cron_minute }}"
        user: "root"
        cron_file: "{{ borgmatic_cron_name }}"
        job: "borgmatic -c /etc/borgmatic/{{ borgmatic_config_name }}"
    - name: Ensure separate check cron job is absent
      cron:
        name: "{{ borgmatic_cron_name }}-check"
        state: absent
  when: not borgmatic_large_repo
 - name: Set PATH for borgmatic cron job.
  cron:
    user: "root"
    cron_file: "{{ borgmatic_cron_name }}"
    name: PATH
    env: yes
    value: /usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
--- a/tasks/noauto_create_backup_user_and_group.yml
+++ b/tasks/noauto_create_backup_user_and_group.yml
@ -1,34 +0,0 @@
 ---
 - name: Setup backup environment
  when:
    - backup_create_local_user is not defined or backup_create_local_user
    - borg_user != "root"
  block:
    - name: Add local backup group
      ansible.builtin.group:
        name: "{{ borg_group }}"
        state: present
    - name: Add local backup user
      ansible.builtin.user:
        name: "{{ borg_user }}"
        shell: "/bin/bash"
        groups: "{{ borg_group }}"
        comment: "Backup User Account"
        append: true
      register: user_info
    - name: Save the user_info, we need them for the home_dir
      ansible.builtin.set_fact:
        backup_user_info: "{{ user_info }}"
    - name: Add sudo users
      community.general.sudoers:
        name: "backup"
        state: present
        user: "{{ borg_user }}"
        nopassword: true
        commands:
          - "/opt/borgmatic/bin/borg"
          - "/usr/local/bin/borgmatic -c /etc/borgmatic/{{ borgmatic_config_name }}"
 ...
--- a/tasks/noauto_create_timer_cron.yml
+++ b/tasks/noauto_create_timer_cron.yml
@ -1,31 +0,0 @@
 ---
 - name: Ensure Cron is installed
  ansible.builtin.package:
    name: "{{ borg_cron_package }}"
    state: present
 - name: Add Cron job for borgmatic
  block:
    - name: Add single Cron job for borgmatic
      cron:
        name: "{{ borgmatic_timer_cron_name }}"
        hour: "{{ borgmatic_timer_hour }}"
        minute: "{{ borgmatic_timer_minute }}"
        user: "{{ borg_user }}"
        cron_file: "{{ borgmatic_timer_cron_name }}"
        job: "borgmatic -c /etc/borgmatic/{{ borgmatic_config_name }} {{ borgmatic_timer_flags }}"
    - name: Ensure separate check cron job is absent
      cron:
        name: "{{ borgmatic_timer_cron_name }}-check"
        cron_file: "{{ borgmatic_timer_cron_name }}"
        state: absent
 - name: Set PATH for borgmatic cron job.
  cron:
    user: "{{ borg_user }}"
    cron_file: "{{ borgmatic_timer_cron_name }}"
    name: PATH
    env: true
    value: /usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
 ...
--- a/tasks/noauto_create_timer_systemd.yml
+++ b/tasks/noauto_create_timer_systemd.yml
@ -1,67 +0,0 @@
 ---
 - name: Register existence of Borgmatic cron file.
  cron:
    name: "{{ borgmatic_timer_cron_name }}"
    cron_file: "{{ borgmatic_timer_cron_name }}"
    state: absent
  check_mode: true
  register: cron_file_exists
  ignore_errors: true
 - name: Ensure no Borgmatic Cron file exists.
  ansible.builtin.assert:
    that:
      - not cron_file_exists.changed
      - not cron_file_exists.failed or "Failed to find" in cron_file_exists.msg
    fail_msg: Found an existing Borgmatic Cron job. Please remove before using Systemd timer.
 - name: Create borgbackup timer
  block:
    - name: Copy systemd files
      ansible.builtin.template:
        src: "{{ item.src }}"
        dest: "{{ item.dest }}"
        owner: root
        group: root
        backup: true
        mode: "{{ item.mode }}"
      with_items:
        - { src: "borgmatic.timer.j2", dest: "/usr/lib/systemd/system/borgmatic.timer", mode: "0644" }
        - { src: "borgmatic.service.j2", dest: "/usr/lib/systemd/system/borgmatic.service", mode: "0644" }
    - name: Populate service facts
      ansible.builtin.service_facts:
