---
# Get host keytab
- name: Determine whether we need to get host keytab
  stat: path=/etc/krb5.keytab
  register: host_keytab_status
  tags:
  - base
  - config
  - krb5

- name: Get admin keytab
  delegate_to: "{{ ipa_server }}"
  ansible.builtin.shell: echo "{{ipa_admin_password}}" | kinit admin
  tags:
  - base
  - config
  - krb5
  when: not host_keytab_status.stat.exists

- name: Create host entry
  delegate_to: "{{ ipa_server }}"
  ansible.builtin.command: ipa host-add --force {{inventory_hostname}}
  register: host_add_result
  changed_when: "'Added host' in host_add_result.stdout"
  failed_when: "not ('Added host' in host_add_result.stdout or 'already exists' in host_add_result.stderr)"
  tags:
  - base
  - config
  - krb5
  when: not host_keytab_status.stat.exists

- name: Create additional host entries
  delegate_to: "{{ ipa_server }}"
  ansible.builtin.command: ipa host-add --force {{item}}
  with_items: "{{ additional_host_keytabs }}"
  register: hosts_add_result
  changed_when: "'Added host' in hosts_add_result.stdout"
  failed_when: "not ('Added host' in hosts_add_result.stdout or 'already exists' in hosts_add_result.stderr)"
  tags:
  - base
  - config
  - krb5
  when: not host_keytab_status.stat.exists

- name: Generate host keytab
  delegate_to: "{{ ipa_server }}"
  ansible.builtin.command: ipa-getkeytab -s {{ipa_server}} -p host/{{inventory_hostname}} -k /tmp/{{inventory_hostname}}.kt
  register: getkeytab_result
  changed_when: false
  failed_when: "'successfully retrieved' not in getkeytab_result.stderr"
  tags:
  - base
  - config
  - krb5
  when: not host_keytab_status.stat.exists

- name: Add additional host keytabs
  delegate_to: "{{ ipa_server }}"
  ansible.builtin.command: ipa-getkeytab -s {{ipa_server}} -p host/{{item}} -k /tmp/{{inventory_hostname}}.kt
  with_items: "{{ additional_host_keytabs }}"
  register: getkeytabs_result
  changed_when: false
  failed_when: "'successfully retrieved' not in getkeytabs_result.stderr"
  tags:
  - base
  - config
  - krb5
  when: not host_keytab_status.stat.exists

- name: Destroy kerberos ticket
  delegate_to: "{{ ipa_server }}"
  ansible.builtin.command: kdestroy -A
  tags:
  - base
  - config
  - krb5
  when: not host_keytab_status.stat.exists

- name: Get keytab
  delegate_to: "{{ ipa_server }}"
  ansible.builtin.command: base64 /tmp/{{inventory_hostname}}.kt
  register: keytab
  tags:
  - base
  - config
  - krb5
  when: not host_keytab_status.stat.exists

- name: Destroy stored keytab
  delegate_to: "{{ ipa_server }}"
  ansible.builtin.file: path=/tmp/{{inventory_hostname}}.kt state=absent
  tags:
  - base
  - config
  - krb5
  when: not host_keytab_status.stat.exists

- name: Deploy base64 keytab
  ansible.builtin.copy: dest=/etc/krb5.keytab.b64
        content={{keytab.stdout}}
        owner=root group=root mode=0600
  tags:
  - base
  - config
  - krb5
  when: not host_keytab_status.stat.exists

- name: Base64-decode keytab
  ansible.builtin.shell: "umask 077; base64 -d /etc/krb5.keytab.b64 >/etc/krb5.keytab"
  tags:
  - base
  - config
  - krb5
  when: not host_keytab_status.stat.exists

- name: Set keytab permissions
  ansible.builtin.file: path=/etc/krb5.keytab owner=root group=root mode=0600
  tags:
  - base
  - config
  - krb5
  when: not host_keytab_status.stat.exists

- name: Destroy encoded keytab
  ansible.builtin.file: path=/etc/krb5.keytab.b64 state=absent
  tags:
  - base
  - config
  - krb5
  when: not host_keytab_status.stat.exists