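---
# Backup role tasks: install borgmatic, make sure root has an SSH key for the
# borg server, optionally register the repository through the borg controller,
# render /etc/borgmatic/config.yaml and enable the borgmatic timer.
# Hosts without an entry in backup_hosts only get the informational message.

- name: Skip hosts without backup config
  ansible.builtin.debug:
    msg: "No entry in backup_hosts for {{ inventory_hostname }}; skipping backup role."
  when: inventory_hostname not in (backup_hosts | default({}))

- name: Configure borgmatic
  # Same membership test as above, inverted; applies to every task in the block.
  when: inventory_hostname in (backup_hosts | default({}))
  block:
    - name: Install borgmatic
      ansible.builtin.package:
        name: borgmatic
        state: present

    - name: Ensure /etc/borgmatic exists
      ansible.builtin.file:
        path: /etc/borgmatic
        state: directory
        owner: root
        group: root
        mode: '0750'

    # No ssh_key_passphrase is set, so the generated private key is stored
    # unencrypted in root's home. An existing key is left as it is.
    # NOTE(review): whatever installs root_ssh's public key on the borg server
    # is not visible here; confirm it pins the key to this host's repository
    # (e.g. a forced `borg serve --restrict-to-repository` in authorized_keys).
    - name: Ensure root has an SSH key for the borg server
      ansible.builtin.user:
        name: root
        generate_ssh_key: true
        ssh_key_type: ed25519
        ssh_key_file: .ssh/id_ed25519
        ssh_key_comment: "borgmatic@{{ inventory_hostname }}"
      register: root_ssh

    # Runs only when both controller credentials are defined.
    # NOTE(review): presumably borgcontroller.yml sets borgcontroller_repo_uri
    # and borgcontroller_password comes from a vault; verify, neither is
    # visible in this file.
    - name: Register / look up repository on borg controller
      ansible.builtin.include_tasks: borgcontroller.yml
      when:
        - borgcontroller_username is defined
        - borgcontroller_password is defined

    # Copies the host's backup_hosts entry minus storage_size_gb and, when
    # borgcontroller_repo_uri is defined, sets 'repositories' to that single
    # URI labelled with the inventory hostname (combine replaces any
    # 'repositories' key already in the entry).
    # NOTE(review): if the entry carries a repository passphrase, this fact is
    # printed at -v; consider no_log: true here.
    - name: Build borgmatic config (strip controller-only keys, inject repository)
      ansible.builtin.set_fact:
        _borgmatic_config: >-
          {{
            (backup_hosts[inventory_hostname]
             | dict2items
             | rejectattr('key', 'in', ['storage_size_gb'])
             | items2dict)
            | combine(
                {'repositories': [{'path': borgcontroller_repo_uri,
                                   'label': inventory_hostname}]}
                if borgcontroller_repo_uri is defined else {}
              )
          }}

    # The rendered file presumably comes from _borgmatic_config and may hold
    # repository secrets (template not visible here), so it is owner-only
    # ('0600', previously '0640') and its content is kept out of --diff output.
    - name: Deploy borgmatic config
      ansible.builtin.template:
        src: borgmatic.yaml.j2
        dest: /etc/borgmatic/config.yaml
        owner: root
        group: root
        mode: '0600'
      diff: false

    # NOTE(review): the timer is enabled even if no repository was injected
    # above; validating the rendered config before this step would catch a
    # host whose entry has no repositories of its own.
    - name: Enable and start borgmatic timer
      ansible.builtin.systemd:
        name: borgmatic.timer
        enabled: true
        state: started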