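---
# Server side of the duplicity backup setup: installs the tooling, creates a
# dedicated backup user with its own SSH key, pins the host keys of every
# client in the "duplicityclient" group, imports the GnuPG encryption key and
# installs one backup script plus one cron entry per client.
#
# Variables read here but defined elsewhere:
#   duplicity_server_user              - local account that runs the backups
#   duplicity_server_gnupg_fingerprint - full fingerprint of the encryption key
#   groups['duplicityclient']          - inventory hosts to back up
#   hostvars[<client>].duplicity_client_backup_minute / _hour - optional schedule
#
# Every task that touches the backup user's files runs as that user
# (become_user) so nothing under its home ends up owned by root.

### BASIC SOFTWARE
- name: "Install required software on servers"
  become: true
  ansible.builtin.package:
    # A single call with a list installs everything in one package-manager
    # transaction; looping the module once per package is the pattern Ansible
    # itself warns about.
    name:
      - "duplicity"  # the backup tool itself
      - "sshfs"  # to mount the clients' directories over SSH
      - "python3-packaging"  # presumably a duplicity runtime dependency - TODO confirm
      - "acl"  # to manage the access control on the backup data
    state: "present"

### SSH ACCESS (USER/KEYS)
- name: "Create backup user on servers"
  become: true
  ansible.builtin.user:
    name: "{{ duplicity_server_user }}"
    # The generated key is what the clients will later authorize; the public
    # half is exported as a fact below.  An existing key is kept, not replaced.
    generate_ssh_key: true
    ssh_key_type: "ed25519"
    ssh_key_comment: "{{ duplicity_server_user }}@{{ ansible_hostname }} (generated by ansible)"
  # Return value provides 'ssh_public_key' and 'home', used by the tasks below.
  register: "duplicity_server_created_user"

- name: "Store server ssh key as fact for later usage"
  ansible.builtin.set_fact:
    # Consumed outside this file (presumably by the client-side tasks that
    # add it to authorized_keys) - verify against the client role.
    duplicity_server_user_key: "{{ duplicity_server_created_user['ssh_public_key'] }}"

- name: "Fetch sshd fingerprints from clients"
  # Reads each client's public host key over Ansible's own, already
  # authenticated, connection.  The server therefore pins a verified key
  # instead of trusting whatever it sees on first connect.  Only the ECDSA
  # key is collected; a client that no longer offers an ECDSA host key would
  # fail host verification from the backup script.
  ansible.builtin.slurp:
    src: "/etc/ssh/ssh_host_ecdsa_key.pub"
  delegate_to: "{{ item }}"
  # with_items already flattened one level, so the former
  # `| flatten(levels=1)` was redundant; the group is a flat list of names.
  loop: "{{ groups['duplicityclient'] }}"
  changed_when: false  # a read-only fetch never changes the client
  register: "duplicity_client_host_key"

- name: "Register client host keys in server"
  become: true
  become_user: "{{ duplicity_server_user }}"
  ansible.builtin.known_hosts:
    # The entry is keyed on the inventory hostname; the backup script has to
    # connect using that same name (not e.g. ansible_host) for the pinned key
    # to be matched - confirm against backup-script.j2.
    name: "{{ item.item }}"
    key: "{{ item.item }} {{ item.content | b64decode }}"
  loop: "{{ duplicity_client_host_key.results }}"
  loop_control:
    label: "{{ item.item }}"  # keep the decoded key material out of the task output

### GNUPG ENCRYPTION
- name: "Ensure gnupg config dir"
  become: true
  become_user: "{{ duplicity_server_user }}"
  ansible.builtin.command:
    # Any gpg invocation creates ~/.gnupg with the right permissions; `creates`
    # makes this idempotent.
    cmd: "gpg --list-keys"
    creates: "{{ duplicity_server_created_user['home'] }}/.gnupg"

- name: "Install encryption key for backups"
  become: true
  become_user: "{{ duplicity_server_user }}"
  de_enbewe.duplicity.gpg_key:
    # The key is selected by its full fingerprint, which is what makes pulling
    # it from a public keyserver acceptable: the fingerprint, not the
    # keyserver, is the trust anchor.
    fpr: "{{ duplicity_server_gnupg_fingerprint }}"
    keyserver: "hkps://keys.openpgp.org"
    trust: 5  # gpg ownertrust level 5 = "ultimate"; semantics of the custom module - verify
    homedir: "{{ duplicity_server_created_user['home'] }}/.gnupg"

### BACKUP SCRIPTS
- name: "Create backup script path"
  become: true
  ansible.builtin.file:
    path: "{{ duplicity_server_created_user['home'] }}/scripts"
    state: "directory"
    owner: "{{ duplicity_server_user }}"
    group: "{{ duplicity_server_user }}"
    mode: "u=rwx,g=rx,o=rx"

- name: "Create backup scripts for clients"
  become: true
  become_user: "{{ duplicity_server_user }}"
  ansible.builtin.template:
    src: "backup-script.j2"
    dest: "{{ duplicity_server_created_user['home'] }}/scripts/backup-{{ item }}.sh"
    # NOTE(review): only the backup user (via cron) needs to execute these.
    # If the template embeds any credential or passphrase, drop the o=rx
    # part - cannot tell from here.
    mode: "u=rwx,g=rx,o=rx"
  loop: "{{ groups['duplicityclient'] }}"

- name: "Register cronjob for clients"
  become: true
  ansible.builtin.cron:
    name: "backup-{{ item }}"
    user: "{{ duplicity_server_user }}"
    job: "{{ duplicity_server_created_user['home'] }}/scripts/backup-{{ item }}.sh"
    # Per-client schedule taken from the client's hostvars.  Every client
    # without an explicit value shares the same 01:12 slot and its backups run
    # concurrently.
    minute: "{{ hostvars[item].duplicity_client_backup_minute | default(12) }}"
    hour: "{{ hostvars[item].duplicity_client_backup_hour | default(1) }}"
  loop: "{{ groups['duplicityclient'] }}"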