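---
# Backup client set-up: installs Duplicity/Duply, deploys the GnuPG and SSH
# key material used for encrypted off-site backups, and schedules a nightly
# run. Everything under /etc/duply is owned by root and unreadable by others,
# because the directory tree holds private keys.

- name: Install pexpect for pexpect+sftp Duplicity backend (mainly needed on Stretch)
  apt:
    name: "python-pexpect"
    state: present

- name: Install backup software
  apt:
    name:
      - duplicity
      - duply
    state: present

# Modes are quoted so they reach the module as octal strings regardless of
# how the YAML loader types a bare 0700.
- name: Set-up Duply directories
  file:
    path: "{{ item }}"
    state: directory
    owner: root
    group: root
    mode: "0700"
  with_items:
    - "/etc/duply"
    - "/etc/duply/main"
    - "/etc/duply/main/patterns"
    - "/etc/duply/main/gnupg"
    - "/etc/duply/main/ssh"
    - "/var/cache/duply"
    - "/var/cache/duply/main"

# The task result (and any diff output) would otherwise carry the private key
# text into the controller's logs; no_log matches the handling of the SSH
# identity further down.
- name: Deploy GnuPG private keys
  copy:
    content: "{{ backup_encryption_key }}"
    dest: "/etc/duply/main/private_keys.asc"
    owner: root
    group: root
    mode: "0600"
  no_log: true
  notify:
    - Clean-up GnuPG keyring for import of new keys
    - Import private keys
    - Import public keys

- name: Deploy GnuPG public keys
  copy:
    content: "{{ backup_additional_encryption_keys | join('\n') }}"
    dest: "/etc/duply/main/public_keys.asc"
    owner: root
    group: root
    mode: "0600"
  notify:
    - Clean-up GnuPG keyring for import of new keys
    - Import private keys
    - Import public keys

# Read-only lookup: takes the first "keyid:" line from the packet listing and
# strips gnupg_key_cutoff leading characters from it. The task fails when the
# pipeline produces no output, i.e. when no key ID could be extracted.
- name: Extract encryption key identifier (Duplicty requires key ID in hexadecimal format)
  shell: "set -o pipefail && {{ gnupg_binary }} --no-tty --list-packets /etc/duply/main/private_keys.asc | grep keyid: | head -n1 | sed -e 's/.*: //' | sed -re 's/^.{{ '{' + gnupg_key_cutoff + '}' }}//'"
  args:
    executable: /bin/bash
  register: backup_encryption_key_id
  changed_when: false
  failed_when: not backup_encryption_key_id.stdout

# Same extraction for the additional public keys: all distinct key IDs are
# collected and joined into one comma-separated string.
- name: Extract additional encryption keys identifiers (Duplicty requires key ID in hexadecimal format)
  shell: "set -o pipefail && {{ gnupg_binary }} --no-tty --list-packets /etc/duply/main/public_keys.asc | grep keyid: | sed -e 's/.*: //' | sort -u | sed -re 's/^.{{ '{' + gnupg_key_cutoff + '}' }}//' | tr '\n' ',' | sed -e 's/,$//'"
  args:
    executable: /bin/bash
  when: backup_additional_encryption_keys
  register: backup_additional_encryption_keys_ids
  changed_when: false
  failed_when: not backup_additional_encryption_keys_ids.stdout

- name: Deploy private SSH key for logging-in into backup server
  copy:
    content: "{{ backup_ssh_key }}"
    dest: "/etc/duply/main/ssh/identity"
    owner: root
    group: root
    mode: "0600"
  no_log: true

# NOTE(review): presumably pins the backup server's host keys so the SFTP
# session does not rely on first-use trust; confirm against known_hosts.j2.
- name: Deploy custom known_hosts for backup purposes
  template:
    src: "known_hosts.j2"
    dest: "/etc/duply/main/ssh/known_hosts"
    owner: root
    group: root
    mode: "0600"

- name: Deploy Duply configuration file
  template:
    src: "duply_main_conf.j2"
    dest: "/etc/duply/main/conf"
    owner: root
    group: root
    mode: "0600"

- name: Deploy base exclude pattern (exclude all by default)
  copy:
    content: "- **"
    dest: "/etc/duply/main/exclude"
    owner: root
    group: root
    mode: "0600"

# pre.d and the pre script are root-only: anything placed there is executed
# as root by the backup job.
- name: Set-up directory for storing pre-backup scripts
  file:
    path: "/etc/duply/main/pre.d/"
    state: directory
    owner: root
    group: root
    mode: "0700"

- name: Set-up script for running all pre-backup scripts
  copy:
    src: "duply_pre"
    dest: "/etc/duply/main/pre"
    owner: root
    group: root
    mode: "0700"

- name: Deploy crontab entry for running backups
  cron:
    name: backup
    cron_file: backup
    hour: 2
    minute: 0
    job: "/usr/bin/duply main backup"
    state: present
    user: root

# force: false creates the file only when it is missing, so include patterns
# already present on the host are left untouched.
- name: Ensure the file with include patterns exists (but do not overwrite)
  copy:
    content: ""
    dest: /etc/duply/main/include
    force: false
    group: root
    owner: root
    mode: "0600"

# NOTE(review): bare `include` is deprecated in newer Ansible releases. The
# replacements (import_tasks / include_tasks) propagate `tags` and `when`
# differently, so verify handler behaviour before migrating.
- name: Explicitly run all handlers
  include: ../handlers/main.yml
  when: "run_handlers | default(False) | bool()"
  tags:
    - handlers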