Manage own borgmatic systemd service and timer

Ship borgmatic.service and borgmatic.timer from the backup role instead
of relying on the package-provided units. The units are deployed to
/etc/systemd/system (overriding the package units), with a configurable
schedule via role defaults.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

roles/backup/defaults/main.yml

@@ -0,0 +1,10 @@
+---
+# Schedule for our own borgmatic.timer (overrides the package-shipped unit).
+# OnCalendar uses systemd.time(7) syntax. RandomizedDelaySec spreads load so
+# every host doesn't hit the borg server at the same instant.
+borgmatic_oncalendar: "*-*-* 03:00:00"
+borgmatic_randomized_delay_sec: 3h
+borgmatic_persistent: true
+
+# Extra flags passed to the borgmatic invocation in our borgmatic.service.
+borgmatic_verbosity_args: "--verbosity -1 --syslog-verbosity 1"

roles/backup/tasks/main.yml

@@ -75,6 +75,29 @@
         group: root
         mode: '0640'
 
+    - name: Deploy borgmatic systemd service (overrides package unit)
+      ansible.builtin.template:
+        src: borgmatic.service.j2
+        dest: /etc/systemd/system/borgmatic.service
+        owner: root
+        group: root
+        mode: '0644'
+      register: _borgmatic_service_unit
+
+    - name: Deploy borgmatic systemd timer (overrides package unit)
+      ansible.builtin.template:
+        src: borgmatic.timer.j2
+        dest: /etc/systemd/system/borgmatic.timer
+        owner: root
+        group: root
+        mode: '0644'
+      register: _borgmatic_timer_unit
+
+    - name: Reload systemd if units changed
+      ansible.builtin.systemd:
+        daemon_reload: true
+      when: _borgmatic_service_unit is changed or _borgmatic_timer_unit is changed
+
     - name: Enable and start borgmatic timer
       ansible.builtin.systemd:
         name: borgmatic.timer

roles/backup/templates/borgmatic.service.j2

@@ -0,0 +1,21 @@
+# Managed by Ansible — do not edit by hand.
+[Unit]
+Description=borgmatic backup
+Wants=network-online.target
+After=network-online.target
+# Don't run on battery power.
+ConditionACPower=true
+
+[Service]
+Type=oneshot
+# Lower priority so backups don't starve foreground work.
+Nice=19
+CPUSchedulingPolicy=batch
+IOSchedulingClass=best-effort
+IOSchedulingPriority=7
+IOWeight=100
+Restart=no
+# Prevent rate limiting of borgmatic log events.
+LogRateLimitIntervalSec=0
+# Delay start by a random amount handled in the timer; keep the service simple.
+ExecStart=systemd-inhibit --who="borgmatic" --what="sleep:shutdown" --why="Prevent interrupting scheduled backup" /usr/bin/borgmatic {{ borgmatic_verbosity_args }}

roles/backup/templates/borgmatic.timer.j2

@@ -0,0 +1,11 @@
+# Managed by Ansible — do not edit by hand.
+[Unit]
+Description=Run borgmatic backup
+
+[Timer]
+OnCalendar={{ borgmatic_oncalendar }}
+RandomizedDelaySec={{ borgmatic_randomized_delay_sec }}
+Persistent={{ borgmatic_persistent | bool | lower }}
+
+[Install]
+WantedBy=timers.target