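---
# Joins this host to an Active Directory realm with adcli + sssd and,
# optionally, to extra trusted domains (each with its own keytab under
# /var/lib/sss/keytabs). Tasks are tagged "auth" so the role can be
# re-applied with --tags auth; the two OS-specific includes carry no tag.

# ad_trusted_domains is a list of per-domain dicts; each entry is merged on
# top of ad_default_trusted_domain so callers only state what differs.
# The fact is built up across loop iterations (default([]) seeds the first
# one). Entries carry admin credentials (item.admin_pass is fed to adcli
# further down), so no_log is set on both set_fact tasks: loop and fact
# output would otherwise echo the passwords. The trade-off is that an
# undefined-variable error in these tasks is censored as well.
- name: Build trusted domains list
  set_fact:
    ad_trusted_domains_conf: "{{ ad_trusted_domains_conf | default([]) + [ad_default_trusted_domain | combine(item, recursive=True)] }}"
  with_items: "{{ ad_trusted_domains }}"
  no_log: true
  tags: auth

- name: Replace ad_trusted_domains with the merged configuration
  set_fact:
    ad_trusted_domains: "{{ ad_trusted_domains_conf | default([]) }}"
  no_log: true
  tags: auth

# OS-family specific package installation (install_<os_family>.yml).
# include_tasks replaces the deprecated `include`; like the pam include below
# it has no tag, so it is itself subject to --tags filtering.
- include_tasks: "install_{{ ansible_os_family }}.yml"

# "example.com" -> "DC=example,DC=com". A block scalar hands the regex
# backslash to Jinja verbatim (a double-quoted YAML string would need "\\.").
- name: Set LDAP base
  set_fact:
    ad_ldap_base: >-
      DC={{ ad_realm | regex_replace('\.', ',DC=') }}
  tags: auth

- include_tasks: "pam_{{ ansible_os_family }}.yml"

# Presence of samba's secrets.tdb decides later whether the machine-password
# renewal cron job is installed.
- name: Check if there's a secrets.tdb DB
  stat:
    path: /var/lib/samba/private/secrets.tdb
  register: ad_samba_secrets
  tags: auth

# sssd.conf may hold bind credentials: keep it root-only. The mode is a
# quoted string — an unquoted 600 would be read as decimal by the module.
- name: Deploy sssd configuration
  template:
    src: sssd.conf.j2
    dest: /etc/sssd/sssd.conf
    mode: "0600"
  notify: restart sssd ad
  tags: auth

- name: Deploy krb5 configuration
  template:
    src: krb5.conf.j2
    dest: /etc/krb5.conf
  tags: auth

# ad_force_join drops the existing keytab so the join below runs again.
- name: Remove current keytab
  file:
    path: /etc/krb5.keytab
    state: absent
  when: ad_force_join | bool
  tags: auth

- name: Check if we already have our keytab file
  stat:
    path: /etc/krb5.keytab
  register: ad_keytab
  tags: auth

# We need to have our correct hostname before joining the domain !!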
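# Defaults to inventory_hostname with any domain part stripped. A block scalar
# is used so the regex backslashes reach Jinja untouched.
- name: Set system hostname
  hostname:
    name: >-
      {{ system_hostname | default(inventory_hostname | regex_replace('^([^\.]+)\..*', '\\1')) }}
  tags: auth

# The admin password is passed on stdin (--stdin-password), so it never shows
# up in the process list; no_log keeps it out of Ansible's output as well.
- name: Join the domain
  command: >-
    adcli join {{ ad_realm | upper }}
    --login-user={{ ad_admin }}
    --host-fqdn={{ ansible_hostname }}.{{ ad_realm }}
    --stdin-password
  args:
    stdin: "{{ ad_admin_pass }}"
  no_log: true
  when: not ad_keytab.stat.exists
  register: ad_join
  tags: auth

- name: Check if we're a DC
  stat:
    path: /var/lib/samba/private/secrets.keytab
  register: ad_dc_keytab
  tags: auth

# Periodic machine-password rotation via "net ads changetrustpw". The slot is
# derived from inventory_hostname (random filter seeded with it) so runs stay
# idempotent while hosts are spread over the month.
# random(N) yields 0..N-1; cron's day-of-month field starts at 1, so the day
# uses start=1 (1..27) — a 0 would make the crontab entry invalid.
# The job is removed when this host is itself a DC (per the keytab check
# above) or when there is no samba secrets.tdb to update.
- name: Add a cron task to renew machine password
  cron:
    name: sssd_ad
    cron_file: renew_ad_pass
    minute: "{{ 59 | random(seed=inventory_hostname) }}"
    hour: "{{ 23 | random(seed=inventory_hostname) }}"
    day: "{{ 28 | random(start=1, seed=inventory_hostname) }}"
    user: root
    job: net ads changetrustpw
    state: "{{ (ad_dc_keytab.stat.exists or not ad_samba_secrets.stat.exists) | ternary('absent', 'present') }}"
  tags: auth

- name: Create keytabs dir
  file:
    path: /var/lib/sss/keytabs
    state: directory
    owner: sssd
    mode: "0700"
  tags: auth

# Same stdin handling as the primary join; `creates` makes each join
# idempotent. no_log is required here: the loop result prints every item,
# including item.admin_pass, without it.
# NOTE(review): become_user alone relies on become being enabled at play
# level — confirm, otherwise adcli runs as the connecting user.
- name: Join trusted domains
  command: >-
    adcli join {{ item.name | upper }}
    --login-user={{ item.admin_user }}
    --stdin-password
    --host-keytab=/var/lib/sss/keytabs/{{ item.name | upper }}.keytab
  args:
    stdin: "{{ item.admin_pass }}"
    creates: "/var/lib/sss/keytabs/{{ item.name | upper }}.keytab"
  become_user: sssd
  no_log: true
  with_items: "{{ ad_trusted_domains }}"
  register: ad_trusted_join
  tags: auth

- name: Start and enable services
  service:
    name: "{{ item }}"
    state: started
    enabled: true
  with_items:
    - sssd
    - oddjobd
  tags: auth

# On el8 for example, sssd is already installed and running on a default setup
# so we need to restart it now, so users are available (for eg, ssh authorized_keys setup)
# We can't rely on the handler, because it would only run at the end of the playbook
- name: Restart sssd if needed
  service:
    name: sssd
    state: restarted
  when: >-
    ad_join.changed or
    (ad_trusted_join.results | selectattr('changed', 'equalto', True) | list | length > 0)
  tags: auth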