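---
# Test fixture: provisions a throwaway "backup-server" whose backup users are
# confined to their home directories over SFTP. Everything under tests/data/ssh
# (host keys and client public keys) is test material committed to the
# repository -- never point this playbook, or those keys, at a real host.
- name: Prepare
  hosts: all
  gather_facts: false
  tasks:
    - name: Install python for Ansible
      # Bootstrap only: the target image may lack the interpreter that every
      # other Ansible module needs, so this is the one task that stays `raw`.
      raw: test -e /usr/bin/python3 || (apt -y update && apt install -y python3-minimal)
      become: true
      changed_when: false

- hosts: all
  become: true
  tasks:
    - name: Update all caches to avoid errors due to missing remote archives
      apt:
        update_cache: true
      changed_when: false

- hosts: backup-server
  become: true
  tasks:
    - name: Deploy SSH server keys
      # lookup('file') strips the trailing newline; OpenSSH private key files
      # need one, hence the explicit '\n'.
      # NOTE(review): with real key material, load the keys from a vault and
      # set `no_log: true` so the private key never lands in task output/diffs.
      copy:
        content: "{{ lookup('file', item.key) + '\n' }}"
        dest: "{{ item.value }}"
        owner: root
        group: root
        mode: "0600"
      with_dict:
        tests/data/ssh/server_rsa: /etc/ssh/ssh_host_rsa_key
        tests/data/ssh/server_ed25519: /etc/ssh/ssh_host_ed25519_key
        tests/data/ssh/server_ecdsa: /etc/ssh/ssh_host_ecdsa_key
      notify:
        - Restart ssh

    - name: Drop the outdated public keys
      # The image's generated .pub files no longer match the private keys
      # deployed above; without them sshd derives the public half itself.
      file:
        path: "{{ item }}"
        state: absent
      with_items:
        - /etc/ssh/ssh_host_rsa_key.pub
        - /etc/ssh/ssh_host_ed25519_key.pub
        - /etc/ssh/ssh_host_ecdsa_key.pub

    - name: Force the use of internal-sftp subsystem for SFTP
      # Required for ChrootDirectory: the external sftp-server binary is not
      # present inside the chroot, the in-process subsystem needs nothing there.
      lineinfile:
        path: /etc/ssh/sshd_config
        regexp: "^Subsystem.*sftp"
        line: "Subsystem sftp internal-sftp"
        state: present

    - name: Deploy custom SSH server configuration that chroots users
      copy:
        src: "tests/data/backup_server-sshd-chroot_backup_users.conf"
        dest: "/etc/ssh/sshd_config.d/chroot_backup_users.conf"
        owner: root
        group: root
        mode: "0600"
      notify:
        - Restart ssh

    - name: Set-up backup group that will contain all backup users
      group:
        name: "backup-users"

    - name: Set-up backup user groups
      group:
        name: "{{ item.name }}"
      with_items: "{{ backup_users }}"

    - name: Set-up backup users
      # No password is set, so the accounts are key-only (locked for password
      # login); shell access is otherwise governed by the deployed sshd config.
      user:
        name: "{{ item.name }}"
        group: "{{ item.name }}"
        groups:
          - "backup-users"
      with_items: "{{ backup_users }}"

    - name: Set-up authorised keys
      authorized_key:
        user: "{{ item.name }}"
        key: "{{ item.key }}"
      with_items: "{{ backup_users }}"

    - name: Set-up port forwarding
      # Redirect the alternate ports to sshd on 22. The iptables module checks
      # whether the rule already exists before adding it, so re-running the
      # playbook does not stack duplicate PREROUTING rules the way an
      # unconditional `iptables -A` (with the change hidden by changed_when)
      # would.
      iptables:
        table: nat
        chain: PREROUTING
        protocol: tcp
        destination_port: "{{ item }}"
        jump: REDIRECT
        to_ports: "22"
        state: present
      with_items:
        - 2222
        - 3333

    - name: Change ownership of home directories for SFTP chroot to work
      # sshd refuses a ChrootDirectory that is not root-owned or is writable by
      # group/others, so the home itself must be root:root and at most 0755.
      file:
        path: "/home/{{ item.name }}"
        state: directory
        owner: root
        group: root
        mode: "0755"
      with_items: "{{ backup_users }}"

    - name: Set-up duplicity backup directories
      # root:backup-users with 0770 makes every backup user able to read and
      # write every other user's duplicity directory (the homes above are 0755,
      # so they are traversable). Isolation between backup accounts therefore
      # rests entirely on the chroot rules deployed from
      # chroot_backup_users.conf (not visible here).
      # NOTE(review): if any backup account ever gets non-SFTP access, switch to
      # per-user ownership (owner/group "{{ item.name }}", mode "0700").
      file:
        path: "~{{ item.name }}/duplicity"
        state: directory
        owner: root
        group: backup-users
        mode: "0770"
      with_items: "{{ backup_users }}"

  handlers:
    - name: Restart ssh
      service:
        name: ssh
        state: restarted

  vars:
    # Test accounts; the two "mandatory" users share one client key on purpose.
    backup_users:
      - name: bak-param-mandatory-bullseye
        key: "{{ lookup('file', 'tests/data/ssh/parameters-mandatory.pub') }}"
      - name: bak-param-mandatory-bookworm
        key: "{{ lookup('file', 'tests/data/ssh/parameters-mandatory.pub') }}"
      - name: backupuser
        key: "{{ lookup('file', 'tests/data/ssh/parameters-optional.pub') }}"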