---
- name: client | generate ssh key for this machine
  user:
    name: "{{ borgbackup_client_user }}"
    generate_ssh_key: yes
    ssh_key_bits: 2048
    ssh_key_file: "{{ borgbackup_ssh_key }}"
    ssh_key_type: rsa

- name: client | fetch ssh-key
  shell: "cat {{ borgbackup_ssh_key }}.pub"
  register: sshkey
  changed_when: False

- name: client | write passphrase
  lineinfile:
    dest: "~{{ borgbackup_client_user }}/.borg.passphrase"
    state: "present"
    line: 'export BORG_PASSPHRASE="{{ borgbackup_passphrase }}"'
    create: "yes"

- name: client | disable strict key checking for backup servers
  blockinfile:
    dest: "~{{ borgbackup_client_user }}/.ssh/config"
    create: yes
    marker: "### {mark} ANSIBLE MANAGED BLOCK {{ item.fqdn }} ###"
    content: |
      Host {{ item.fqdn }}
        StrictHostKeyChecking no
        IdentityFile {{ borgbackup_ssh_key }}
        {% if item.port is defined %}
        Port {{ item.port }}
        {% endif %}
  with_items: "{{ borgbackup_servers }}"

- name: client | put sshpubkey on the normal backupserver
  authorized_key:
    user: "{{ item.user }}"
    key: "{{ sshkey.stdout }}"
    key_options: 'command="cd {{ item.home }}{{ item.pool }}/{{ inventory_hostname }};borg serve {% if borgbackup_appendonly %}--append-only {% endif %}--restrict-to-path {{ item.home }}/{{ item.pool }}/{{ inventory_hostname }}",no-port-forwarding,no-X11-forwarding,no-pty,no-agent-forwarding,no-user-rc'
  delegate_to: "{{ item.fqdn }}"
  when: item.type == 'normal'
  with_items: "{{ borgbackup_servers }}"

# rsync.net and hetzner have no python, so we can only use raw to manage ssh keys - workaround with local tmp file
- name: client | get authorized_keys file
  raw: scp {{ item.user }}@{{ item.fqdn }}:.ssh/authorized_keys /tmp/authkeys-{{ item.type }}-{{ item.fqdn }}-authkeys
  delegate_to: localhost
  become: no
  when: item.type in ['rsync.net','hetzner']
  with_items: "{{ borgbackup_servers }}"
  changed_when: false

- name: client | modify local rsync.net/hetzner authorized_keys
  authorized_key:
    user: "{{ ansible_user_id }}"
    key: "{{ sshkey.stdout }}"
    key_options: 'command="cd {{ item.pool }}/{{ inventory_hostname }};/usr/local/bin/borg1 serve {% if borgbackup_appendonly %}--append-only {% endif %} --restrict-to-path {{ item.pool }}/{{ inventory_hostname }}",no-port-forwarding,no-X11-forwarding,no-pty,no-agent-forwarding,no-user-rc'
    path: "/tmp/authkeys-{{ item.type }}-{{ item.fqdn }}-authkeys"
    manage_dir: no
  delegate_to: localhost
  become: no
  when: item.type in ['rsync.net','hetzner']
  with_items: "{{ borgbackup_servers }}"
  register: authkeys

- name: client | upload local authorized_keys to rsync.net / hetzner
  raw: scp /tmp/authkeys-{{ item.type }}-{{ item.fqdn }}-authkeys {{ item.user }}@{{ item.fqdn }}:.ssh/authorized_keys
  delegate_to: localhost
  become: no
  when: item.type in ['rsync.net','hetzner'] and authkeys.changed
  with_items: "{{ borgbackup_servers }}"

- name: client | remove tmp authorized_keys files
  file:
    path: /tmp/authkeys-{{ item.type }}-{{ item.fqdn }}-authkeys
    state: absent
  delegate_to: localhost
  become: no
  with_items: "{{ borgbackup_servers }}"
  when: authkeys.changed
  changed_when: false

- name: client | check for mysql
  stat: path=/var/lib/automysqlbackup
  register: automysql

- name: client | put wrapper script
  template:
    src: "borg-backup.sh.j2"
    dest: "/usr/local/bin/borg-backup"
    owner: "{{ borgbackup_owner }}"
    group: "{{ borgbackup_group }}"
    mode: "0744"

- name: client | create backup-directory on backup server
  shell: /usr/local/bin/borg-backup init
  become_user: "{{ borgbackup_client_user }}"
  register: backup_init
  changed_when: "'Remember your passphrase' in backup_init.stderr"

- name: client | create backup cronjob
  cron:
    cron_file: "borg-backup"
    user: "{{ borgbackup_client_user }}"
    name: "borg-backup"
    minute: "{{ borgbackup_cron_minute }}"
    hour: "{{ borgbackup_cron_hour }}"
    day: "{{ borgbackup_cron_day }}"
    job: "/usr/local/bin/borg-backup backup"

- name: client | disable automysqlbackup cronjob, it's in our pre-backup-tasks 
  lineinfile:
    dest: "/etc/cron.daily/automysqlbackup"
    regexp: "^/usr/sbin/automysqlbackup$"
    line: "#/usr/sbin/automysqlbackup"
    state: "present"
    backrefs: "yes"
    create: "no"
  when: automysql.stat.isdir is defined and automysql.stat.isdir == True