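---
# Hypervisor role tasks: SSH certificate trust setup and Borg backup scheduling.
#
# Flow for each managed hypervisor:
#   1. generate an ed25519 user key, have it signed by the SSH CA on atlas.hyp
#      and enable the resulting certificate for outgoing ssh;
#   2. install borgbackup/borgmatic, the VM start/stop helpers and a systemd
#      timer that runs the backup;
#   3. pin the host CA public keys for *.dmz and *.hyp in ssh_known_hosts;
#   4. generate an ed25519 host key, have it signed by the CA and point sshd at
#      the host certificate.
#
# The CA script is invoked over ssh from the controller (delegate_to: localhost).
# Values that originate on the managed node (the generated public key and the
# ansible_fqdn fact) are passed through the `quote` filter so they arrive at
# the CA host as single shell words and cannot be interpreted as shell syntax.

- name: Generate user key pair
  openssh_keypair:
    path: /etc/ssh/ssh_user_ed25519_key
    type: ed25519
    comment: "{{ ansible_fqdn }}"
  register: user_key

- name: Check whether user certificate exists
  stat:
    path: /etc/ssh/ssh_user_ed25519_key-cert.pub
  register: user_cert_stat

# Runs on the controller: its ssh client connects to the CA host and executes
# the signing script there. argv hands the remote command to ssh as one
# argument (no local shell parsing); the quote filter protects the remote shell.
- name: Generate SSH user certificate
  command:
    argv:
      - ssh
      - "-o"
      - ConnectTimeout=3
      - "-o"
      - ConnectionAttempts=1
      - root@atlas.hyp
      - "/root/ssh_ca/ssh_ca.sh user hyp_user {{ user_key.public_key | quote }} {{ ansible_fqdn | quote }} hypervisor"
  register: user_certificate
  delegate_to: localhost
  # Re-issue when the key was (re)generated: a certificate left over from a
  # previous key no longer matches it.
  when: user_key.changed or not user_cert_stat.stat.exists

- name: Place user certificate
  copy:
    dest: /etc/ssh/ssh_user_ed25519_key-cert.pub
    content: "{{ user_certificate.stdout }}"
    mode: "0644"  # quoted so the mode is not parsed as a YAML 1.1 octal int
  when: user_key.changed or not user_cert_stat.stat.exists

- name: Enable user certificate
  copy:
    src: "{{ role_path }}/files/ssh_user_certificate.conf"
    dest: /etc/ssh/ssh_config.d/user_certificate.conf

- name: Install Borg
  apt:
    pkg:
      - borgbackup
      - borgmatic

# backup.yml is rendered with template (not copy), so it may contain Jinja.
- name: Copy Borgmatic script
  template:
    src: "{{ role_path }}/files/backup.yml"
    dest: /root/backup.yml

- name: Copy start_vms.sh
  copy:
    src: "{{ role_path }}/files/start_vms.sh"
    dest: /root/start_vms.sh
    mode: preserve

- name: Copy stop_vms.sh
  copy:
    src: "{{ role_path }}/files/stop_vms.sh"
    dest: /root/stop_vms.sh
    mode: preserve

- name: Copy systemd backup unit
  copy:
    src: "{{ role_path }}/files/backup.service"
    dest: /etc/systemd/system/backup.service
  notify: systemd daemon reload

- name: Copy systemd backup timer
  copy:
    src: "{{ role_path }}/files/backup.timer"
    dest: /etc/systemd/system/backup.timer
  notify: systemd daemon reload

- name: Enable backup timer
  systemd:
    name: backup.timer
    enabled: true
    state: started
    # The handler notified above only runs at the end of the play, after this
    # task; reload here so a freshly copied or changed timer unit is picked up.
    daemon_reload: true

# Host CA public keys pinned for the DMZ and HYP domains. The key text is kept
# verbatim (including its comment field) because known_hosts compares the
# whole line.
- name: Add SSH host CA for *.dmz to known hosts
  known_hosts:
    key: '@cert-authority *.dmz ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAX2IhgHNxC6JTvLu9cej+iWuG+uJFMXn4AiRro9533x Host Certficate Authority for DMZ'
    name: '@cert-authority *.dmz'
    path: /etc/ssh/ssh_known_hosts

- name: Add SSH host CA for *.hyp to known hosts
  known_hosts:
    key: '@cert-authority *.hyp ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFzRkH3d/KVJQouswY/DMpenWbDFVOnI3Vut0xR0e1tb Host Certficate Authority for HYP'
    name: '@cert-authority *.hyp'
    path: /etc/ssh/ssh_known_hosts

- name: Generate host key pair
  openssh_keypair:
    path: /etc/ssh/ssh_host_ed25519_key
    type: ed25519
    comment: "{{ ansible_host }}"
  register: host_key

- name: Check whether host certificate exists
  stat:
    path: /etc/ssh/ssh_host_ed25519_key-cert.pub
  register: host_cert_stat

# Same pattern as the user certificate: ssh from the controller to the CA host.
# ansible_host comes from the inventory; the public key comes from the managed
# node, so both are quoted before being placed in the remote command.
- name: Generate SSH host certificate
  command:
    argv:
      - ssh
      - "-o"
      - ConnectTimeout=3
      - "-o"
      - ConnectionAttempts=1
      - root@atlas.hyp
      - "/root/ssh_ca/ssh_ca.sh host hyp_host {{ host_key.public_key | quote }} {{ ansible_host | quote }}"
  register: host_certificate
  delegate_to: localhost
  when: host_key.changed or not host_cert_stat.stat.exists

- name: Place host certificate
  copy:
    dest: /etc/ssh/ssh_host_ed25519_key-cert.pub
    content: "{{ host_certificate.stdout }}"
    mode: "0644"
  when: host_key.changed or not host_cert_stat.stat.exists

# NOTE(review): nothing here reloads sshd, so the HostCertificate directive
# only takes effect on the next sshd restart -- confirm the role has a handler
# for that, or add one.
- name: Enable host certificate
  copy:
    dest: /etc/ssh/sshd_config.d/sshd_host_certificate.conf
    content: "HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub"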