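# vim: ft=yaml.ansible
---
# Provisions the SSH identity and client config used by restic over SFTP,
# then deploys two compose services: a scheduled backup and a scheduled prune.

- name: Create SSH directory
  file:
    path: "{{ services.restic.volume_folder }}/ssh"
    owner: root
    group: root
    mode: '0700'
    state: directory

- name: Copy private SSH key
  copy:
    dest: "{{ services.restic.volume_folder }}/ssh/id_ed25519"
    owner: root
    group: root
    mode: '0600'
    content: "{{ restic_secrets.ssh_privkey }}"
  # Keep the private key out of --diff and verbose task output.
  no_log: true

- name: Derive public SSH key
  # The path is shell-quoted because it comes from a variable. A failed
  # ssh-keygen must not leave an empty .pub behind: the redirect creates the
  # file before ssh-keygen runs, and `creates` would then skip this task on
  # every later run.
  shell: |
    key={{ (services.restic.volume_folder ~ '/ssh/id_ed25519') | quote }}
    if ! ssh-keygen -y -f "$key" > "$key.pub"; then
      rm -f "$key.pub"
      exit 1
    fi
  args:
    creates: "{{ services.restic.volume_folder }}/ssh/id_ed25519.pub"

- name: Set file permissions on public SSH key
  file:
    path: "{{ services.restic.volume_folder }}/ssh/id_ed25519.pub"
    owner: root
    group: root
    mode: '0644'
    state: touch

# NOTE(review): no known_hosts file is provisioned in the tasks visible here,
# and the ssh directory is mounted read-only into the containers, so they
# cannot record a host key themselves. Confirm that restic.ssh.config.j2 pins
# the backup server's host key rather than disabling host key checking.
- name: Create SSH config
  template:
    src: restic.ssh.config.j2
    dest: "{{ services.restic.volume_folder }}/ssh/config"
    owner: root
    group: root
    mode: '0600'

# NOTE(review): RESTIC_PASSWORD is passed as a container environment variable,
# so it is readable by anyone who can inspect the containers on the host, and
# it is part of this task's module arguments at high verbosity. Consider
# `no_log: true` here (at the cost of hiding compose errors) and restic's
# RESTIC_PASSWORD_FILE with a root-only file mounted read-only.
- name: Setup restic backup
  docker_compose:
    project_name: restic_backup
    pull: true
    definition:
      version: '3.6'
      services:
        restic-backup:
          image: "mazzolino/restic:{{ services.restic.version }}"
          restart: always
          environment:
            RUN_ON_STARTUP: "false"
            BACKUP_CRON: "0 30 3 * * *"
            RESTIC_REPOSITORY: "sftp:{{ services.restic.user }}@{{ services.restic.domain }}:{{ services.restic.repository }}"
            RESTIC_PASSWORD: "{{ restic_secrets.repository_password }}"
            RESTIC_BACKUP_SOURCES: "/mnt/volumes"
            RESTIC_BACKUP_ARGS: >-
              --tag datacoop-volumes
              --exclude '*.tmp'
              --verbose
            RESTIC_FORGET_ARGS: >-
              --keep-last 10
              --keep-daily 7
              --keep-weekly 5
              --keep-monthly 12
            TZ: Europe/Copenhagen
          volumes:
            # Both mounts are read-only: the backup only reads the key
            # material and the volumes it backs up.
            - "{{ services.restic.volume_folder }}/ssh:/run/secrets/.ssh:ro"
            - '/docker-volumes:/mnt/volumes:ro'
        # NOTE(review): unlike restic-backup, this service has no
        # `restart: always`; confirm that is intended, otherwise prune stops
        # running after a daemon or host restart.
        restic-prune:
          image: "mazzolino/restic:{{ services.restic.version }}"
          environment:
            RUN_ON_STARTUP: "false"
            PRUNE_CRON: "0 0 4 * * *"
            RESTIC_REPOSITORY: "sftp:{{ services.restic.user }}@{{ services.restic.domain }}:{{ services.restic.repository }}"
            RESTIC_PASSWORD: "{{ restic_secrets.repository_password }}"
            # Zone names are case-sensitive file lookups in tzdata; the
            # lowercase spelling does not match the backup service's zone and
            # would leave the 04:00 prune schedule on a different clock than
            # the 03:30 backup.
            TZ: Europe/Copenhagen
          volumes:
            - "{{ services.restic.volume_folder }}/ssh:/run/secrets/.ssh:ro"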