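---
# Tasks: create the borg repository directory on the host, start the sshd
# container that serves it, adjust the directory's ownership for user-namespace
# remapping, then export the container's SSH host keys and the repository state
# as return variables.

- name: "create repository's root directory {{ borgbackup_sshd_repository_path }}"
  file:
    path: '{{ borgbackup_sshd_repository_path }}'
    state: directory
    # owner has full access; group and others may only traverse into it
    mode: 'u=rwx,go=x'
  register: _repo_dir

# Facts are only needed to index _default_container_images by architecture;
# skipped when an image is given explicitly or the fact is already known.
- name: fetch host's architecture to select container image
  setup:
    gather_subset: min
  when: not borgbackup_sshd_container_image and ansible_architecture is not defined

- name: "start sshd container {{ borgbackup_sshd_container_name }}"
  docker_container:
    name: '{{ borgbackup_sshd_container_name }}'
    image: >-
      {{ borgbackup_sshd_container_image
      or _default_container_images[ansible_architecture] }}
    env:
      SSH_CLIENT_PUBLIC_KEYS: "{{ borgbackup_sshd_client_public_keys }}"
      SSH_CLIENT_PUBLIC_KEYS_APPEND_ONLY: "{{ borgbackup_sshd_client_public_keys_append_only }}"
    # immutable root filesystem; every writable location is an explicit mount below
    read_only: true
    mounts:
      # named volume so the SSH host keys survive re-creation of the container
      - type: volume
        source: '{{ borgbackup_sshd_container_name }}_host_keys'
        target: /etc/ssh/host_keys
        read_only: false
      # the repository directory created above
      - type: bind
        source: '{{ _repo_dir.path }}'
        target: /repository
        read_only: false
      # authorized_keys lives here (presumably written at start-up from
      # SSH_CLIENT_PUBLIC_KEYS by the image's entrypoint)
      - type: tmpfs
        target: /home/borg/.ssh
        tmpfs_size: 16k
        # NOTE(review): world-writable with sticky bit. sshd's default StrictModes
        # rejects a group/other-writable ~/.ssh, so the image presumably tightens
        # the mode itself or runs sshd with StrictModes off — confirm against the image.
        tmpfs_mode: '1777'
      # the read-only rootfs leaves no writable temp dir, which made borg fail with
      # > FileNotFoundError: [Errno 2] No usable temporary directory found [...]
      - type: tmpfs
        target: /tmp
        tmpfs_size: 1M
        # conventional /tmp permissions: world-writable, sticky
        tmpfs_mode: '1777'
    # > *Note* that from community.general 3.0.0 on, if `networks_cli_compatible' is `true'
    # > and `networks' contains at least one network, the default value for `network_mode'
    # > will be the name of the first network in the `networks' list.
    network_mode: "{{ borgbackup_sshd_network_name | default('default') }}"
    networks_cli_compatible: true
    # publish the container's sshd (port 2200) on all IPv4 interfaces of the host,
    # but only when a host port was requested; otherwise nothing is published
    published_ports: >-
      {{ ['0.0.0.0:%d:2200' % borgbackup_sshd_published_port]
      if (borgbackup_sshd_published_port is defined) else [] }}
    # hardening: no Linux capabilities, and no privilege gain via setuid/file caps
    cap_drop: [ALL]
    security_opts: [no-new-privileges]
    # 8000/10000 caps the container at 0.8 of one CPU
    cpu_quota: 8000
    cpu_period: 10000
    # 64MiB was insufficient for two parallel operations, e.g. `borg create` & `borg list`
    memory: 128M
    restart_policy: unless-stopped
    state: started
  register: _container

# With user-namespace remapping, files the daemon creates for the container are
# owned on the host by the remapped uid; the owner of the container's resolv.conf
# is used to discover that offset.
- name: determine offset of user namespace remapping
  stat:
    path: '{{ _container.container.ResolvConfPath }}'
  register: _container_resolvconf

- name: adapt ownership of repository's root directory
  file:
    path: '{{ _repo_dir.path }}'
    # remapped root uid + 100; presumably 100 is the uid of the borg user inside
    # the image — TODO confirm against the image
    owner: '{{ _container_resolvconf.stat.uid + 100 }}'

# Resolve the host-side path of the host_keys volume from the container's
# Mounts (Destination -> Source) and block until both public keys exist.
- name: wait for host keys
  wait_for:
    path: >-
      {{ (_container.container.Mounts
      | items2dict(key_name='Destination', value_name='Source'))['/etc/ssh/host_keys'] }}/{{ item }}.pub
  loop: [rsa, ed25519]
  register: _host_keys_files

- name: read host keys
  slurp:
    src: '{{ item }}'
  loop: "{{ _host_keys_files.results | map(attribute='path') | list }}"
  register: _host_keys_base64

# an initialized repository carries a `config` file at its root
- name: check if repository is initialized
  stat:
    path: '{{ _repo_dir.path }}/config'
  register: _repository_config_file

- name: decode host keys & set return variables
  set_fact:
    # slurp yields base64; decode each key and strip surrounding whitespace
    borgbackup_sshd_host_keys: >-
      {{ _host_keys_base64.results | map(attribute='content')
      | map('b64decode') | map('trim') | list }}
    borgbackup_sshd_repository_initialized: '{{ _repository_config_file.stat.exists }}'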