      # If the role is running and the repo is not yet initialized, an error will occur.
      # Therefore the service is stopped by default and must be started manually.
    - name: Stop fresh installed borgmatic.timer and borgmatic.service
      when: "'borgmatic.service' not in ansible_facts.services"
      block:
        - name: Set borgmatic services to stopped - newly installed
          ansible.builtin.systemd:
            name: "{{ item }}"
            state: stopped
            enabled: false
            masked: false
            daemon_reload: true
          when: item in ansible_facts.services
          with_items:
            - borgmatic.service
        # bug: Need own section without masked else the timer are skipped
        - name: Set borgmatic timers to stopped - newly installed
          ansible.builtin.systemd:
            name: "{{ item }}"
            state: stopped
            enabled: false
            daemon_reload: true
          with_items:
            - "borgmatic.timer"
        - name: Show hints
          when: "'backup_init_repo' not in ansible_run_tags"
          ansible.builtin.debug:
            msg: >-
              Attention: Since the repo was not initialized automatically,
              the systemd service (borgmatic.service) and the timer (borgmatic.timer) are not activated.
 ...
--- a/tasks/noauto_install_package.yml
+++ b/tasks/noauto_install_package.yml
@ -1,21 +0,0 @@
 ---
 - name: Install borgbackup by distro
  block:
    - name: Check if EPEL repo is enabled, if installation from distro is requested
      when: borg_require_epel
      block:
        - name: Get list of installed packages
          ansible.builtin.package_facts:
            manager: auto
        - name: Ensure EPEL is enabled
          ansible.builtin.assert:
            that:
              - "'epel-release' in ansible_facts.packages"
            fail_msg: Need EPEL repo to install via distro package.
    - name: Install borgmatic and borg via distribution package manager
      ansible.builtin.package:
        name: "{{ item }}"
        state: present
      loop: "{{ borg_distro_packages }}"
 ...
--- a/tasks/noauto_install_pip.yml
+++ b/tasks/noauto_install_pip.yml
@ -1,57 +0,0 @@
 ---
 - name: Install Borg and Borgmatic via pip
  block:
    - name: Ensure the crb repository is enabled for RedHat (needed for xxhash)
      community.general.dnf_config_manager:
        name: crb
        state: enabled
      when: ansible_os_family == 'RedHat' and ansible_distribution != 'Fedora'
    - name: Install build dependencies
      ansible.builtin.package:
        name: "{{ borg_pip_packages }}"
        state: present
    - name: Create virtualenv for borg  # noqa package-latest
      ansible.builtin.pip:
        name:
          - pip
          - setuptools
        state: latest
        virtualenv: "{{ borg_venv_path }}"
        virtualenv_command: "{{ python_bin }} -m venv"
    - name: Install dependent Python packages
      ansible.builtin.pip:
        name: "{{ borg_dependent_python_packages }}"
        virtualenv: "{{ borg_venv_path }}"
      when: borg_dependent_python_packages is defined
    - name: Install main Python packages
      ansible.builtin.pip:
        name: "{{ item.name }}"
        version: "{{ item.version | default(omit, true) }}"
        virtualenv: "{{ borg_venv_path }}"
      when: borg_python_packages is defined
      loop: "{{ borg_python_packages }}"
 - name: Create links to Borgmatic and Borg binaries
  block:
    - name: Create borgmatic command in /usr/local/bin
      ansible.builtin.copy:
        content: |
          #!/bin/bash
          . "{{ borg_venv_path }}"/bin/activate
          borgmatic "$@"
        dest: /usr/local/bin/borgmatic
        mode: "0755"
    - name: Create borg command in /usr/local/bin
      ansible.builtin.copy:
        content: |
          #!/bin/bash
          . "{{ borg_venv_path }}"/bin/activate
          borg "$@"
        dest: /usr/local/bin/borg
        mode: "0755"
 ...
