Ensure restic gets the correct permissions when it's updated

Yes it's weird to modify the system package like this, but it's very handy.

See also https://restic.readthedocs.io/en/stable/080_examples.html#backing-up-your-system-without-running-restic-as-root

ansible/roles/restic/files/restic-post.hook

@@ -0,0 +1,9 @@
+[Trigger]
+Operation = Upgrade
+Type = Package
+Target = restic
+
+[Action]
+Description = Set restic binary permissions
+When = PostTransaction
+Exec = /usr/share/libalpm/scripts/restic-post.sh

ansible/roles/restic/files/restic-post.sh

@@ -0,0 +1,14 @@
+#!/usr/bin/env bash
+
+# See https://restic.readthedocs.io/en/stable/080_examples.html#backing-up-your-system-without-running-restic-as-root
+
+set -e
+
+RESTIC_BIN=$(which restic)
+
+# Set owner
+chown root:restic $RESTIC_BIN
+chmod 750 $RESTIC_BIN
+
+# Lest restic run root things
+setcap cap_dac_read_search=+ep $RESTIC_BIN

ansible/roles/restic/tasks/main.yml

@@ -58,3 +58,19 @@
     dest: /etc/logrotate.d/backrest
     mode: "0600"
   become: true
+
+- name: Install pacman post script
+  template:
+    src: files/restic-post.sh
+    dest: /usr/share/libalpm/scripts/restic-post.sh
+    mode: "0700"
+  become: true
+  when: ansible_os_family == 'Archlinux'
+
+- name: Install pacman post hook
+  template:
+    src: files/restic-post.hook
+    dest: /usr/share/libalpm/hooks/restic-post.hook
+    mode: "0600"
+  become: true
+  when: ansible_os_family == 'Archlinux'