---
# tasks file for ipaclient

- name: Install - Ensure that IPA client packages are installed
  package:
    name: "{{ item }}"
    state: present
  with_items: "{{ ipaclient_packages }}"

- name: Install - Include Python2/3 import test
  include: "{{role_path}}/tasks/python_2_3_test.yml"
  static: yes

- name: Install - IPA discovery
  ipadiscovery:
    domain: "{{ ipaserver_domain | default(ipaclient_domain) | default(omit) }}"
    servers: "{{ groups.ipaserver | default(groups.ipaservers) | default(omit) }}"
    realm: "{{ ipaserver_realm | default(ipaclient_realm) | default(omit) }}"
    hostname: "{{ ipaclient_hostname | default(ansible_fqdn) }}"
    ca_cert_file: "{{ ipaclient_ca_cert_file | default(omit) }}"
    on_master: "{{ ipaclient_on_master }}"
    ntp_servers: "{{ ipaclient_ntp_servers | default([]) }}"
    no_ntp: "{{ ipaclient_no_ntp }}"
  register: ipadiscovery

- name: Install - Set default principal if no keytab is given
  set_fact:
    ipaadmin_principal: admin
  when: ipaadmin_principal is undefined and ipaclient_keytab is undefined

- name: Install - Cleanup leftover ccache
  file:
    path: "/etc/ipa/.dns_ccache"
    state: absent

- block:
  - name: Install - Test if IPA client has working krb5.keytab
    ipatest:
      servers: "{{ ipadiscovery.servers }}"
      domain: "{{ ipadiscovery.domain }}"
      realm: "{{ ipadiscovery.realm }}"
      hostname: "{{ ipadiscovery.hostname }}"
      kdc: "{{ ipadiscovery.kdc }}"
      kinit_attempts: "{{ ipaclient_kinit_attempts | default(omit) }}"
    register: ipatest
    when: not ipaclient_on_master | bool

  - name: Install - Disable One-Time Password for client with working krb5.keytab
    set_fact:
      ipaclient_use_otp: "no"
    when: ipaclient_use_otp | bool and ipatest.krb5_keytab_ok and not ipaclient_force_join | bool


  # The following block is executed when using OTP to enroll IPA client
  # ie when ipaclient_use_otp is set.
  # It connects to ipaserver and add the host with --random option in order
  # to create a OneTime Password
  # If a keytab is specified in the hostent, then the hostent will be disabled
  # if ipaclient_use_otp is set.
  - block:
    - fail: msg="Keytab or password is required for otp"
      when: ipaadmin_keytab is undefined and ipaadmin_password is undefined

    - name: Install - Get a One-Time Password for client enrollment
      no_log: yes
      ipahost:
        state: present
        principal: "{{ ipaadmin_principal | default('admin') }}"
        password: "{{ ipaadmin_password | default(omit) }}"
        keytab: "{{ ipaadmin_keytab | default(omit) }}"
        fqdn: "{{ ipadiscovery.hostname }}"
        lifetime: "{{ ipaclient_lifetime | default(omit) }}"
        random: True
      register: ipahost_output
      # If the host is already enrolled, this command will exit on error
      # The error can be ignored
      failed_when: ipahost_output|failed and "Password cannot be set on enrolled host" not in ipahost_output.msg
      delegate_to: "{{ ipadiscovery.servers[0] }}"

    - name: Install - Store the previously obtained OTP
      no_log: yes
      set_fact:
        ipaadmin_password: "{{ ipahost_output.host.randompassword if ipahost_output.host is defined }}"

    when: ipaclient_use_otp | bool

  - name: Install - Check if principal and keytab are set
    fail: msg="Principal and keytab cannot be used together"
    when: ipaadmin_principal is defined and ipaadmin_principal != "" and ipaclient_keytab is defined and ipaclient_keytab != ""

  - name: Install - Check if one of password and keytab are set
    fail: msg="At least one of password or keytab must be specified"
    when: not ipatest.krb5_keytab_ok and (ipaadmin_password is undefined or ipaadmin_password == "") and (ipaclient_keytab is undefined or ipaclient_keytab == "")

  - name: Install - Purge {{ ipadiscovery.realm }} from host keytab
    command: >
      /usr/sbin/ipa-rmkeytab
      -k /etc/krb5.keytab
      -r "{{ ipadiscovery.realm }}"
    register: iparmkeytab
    # Do not fail on error codes 3 and 5:
    #   3 - Unable to open keytab
    #   5 - Principal name or realm not found in keytab
    failed_when: iparmkeytab.rc != 0 and iparmkeytab.rc != 3 and iparmkeytab.rc != 5
    when: ipaclient_use_otp | bool or ipaclient_force_join | bool

  - name: Install - Join IPA
    ipajoin:
      servers: "{{ ipadiscovery.servers }}"
      domain: "{{ ipadiscovery.domain }}"
      realm: "{{ ipadiscovery.realm }}"
      kdc: "{{ ipadiscovery.kdc }}"
      basedn: "{{ ipadiscovery.basedn }}"
      hostname: "{{ ipadiscovery.hostname }}"
      force_join: "{{ ipaclient_force_join | default(omit) }}"
      principal: "{{ ipaadmin_principal if not ipaclient_use_otp | bool and ipaclient_keytab is not defined else '' }}"
      password: "{{ ipaadmin_password | default(omit) }}"
      keytab: "{{ ipaclient_keytab | default(omit) }}"
      #ca_cert_file: "{{ ipaclient_ca_cert_file | default(omit) }}"
      kinit_attempts: "{{ ipaclient_kinit_attempts | default(omit) }}"
    register: ipajoin
    when: not ipaclient_on_master | bool and (not ipatest.krb5_keytab_ok or ipaclient_force_join)

