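---
# Task list: pin and install borgmatic, render its config, create a dedicated
# SSH key, register that key on the backup server with a forced `borg serve`
# command, initialise the repository, and enable the systemd timer.
#
# NOTE(review): only "Add borgmatic configuration file" and "Add public key to
# remote" set `become: true`, while the apt, file, openssh_keypair and systemd
# tasks also need root; presumably the play escalates at play level — confirm.

- name: Pin borgmatic
  template:
    src: "{{ item.src }}"
    dest: "{{ item.dest }}"
    owner: root
    group: root
    mode: "u=rw,g=r,o="
  loop:
    - src: apt/list.j2
      dest: /etc/apt/sources.list.d/bullseye.list
    - src: apt/preferences.j2
      dest: /etc/apt/preferences.d/borgmatic-bullseye
  # only older Debian releases get the bullseye backport pin
  when:
    - "ansible_distribution == 'Debian'"
    - "ansible_distribution_major_version in ('stretch', 'buster', '9', '10')"

- name: Install borgmatic
  apt:
    name: borgmatic
    update_cache: true
  register: apt_result
  # retry transient mirror/lock failures (default delay between attempts)
  retries: 3
  until: apt_result is succeeded

- name: Create configuration directory for borgmatic
  file:
    path: /etc/borgmatic
    state: directory
    owner: root
    group: root
    mode: "u=rwx,g=rx,o="

- name: Add borgmatic configuration file
  become: true
  template:
    src: config.yaml.j2
    dest: /etc/borgmatic/config.yaml
    owner: root
    group: root
    mode: "u=rw,g=r,o="  # rendered config is unreadable to other users
  vars:
    borg_host_dir: "/borg/{{ inventory_hostname }}"

- name: Create SSH key
  openssh_keypair:
    path: /etc/borgmatic/id_remote
    type: ed25519
    # full_idempotence regenerates the key whenever any option differs; the new
    # public key is re-registered on the server below, and because that task
    # uses exclusive: false any previously registered key is left in place
    regenerate: full_idempotence
    owner: root
    group: root
    mode: "u=rw,g=,o="
  register: ssh_key

# The host keys are collected on the backup server itself (delegate_to) and
# carried back over the already-authenticated Ansible connection, rather than
# scanned from the client on first contact.
- name: Gather SSH host keys
  delegate_to: "{{ borg_server_host }}"
  command: "ssh-keyscan {{ borg_server_host }}"
  register: keys
  changed_when: false  # read-only query; do not report a change on every run

- name: Add server key to known hosts
  known_hosts:
    hash_host: true
    host: "{{ borg_server_host }}"
    key: "{{ item }}"
  loop: "{{ keys.stdout_lines }}"

- name: Add public key to remote
  delegate_to: "{{ borg_server_host }}"
  become: true
  authorized_key:
    exclusive: false
    user: "{{ borg_server_user }}"
    key: "{{ ssh_key.public_key }}"
    # the forced command confines this key to serving the host's own repo path;
    # the no-* options deny forwarding, PTY allocation and ~/.ssh/rc
    key_options: "{{ options | join(',') }}"
  vars:
    borg_host_dir: "/borg/{{ inventory_hostname }}"
    options:
      - 'command="borg serve --restrict-to-path {{ borg_host_dir }}"'
      - no-agent-forwarding
      - no-port-forwarding
      - no-pty
      - no-user-rc
      - no-X11-forwarding

# repokey stores the encryption key inside the repository; no changed_when or
# creates guard is set, so this task reports "changed" on every run
- name: Init repository
  command: borgmatic init --encryption repokey

- name: Install timer and service for borgmatic
  template:
    src: "{{ item }}.j2"
    dest: "/etc/systemd/system/{{ item }}"
    owner: root
    group: root
    mode: "u=rw,g=r,o="
  loop:
    - borgmatic.timer
    - borgmatic.service
  notify:
    - Run systemd daemon-reload

# name spelled to match the notify target above (was "deamon"); runs
# unconditionally here so the units are loaded before the timer is started
- name: Run systemd daemon-reload
  systemd:
    daemon_reload: true

- name: Start and enable borgmatic timer
  systemd:
    name: borgmatic.timer
    state: started
    enabled: true
...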