---
- name: Create SSH Directory
  ansible.builtin.file:
    path: /root/.ssh
    owner: root
    group: root
    mode: '0640'
    state: directory
  become: true

- name: Add borg server to known_hosts
  ansible.builtin.known_hosts:
    name: '{{ borg_server_host_url }}'
    key: '{{ borg_server_host_url }} {{ borg_server_host_ssh_key }}'
    path: /root/.ssh/known_hosts
    state: present
  become: true

- name: Generate SSH keys
  community.crypto.openssh_keypair:
    path: /root/.ssh/id_rsa
    owner: root
    group: root
    mode: '0600'
    comment: root@{{ inventory_hostname }}
  become: true
  register: ssh_key

- name: Deploy Keys to Borg server
  ansible.builtin.lineinfile:
    path: '{{ borg_server_user_home }}/.ssh/authorized_keys'
    line: >
      restrict,command="borg serve
      {{ "--append-only" if borg_mode_append_only }}
      --restrict-to-repository {{ borg_repo_name }}"
      {{ ssh_key.public_key }} root@{{ inventory_hostname }}
    search_string: '{{ ssh_key.public_key }}'
    state: present
  become: true
  delegate_to: '{{ borg_server_host }}'

- name: Initialise Borg repository
  ansible.builtin.command: >
    borg init --encryption=repokey
    borg@{{ borg_server_host_url }}:{{ borg_server_user_home }}/{{ borg_repo_name }}
  environment:
    BORG_PASSPHRASE: '{{ borg_passphrase }}'
  become: true
  register: init_borg_output
  changed_when: init_borg_output.rc != 2
  failed_when:
    - init_borg_output.rc != 2
    - init_borg_output.rc != 0

- name: Make sure key file exists
  ansible.builtin.file:
    path: '{{ borg_decryption_keys_yaml_path }}'
    state: touch
    mode: '0600'
    access_time: preserve
    modification_time: preserve
  delegate_to: localhost
  become: false

- name: Read Vars file
  ansible.builtin.include_vars:
    file: '{{ borg_decryption_keys_yaml_path }}'
  register: local

- name: Add repository encryption keys to ansible repo
  when: not inventory_hostname in local.ansible_facts
  throttle: 1
  block:
    - name: If host new read encryption keys
      ansible.builtin.command: >
        borg key export --paper
        borg@{{ borg_server_host_url }}:{{ borg_server_user_home }}/{{ borg_repo_name }}
      become: true
      register: borg_keys
      changed_when: borg_keys.rc != 0

    - name: If host new add encryption keys to vars
      ansible.builtin.set_fact:
        decryption_keys: '{{ local.ansible_facts | combine({inventory_hostname: borg_keys.stdout}) }}'

- name: Update encryption vars
  ansible.builtin.copy:
    content: '{{ decryption_keys | to_nice_yaml(indent=2, width=2048) }}'
    dest: '{{ borg_decryption_keys_yaml_path }}'
    mode: '0600'
  when: decryption_keys is defined
  delegate_to: localhost
  become: false

- name: Create backup scripts
  ansible.builtin.include_tasks: client_create_scripts_each.yml
  loop:
    - '{{ borg_backup_script_location }}'
    - '{{ borg_backup_script_location }}{{ "@" if borg_backup_argument != "" }}{{ borg_backup_argument }}'
  loop_control:
    loop_var: script_location

- name: Configure systemd borg_backup service
  ansible.builtin.template:
    src: borg_backup.service.j2
    dest: /etc/systemd/system/{{ borg_backup_timer_name }}{{ "@" if borg_backup_argument != "" }}{{ borg_backup_argument }}.service
    mode: '0644'
    owner: root
    group: root
  notify: Reload systemd
  become: true

- name: Configure systemd borg_backup timer
  ansible.builtin.template:
    src: borg_backup.timer.j2
    dest: /etc/systemd/system/{{ borg_backup_timer_name }}{{ "@" if borg_backup_argument != "" }}{{ borg_backup_argument }}.timer
    mode: '0644'
    owner: root
    group: root
  notify: Reload systemd
  become: true

- name: Reload systemd now before enabling services
  ansible.builtin.meta: flush_handlers

- name: Enable borg_backup systemd timer
  ansible.builtin.systemd:
    name: '{{ borg_backup_timer_name }}{{ "@" if borg_backup_argument != "" }}{{ borg_backup_argument }}.timer'
    state: started
    enabled: true
  become: true