refactor(setup-pgbackrest.yml): refactor as per Sam

Author: jchancojr

ansible/tasks/setup-pgbackrest.yml

@@ -63,14 +63,20 @@
     loop_var: conf_item
   when: stage2_nix
 
-- name: Symlink pgBackRest binary
-  ansible.legacy.file:
-    path: /usr/bin/pgbackrest
-    src: /var/lib/pgbackrest/.nix-profile/bin/pgbackrest
-    state: link
+- name: Configure sudoers for pgBackRest
+  ansible.builtin.lineinfile:
+    create: yes
+    line: 'postgres ALL=(pgbackrest) NOPASSWD: /var/lib/pgbackrest/.nix-profile/bin/pgbackrest'
+    mode: '0440'
+    path: '/etc/sudoers.d/pgbackrest'
+    validate: 'visudo -cf %s'
 
-- name: Sticky bit the pgBackRest binary
-  ansible.legacy.file:
-    mode: '4755'
-    path: /var/lib/pgbackrest/.nix-profile/bin/pgbackrest
-  become: true
+- name: Create pgBackRest wrapper script
+  ansible.builtin.copy:
+    content: |
+      #!/bin/bash
+      exec sudo -u pgbackrest /var/lib/pgbackrest/.nix-profile/bin/pgbackrest "$@"
+    dest: '/usr/bin/pgbackrest'
+    group: 'root'
+    mode: '0755'
+    owner: 'root'