matrix-backup-borg: add ability to backup to unencrypted repositories

[thebiblelover7]

No description provided.

[thebiblelover7]

This PR could be resolved by #1755 , so I don't know what should be done.

[etkecc]

Yes, you can do that with #1755 with configuration extension

[spantaleev]

How common are unencrypted Borg repositories? Perhaps backing up to such repositories is much quicker on low-power hardware, because it skips having to encrypt everything.

If it's a common use case, regardless of #1755, we can keep your PR to have a dedicated option for easy usage. Is setting this "ok" flag to true enough to do use an unencrypted repository? Or is something else necessary? It seems like if you leave matrix_backup_borg_storage_encryption_passphrase empty, roles/matrix-backup-borg/tasks/validate_config.yml will choke. We should probably fix this, and potentially update the docs too.

---

You've also named the variable matrix_backup_borg_unknown_unencrypted_access, which is inconsistent with how we name variables: matrix_(SERVICE_NAME)_(ORIGINAL_NAME_OF_CONFIGURATION_SETTING).

It should be called matrix_backup_borg_unknown_unencrypted_repo_access_is_ok instead.

---

Another good practice is to use |to_json when spewing variables into JSON/YAML configuration files.

-unknown_unencrypted_repo_access_is_ok: {{ matrix_backup_borg_unknown_unencrypted_access }}
+unknown_unencrypted_repo_access_is_ok: {{ matrix_backup_borg_unknown_unencrypted_repo_access_is_ok|to_json }}

[thebiblelover7]

@spantaleev I am currently backing up to my raspberry pi, and I don't need encryption which is why I disabled it on my repo.

I will try to fix those things soon.

[etkecc]

The #1755 has been merged. Could you try to use configuration extension for your use case and post feedback here, please?

It works the same as in other roles (eg synapse)

[thebiblelover7]

The #1755 has been merged. Could you try to use configuration extension for your use case and post feedback here, please?

It works the same as in other roles (eg synapse)

What I've seen is that it fails because you don't pass a password to matrix_backup_borg_storage_encryption_passphrase. As long as you pass it anything, it doesn't fail. I'm currently trying to find a way to have a conditional with_items so that it can only be verified when matrix_backup_borg_unknown_unencrypted_repo_access_is_ok is false.

I'm not very good with ansible, so any help is appreciated!

[spantaleev]

I'm currently trying to find a way to have a conditional with_items so that it can only be verified when matrix_backup_borg_unknown_unencrypted_repo_access_is_ok is false.

You can see some conditional with_items usage here:

matrix-docker-ansible-deploy/roles/matrix-client-element/tasks/setup_install.yml

Lines 3 to 13 in 5c1ee66

	- name: Ensure Element paths exists
	file:
	path: "{{ item.path }}"
	state: directory
	mode: 0750
	owner: "{{ matrix_user_username }}"
	group: "{{ matrix_user_groupname }}"
	with_items:
	- {path: "{{ matrix_client_element_data_path }}", when: true}
	- {path: "{{ matrix_client_element_docker_src_files_path }}", when: "{{ matrix_client_element_container_image_self_build }}"}
	when: "item.when|bool"

Alternatively, you can use another fail task for matrix_backup_borg_storage_encryption_passphrase which is "hidden" behind when: not matrix_backup_borg_unknown_unencrypted_repo_access_is_ok. Example:

- name: Fail if encryption enabled and encryption passphrase empty
  fail:
    msg: >-
      You need to define a required configuration setting (`matrix_backup_borg_storage_encryption_passphrase`).
  when: "matrix_backup_borg_storage_encryption_passphrase == '' and not matrix_backup_borg_unknown_unencrypted_repo_access_is_ok"

[etkecc]

I suppose you need to update validate_config as well, because it checks for encryption passphrase and some other things.
As @spantaleev suggested - add a new fail when no passphrase is given and unencrypted backups disabled in the validate_config file

Btw, don't forget to pull new changes first

[thebiblelover7]

@spantaleev Seems to me like this is ready to be merged. Let me know if there is anything else I should change!

I've tested it on my system and it seems to work, too.

[spantaleev]

Thank for contributing this and for the patience! 👍