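# Tasks that deploy the IPA helper scripts: the stage-users cleanup cron job,
# the sysadmin OTP check, and the collectd IPA statistics plugin.

# The package module accepts a list, so both packages are installed in a
# single transaction instead of one loop iteration per package.
- name: install needed packages for scripts
  package:
    name:
      - python3-freeipa
      - python3-requests-gssapi
    state: present
  tags:
    - ipa/server
    - packages

#
# Cleanup stage users
#

# NOTE(review): the tags below are only applied to the tasks inside the
# included role; the include task itself carries no tags, so a run limited
# with --tags would presumably skip it. Confirm that this is intended.
- name: Create the service for stage users
  include_role:
    name: keytab/service
    apply:
      tags:
        - ipa/server
        - config
        - keytab
  vars:
    host: "{{ ipa_server }}"
    service: stage-users

# Grants the "Stage User Administrators" privilege to the stage-users service
# principal created above. Executed once, on the first IPA server.
- name: Create the Stage User Administrator role
  ipa_role:
    name: "Stage User Administrator"
    description: "Role for users that need to perform admin tasks on stage users."
    privilege:
      - "Stage User Administrators"
    service:
      - "stage-users/{{ ipa_server }}"
    ipa_host: "{{ inventory_hostname }}"
    ipa_user: admin
    ipa_pass: "{{ ipa_admin_password }}"
    # NOTE(review): certificate validation is disabled while this task
    # authenticates to the IPA API with the admin password, so the server's
    # identity is not verified and the credential is not protected against an
    # on-path interceptor. Prefer `validate_certs: true` once the IPA CA is
    # trusted on the host that runs the module; confirm before switching.
    validate_certs: false
  run_once: true
  delegate_to: "ipa01{{ env_suffix }}.iad2.fedoraproject.org"
  tags:
    - ipa/server
    - config

# Scripts in /etc/cron.daily run as root, so the file must not be writable by
# anyone else. The mode is quoted so it is always read as an octal string.
# NOTE(review): owner and group are not set here and default to the
# connecting user; presumably root. Consider pinning them explicitly.
- name: Deploy the stage users cleanup script
  copy:
    src: cleanup-stage-users.py
    dest: /etc/cron.daily/cleanup-stage-users
    mode: "0755"
  # Only run the cron job on one server
  run_once: true
  delegate_to: "ipa01{{ env_suffix }}.iad2.fedoraproject.org"
  tags:
    - ipa/server
    - config

#
# OTP check for sysadmins
#

# NOTE(review): no mode is set, so the permissions of the rendered file depend
# on the remote umask or on a pre-existing file. If the template embeds any
# credential, pin an explicit restrictive mode here. The template body is not
# visible from this file.
- name: Copy file for checking if sysadmins have otp set
  template:
    src: check_sysadmin_otp.py.j2
    dest: /root/check_sysadmin_otp.py
    owner: root
    group: root
  tags:
    - ipa/server
    - otp_script

#
# Collectd statistics plugin
# Requires the stage-users service to have been defined (above) with the
# corresponding permissions. That's why I'm keeping this block here and not as
# a subrole of the collectd role.
#
- name: Install and setup collectd-ipa
  block:
    - name: install collectd-ipa
      package:
        state: present
        name: python3-collectd-ipa
      tags:
        - packages
        - collectd

    # Mode 0640, root:root: the rendered plugin configuration is not
    # world-readable.
    - name: install collectd ipa config
      template:
        src: "ipa.collectd.conf.j2"
        dest: "/etc/collectd.d/ipa.conf"
        owner: root
        group: root
        mode: "0640"
      tags:
        - collectd
        - config
      notify: restart collectd

    # collectd_tcp_network_connect is a broad SELinux boolean: it allows the
    # collectd domain to open outbound TCP connections in general.
    # NOTE(review): the task name mentions RabbitMQ and looks carried over
    # from another role; here the boolean is presumably needed so the IPA
    # plugin can reach the IPA API. Confirm and consider renaming.
    - name: Let collectd talk to the RabbitMQ management interface
      seboolean:
        name: collectd_tcp_network_connect
        state: true
        persistent: true
      tags:
        - collectd
  # Only collect stats on one server
  run_once: true
  delegate_to: "ipa01{{ env_suffix }}.iad2.fedoraproject.org"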