ansible/roles/backup/tasks/borgcontroller.yml

---
- name: Login to borg controller
  ansible.builtin.uri:
    url: "{{ borgcontroller_url }}/api/auth/login"
    method: POST
    body_format: json
    body:
      username: "{{ borgcontroller_username }}"
      password: "{{ borgcontroller_password }}"
    status_code: 200
  delegate_to: localhost
  become: false
  register: _bc_login
  no_log: true

- name: Get borg server SSH endpoint
  ansible.builtin.uri:
    url: "{{ borgcontroller_url }}/api/config"
    method: GET
    headers:
      Cookie: "{{ _bc_login.cookies_string }}"
  delegate_to: localhost
  become: false
  register: _bc_config

- name: List repositories
  ansible.builtin.uri:
    url: "{{ borgcontroller_url }}/api/repositories"
    method: GET
    headers:
      Cookie: "{{ _bc_login.cookies_string }}"
  delegate_to: localhost
  become: false
  register: _bc_repos

- name: Find existing repository for this host
  ansible.builtin.set_fact:
    _bc_existing: >-
      {{ _bc_repos.json | selectattr('alias', 'eq', inventory_hostname) | list }}

- name: Create repository if missing
  ansible.builtin.uri:
    url: "{{ borgcontroller_url }}/api/repositories"
    method: POST
    body_format: json
    body:
      alias: "{{ inventory_hostname }}"
      sshPublicKey: "{{ root_ssh.ssh_public_key }}"
      storageSize: "{{ backup_hosts[inventory_hostname].storage_size_gb | int }}"
    headers:
      Cookie: "{{ _bc_login.cookies_string }}"
    status_code: [200, 201]
  delegate_to: localhost
  become: false
  when: _bc_existing | length == 0

- name: Update repository SSH key if root's key changed
  ansible.builtin.uri:
    url: "{{ borgcontroller_url }}/api/repositories/{{ _bc_existing[0].id }}"
    method: PATCH
    body_format: json
    body:
      sshPublicKey: "{{ root_ssh.ssh_public_key }}"
    headers:
      Cookie: "{{ _bc_login.cookies_string }}"
    status_code: 200
  delegate_to: localhost
  become: false
  when:
    - _bc_existing | length > 0
    - _bc_existing[0].sshPublicKey != root_ssh.ssh_public_key

- name: Re-list repositories after possible create/update
  ansible.builtin.uri:
    url: "{{ borgcontroller_url }}/api/repositories"
    method: GET
    headers:
      Cookie: "{{ _bc_login.cookies_string }}"
  delegate_to: localhost
  become: false
  register: _bc_repos_after

- name: Resolve repository for this host
  ansible.builtin.set_fact:
    _bc_repo: >-
      {{ (_bc_repos_after.json | selectattr('alias', 'eq', inventory_hostname) | list)[0] }}

- name: Build borg SSH URI
  ansible.builtin.set_fact:
    borgcontroller_repo_uri: "ssh://{{ _bc_config.json.borgSshHost }}/./{{ _bc_repo.id }}"
    _bc_borg_host: "{{ _bc_config.json.borgSshHost.split('@')[1].split(':')[0] }}"
    _bc_borg_port: "{{ _bc_config.json.borgSshHost.split('@')[1].split(':')[1] | default('22') }}"

- name: Ensure /root/.ssh exists
  ansible.builtin.file:
    path: /root/.ssh
    state: directory
    owner: root
    group: root
    mode: '0700'

- name: Scan borg server SSH host key
  ansible.builtin.command: ssh-keyscan -p {{ _bc_borg_port }} {{ _bc_borg_host }}
  register: _bc_keyscan
  changed_when: false
  check_mode: false

- name: Trust borg server SSH host key (root known_hosts)
  ansible.builtin.lineinfile:
    path: /root/.ssh/known_hosts
    line: "{{ item }}"
    create: true
    owner: root
    group: root
    mode: '0600'
  loop: "{{ _bc_keyscan.stdout_lines }}"
  when:
    - item | length > 0
    - not item.startswith('#')

- name: Initialize borg repository (no-op if already initialized)
  ansible.builtin.command:
    cmd: borg init --encryption=none {{ borgcontroller_repo_uri }}
  register: _borg_init
  changed_when: _borg_init.rc == 0
  failed_when:
    - _borg_init.rc != 0
    - "'already exists' not in (_borg_init.stderr | default(''))"