---
- name: duplicity | check vars are defined
  assert:
    that:
      - duplicity_archive_dir is defined
      - duplicity_s3_path is defined
      - duplicity_s3_passphrase is defined
      - duplicity_s3_access_key is defined
      - duplicity_s3_secret_key is defined
  tags: ['backup_duplicity']

- name: duplicity | install packages
  apt:
    name: 
      - duplicity
      - python3-boto
    state: present
  tags: ['backup_duplicity']

- name: duplicity | check for dedicated GPG key standalone
  shell: |
    gpg --list-options show-only-fpr-mbox --list-secret-keys -a "{{ duplicity_gpg_real_name }}" | awk '{print $1}'
  register: duplicity_get_key
  when:
    - duplicity_oneforall_key == False
  tags: ['backup_duplicity']

- name: duplicity | check for dedicated GPG key infra
  shell: |
    gpg --list-options show-only-fpr-mbox --list-secret-keys -a "{{ duplicity_gpg_real_name }}" | awk '{print $1}'
  register: duplicity_get_key
  delegate_to: localhost
  when:
    - duplicity_oneforall_key == True
  tags: ['backup_duplicity']

- set_fact:
    duplicity_gpg_key: "{{ duplicity_get_key.stdout }}"
  when:
    - duplicity_oneforall_key == False
    - duplicity_get_key.stdout != ''
  tags: ['backup_duplicity']

- set_fact:
    duplicity_gpg_key: "{{ duplicity_get_key.stdout }}"
  delegate_to: localhost
  when:
    - duplicity_oneforall_key == True
    - duplicity_get_key.stdout != ''
  tags: ['backup_duplicity']

- name: duplicity | generate dedicated GPG key standalone
  shell: |
    gpg --batch --gen-key <<EOF
    %echo Generating a OpenPGP key
    %no-protection
    Key-Type: eddsa
    Key-Curve: Ed25519
    Key-Usage: cert
    Subkey-Type: ecdh
    Subkey-Curve: Curve25519
    Subkey-Usage: encrypt
    Name-Real: "{{ duplicity_gpg_real_name }}"
    Name-Email: "{{ duplicity_gpg_email }}"
    Expire-Date: 0
    %commit
    EOF
  when:
    - duplicity_oneforall_key == False
    - duplicity_gpg_key is undefined
  tags: ['backup_duplicity']

- name: duplicity | generate dedicated GPG key infra
  shell: |
    gpg --batch --gen-key <<EOF
    %echo Generating a OpenPGP key
    %no-protection
    Key-Type: eddsa
    Key-Curve: Ed25519
    Key-Usage: cert
    Subkey-Type: ecdh
    Subkey-Curve: Curve25519
    Subkey-Usage: encrypt
    Name-Real: "{{ duplicity_gpg_real_name }}"
    Name-Email: "{{ duplicity_gpg_email }}"
    Expire-Date: 0
    %commit
    EOF
  delegate_to: localhost
  when:
    - duplicity_oneforall_key == True
    - duplicity_gpg_key is undefined
  tags: ['backup_duplicity']

- name: duplicity | check for dedicated GPG key infra on remote
  shell: |
    gpg --list-options show-only-fpr-mbox --list-secret-keys -a "{{ duplicity_gpg_real_name }}" | awk '{print $1}'
  register: duplicity_get_key_remote
  when:
    - duplicity_oneforall_key == True
  tags: ['backup_duplicity']

- set_fact:
    duplicity_gpg_key_remote: "{{ duplicity_get_key_remote.stdout }}"
  when:
    - duplicity_oneforall_key == True
    - duplicity_get_key_remote.stdout != ''
  tags: ['backup_duplicity']

- name: duplicity | export public key
  shell: |
    gpg --export -a "{{ duplicity_gpg_real_name }}" > /home/ansible/{{ duplicity_gpg_real_name }}_public.key
  delegate_to: localhost
  when:
    - duplicity_oneforall_key == True
    - duplicity_gpg_key_remote is undefined
  tags: ['backup_duplicity']

- name: duplicity | export private key
  shell: |
    gpg --export-secret-key -a "{{ duplicity_gpg_real_name }}" > /home/ansible/{{ duplicity_gpg_real_name }}_private.key
  delegate_to: localhost
  when:
    - duplicity_oneforall_key == True
    - duplicity_gpg_key_remote is undefined
  tags: ['backup_duplicity']

