Add support for S3 backend

README.md

@@ -4,7 +4,7 @@
 
 This role will setup [Restic](https://restic.net/) backups on a Debian/Ubuntu machine using a systemd service and timer.
 
-It is a bit specific since it assumes you want to use a SFTP backend for restic and will thus setup the SSH config and SSH private keys (see variables below).
+It supports S3 backend or SFTP backend and will thus setup the SSH config and SSH private keys (see variables below).
 
 ## Role Variables
 
@@ -47,6 +47,13 @@ The SSH configuration will be written in `{{ restic_user_home }}/.ssh/config`.
 - `restic_ssh_private_key_path`: path of the private key to use (`~/.ssh/backup`)
 - `restic_ssh_port`: SSH port to use with the backup machine (`23`)
 
+### S3 backend configuration
+
+- `restic_ssh_enabled`: set to false
+- `restic_repository_name`: set to s3 endpoint + bucket, restic syntax (e.g. `s3:https://s3.fr-par.scw.cloud/restic-bucket`)
+- `restic_aws_access_key_id`: `AWS_ACCESS_KEY_ID`
+- `restic_aws_secret_access_key`: `AWS_SECRET_ACCESS_KEY`
+
 ### Sytemd service and timer
 
 A `restic-backup.service` service will be created with all the parameters defined above. The service is of type `oneshot` and will be triggered periodically with `restic-backup.timer`.
@@ -87,6 +94,27 @@ You can see the logs of the backup with `journalctl`. (`journalctl -xefu restic-
       -----END OPENSSH PRIVATE KEY-----
 ```
 
+S3 example:
+
+```yaml
+---
+
+- hosts: myhost
+  roles: restic
+  vars:
+    restic_ssh_enabled: false
+    restic_repository: "s3:https://s3.fr-par.scw.cloud/restic-bucket"
+    restic_aws_access_key_id: xxxxx
+    restic_aws_secret_access_key: xxxxx
+    restic_folders:
+      - {path: "/srv"}
+      - {path: "/var/www"}
+    restic_databases:
+    - {name: website, dump_command: sudo -Hiu postgres pg_dump -Fc website}
+    - {name: website2, dump_command: mysqldump website2}
+    restic_password: mysuperduperpassword
+```
+
 Of course, `restic_password` and `restic_ssh_private_key` should be stored using ansible-vault.
 
 ## License

defaults/main.yml

@@ -18,8 +18,9 @@ restic_forget_keep_within: 30d
 restic_prune: true
 restic_check: true
 
+restic_ssh_enabled: true
 restic_ssh_host: backup
-restic_ssh_port: 22 
+restic_ssh_port: 22
 restic_ssh_private_key_path: '/root/.ssh/backup'
 
 restic_systemd_timer_on_calender: '*-*-* 03:00:00'

tasks/main.yml

@@ -15,13 +15,14 @@
     owner: root
     group: root
     mode: 0600
+  when: restic_ssh_enabled
 
 - name: Add SSH private key
   template:
     src: ssh_private_key.j2
     dest: '{{ restic_ssh_private_key_path }}'
     mode: 0600
-  when: restic_ssh_private_key is defined
+  when: restic_ssh_private_key is defined and restic_ssh_enabled
 
 - name: Add restic_env in home folder
   template:

templates/restic-backup.service.j2

@@ -4,9 +4,18 @@ Description=Restic backup
 [Service]
 Type=oneshot
 User={{ restic_user }}
+{% if restic_ssh_enabled %}
 Environment="RESTIC_REPOSITORY=sftp:{{ restic_ssh_host }}:{{ restic_repository_name }}"
+{% else %}
+Environment="RESTIC_REPOSITORY={{ restic_repository }}"
+{% endif -%}
 Environment="RESTIC_PASSWORD={{ restic_password}}"
 
+{% if restic_aws_access_key_id is defined and restic_aws_secret_access_key is defined %}
+Environment="AWS_ACCESS_KEY_ID={{ restic_aws_access_key_id}}"
+Environment="AWS_SECRET_ACCESS_KEY={{ restic_aws_secret_access_key}}"
+{% endif %}
+
 {% if restic_check %}
 ExecStartPre={{ restic_path }} check
 {% endif -%}

templates/restic_env.j2

@@ -1,2 +1,11 @@
-export RESTIC_REPOSITORY="sftp:{{ restic_ssh_host }}:{{ restic_repository_name }}"
+{% if restic_ssh_enabled %}
-export RESTIC_PASSWORD="{{ restic_password}}"
+export RESTIC_REPOSITORY=sftp:{{ restic_ssh_host }}:{{ restic_repository_name }}
+{% else %}
+export RESTIC_REPOSITORY="{{ restic_repository }}"
+{% endif -%}
+export RESTIC_PASSWORD={{ restic_password}}
+
+{% if restic_aws_access_key_id is defined and restic_aws_secret_access_key is defined %}
+export AWS_ACCESS_KEY_ID={{ restic_aws_access_key_id}}
+export AWS_SECRET_ACCESS_KEY={{ restic_aws_secret_access_key}}
+{% endif %}