From 0fd3b4f9d0aa05328114a404a6e38f44c04a63ca Mon Sep 17 00:00:00 2001
From: Jeremie Fraeys
Date: Fri, 6 Mar 2026 14:31:13 -0500
Subject: [PATCH] refactor(apps): update forgejo and backups task configurations
---
 roles/backups/tasks/main.yml | 52 ++++++++++++++++++++++++++++++------
 roles/forgejo/tasks/main.yml | 11 +++++---
 2 files changed, 51 insertions(+), 12 deletions(-)
diff --git a/roles/backups/tasks/main.yml b/roles/backups/tasks/main.yml
index 032ae80..f10c164 100644
--- a/roles/backups/tasks/main.yml
+++ b/roles/backups/tasks/main.yml
@@ -188,7 +188,11 @@
 register: restic_snapshots
 changed_when: false
 failed_when: false
- no_log: true
+
+- name: Debug restic snapshots output
+ debug:
+ msg: "restic snapshots rc={{ restic_snapshots.rc }}, stderr={{ restic_snapshots.stderr | default('') }}"
+ when: restic_snapshots.rc != 0

 - name: Initialize restic repository if missing
 command: restic init
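Review bot: Dropping `no_log: true` from the task that registers `restic_snapshots` means its full result is now logged on every run, and the new debug task prints restic's stderr verbatim whenever the check fails. The task body starts above the hunk, so this is inferred: if the repository location or backend credentials reach that task through its arguments or show up in restic's error text, they would land in Ansible output and in whatever log collection sits behind it. I would keep `no_log: true` on the command task and have the debug task print only the return code, or gate the stderr dump by adding `verbosity: 2` under `debug:` so it appears only on an explicit verbose run.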
@@ -202,17 +206,49 @@
 when: restic_snapshots.rc != 0
 register: restic_init
 changed_when: true
- failed_when: restic_init.rc != 0
+ failed_when: false

-- name: Fail with restic init error output
- fail:
- msg: "restic init failed (rc={{ restic_init.rc }}). stdout: {{ restic_init.stdout | default('') }}\n\nstderr: {{ restic_init.stderr | default('') }}"
- when:
- - restic_snapshots.rc != 0
- - restic_init.rc != 0
+- name: Debug restic init output
+ debug:
+ msg: "restic init rc={{ restic_init.rc }}, stderr={{ restic_init.stderr | default('') }}"
+ when: restic_snapshots.rc != 0

 - name: Enable and start infra-backup timer
 systemd:
 name: infra-backup.timer
 enabled: true
 state: started
+
+- name: Install backup restore verification script
+ template:
+ src: backup-verify.sh.j2
+ dest: /usr/local/sbin/backup-verify
+ owner: root
+ group: root
+ mode: "0750"
+
+- name: Install systemd service for backup verification
+ template:
+ src: backup-verify.service.j2
+ dest: /etc/systemd/system/backup-verify.service
+ owner: root
+ group: root
+ mode: "0644"
+
+- name: Install systemd timer for monthly backup verification
+ template:
+ src: backup-verify.timer.j2
+ dest: /etc/systemd/system/backup-verify.timer
+ owner: root
+ group: root
+ mode: "0644"
+
+- name: Reload systemd for backup verification
+ systemd:
+ daemon_reload: true
+
+- name: Enable and start monthly backup verification timer
+ systemd:
+ name: backup-verify.timer
+ enabled: true
+ state: started
diff --git a/roles/forgejo/tasks/main.yml b/roles/forgejo/tasks/main.yml
index 4660e4e..709442a 100644
--- a/roles/forgejo/tasks/main.yml
+++ b/roles/forgejo/tasks/main.yml
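Review bot: With `failed_when: false` on the `restic init` task and the `fail` task removed, a failed repository initialisation no longer stops the play. The tasks that follow still enable `infra-backup.timer` and the new `backup-verify.timer`, so the host can finish a run looking healthy while every backup fails against a repository that was never created. A debug line is easy to miss in a long run; keep the diagnostic but stop afterwards, for example by adding `failed_when: restic_init.rc != 0` to the "Debug restic init output" task, or by keeping the removed `fail` task after it. The init task itself begins above the hunk.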
@@ -104,12 +104,13 @@
 if [ -z "$cid" ]; then
 exit 1
 fi
-
- if docker exec --user 1000:1000 "$cid" forgejo admin auth list | grep -q "authelia"; then
+ if docker exec --user 1000:1000 "$cid" forgejo admin auth list \
+ --config /data/gitea/conf/app.ini | grep -q "authelia"; then
+ echo "exists"
 exit 0
 fi
-
 docker exec --user 1000:1000 "$cid" forgejo admin auth add-oauth \
+ --config /data/gitea/conf/app.ini \
 --provider=openidConnect \
 --name=authelia \
 --key=forgejo \
@@ -118,7 +119,9 @@
 --scopes='openid email profile groups' \
 --group-claim-name=groups \
 --admin-group=admins
- changed_when: false
+ echo "created"
+ register: forgejo_oidc_result
+ changed_when: "'created' in forgejo_oidc_result.stdout"
 retries: 5
 delay: 10
 environment:
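Review bot: The existence check `docker exec ... auth list --config /data/gitea/conf/app.ini | grep -q "authelia"` cannot tell "source not configured" from "listing failed". If `docker exec` errors (wrong config path, container not ready), grep finds no match and the script goes straight on to `add-oauth`. The pattern is also an unanchored substring, so any row that merely contains "authelia" counts as the source being present. Capture the listing first and stop on error, e.g. `auth_list=$(docker exec --user 1000:1000 "$cid" forgejo admin auth list --config /data/gitea/conf/app.ini) || exit 1`, then `printf '%s\n' "$auth_list" | grep -qw authelia`. The shell block begins above the hunk.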
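Review bot: `echo "created"` is now the last command of the script, so its exit status (0) replaces that of `forgejo admin auth add-oauth`. Unless the script sets `set -e` above the visible lines, a failed add-oauth leaves the task successful and reported as `changed`, and `retries: 5` no longer has a failure to react to. Before this change the `docker exec` was the final command and its status propagated. Tie the marker to success, for example by ending the command with `--admin-group=admins || exit 1` before `echo "created"`. The task continues past `environment:` outside the hunk.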