- name: duplicity | copy keys to the server
  copy:
    src: "{{ item }}"
    dest: "{{ item }}"
  with_items:
   - "/home/ansible/{{ duplicity_gpg_real_name }}_public.key"
   - "/home/ansible/{{ duplicity_gpg_real_name }}_private.key"
  when:
    - duplicity_oneforall_key == True
    - duplicity_gpg_key_remote is undefined
  tags: ['backup_duplicity']

- name: duplicity | import keys to the server
  shell: |
    gpg --import {{ item }}
  with_items:
   - "/home/ansible/{{ duplicity_gpg_real_name }}_public.key"
   - "/home/ansible/{{ duplicity_gpg_real_name }}_private.key"
  when:
    - duplicity_oneforall_key == True
    - duplicity_gpg_key_remote is undefined
  tags: ['backup_duplicity']

- name: duplicity | import ownertrust
  shell: "/usr/bin/echo '{{ duplicity_gpg_key }}:6:' |/usr/bin/gpg --import-ownertrust"
  when:
    - duplicity_oneforall_key == True
    - duplicity_gpg_key_remote is undefined
  tags: ['backup_duplicity']

- name: duplicity | delete exported keys
  ansible.builtin.file:
    path: '{{ item }}'
    state: absent
  with_items:
   - "/home/ansible/{{ duplicity_gpg_real_name }}_public.key"
   - "/home/ansible/{{ duplicity_gpg_real_name }}_private.key"
  delegate_to: localhost
  when:
    - duplicity_oneforall_key == True
    - duplicity_gpg_key_remote is undefined
  tags: ['backup_duplicity']

- name: duplicity | delete exported keys on remote
  ansible.builtin.file:
    path: '{{ item }}'
    state: absent
  with_items:
   - "/home/ansible/{{ duplicity_gpg_real_name }}_public.key"
   - "/home/ansible/{{ duplicity_gpg_real_name }}_private.key"
  when:
    - duplicity_oneforall_key == True
    - duplicity_gpg_key_remote is undefined
  tags: ['backup_duplicity']

- name: duplicity | create configuration directory
  file:
    path: /etc/duplicity
    state: directory
    mode: '0755'
  tags: ['backup_duplicity']

- name: duplicity | copy configuration file
  template:
    src: duplicity.cnf.j2
    dest: /etc/duplicity/duplicity.cnf
    owner: root
    group: root
    mode: 0600
  tags: ['backup_duplicity']

- name: duplicity | copy exclude.list
  template:
    src: exclude.list.j2
    dest: /etc/duplicity/exclude.list
    owner: root
    group: root
    mode: 0644
  tags: ['backup_duplicity']

- name: duplicity | create backup cronjob
  cron:
    name: duplicity backup
    minute: "{{ duplicity_cron_backup_minute }}"
    hour: "{{ duplicity_cron_backup_hour }}"
    day: "{{ duplicity_cron_backup_day }}"
    month: "{{ duplicity_cron_backup_month }}"
    weekday: "{{ duplicity_cron_backup_weekday }}"
    user: "{{ duplicity_cron_backup_user }}"
    job: ". /etc/duplicity/duplicity.cnf && duplicity --encrypt-key {{ duplicity_gpg_key }} --s3-use-new-style -v 4 --archive-dir={{ duplicity_archive_dir }} --full-if-older-than {{ duplicity_full_older_than }}D / \"{{ duplicity_s3_path }}\" --exclude-filelist {{ duplicity_exclude_filelist }}"
  when: 
    - duplicity_gpg_key is defined
  tags: ['backup_duplicity']

- name: duplicity | create cleanup cronjob
  cron:
    name: duplicity cleanup
    minute: "{{ duplicity_cron_backup_minute+30 }}"
    hour: "{{ duplicity_cron_backup_hour+3 }}"
    day: "{{ duplicity_cron_backup_day }}"
    month: "{{ duplicity_cron_backup_month }}"
    weekday: "{{ duplicity_cron_backup_weekday }}"
    user: "{{ duplicity_cron_backup_user }}"
    job: ". /etc/duplicity/duplicity.cnf && duplicity --encrypt-key {{ duplicity_gpg_key }} --force --s3-use-new-style -v 4 remove-older-than {{ duplicity_remove_older_than }}D \"{{ duplicity_s3_path }}\""
  when: 
    - duplicity_gpg_key is defined
  tags: ['backup_duplicity']