--- a/templates/borgmatic.service.j2
+++ b/templates/borgmatic.service.j2
@ -1,60 +0,0 @@
 # Managed by Ansible, please don't edit manually
 [Unit]
 Description=borgmatic backup
 Wants=backup_normal_repo.timer
 Wants=network-online.target
 After=network-online.target
 # Prevent borgmatic from running unless the machine is plugged into power. Remove this line if you
 # want to allow borgmatic to run anytime.
 ConditionACPower=true
 [Service]
 Type=oneshot
 User={{ borg_user }}
 ExecStart=borgmatic -c /etc/borgmatic/{{ borgmatic_config_name }} {{ borgmatic_timer_flags }}
 # Source: https://projects.torsion.org/borgmatic-collective/borgmatic/raw/branch/master/sample/systemd/borgmatic.service
 # Security settings for systemd running as root, optional but recommended to improve security. You
 # can disable individual settings if they cause problems for your use case. For more details, see
 # the systemd manual: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
 LockPersonality=true
 # Certain borgmatic features like Healthchecks integration need MemoryDenyWriteExecute to be off.
 # But you can try setting it to "yes" for improved security if you don't use those features.
 MemoryDenyWriteExecute=no
 NoNewPrivileges=yes
 PrivateDevices=yes
 PrivateTmp=yes
 ProtectClock=yes
 ProtectControlGroups=yes
 ProtectHostname=yes
 ProtectKernelLogs=yes
 ProtectKernelModules=yes
 ProtectKernelTunables=yes
 RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
 RestrictNamespaces=yes
 RestrictRealtime=yes
 RestrictSUIDSGID=yes
 SystemCallArchitectures=native
 SystemCallFilter=@system-service
 SystemCallErrorNumber=EPERM
 # To restrict write access further, change "ProtectSystem" to "strict" and uncomment
 # "ReadWritePaths", "ReadOnlyPaths", "ProtectHome", and "BindPaths". Then add any local repository
 # paths to the list of "ReadWritePaths" and local backup source paths to "ReadOnlyPaths". This
 # leaves most of the filesystem read-only to borgmatic.
 ProtectSystem=full
 # ReadWritePaths=-/mnt/my_backup_drive
 # ReadOnlyPaths=-/var/lib/my_backup_source
 # This will mount a tmpfs on top of /root and pass through needed paths
 # ProtectHome=tmpfs
 # BindPaths=-/root/.cache/borg -/root/.config/borg -/root/.borgmatic
 # May interfere with running external programs within borgmatic hooks.
 # CapabilityBoundingSet=CAP_DAC_READ_SEARCH CAP_NET_RAW
 # Lower CPU and I/O priority.
 Nice=19
 CPUSchedulingPolicy=batch
 IOSchedulingClass=best-effort
 IOSchedulingPriority=7
 IOWeight=100
--- a/templates/borgmatic.timer.j2
+++ b/templates/borgmatic.timer.j2
@ -1,13 +0,0 @@
 # Managed by Ansible, please don't edit manually
 [Unit]
 Description=Start creating of Backups - see: https://www.freedesktop.org/software/systemd/man/systemd.time.html#
 [Timer]
 # Day-of-the-Week Year-Month-Day Hour:Minutes:Seconds
 # Persistent -> resume backup after shutdown
 OnCalendar= *-*-* {{ borgmatic_timer_hour }}:{{ borgmatic_timer_minute }}:00
 Persistent=true
 [Install]
 WantedBy=timers.target
--- a/templates/config.yaml.j2
+++ b/templates/config.yaml.j2
@ -1,28 +1,21 @@
-#jinja2: lstrip_blocks: True, trim_blocks: True
+#jinja2: lstrip_blocks: "True", trim_blocks: "True"
 ---
 # Managed by Ansible, please don't edit manually
 # Full config: https://torsion.org/borgmatic/docs/reference/config.yaml
 location:
 {% if borg_source_directories is not defined or borg_source_directories | length == 0 %}
    source_directories:
-        - /etc/hostname # prevent empty backupconfig
+{% for dir in borg_source_directories %}
 {% else %}
    source_directories:
    {% for dir in borg_source_directories %}
        - {{ dir }}
-    {% endfor %}
+{% endfor %}
 {% endif %}
    # Stay in same file system (do not cross mount points).
    one_file_system: {{ borg_one_file_system }}
    repositories:
 {% if borg_repository is iterable and (borg_repository is not string and borg_repository is not mapping) %}
  {% for repo in borg_repository %}
-        - path: {{ repo }}
+        - {{ repo }}
  {% endfor %}
 {% elif borg_repository is defined and borg_repository is string %}
-        - path: {{ borg_repository }}
+        - {{ borg_repository }}
 {% endif %}
    # Store atime into archive.
@ -66,10 +59,8 @@ location:
 # https://borgbackup.readthedocs.io/en/stable/usage/general.html#environment-variables for
 # details.
 storage:
