From dc08b29ffb7ec1cb2aac7fb3225905b50f2ead17 Mon Sep 17 00:00:00 2001
From: Karl Goetz <karl@medeopolis.au>
Date: Thu, 21 Sep 2023 15:21:20 +1000
Subject: [PATCH] Make gpg_key completely optional

In the current codebase GPG_KEY is set to disabled if gpg_key is unset. This
causes a problem because GPG_KEY is completely optional when GPG_KEYS_ENC and
GPG_KEY_SIGN are in use together.

This change will comment out GPG_KEY instead of adding it with disabled= to
allow GPG_KEYS_ENC and GPG_KEY_SIGN to be used.
---
 README.md                   | 2 +-
 templates/etc/duply/conf.j2 | 2 ++
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 3d8954a..5558e5e 100644
--- a/README.md
+++ b/README.md
@@ -14,7 +14,7 @@ None
 * `duply_backup_profiles`: [default: `{}`]: Duply backup profiles
 * `duply_backup_profiles.key`: The name of the profile (e.g. `etc`)
 * `duply_backup_profiles.key.conf`: Conf declarations
-* `duply_backup_profiles.key.conf.gpg_key`: Encrypt with key (**optional**, omitting will disable encryption)
+* `duply_backup_profiles.key.conf.gpg_key`: Encrypt with key (**optional**, omitting `gpg_key` but including `gpg_keys_enc` and `gpg_key_sign` will enable separate signing and encrypting keys. Omitting two or more options will disable encryption)
 * `duply_backup_profiles.key.conf.gpg_pw`: Symmetric encryption using passphrase only (**optional**)
 * `duply_backup_profiles.key.conf.gpg_keys_enc`: Public key to encrypt to (**optional**)
 * `duply_backup_profiles.key.conf.gpg_key_sign`: A secret key for signing (**optional**)
diff --git a/templates/etc/duply/conf.j2 b/templates/etc/duply/conf.j2
index b527291..a91ad4d 100644
--- a/templates/etc/duply/conf.j2
+++ b/templates/etc/duply/conf.j2
@@ -11,6 +11,8 @@
 #  GPG_PW='passphrase' - symmetric encryption using passphrase only
 {% if item.value.conf.gpg_key is defined %}
 GPG_KEY='{{ item.value.conf.gpg_key }}'
+{% elif (item.value.conf.gpg_keys_enc is defined) and (item.value.conf.gpg_key_sign is defined) %}
+# GPG_KEY= not in use; see GPG_KEYS_ENC and GPG_KEY_SIGN below
 {% else %}
 GPG_KEY='disabled'
 {% endif %}