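---
# Backup server role tasks.
#
# Sets up, in order:
#   * one system account per backup client under /srv/backups/<server>/, whose
#     SSH access is keyed by a root-owned authorized_keys file the client
#     cannot edit;
#   * a "DenyGroups backup" rule so those accounts cannot log in through the
#     regular sshd;
#   * a second OpenSSH instance (config and host keys in /etc/ssh-backup/)
#     that the backup accounts use instead;
#   * the ferm firewall fragment for that instance.
#
# Role variables read here:
#   backup_clients               - list of {server, public_key, [uid],
#                                  [key_options]} mappings
#   backup_host_ssh_private_keys - dict: key type -> private key material
#   handlers                     - optional bool; when true, also run all
#                                  handlers explicitly at the end
#
# Handlers notified (defined in ../handlers/main.yml, not shown here):
#   Restart SSH, Restart backup SSH server, Reload systemd, Restart ferm.

- name: Install backup software
  apt:
    name:
      - duplicity
      - duply
    # "installed" is a deprecated alias of "present".
    state: present

- name: Create directory for storing backups
  file:
    path: /srv/backups
    state: directory
    owner: root
    group: root
    # 0751: any user may traverse, only root may list. Each client home
    # below is 0750 root:<client group>, so clients cannot enter each
    # other's trees.
    mode: "0751"

- name: Validate backup client names
  # item.server is used both as a Unix account name (prefixed "bak-") and
  # as a path component under /srv/backups/, so refuse anything that is
  # not a plain hostname and keep the account name within the 32-character
  # Linux limit ("bak-" + 28).
  assert:
    that:
      - item.server is match('^[A-Za-z0-9][A-Za-z0-9._-]*$')
      - (item.server | length) <= 28
    msg: "backup client name '{{ item.server }}' is not usable as an account name / path"
  with_items: "{{ backup_clients }}"

- name: Create backup client groups
  group:
    name: "{{ backup_account }}"
    # Same numeric id for group and user when the client pins one.
    gid: "{{ item.uid | default(omit) }}"
    system: true
  with_items: "{{ backup_clients }}"
  vars:
    backup_account: "bak-{{ item.server | replace('.', '_') }}"

- name: Create backup client users
  user:
    name: "{{ backup_account }}"
    group: "{{ backup_account }}"
    # Membership of "backup" is what the DenyGroups rule below keys on.
    groups: backup
    uid: "{{ item.uid | default(omit) }}"
    system: true
    # The home is created by the next task with root ownership on purpose.
    createhome: false
    state: present
    home: "/srv/backups/{{ item.server }}"
  with_items: "{{ backup_clients }}"
  vars:
    backup_account: "bak-{{ item.server | replace('.', '_') }}"

- name: Create home directories for backup client users
  # Root-owned, group-readable only: the client can read its home but
  # cannot create files in it (its writable area is the duplicity subdir).
  file:
    path: "/srv/backups/{{ item.server }}"
    state: directory
    owner: root
    group: "{{ backup_account }}"
    mode: "0750"
  with_items: "{{ backup_clients }}"
  vars:
    backup_account: "bak-{{ item.server | replace('.', '_') }}"

- name: Create duplicity directories for backup client users
  # The only directory the client account may write to.
  file:
    path: "/srv/backups/{{ item.server }}/duplicity"
    state: directory
    owner: "{{ backup_account }}"
    group: "{{ backup_account }}"
    mode: "0770"
  with_items: "{{ backup_clients }}"
  vars:
    backup_account: "bak-{{ item.server | replace('.', '_') }}"

- name: Create SSH directory for backup client users
  # Root-owned so the client cannot replace its own authorized_keys.
  # sshd StrictModes accepts ~/.ssh owned by root or the user, as long as
  # it is not group/world writable.
  file:
    path: "/srv/backups/{{ item.server }}/.ssh"
    state: directory
    owner: root
    group: root
    mode: "0751"
  with_items: "{{ backup_clients }}"

- name: Populate authorized keys for backup client users
  # Per-key restrictions (e.g. no-pty, no-port-forwarding, command=...) can
  # be supplied through item.key_options. Whether the backup sshd instance
  # additionally forces a command or chroot is decided by backup-sshd_config,
  # which is not visible in this file - confirm there.
  authorized_key:
    user: "{{ backup_account }}"
    key: "{{ item.public_key }}"
    key_options: "{{ item.key_options | default(omit) }}"
    manage_dir: false
    state: present
  with_items: "{{ backup_clients }}"
  vars:
    backup_account: "bak-{{ item.server | replace('.', '_') }}"

- name: Set-up authorized_keys file permissions for backup client users
  # authorized_key writes the file with user ownership; hand it back to root
  # so the client can read but never modify its own key list.
  file:
    path: "/srv/backups/{{ item.server }}/.ssh/authorized_keys"
    state: file
    owner: root
    group: "{{ backup_account }}"
    mode: "0640"
  with_items: "{{ backup_clients }}"
  vars:
    backup_account: "bak-{{ item.server | replace('.', '_') }}"

- name: Deny the backup group login via regular SSH
  # Insert at the top of the file rather than appending: a line appended
  # after a "Match" block would only apply inside that block. The config is
  # syntax-checked before being put in place so a bad edit cannot lock out
  # the regular sshd.
  lineinfile:
    dest: /etc/ssh/sshd_config
    state: present
    line: "DenyGroups backup"
    insertbefore: BOF
    validate: "/usr/sbin/sshd -t -f %s"
  notify:
    - Restart SSH

- name: Set-up directory for the backup OpenSSH server instance
  file:
    path: /etc/ssh-backup/
    state: directory
    owner: root
    group: root
    mode: "0700"

- name: Deploy configuration file for the backup OpenSSH server instance service
  copy:
    src: ssh-backup.default
    dest: /etc/default/ssh-backup
    owner: root
    group: root
    mode: "0644"
  notify:
    - Restart backup SSH server

- name: Deploy configuration file for the backup OpenSSH server instance
  copy:
    src: backup-sshd_config
    dest: /etc/ssh-backup/sshd_config
    owner: root
    group: root
    mode: "0600"
  notify:
    - Restart backup SSH server

- name: Deploy the private keys for backup OpenSSH server instance
  # Separate host keys from the regular sshd; sshd derives the public half
  # from the private file, so no .pub is needed. no_log keeps the key
  # material out of the play output.
  copy:
    content: "{{ item.value }}"
    dest: "/etc/ssh-backup/ssh_host_{{ item.key }}_key"
    owner: root
    group: root
    mode: "0600"
  with_dict: "{{ backup_host_ssh_private_keys }}"
  no_log: true
  notify:
    - Restart backup SSH server

- name: Deploy backup OpenSSH server systemd service file
  copy:
    src: ssh-backup.service
    dest: /etc/systemd/system/ssh-backup.service
    owner: root
    group: root
    mode: "0644"
  notify:
    - Reload systemd
    - Restart backup SSH server

- name: Apply pending systemd reload and restarts before starting the service
  # Handlers normally run at the end of the play; run them now so the unit
  # file and sshd config deployed above are picked up before the service is
  # started and enabled.
  meta: flush_handlers

- name: Start and enable OpenSSH backup service
  service:
    name: ssh-backup
    state: started
    enabled: true

- name: Deploy firewall configuration for backup server
  template:
    src: ferm_backup.conf.j2
    dest: /etc/ferm/conf.d/40-backup.conf
    owner: root
    group: root
    mode: "0640"
  notify:
    - Restart ferm

- name: Explicitly run all handlers
  include: ../handlers/main.yml
  when: handlers | default(false) | bool
  tags:
    - handlers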