 {% if borg_encryption_passphrase %}
    encryption_passphrase: {{ borg_encryption_passphrase }}
 {% endif %}
    # The standard output of this command is used to unlock the encryption key. Only
    # use on repositories that were initialized with passcommand/repokey encryption.
    # Note that if both encryption_passcommand and encryption_passphrase are set,
@ -82,7 +73,7 @@ storage:
    # Type of compression to use when creating archives. See
    # https://borgbackup.readthedocs.org/en/stable/usage.html#borg-create for details.
    # Defaults to no compression.
-    compression: {{ borg_compression|default('auto,zstd') }}
+    compression: auto,zstd
    # Remote network upload rate limit in kiBytes/second.
 {% if borg_remote_rate_limit %}
@ -112,9 +103,6 @@ storage:
    # Bypass Borg error about a repository that has been moved.
    relocated_repo_access_is_ok: {{ borgmatic_relocated_repo_access_is_ok }}
    # Bypass Borg error about a previously unknown unencrypted repository.
    unknown_unencrypted_repo_access_is_ok: {{ borgmatic_unknown_unencrypted_repo_access_is_ok }}
 # Retention policy for how many backups to keep in each category. See
 # https://borgbackup.readthedocs.org/en/stable/usage.html#borg-prune for details.
 # At least one of the "keep" options is required for pruning to work.
@ -154,6 +142,11 @@ retention:
    keep_yearly: {{ borg_retention_policy.keep_yearly }}
 {% endif %}
    # When pruning, only consider archive names starting with this prefix.
    # Borg placeholders can be used. See the output of "borg help placeholders" for
    # details. Default is "{hostname}-".
    prefix: '{hostname}-'
 # Consistency checks to run after backups. See
 # https://borgbackup.readthedocs.org/en/stable/usage.html#borg-check and
 # https://borgbackup.readthedocs.org/en/stable/usage.html#borg-extract for details.
@ -174,6 +167,11 @@ consistency:
    # Restrict the number of checked archives to the last n. Applies only to the "archives" check.
    check_last: {{ borgmatic_check_last }}
    # When performing the "archives" check, only consider archive names starting with
    # this prefix. Borg placeholders can be used. See the output of
    # "borg help placeholders" for details. Default is "{hostname}-".
    prefix: '{hostname}-'
 # Shell commands or scripts to execute before and after a backup or if an error has occurred.
 # IMPORTANT: All provided commands and scripts are executed with user permissions of borgmatic.
 # Do not forget to set secure permissions on this file as well as on any script listed (chmod 0700) to
@ -181,5 +179,5 @@ consistency:
 hooks:
 {% for hook in borgmatic_hooks %}
    {{ hook }}:
-{{ borgmatic_hooks[hook] | to_nice_yaml(indent=4) | indent(8, first=true) }}
+        {{ borgmatic_hooks[hook] | to_nice_yaml(indent=2) | trim | indent(8) }}
 {% endfor %}
--- a/vars/Archlinux.yml
+++ b/vars/Archlinux.yml
@ -1,24 +1,10 @@
 ---
-borg_dep_packages:
+borg_packages:
-  - openssh
+  - cronie
 borg_cron_package: cronie
 borg_pip_packages:
  - acl
  - gcc
-  - lz4
+  - openssh
  - openssl
  - pkgconfig
  - python-pip
  - python-setuptools
  - xxhash
  - xz
  - zstd
 borg_distro_packages:
  - borg
  - borgmatic
 python_bin: python3
 pip_bin: pip3
--- a/vars/Debian.yml
+++ b/vars/Debian.yml
@ -1,16 +1,8 @@
 ---
-borg_dep_packages:
+borg_packages:
  - openssh-client
 borg_cron_package: cron
 borg_pip_packages:
  - libssl-dev
  - libacl1-dev
  - libacl1
  - liblz4-dev
  - libzstd-dev
  - libxxhash-dev
  - build-essential
  - python3-setuptools
  - python3-dev
