Add simple NFS backup role

roles/backup_nfs/defaults/main.yml

@@ -0,0 +1,3 @@
+---
+backup_nfs_directory: /podman-nfs-backups
+backup_nfs_mountpoint: /opt/podman-nfs-backups

roles/backup_nfs/tasks/machinectl.yml

@@ -0,0 +1,6 @@
+---
+- name: Import per-user tasks
+  ansible.builtin.import_tasks: per-user.yml
+  become_method: community.general.machinectl
+  become_user: "{{ backup_nfs_users['user'] }}"
+  become: true

roles/backup_nfs/tasks/main.yml

@@ -0,0 +1,40 @@
+---
+- name: Install NFS client software
+  ansible.builtin.apt:
+    name: nfs-common
+    state: present
+
+- name: Check existence of mount directory
+  ansible.builtin.stat:
+    path: "{{ backup_nfs_mountpoint }}"
+  register: mountpoint
+
+- name: Create mountpoint if it does not exist
+  ansible.builtin.file:
+    path: "{{ backup_nfs_mountpoint }}"
+    state: directory
+    mode: "0700"
+    owner: root
+    group: root
+  when: not mountpoint.stat.exists
+
+- name: This block ensures the NFS directory will be unmounted if a task fails
+  block:
+    - name: Mount backup NFS directory
+      ansible.posix.mount:
+        src: "{{ backup_nfs_remote }}:{{ backup_nfs_directory }}"
+        path: "{{ backup_nfs_mountpoint }}"
+        opts: rw,sync,hard,vers=4
+        state: ephemeral
+        fstype: nfs
+
+    - name: Execute backup tasks inside service account
+      ansible.builtin.include_tasks: machinectl.yml
+      loop: "{{ backup_nfs_targets }}"
+      loop_control:
+        loop_var: backup_nfs_users
+  always:
+    - name: Unmount backup NFS directory
+      ansible.posix.mount:
+        path: "{{ backup_nfs_mountpoint }}"
+        state: unmounted

roles/backup_nfs/tasks/per-container.yml

@@ -0,0 +1,24 @@
+---
+- name: Ensure container is stopped
+  ansible.builtin.systemd_service:
+    name: container-{{ container }}.service
+    state: stopped
+    scope: user
+  register: container_state
+
+- name: Create volume export
+  containers.podman.podman_export:
+    volume: "{{ item }}"
+    dest: "{{ backup_nfs_mountpoint }}/{{ container }}-{{ item }}-{{ ansible_date_time['iso8601_basic_short'] }}.tar"
+  loop: "{{ backup_nfs_containers['volumes'] }}"
+
+# A container is not always running, so if it was stopped before
+# the backup procedure even started, do not start it again.
+# It's quite a hassle to have this behaviour with a handler, so
+# we just supress the linting error.
+- name: Start container again if necessary # noqa: no-handler
+  ansible.builtin.systemd_service:
+    name: container-{{ container }}.service
+    state: started
+    scope: user
+  when: container_state is changed

roles/backup_nfs/tasks/per-user.yml

@@ -0,0 +1,8 @@
+---
+- name: Iterate over configured nginx sites
+  ansible.builtin.include_tasks: per-container.yml
+  loop: "{{ backup_nfs_users['containers'] }}"
+  loop_control:
+    loop_var: backup_nfs_containers
+  vars:
+    container: "{{ backup_nfs_containers['name'] }}"