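# Restic backup states (Jinja-templated Salt SLS).
#
# Server side: for every entry in the restic:server:clients pillar (client
# name -> minion id) create a dedicated system account whose home lives under
# the restic:server:mount path, and authorise that minion's root SSH key.
# Client side (only when the restic:client pillar is set): install restic,
# set up log rotation, deploy the helper scripts and schedule the backup job.
#
# File modes are quoted so YAML never re-types them as integers.

{% for name, minion_id in salt.pillar.get("restic:server:clients", {}).items() %}
{% set home = salt.pillar.get("restic:server:mount") ~ "/" ~ name %}
# One account per client keeps each client's login separate from the others.
restic-{{ name }}:
  user.present:
    - home: {{ home | yaml_encode }}
    - createhome: true
    - system: true

{{ home }}/.ssh:
  file.directory:
    - user: restic-{{ name }}
    - group: restic-{{ name }}
    - mode: '0700'
    # Explicit ordering: the owner must exist before the directory is created.
    - require:
      - user: restic-{{ name }}

# NOTE(review): the key is installed without any authorized_keys options, so
# the client's root key gets whatever sshd allows this account. Consider
# prefixing it with "restrict" plus a forced command limited to what the
# backup transport needs; confirm the transport in env.sh/backup.sh first.
{{ home }}/.ssh/authorized_keys:
  file.managed:
    - user: restic-{{ name }}
    - group: restic-{{ name }}
    - mode: '0400'
    # TODO: we don't ensure a root rsa key exists on the minion
    # When the mine has no key for this minion the file is written empty, so
    # the account accepts no login and that client's backups cannot connect.
    # The value is minion-published data: keep the yaml_encode filter so it
    # cannot alter the rendered YAML.
    - contents: {{ salt.mine.get(minion_id, 'root_id_rsa_pub').get(minion_id, "") | yaml_encode }}
    - require:
      - file: {{ home }}/.ssh
{% endfor %}

{% if salt.pillar.get("restic:client", None) is not none %}
{% if salt.pillar.get("restic:client:install", True) %}
# Runs the install script unless the pinned version is already installed.
# NOTE(review): install.sh is not visible here; confirm it verifies a
# checksum or signature of the binary it downloads before installing it.
'download restic':
  cmd.script:
    - shell: /bin/bash
    - source: 'salt://restic/files/install.sh'
    - template: jinja
    - unless: "/bin/restic version | grep 'restic {{ salt.pillar.get("restic:version") }} '"
{% endif %}

# The logrotate policy file itself is world-readable; rotated logs are
# recreated root-only (create 600 root root).
/etc/logrotate.d/restic-backup:
  file.managed:
    - user: root
    - group: root
    - mode: '0644'
    - contents: |
        /var/log/restic/backup.log {
          monthly
          rotate 3
          compress
          missingok
          notifempty
          create 600 root root
        }

# Script and log directories are readable by root only.
restic dirs:
  file.directory:
    - user: root
    - group: root
    - mode: '0700'
    - names:
      - /opt/restic: []
      - /var/log/restic: []

# env.sh presumably carries the repository credentials (confirm); both
# scripts are deployed root-only.
restic scripts:
  file.managed:
    - template: jinja
    - user: root
    - group: root
    - mode: '0700'
    - names:
      - /opt/restic/env.sh:
        - source: 'salt://restic/files/env.sh'
      - /opt/restic/backup.sh:
        - source: 'salt://restic/files/backup.sh'
    - require:
      - file: /opt/restic

# Weekly run (day-of-week 0, hour 4, random minute).
# Redirection order matters: stderr is first duplicated onto the output cron
# captures, then stdout alone is discarded, so only errors are reported.
restic cron:
  cron.present:
    - name: "/opt/restic/backup.sh 2>&1 >/dev/null"
    - identifier: restic backup
    - minute: random
    - hour: 4
    - dayweek: 0
{% endif %}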