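---
# Configures PAM and SSSD after IPA client installation. It is recommended
# that we use a custom authselect profile and build it out from there.

# Enterprise Linux 7: the same role file is written over both PAM stacks
# (system-auth-ac and password-auth-ac).
- name: Enterprise Linux 7 PAM Configuration
  copy:
    src: "etc/pam.d/{{ ansible_distribution }}-{{ ansible_distribution_major_version }}-system-auth-ac"
    dest: "{{ item }}"
    mode: "0644"
    owner: root
    group: root
  loop:
    - /etc/pam.d/system-auth-ac
    - /etc/pam.d/password-auth-ac
  when:
    - ansible_facts['os_family'] == 'RedHat'
    - ansible_facts['distribution_major_version'] == '7'

# Enterprise Linux 8: build a custom authselect profile on top of the stock
# sssd profile, override its PAM stacks, then select and apply it.
#
# Every task in this block must name the same profile (sssd-rocky). If the
# override or select step names a different profile than the one created
# here, the copy fails on hosts where that other directory does not exist,
# or an older, unmanaged profile ends up being the one that is selected.
- name: Enterprise Linux 8 PAM Configuration
  when:
    - ansible_facts['os_family'] == 'RedHat'
    - ansible_facts['distribution_major_version'] == '8'
  block:
    # Presumably needed because create-profile refuses to overwrite an
    # existing profile. Side effect: the block reports "changed" on every
    # run.
    - name: Ensure Custom Profile is removed
      file:
        state: absent
        path: /etc/authselect/custom/sssd-rocky

    - name: Create custom authselect profile based on sssd
      command: >
        /usr/bin/authselect create-profile sssd-rocky
        --base-on sssd
        --symlink-dconf
        --symlink-meta
        --symlink=postlogin
        --symlink=smartcard-auth
        --symlink=fingerprint-auth

    # The same source file is written to both system-auth and password-auth.
    # NOTE(review): src is the role's own file location and is left as-is;
    # only the on-host profile directory is sssd-rocky. Confirm the role
    # file exists at this path, or rename it to match.
    - name: Override system-auth and password-auth
      copy:
        src: "etc/authselect/custom/sssd-aoc/{{ ansible_distribution }}-{{ ansible_distribution_major_version }}-system-auth"
        dest: "{{ item }}"
        mode: "0644"
        owner: root
        group: root
      loop:
        - /etc/authselect/custom/sssd-rocky/system-auth
        - /etc/authselect/custom/sssd-rocky/password-auth

    # Feature flags:
    #   without-nullok  - do not accept empty passwords
    #   with-faillock   - lock accounts after repeated failed logins
    #   with-mkhomedir  - create home directories on first login (needs
    #                     oddjobd, enabled below)
    #   with-sudo       - let sudo look up rules through SSSD
    # --force lets authselect overwrite PAM/nsswitch files that were edited
    # outside of authselect, so local changes on the host are lost.
    - name: Select New Profile
      command: >
        /usr/bin/authselect select custom/sssd-rocky
        without-nullok
        with-faillock
        with-mkhomedir
        with-sudo
        --force

    - name: Apply new settings
      command: /usr/bin/authselect apply-changes

    # NOTE(review): assumed to belong to the EL8 block because it backs the
    # with-mkhomedir feature selected above - confirm the intended nesting.
    - name: Enable oddjobd
      service:
        name: oddjobd
        state: started
        enabled: true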