---

- name: install kerberoes user utility
  package:
    name: krb5-user
    state: present

- name: check if we have a cached kerberos ticket
  delegate_to: "{{ ipa_server }}"
  vars: {ansible_user: ""}
  become: no
  command: klist
  run_once: yes
  changed_when: false

- name: check if the host exists in the directory
  delegate_to: "{{ ipa_server }}"
  vars: {ansible_user: ""}
  become: no
  command: flock /tmp/ansible-lock ipa host-show {{ ansible_fqdn }}
  register: host_show
  failed_when: host_show.rc == 1
  changed_when: false

- name: create the host principal
  delegate_to: "{{ ipa_server }}"
  vars: {ansible_user: ""}
  become: no
  command: flock /tmp/ansible-lock ipa host-add {{ ansible_fqdn }} --force
            --sshpubkey \"{{ ansible_ssh_host_key_rsa_public }}\"
            --os {{ ansible_distribution }}
  when: host_show.rc != 0
  tags: [install]

- name: check if /etc/krb5.keytab exists
  stat: path=/etc/krb5.keytab
  register: keytab

- name: generate the host keytab
  delegate_to: "{{ ipa_server }}"
  vars: {ansible_user: ""}
  become: no
  command: flock /tmp/ansible-lock /usr/sbin/ipa-getkeytab -s {{ ipa_server }} -p host/{{ ansible_fqdn }} -k /tmp/{{ ansible_hostname }}.keytab
  when: 'not keytab.stat.exists or "Keytab: True" not in host_show.stdout'
  tags: [install]

- name: transfer the keytab over to the IPA client
  synchronize:
    src: /tmp/{{ ansible_hostname }}.keytab
    dest: /etc/krb5.keytab
    archive: no
    ssh_args: -l root
  delegate_to: "{{ ipa_server }}"
  vars: {ansible_user: ""}
  become: no
  when: 'not keytab.stat.exists or "Keytab: True" not in host_show.stdout'
  notify: restart sssd
  tags: [install]

- name: remove the keytab file on the FreeIPA server
  delegate_to: "{{ ipa_server }}"
  vars: {ansible_user: ""}
  become: no
  file:
    path: /tmp/{{ ansible_hostname }}.keytab
    state: absent
  tags: [install]

- name: create the directory /etc/sssd
  file:
    path: /etc/sssd
    state: directory

- name: configure sssd
  template:
    src: sssd.conf.j2
    dest: /etc/sssd/sssd.conf
    mode: 0600
  notify: restart sssd
  tags: [configure]

- name: install sssd
  apt: name=sssd state=present
  tags: [install]

- name: automatically create user home directories
  copy:
    src: mkhomedir
    dest: /usr/share/pam-configs/mkhomedir
  notify: execute pam-auth-update

- name: configure krb5
  template:
    src: krb5.conf.j2
    dest: /etc/krb5.conf
  tags: [configure]

- name: set AuthorizedKeysCommand for sshd
  lineinfile:
    regexp: AuthorizedKeysCommand\b
    line: AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
    dest: /etc/ssh/sshd_config
  notify: restart sshd
  tags: [configure]

- name: set AuthorizedKeysCommandUser for sshd
  lineinfile:
    regexp: AuthorizedKeysCommandUser
    line: AuthorizedKeysCommandUser nobody
    dest: /etc/ssh/sshd_config
  notify: restart sshd
  tags: [configure]

- name: set GlobalKnownHostsFile for ssh
  lineinfile:
    regexp: GlobalKnownHostsFile
    line: GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts
    dest: /etc/ssh/ssh_config

- name: set ProxyCommand for ssh
  lineinfile:
    regexp: ProxyCommand
    line: ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h
    dest: /etc/ssh/ssh_config
  tags: [configure]

- name: start and enable sssd
  service: name=sssd state=started enabled=yes
  tags: [serve]

- name: exclude lastlog and faillog from backups
  copy:
    src: backup_excludes
    dest: /var/log/.backup
  tags: [configure]