  - block:
    - name: Install - End playbook processing
      file:
        path: "/etc/ipa/.dns_ccache"
        state: absent
    - fail:
        msg: "The krb5 configuration is not correct, please enable allow_repair to fix this."
      when: not ipatest.krb5_conf_ok
    - fail:
        msg: "The IPA test failed, please enable allow_repair to fix this."
      when: not ipatest.ipa_test_ok
    - fail:
        msg: "The ca.crt file is missing, please enable allow_repair to fix this."
      when: not ipatest.ca_crt_exists
    - meta: end_play
    when: not ipaclient_on_master | bool and not ipajoin.changed and not ipaclient_allow_repair | bool and (ipatest.krb5_keytab_ok or ipajoin.already_joined)

  - name: Install - Configure IPA default.conf
    include_role:
      name: ipaconf
    vars:
      ipaconf_server: "{{ ipadiscovery.servers[0] }}"
      ipaconf_domain: "{{ ipadiscovery.domain }}"
      ipaconf_realm: "{{ ipadiscovery.realm }}"
      ipaconf_hostname: "{{ ipadiscovery.hostname }}"
      ipaconf_basedn: "{{ ipadiscovery.basedn }}"
    when: not ipaclient_on_master | bool

  - name: Install - Configure SSSD
    ipasssd:
      servers: "{{ ipadiscovery.servers }}"
      domain: "{{ ipadiscovery.domain }}"
      realm: "{{ ipadiscovery.realm }}"
      hostname: "{{ ipadiscovery.hostname }}"
      services: ["ssh", "sudo"]
      krb5_offline_passwords: yes
      on_master: "{{ ipaclient_on_master }}"
      #primary: no
      #permit: no
      #dns_updates: no
      #all_ip_addresses: no

  - name: Install - Configure krb5 for IPA realm "{{ ipadiscovery.realm }} <= 4.4"
    include_role:
      name: krb5
    vars:
      krb5_servers: "{{ [ ] if ipadiscovery.dnsok else ipadiscovery.servers }}"
      krb5_realm: "{{ ipadiscovery.realm }}"
      krb5_dns_lookup_realm: "{{ 'true' if ipadiscovery.dnsok else 'false' }}"
      krb5_dns_lookup_kdc: "{{ 'true' if ipadiscovery.dnsok else 'false' }}"
      krb5_no_default_domain: "{{ 'true' if ipadiscovery.domain != ipadiscovery.client_domain else 'false' }}"
      krb5_pkinit_anchors: "FILE:/etc/ipa/ca.crt"
    when: not ipaclient_on_master | bool and ipadiscovery.ipa_python_version <= 40400

  - name: Install - Configure krb5 for IPA realm "{{ ipadiscovery.realm }} > 4.4"
    include_role:
      name: krb5
    vars:
      krb5_servers: "{{ [ ] if ipadiscovery.dnsok else ipadiscovery.servers }}"
      krb5_realm: "{{ ipadiscovery.realm }}"
      krb5_dns_lookup_realm: "{{ 'true' if ipadiscovery.dnsok else 'false' }}"
      krb5_dns_lookup_kdc: "{{ 'true' if ipadiscovery.dnsok else 'false' }}"
      krb5_no_default_domain: "{{ 'true' if ipadiscovery.domain != ipadiscovery.client_domain else 'false' }}"
      krb5_dns_canonicalize_hostname: "false"
      krb5_pkinit_pool: "FILE:/var/lib/ipa-client/pki/ca-bundle.pem"
      krb5_pkinit_anchors: "FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem"
    when: not ipaclient_on_master | bool and ipadiscovery.ipa_python_version > 40400

  - name: Install - IPA API calls for remaining enrollment parts
    ipaapi:
      servers: "{{ ipadiscovery.servers }}"
      realm: "{{ ipadiscovery.realm }}"
      hostname: "{{ ipadiscovery.hostname }}"
      #debug: yes
    register: ipaapi

  - name: Install - Fix IPA ca
    ipafixca:
      servers: "{{ ipadiscovery.servers }}"
      realm: "{{ ipadiscovery.realm }}"
      basedn: "{{ ipadiscovery.basedn }}"
      allow_repair: "{{ ipaclient_allow_repair }}"
    when: ipatest.krb5_keytab_ok and not ipatest.ca_crt_exists

  - name: Install - Create IPA NSS database
    ipanss:
      servers: "{{ ipadiscovery.servers }}"
      domain: "{{ ipadiscovery.domain }}"
      realm: "{{ ipadiscovery.realm }}"
      basedn: "{{ ipadiscovery.basedn }}"
      hostname: "{{ ipadiscovery.hostname }}"
      subject_base: "{{ ipaapi.subject_base }}"
      principal: "{{ ipaadmin_principal | default(omit) }}"
      mkhomedir: "{{ ipaclient_mkhomedir | default(omit) }}"
      ca_enabled: "{{ ipaapi.ca_enabled | default(omit) }}"
      on_master: "{{ ipaclient_on_master }}"

  - name: Install - IPA extras configuration
    ipaextras:
      servers: "{{ ipadiscovery.servers }}"
      domain: "{{ ipadiscovery.domain }}"
      ntp_servers: "{{ ipadiscovery.ntp_servers }}"
      ntp: "{{ ipaclient_ntp | default(omit) }}"
      on_master: "{{ ipaclient_on_master }}"
      #force_ntpd: no
      #sssd: yes
      #ssh: yes
      #trust_sshfp: yes
      #sshd: yes
      #automount_location:
      #firefox: no
      #firefox_dir:
      #no_nisdomain: no
      #nisdomain:

  always:
  - name: Cleanup leftover ccache
    file:
      path: "/etc/ipa/.dns_ccache"
      state: absent