@ -18,10 +10,8 @@ borg_pip_packages:
  - python3-pkgconfig
  - python3-msgpack
  - python3-venv
-
+  - openssh-client
-borg_distro_packages:
+  - cron
  - borgbackup
  - borgmatic
 python_bin: python3
 pip_bin: pip3
--- a/vars/Fedora.yml
+++ b/vars/Fedora.yml
@ -1,29 +1,17 @@
 ---
-borg_dep_packages:
+borg_packages:
-  - openssh-clients
+  - libacl-devel
-
+  - libacl
 borg_cron_package: cronie
 borg_pip_packages:
  - gcc
  - gcc-c++
  - libacl
  - libacl-devel
  - libzstd-devel
  - lz4-devel
  - openssl-devel
  - openssl-devel
  - python3-cython
  # - python3-devel
  - python3-pip
  - python3-setuptools
  - python3-wheel
-  - xxhash
+  - python3-devel
-  - xxhash-devel
+  - python3-setuptools
-
+  - python3-Cython
-borg_distro_packages:
+  - openssh-clients
-  - borgbackup
+  - cronie
  - borgmatic
 python_bin: python3
 pip_bin: pip3
--- a/vars/ManjaroLinux.yml
+++ b/vars/ManjaroLinux.yml
@ -1,24 +1,8 @@
 ---
-borg_dep_packages:
+borg_packages:
  - openssh
 borg_cron_package: cronie
 borg_pip_packages:  # untested
  - libssl-dev
  - libacl1-dev
  - libacl1
  - build-essential
  - python3-setuptools
  - python3-dev
  - python3-pip
  - python3-pkgconfig
  - python3-msgpack
  - python3-venv
 borg_distro_packages:
  - borg
  - borgmatic
  - openssh
  - cronie
 python_bin: python3
 pip_bin: pip3
--- a/vars/RedHat-10.yml
+++ b/vars/RedHat-10.yml
@ -1,28 +0,0 @@
 ---
 borg_dep_packages:
  - openssh-clients
 borg_cron_package: cronie
 borg_pip_packages:
  - gcc
  - gcc-c++
  - libacl
  - libacl-devel
  - libzstd-devel
  - lz4-devel
  - openssl-devel
  # - python3-devel
  - python3-pip
  - python3-setuptools
  - xxhash
  - xxhash-devel
  # - python3-virtualenv
  # - python3-wheel
 borg_distro_packages:
  - borgbackup
  - borgmatic
 python_bin: python3
 pip_bin: pip3
--- a/vars/RedHat-8.yml
+++ b/vars/RedHat-8.yml
@ -1,10 +1,5 @@
 ---
-borg_dep_packages:
+borg_packages:
  - openssh-clients
 borg_cron_package: cronie
 borg_pip_packages:
  - libacl-devel
  - libacl
  - gcc
@ -15,10 +10,8 @@ borg_pip_packages:
  - python3-devel
  - python3-setuptools
  - python3-virtualenv
-
+  - openssh-clients
-borg_distro_packages:
+  - cronie
  - borgbackup
  - borgmatic
 python_bin: python3
 pip_bin: pip3
--- a/vars/RedHat-9.yml
+++ b/vars/RedHat-9.yml
@ -1,28 +1,17 @@
 ---
-borg_dep_packages:
+borg_packages:
-  - openssh-clients
+  - libacl-devel
-
+  - libacl
 borg_cron_package: cronie
 borg_pip_packages:
  - gcc
  - gcc-c++
  - libacl
  - libacl-devel
  - libzstd-devel
  - lz4-devel
  - openssl-devel
  # - python3-devel
  - python3-pip
  - python3-wheel
  - python3-devel
  - python3-setuptools
-  - xxhash
+  - python3-virtualenv
-  - xxhash-devel
+  - openssh-clients
-  # - python3-virtualenv
+  - cronie
  # - python3-wheel
 borg_distro_packages:
  - borgbackup
  - borgmatic
 python_bin: python3
 pip_bin: pip3
--- a/vars/RedHat.yml
+++ b/vars/RedHat.yml
@ -1,10 +1,5 @@
 ---
-borg_dep_packages:
+borg_packages:
  - openssh-clients
 borg_cron_package: cronie
 borg_pip_packages:
  - libacl-devel
  - libacl
  - gcc
@ -14,10 +9,8 @@ borg_pip_packages:
  - python36-wheel
  - python36-devel
  - python-setuptools
-
+  - openssh-clients
-borg_distro_packages:
+  - cronie
  - borgbackup
  - borgmatic
 python_bin: python3
 pip_bin: pip3
--- a/vars/main.yml
+++ b/vars/main.yml
@ -2,9 +2,6 @@
 borg_dependent_python_packages:
  - cython
  - pkgconfig
 borg_python_packages:
-  - name: borgbackup
+  - borgbackup
-    version: "{{ borg_version }}"
+  - borgmatic
  - name: borgmatic
    version: "{{ borgmatic_version }}"