Location: majic-ansible-roles/roles/backup_server/tasks/main.yml - annotation

branko
MAR-128: Upgraded tests for bootstrap role:

- Switch to new Molecule configuration.
- Updated set-up playbook to use become: yes.
- Moved some preparatory steps outside of the main playbook (eases idempotence tests).
- Updated tests to reference the yml inventory file.
- Updated tests to use new fixture (host instead of individual ones).
- Fixed some linting issues.
---

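# Install the backup tooling: duplicity plus the duply front-end.
- name: Install backup software
  apt:
    name: "{{ item }}"
    # "present" is the canonical spelling; "installed" is only a legacy alias.
    state: present
  with_items:
    - duplicity
    - duply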

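# Top-level backup store. It is root-owned, so the per-client accounts fall
# under "others" here: the trailing "1" in "0751" lets them traverse into
# their own subdirectory without being able to list the siblings.
- name: Create directory for storing backups
  file:
    path: "/srv/backups"
    state: directory
    owner: root
    group: root
    # Quoted so the YAML parser cannot reinterpret the octal literal.
    mode: "0751"
  tags:
    # [ANSIBLE0009] Octal file permissions must contain leading zero
    #   Misleading message, linting is complaining here actually because of the
    #   executable bit without read/write for others (e.g. the "1" in "0751").
    - skip_ansible_lint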

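# One dedicated system account per backup client, named after the client host
# (dots replaced with underscores, "bak-" prefixed). The group is created first
# so the user's primary group exists; both reuse item.uid when it is provided.
- name: Create backup client groups
  group:
    name: "{{ item.server | replace('.', '_') | regex_replace('^', 'bak-') }}"
    gid: "{{ item.uid | default(omit) }}"
    system: true
  with_items: "{{ backup_clients }}"

- name: Create backup client users
  user:
    name: "{{ item.server | replace('.', '_') | regex_replace('^', 'bak-') }}"
    group: "{{ item.server | replace('.', '_') | regex_replace('^', 'bak-') }}"
    # Membership in "backup" is what the "DenyGroups backup" line in the
    # regular sshd_config (see the "Deny the backup group login via regular
    # SSH" task) matches on.
    groups: "backup"
    uid: "{{ item.uid | default(omit) }}"
    system: true
    # The home directory is created root-owned by a later task, so the account
    # never owns its own top-level directory.
    createhome: false
    state: present
    home: "/srv/backups/{{ item.server }}"
  with_items: "{{ backup_clients }}"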

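# Per-client layout under /srv/backups/<server> (client = bak-<server>):
#   <server>/            root:client  0750  client may read, does not own it
#   <server>/duplicity/  client       0770  the only directory created here
#                                           that the client account can write
#   <server>/.ssh/       root:root    0751  client cannot alter what is in it
# Octal modes are quoted so the YAML parser cannot turn them into integers.
- name: Create home directories for backup client users
  file:
    path: "/srv/backups/{{ item.server }}"
    state: directory
    owner: root
    group: "{{ item.server | replace('.', '_') | regex_replace('^', 'bak-') }}"
    mode: "0750"
  with_items: "{{ backup_clients }}"

- name: Create duplicity directories for backup client users
  file:
    path: "/srv/backups/{{ item.server }}/duplicity"
    state: directory
    owner: "{{ item.server | replace('.', '_') | regex_replace('^', 'bak-') }}"
    group: "{{ item.server | replace('.', '_') | regex_replace('^', 'bak-') }}"
    mode: "0770"
  with_items: "{{ backup_clients }}"

- name: Create SSH directory for backup client users
  file:
    path: "/srv/backups/{{ item.server }}/.ssh"
    state: directory
    owner: root
    group: root
    mode: "0751"
  with_items: "{{ backup_clients }}"
  tags:
    # [ANSIBLE0009] Octal file permissions must contain leading zero
    #   Misleading message, linting is complaining here actually because of the
    #   executable bit without read/write for others (e.g. the "1" in "0751").
    - skip_ansible_lint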

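# The authorized_keys file lives in a root-owned .ssh directory and is itself
# root:bak-<server> 0640, so the client account can read but never modify the
# set of keys that grants it access.
- name: Populate authorized keys for backup client users
  authorized_key:
    user: "{{ item.server | replace('.', '_') | regex_replace('^', 'bak-') }}"
    key: "{{ item.public_key }}"
    # The .ssh directory is created root-owned by an earlier task; do not let
    # the module recreate it with user ownership.
    manage_dir: false
    # NOTE(review): state: present only adds keys. A rotated item.public_key
    # leaves the previous key authorized unless exclusive: true is set; confirm
    # the intended rotation behaviour before changing this.
    state: present
  with_items: "{{ backup_clients }}"

- name: Set-up authorized_keys file permissions for backup client users
  file:
    path: "/srv/backups/{{ item.server }}/.ssh/authorized_keys"
    state: file
    owner: root
    group: "{{ item.server | replace('.', '_') | regex_replace('^', 'bak-') }}"
    # Quoted so the YAML parser cannot reinterpret the octal literal.
    mode: "0640"
  with_items: "{{ backup_clients }}"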

# Accounts in the "backup" group (every client account created above) are
# refused by the regular sshd; presumably only the dedicated backup sshd
# instance set up below is meant to serve them.
# NOTE(review): consider adding `validate: "/usr/sbin/sshd -t -f %s"` so a
# malformed edit is rejected before the "Restart SSH" handler runs.
- name: Deny the backup group login via regular SSH
  lineinfile:
    line: DenyGroups backup
    dest: /etc/ssh/sshd_config
    state: present
  notify:
    - Restart SSH

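# Second, independent OpenSSH instance dedicated to backup traffic. Its
# configuration directory holds the instance's host private keys, hence
# root-only access. Octal modes are quoted throughout so the YAML parser cannot
# turn them into integers.
- name: Set-up directory for the backup OpenSSH server instance
  file:
    path: "/etc/ssh-backup/"
    state: directory
    owner: root
    group: root
    mode: "0700"

# Renamed from the generic "Deploy configuration file ..." so the task no
# longer shares its name with the sshd_config deployment below.
- name: Deploy service defaults file for the backup OpenSSH server instance
  copy:
    src: "ssh-backup.default"
    dest: "/etc/default/ssh-backup"
    owner: root
    group: root
    mode: "0644"
  notify:
    - Restart backup SSH server

- name: Deploy configuration file for the backup OpenSSH server instance
  copy:
    src: "backup-sshd_config"
    dest: "/etc/ssh-backup/sshd_config"
    owner: root
    group: root
    mode: "0600"
  notify:
    - Restart backup SSH server

# NOTE(review): each dict key becomes part of the destination file name
# (ssh_host_<key>_key); assumes keys are key-type names such as rsa or
# ed25519 — confirm against the inventory that defines
# backup_host_ssh_private_keys.
- name: Deploy the private keys for backup OpenSSH server instance
  template:
    src: "ssh_host_key.j2"
    dest: "/etc/ssh-backup/ssh_host_{{ item.key }}_key"
    owner: root
    group: root
    mode: "0600"
  with_dict: "{{ backup_host_ssh_private_keys }}"
  notify:
    - Restart backup SSH server
  # Keeps the private key material out of task output and logs.
  no_log: true

- name: Deploy backup OpenSSH server systemd service file
  copy:
    src: "ssh-backup.service"
    dest: "/etc/systemd/system/ssh-backup.service"
    owner: root
    group: root
    mode: "0644"
  notify:
    - Reload systemd
    - Restart backup SSH server

- name: Start and enable OpenSSH backup service
  service:
    name: "ssh-backup"
    state: started
    enabled: true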

# ferm fragment for the backup server; rendered from a template so it can pick
# up role variables, readable by root only (plus group).
- name: Deploy firewall configuration for backup server
  template:
    dest: /etc/ferm/conf.d/40-backup.conf
    src: ferm_backup.conf.j2
    mode: 0640
    owner: root
    group: root
  notify:
    - Restart ferm

# Opt-in: pulling the handlers file in directly forces every handler to run,
# regardless of whether a task notified it. Enabled by passing handlers=true.
- name: Explicitly run all handlers
  include: ../handlers/main.yml
  when: handlers | default(false) | bool
  tags:
    - handlers