---
- name: client | generate ssh key for this machine
  shell: if [ -f ~/.ssh/id_rsa ]; then rm -f ~/.ssh/id_rsa; fi && ssh-keygen -q -t rsa -b 4096 -f ~/.ssh/id_rsa -N "" creates=~/.ssh/id_rsa.pub

- name: client | fetch ssh-key
  shell: cat /root/.ssh/id_rsa.pub
  register: sshkey
  changed_when: False

- name: client | write passphrase
  lineinfile:
    dest: "/root/.borg.passphrase"
    state: "present"
    line: 'export BORG_PASSPHRASE="{{ borgbackup_passphrase }}"'
    create: "yes"

- name: client | template sshconfig for backup-hosts (no strict key checking)
  template:
    src: "ssh.config.j2"
    dest: "/root/.ssh/config"
    owner: "root"
    group: "root"

- name: client | put sshpubkey on the normal backupserver
  authorized_key:
    user: "{{ item.user }}"
    key: "{{ sshkey.stdout }}"
    key_options: 'command="cd {{ item.home }}{{ item.pool }}/{{ inventory_hostname }};borg serve --restrict-to-path {{ item.home }}/{{ item.pool }}/{{ inventory_hostname }}",no-port-forwarding,no-X11-forwarding,no-pty,no-agent-forwarding,no-user-rc'
  delegate_to: "{{ item.fqdn }}"
  when: item.type == 'normal'
  with_items: "{{ backupservers }}"

# rsync.net has no python, so we can only use raw to manage ssh keys - workaround with local tmp file
- name: client | get rsync.net authorized_keys file
  raw: scp {{ item.user }}@{{ item.fqdn }}:.ssh/authorized_keys /tmp/rsync.net-{{ item.fqdn }}-authkeys
  delegate_to: localhost
  become: no
  when: item.type == 'rsync.net'
  with_items: "{{ backupservers }}"
  changed_when: false

- name: client | modify local rsync.net authorized_keys
  authorized_key:
    user: "{{ ansible_user_id }}"
    key: "{{ sshkey.stdout }}"
    key_options: 'command="cd {{ item.home }}{{ item.pool }}/{{ inventory_hostname }};borg serve --restrict-to-path {{ item.home }}/{{ item.pool }}/{{ inventory_hostname }}",no-port-forwarding,no-X11-forwarding,no-pty,no-agent-forwarding,no-user-rc'
    path: "/tmp/rsync.net-{{ item.fqdn }}-authkeys"
    manage_dir: no
  delegate_to: localhost
  become: no
  when: item.type == 'rsync.net'
  with_items: "{{ backupservers }}"
  register: authkeys

- name: client | upload local authorized_keys to rsync.net
  raw: scp /tmp/rsync.net-{{ item.fqdn }}-authkeys {{ item.user }}@{{ item.fqdn }}:.ssh/authorized_keys
  delegate_to: localhost
  become: no
  when: item.type == 'rsync.net' and authkeys.changed
  with_items: "{{ backupservers }}"

- name: client | remove tmp authorized_keys files
  file:
    path: /tmp/rsync.net-{{ item.fqdn }}-authkeys
    state: absent
  delegate_to: localhost
  become: no
  with_items: "{{ backupservers }}"
  when: authkeys.changed
  changed_when: false

- name: client | check for mysql
  stat: path=/var/lib/automysqlbackup
  register: automysql

- name: client | put wrapper script
  template:
    src: "borg-backup.sh.j2"
    dest: "/usr/local/bin/borg-backup"
    owner: "root"
    group: "root"
    mode: "0744"

- name: client | create backup-directory on backup server
  shell: /usr/local/bin/borg-backup init
  register: backup_init
  changed_when: "'Remember your passphrase' in backup_init.stderr"

- name: client | create backup cronjob
  cron:
    cron_file: "borg-backup"
    user: "root"
    name: "borg-backup"
    minute: "{{ 59|random }}"
    hour: "{{ 5|random }}"
    job: "/usr/local/bin/borg-backup backup"

- name: client | disable automysqlbackup cronjob, it's in our pre-backup-tasks 
  lineinfile:
    dest: "/etc/cron.daily/automysqlbackup"
    regexp: "^/usr/sbin/automysqlbackup$"
    line: "#/usr/sbin/automysqlbackup"
    state: "present"
    backrefs: "yes"
    create: "no"
  when: automysql.stat.isdir is defined and automysql.stat.isdir == True