backup foreman

using `+/usr/bin/foreman-maintain` makes systemd execute the binary as
root, not as the user the main execution happens as

See https://www.freedesktop.org/software/systemd/man/systemd.service.html#Command%20lines

puppet/data/common.yaml

@@ -21,6 +21,7 @@ profiles::backup::receiver::targets:
   - controller01
   - discourse01
   - puppet01
+  - foreman01
 
 profiles::backup::sender::host: '%{alias("backup_servicename")}'
 profiles::backup::sender::ssh_key: 'AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNfA651gsxAgFzWdBjFbTTXgZ+mIovdHE2TZShmyDJ9h6On+qQ3WOGVXflyrocM93vR4diZT80bnyIpLZtIf5RY='

puppet/modules/profiles/manifests/foreman.pp

@@ -11,4 +11,22 @@
   puppet::config::main { 'dns_alt_names':
     value => $foreman::serveraliases,
   }
+
+  package {'rubygem-foreman_maintain':
+    ensure => present,
+  }
+
+  $backup_path = '/var/backups'
+
+  file {$backup_path:
+    ensure => directory,
+  }
+
+  include profiles::backup::sender
+
+  restic::repository { 'foreman':
+    backup_cap_dac_read_search => true,
+    backup_path                => $backup_path,
+    backup_pre_cmd             => ["+/usr/bin/foreman-maintain backup online --assumeyes --preserve-directory ${backup_path}/foreman"],
+  }
 }

puppet/spec/classes/profiles_foreman_spec.rb

@@ -4,6 +4,13 @@
   on_supported_os.each do |os, os_facts|
     context "on #{os}" do
       let(:facts) { os_facts }
+      let(:pre_condition) do
+        <<~PUPPET
+        class { 'restic':
+          password => 'SuperSecret',
+        }
+        PUPPET
+      end
 
       it { is_expected.to compile.with_all_deps }
     end