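---

# Backup client set-up: installs Duplicity/Duply, deploys the "main" Duply
# profile under /etc/duply/main (GnuPG keys, SSH identity, known_hosts,
# configuration, include/exclude patterns, pre-backup hook) and schedules a
# nightly backup via cron. Everything under /etc/duply is root-only because
# the profile holds private key material.

# See duply_main_conf.j2 for details on why this is required (at least
# on Debian 10 Buster). With newer versions of Debian it might be
# possible to switch to Paramiko backend.
- name: Install pexpect for pexpect+sftp Duplicity backend
  apt:
    name: "python-pexpect"
    state: present

- name: Install backup software
  apt:
    name:
      - duplicity
      - duply
    state: present

# File modes are quoted throughout so they reach the module as octal strings
# and are never subject to YAML integer parsing.
- name: Set-up Duply directories
  file:
    path: "{{ item }}"
    state: directory
    owner: root
    group: root
    mode: "0700"
  with_items:
    - "/etc/duply"
    - "/etc/duply/main"
    - "/etc/duply/main/patterns"
    - "/etc/duply/main/gnupg"
    - "/etc/duply/main/ssh"
    - "/var/cache/duply"
    - "/var/cache/duply/main"

# The content is private key material: no_log keeps it out of Ansible's task
# output and logs, matching the handling of the SSH private key below.
- name: Deploy GnuPG private keys
  copy:
    content: "{{ backup_encryption_key }}"
    dest: "/etc/duply/main/private_keys.asc"
    owner: root
    group: root
    mode: "0600"
  no_log: true
  notify:
    - Remove current keyring
    - Create keyring directory
    - Import private keys
    - Import public keys

# Public keys are not secret, so the task output is left visible. A change
# triggers the same handlers as a private key change.
- name: Deploy GnuPG public keys
  copy:
    content: "{{ backup_additional_encryption_keys | join('\n') }}"
    dest: "/etc/duply/main/public_keys.asc"
    owner: root
    group: root
    mode: "0600"
  notify:
    - Remove current keyring
    - Create keyring directory
    - Import private keys
    - Import public keys

# Read-only inspection of the deployed key file (hence changed_when: false).
# Only the first key ID found is used; an empty result fails the play rather
# than continuing with no encryption key ID registered.
- name: Extract encryption key identifier (Duplicty requires key ID in hexadecimal format)
  shell: "set -o pipefail && gpg --no-tty --list-packets /etc/duply/main/private_keys.asc | grep keyid: | head -n1 | sed -e 's/.*: //'"
  args:
    executable: /bin/bash
  register: backup_encryption_key_id
  changed_when: false
  failed_when: not backup_encryption_key_id.stdout

# Same extraction for the additional public keys, de-duplicated and joined
# into a comma-separated list. Skipped when no additional keys are configured.
- name: Extract additional encryption keys identifiers (Duplicty requires key ID in hexadecimal format)
  shell: "set -o pipefail && gpg --no-tty --list-packets /etc/duply/main/public_keys.asc | grep keyid: | sed -e 's/.*: //' | sort -u | tr '\n' ',' | sed -e 's/,$//'"
  args:
    executable: /bin/bash
  when: backup_additional_encryption_keys | length > 0
  register: backup_additional_encryption_keys_ids
  changed_when: false
  failed_when: not backup_additional_encryption_keys_ids.stdout

- name: Deploy private SSH key for logging-in into backup server
  copy:
    content: "{{ backup_ssh_key }}"
    dest: "/etc/duply/main/ssh/identity"
    owner: root
    group: root
    mode: "0600"
  no_log: true

# Dedicated known_hosts file for the backup profile, kept next to the SSH
# identity it is deployed with.
- name: Deploy custom known_hosts for backup purposes
  template:
    src: "known_hosts.j2"
    dest: "/etc/duply/main/ssh/known_hosts"
    owner: root
    group: root
    mode: "0600"

# NOTE(review): the rendered configuration is not marked no_log; confirm that
# duply_main_conf.j2 does not embed secrets (passphrases, credentials in the
# target URL) that would then show up in diff output.
- name: Deploy Duply configuration file
  template:
    src: "duply_main_conf.j2"
    dest: "/etc/duply/main/conf"
    owner: root
    group: root
    mode: "0600"

# Nothing is backed up unless it is explicitly listed in the include file.
- name: Deploy base exclude pattern (exclude all by default)
  copy:
    content: "- **"
    dest: "/etc/duply/main/exclude"
    owner: root
    group: root
    mode: "0600"

- name: Set-up directory for storing pre-backup scripts
  file:
    path: "/etc/duply/main/pre.d/"
    state: directory
    owner: root
    group: root
    mode: "0700"

# The pre hook and the pre.d directory are writable by root only; the backup
# job itself runs as root from cron.
- name: Set-up script for running all pre-backup scripts
  copy:
    src: "duply_pre"
    dest: "/etc/duply/main/pre"
    owner: root
    group: root
    mode: "0700"

# Runs daily at 02:00 as root.
- name: Deploy crontab entry for running backups
  cron:
    name: backup
    cron_file: backup
    hour: "2"
    minute: "0"
    job: "/usr/bin/duply main backup"
    state: present
    user: root

# force: false creates an empty file on first run and leaves an existing
# include file untouched on later runs.
- name: Ensure the file with include patterns exists (but do not overwrite)
  copy:
    content: ""
    dest: /etc/duply/main/include
    force: false
    owner: root
    group: root
    mode: "0600"

# NOTE(review): the bare "include" action is deprecated in newer Ansible
# releases; confirm the targeted Ansible version before upgrading.
- name: Explicitly run all handlers
  include: ../handlers/main.yml
  when: "run_handlers | default(False) | bool()"
  tags:
    - handlers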