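# Install the Python libraries that the task name says the scripts need.
- name: install needed packages for scripts
  package:
    # Pass the whole list so the package manager resolves it in one call
    # rather than once per item.
    name:
      - python3-freeipa
      - python3-requests-gssapi
    state: present
  tags:
    - ipa/server
    - packages

#
# Cleanup stage users
#

# Create the stage-users service principal and keytab through the
# keytab/service role.
- name: Create the service for stage users
  include_role:
    name: keytab/service
    # apply: attaches these tags to the tasks pulled in from the role.
    apply:
      tags:
        - ipa/server
        - config
        - keytab
  vars:
    host: "{{ ipa_server }}"
    service: stage-users

# Define the IPA role that grants the stage-users service the
# "Stage User Administrators" privilege.
- name: Create the Stage User Administrator role
  ipa_role:
    name: "Stage User Administrator"
    description: "Role for users that need to perform admin tasks on stage users."
    privilege:
      - "Stage User Administrators"
    service:
      - "stage-users/{{ ipa_server }}"
    ipa_host: "{{ inventory_hostname }}"
    ipa_user: admin
    ipa_pass: "{{ ipa_admin_password }}"
    # NOTE(review): certificate verification is disabled on a call that
    # authenticates as admin with ipa_admin_password, so the server's
    # identity is not checked before the credential is sent. Confirm whether
    # the host running this module trusts the IPA CA and, if it does, set
    # this to true.
    validate_certs: false
  # The role is a directory-wide object, so create it once, from ipa01.
  run_once: true
  delegate_to: "ipa01{{ env_suffix }}.iad2.fedoraproject.org"
  tags:
    - ipa/server
    - config

- name: Deploy the stage users cleanup script
  copy:
    src: cleanup-stage-users.py
    dest: /etc/cron.daily/cleanup-stage-users
    # Quoted so the mode is always read as an octal string, never as a
    # decimal integer.
    mode: "0755"
  # Only run the cron job on one server
  run_once: true
  delegate_to: "ipa01{{ env_suffix }}.iad2.fedoraproject.org"
  tags:
    - ipa/server
    - config

#
# OTP check for sysadmins
#

- name: Copy file for checking if sysadmins have otp set
  template:
    src: check_sysadmin_otp.py.j2
    dest: /root/check_sysadmin_otp.py
    owner: root
    group: root
    # NOTE(review): no mode is set, so the permissions of the rendered file
    # depend on the remote umask or on an already existing file. If the
    # template renders credentials into the script, pin a restrictive mode
    # here — confirm against check_sysadmin_otp.py.j2.
  tags:
    - ipa/server
    - otp_script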