---
- name: Install needed packages for scripts
  ansible.builtin.package:
    name: "{{ item }}"
    state: present
  with_items:
  - python3-freeipa
  - python3-requests-gssapi
  tags:
  - ipa/server
  - packages


#
# Cleanup stage users
#
- name: Create the service for stage users
  ansible.builtin.include_role:
    name: "keytab/service" # noqa role-name[path]
    apply:
      tags:
      - ipa/server
      - config
      - keytab
  vars:
    host: "{{ ipa_server }}" # noqa: var-naming[no-role-prefix]
    service: stage-users # noqa: var-naming[no-role-prefix]


- name: Create the Stage User Administrator role
  community.general.ipa_role:
    name: "Stage User Administrator"
    description: "Role for users that need to perform admin tasks on stage users."
    privilege:
    - "Stage User Administrators"
    service:
    - "stage-users/{{ ipa_server }}"
    ipa_host: "{{ inventory_hostname }}"
    ipa_user: admin
    ipa_pass: "{{ ipa_admin_password }}"
    validate_certs: no
  run_once: yes
  delegate_to: "{{ ipa_server }}"
  tags:
  - ipa/server
  - config


- name: Deploy the stage users cleanup script
  ansible.builtin.copy:
    src: cleanup-stage-users.py
    dest: /etc/cron.daily/cleanup-stage-users
    mode: "0755"
  # Only run the cron job on one server
  run_once: yes
  delegate_to: "{{ ipa_server }}"
  tags:
  - ipa/server
  - config


#
# OTP check for sysadmins
#
- name: Copy file for checking if sysadmins have otp set
  ansible.builtin.template:
    src: check_sysadmin_otp.py.j2
    dest: /root/check_sysadmin_otp.py
    owner: root
    group: root
    mode: "0644"
  tags:
  - ipa/server
  - otp_script


#
# Collectd statistics plugin
# Requires the stage-users service to have been defined (above) with the
# corresponding permissions. That's why I'm keeping this block here and not as
# a subrole of the collectd role.
#
- name: Install and setup collectd-ipa
  # Only collect stats on one server
  run_once: yes
  delegate_to: "{{ ipa_server }}"
  block:
  - name: Install collectd-ipa
    ansible.builtin.package:
      state: present
      name: python3-collectd-ipa
    tags:
    - packages
    - collectd

  - name: Install collectd ipa config
    ansible.builtin.template:
      src: "ipa.collectd.conf.j2"
      dest: "/etc/collectd.d/ipa.conf"
      owner: root
      group: root
      mode: "0640"
    tags:
    - collectd
    - config
    notify: Restart collectd

  - name: Let collectd talk to the REST API
    ansible.posix.seboolean:
      name: collectd_tcp_network_connect
      state: yes
      persistent: yes
    tags:
    - collectd


#
# Nagios monitoring
#
- name: Create the service for nagios monitoring
  ansible.builtin.include_role:
    name: "keytab/service" # noqa role-name[path]
    apply:
      tags:
      - ipa/server
      - config
      - keytab
  vars:
    host: "{{ ipa_server }}" # noqa: var-naming[no-role-prefix]
    service: monitoring # noqa: var-naming[no-role-prefix]
    owner_user: nagios
    owner_group: nagios