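---
# Tasks for deploying borgmatic: package install, SSH key and host-key pinning,
# configuration, repository initialisation and the systemd timer.
# Expected variables (defined elsewhere in the role): borg__backports_needed,
# borg__targets (each with `name` and `hostkeys`), borg__backup_dirs,
# borg__exclude_patterns, borg__passphrase, borg__keep_*, borg__postgresql,
# borg__mysql, and the custom filter borg__to_repo.

# Local facts are needed early: ansible_local.borgmatic_deployed_keys decides
# whether the operator still has to deploy the public key somewhere.
- name: Gather ansible_local facts
  ansible.builtin.setup:
    gather_subset: local

- name: Install backports repository
  ansible.builtin.include_role:
    name: backports
  when: "ansible_distribution_release in borg__backports_needed"

# `omit` drops default_release on releases that do not need backports, so this
# single task covers both cases (the previous second "Install borgmatic" task
# was a redundant duplicate).
- name: Install borgmatic
  ansible.builtin.apt:
    name: borgmatic
    default_release: "{{ (release in borg__backports_needed) | ternary(release + '-backports', omit) }}"
  vars:
    release: "{{ ansible_distribution_release }}"

# Holds the config (with the passphrase) and the private key: root-only.
- name: Create configuration directory for borgmatic
  ansible.builtin.file:
    path: /etc/borgmatic
    state: directory
    owner: root
    group: root
    mode: u=rwx,g=rx,o=

# Private key used by borgmatic to reach the targets; full_idempotence also
# regenerates the key when its type/parameters no longer match.
- name: Create SSH key
  community.crypto.openssh_keypair:
    path: "/etc/borgmatic/remote"
    type: ed25519
    regenerate: full_idempotence
    owner: root
    group: root
    mode: u=rw,g=,o=
  register: ssh_key

# Pin each target's host keys from the inventory so the non-interactive SSH
# runs below never have to trust a first-seen key.
- name: Add server key to known hosts
  ansible.builtin.known_hosts:
    hash_host: true
    host: "{{ item.0.name }}"
    key: "{{ item.0.name }} {{ item.1 }}"
  loop: "{{ borg__targets | subelements('hostkeys') }}"

# Interactive step: only runs when a target is not yet recorded in the
# borgmatic_deployed_keys local fact written further down.
- name: Wait for key deployment
  block:
    - name: Show the generated public key
      ansible.builtin.debug:
        msg: "{{ ssh_key.public_key }}"
    - name: Please deploy the public key on every target
      ansible.builtin.pause: null
  when: "borg__targets | map(attribute='name') | difference(ansible_local.borgmatic_deployed_keys | default([])) | count > 0"

# The rendered config embeds borg__passphrase; no_log keeps it out of task
# output and --diff. Set it to false temporarily when debugging the template.
- name: Add borgmatic configuration file
  ansible.builtin.template:
    src: config.yaml.j2
    dest: /etc/borgmatic/config.yaml
    owner: root
    group: root
    mode: u=rw,g=r,o=
  no_log: true
  vars:
    borg__config:
      location:
        source_directories: "{{ borg__backup_dirs }}"
        exclude_patterns: "{{ borg__exclude_patterns }}"
        repositories: "{{ borg__targets | map('borg__to_repo') }}"
        # TODO: /tmp is world-writable; the database hooks below presumably
        # write their dumps under this directory as root, so a root-owned
        # path (e.g. under /var/lib) would be safer — confirm before changing.
        borgmatic_source_directory: /tmp/borgmatic
      storage:
        encryption_passphrase: "{{ borg__passphrase }}"
        # Host keys are pinned by the known_hosts task above.
        ssh_command: "ssh -i /etc/borgmatic/remote"
      retention:
        keep_hourly: "{{ borg__keep_hourly }}"
        keep_daily: "{{ borg__keep_daily }}"
        keep_weekly: "{{ borg__keep_weekly }}"
        keep_monthly: "{{ borg__keep_monthly }}"
      consistency:
        checks:
          - repository
          - archives
      hooks:
        postgresql_databases: "{{ borg__postgresql }}"
        mysql_databases: "{{ borg__mysql }}"

# repokey keeps the (passphrase-protected) repository key inside the remote
# repository, so borg__passphrase is the only secret guarding the backups.
# Not idempotent as written: ansible.builtin.command reports `changed` on
# every run — TODO register the result and add a changed_when.
- name: Init repository
  ansible.builtin.command: borgmatic init --encryption repokey

- name: Create Ansible facts.d directory
  ansible.builtin.file:
    path: /etc/ansible/facts.d
    state: directory
    owner: root
    group: root
    mode: u=rwx,g=rx,o=

# Records which targets the operator has already been asked to deploy the key
# to; read back as ansible_local.borgmatic_deployed_keys on the next run.
# to_json makes the file format explicit instead of relying on the copy
# action's handling of non-string content.
- name: Check deployed keys fact
  ansible.builtin.copy:
    dest: /etc/ansible/facts.d/borgmatic_deployed_keys.fact
    owner: root
    group: root
    content: "{{ borg__targets | map(attribute='name') | to_json }}"
    mode: u=rw,g=r,o=

- name: Create override directory
  ansible.builtin.file:
    path: /etc/systemd/system/borgmatic.timer.d
    state: directory
    owner: root
    group: root
    mode: u=rwx,g=rx,o=rx

- name: Override borgmatic.timer
  ansible.builtin.template:
    src: override.conf.j2
    dest: /etc/systemd/system/borgmatic.timer.d/override.conf
    owner: root
    group: root
    mode: u=rw,g=r,o=r
  notify:
    - Run daemon-reload

# daemon_reload here covers the override written just above even if the
# handler has not run yet.
- name: Start and enable borgmatic timer
  ansible.builtin.systemd_service:
    name: borgmatic.timer
    state: started
    daemon_reload: true
    enabled: true
...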