allow access to backups through sftp in ro mode

roles/common/defaults/main.yml

@@ -18,15 +18,16 @@ user_default_groups:
 
 openssh_port: "22"
 
-backup_owner: backup
+backup_owner: backup-sync
 backup_group: "{{ backup_owner }}"
+backup_chroot_dir: /mnt/backup
 
 storage_box_enabled: no
 storage_box_host: storage.example.com
 storage_box_port: 23
 storage_box_path: /home/backup
 storage_box_mount:
-  path: "/mnt/backup"
+  path: "{{ backup_chroot_dir }}"
   owner: "{{ backup_owner }}"
   group: "{{ backup_group }}"
   options: [rw,default_permissions]
@@ -34,14 +35,14 @@ storage_box_username: u123456-sub1
 storage_box_password: somesecret
 
 borg_encryption_mode: keyfile
-borg_passphrase: "{{ vault_borg_passphrase }}"
 borg_repository: |-
   {%- if storage_box_enabled -%}
   {{ storage_box_host }}:{{ storage_box_path }}/borg
   {%- else -%}
-  {{ storage_box_mount.path }}/borg
+  {{ backup_chroot_dir }}/borg
   {%- endif -%}
 
+borgmatic_config_dir: /etc/borgmatic
 borgmatic_config:
   location:
     source_directories:
@@ -69,7 +70,8 @@ borgmatic_config:
       - /var/snap
     exclude_caches: true
   storage:
-    encryption_passphrase: "{{ borg_passphrase }}"
+    umask: "{{ borg_umask }}"
+    encryption_passphrase: "{{ vault_borg_passphrase }}"
     compression: zlib,7
   retention:
     keep_hourly: 24