matrix-backup-borg: add ability to backup to unencrypted repositories (#1754)

* matrix-backup-borg: added option for unencrypted repo access

* matrix-backup-borg: fixed requiring password for unencrypted repos; changed variable name

* matrix-backup-borg: add unknown_unencrypted_repo_access_is_ok to config.yaml.j2

* matrix-backup-borg: cleanup comments

* matrix-backup-borg: add documentation regarding unencrypted repos

* matrix-backup-borg: add readability and ease of use to code

* matrix-backup-borg: fix wording in defaults/main.yml comment

* matrix-backup-borg: add quotes to docs

* Indicate the variable to use

Co-authored-by: Slavi Pantaleev <slavi@devture.com>

docs/configuring-playbook-backup-borg.md

@@ -51,6 +51,8 @@ where:
 * PASSPHRASE - passphrase used for encrypting backups, you may generate it with `pwgen -s 64 1` or use any password manager
 * PRIVATE KEY - the content of the **private** part of the SSH key you created before
 
+To backup without encryption, add `matrix_backup_borg_encryption: 'none'` to your vars. This will also enable the `matrix_backup_borg_unknown_unencrypted_repo_access_is_ok` variable.
+
 `matrix_backup_borg_location_source_directories` defines the list of directories to back up: it's set to `{{ matrix_base_data_path }}` by default, which is the base directory for every service's data, such as Synapse, Postgres and the bridges. You might want to exclude certain directories or file patterns from the backup using the `matrix_backup_borg_location_exclude_patterns` variable.
 
 Check the `roles/matrix-backup-borg/defaults/main.yml` file for the full list of available options.

roles/matrix-backup-borg/defaults/main.yml

@@ -44,12 +44,15 @@ matrix_backup_borg_location_repositories: []
 # exclude following paths:
 matrix_backup_borg_location_exclude_patterns: []
 
-# borg encryption mode, only repokey-* is supported
+# borg encryption mode, only "repokey-*" and "none" are supported
 matrix_backup_borg_encryption: repokey-blake2
 
 # private ssh key used to connect to the borg repo
 matrix_backup_borg_ssh_key_private: ""
 
+# allow unencrypted repo access
+matrix_backup_borg_unknown_unencrypted_repo_access_is_ok: "{{ matrix_backup_borg_encryption == 'none' }}"
+
 # borg ssh command with ssh key
 matrix_backup_borg_storage_ssh_command: ssh -o "StrictHostKeyChecking accept-new" -i /etc/borgmatic.d/sshkey
 

roles/matrix-backup-borg/tasks/validate_config.yml

@@ -7,4 +7,9 @@
   with_items:
     - "matrix_backup_borg_ssh_key_private"
     - "matrix_backup_borg_location_repositories"
-    - "matrix_backup_borg_storage_encryption_passphrase"
+
+- name: Fail if encryption passphrase is undefined unless repository is unencrypted
+  fail:
+    msg: >-
+      You need to define a required passphrase using the `matrix_backup_borg_storage_encryption_passphrase` variable.
+  when: "matrix_backup_borg_storage_encryption_passphrase == '' and matrix_backup_borg_encryption != 'none'"

roles/matrix-backup-borg/templates/config.yaml.j2

@@ -11,6 +11,7 @@ storage:
   ssh_command: {{ matrix_backup_borg_storage_ssh_command|to_json }}
   archive_name_format: {{ matrix_backup_borg_storage_archive_name_format|to_json }}
   encryption_passphrase: {{ matrix_backup_borg_storage_encryption_passphrase|to_json }}
+  unknown_unencrypted_repo_access_is_ok: {{ matrix_backup_borg_unknown_unencrypted_repo_access_is_ok|to_json }}
 
 retention:
   keep_hourly: {{ matrix_backup_borg_retention_keep_hourly|to_json }}