---
# This playbook is meant to be used with callable variables, like adhoc or AWX.
# What: Pulls keytabs for a kerberos service
# What is expected:
#  -> ipa_service, using this format: SVC/hostname.rockylinux.org@ROCKYLINUX.ORG
#  -> ipa_keytab_fullpath: The full path to the keytab. Example: /etc/gitlab/gitlab.keytab
#  -> ipa_server: This needs to be one of the IPA servers
#  -> ipa_owner: If applicable, the local account that will own this keytab (eg for Apache)

- name: Pull keytab from IPA
  hosts: "{{ host }}"
  become: false
  gather_facts: false
  vars_files:
    - vars/encpass.yml

  tasks:
    - name: "Checking for user variables"
      assert:
        that:
          - ipaadmin_password | mandatory
          - ipa_service | mandatory
          - ipa_keytab_fullpath | mandatory
          - ipa_server | mandatory
        success_msg: "Required variables provided"
        fail_msg: "We are missing required information"

    - name: "Pulling keytab"
      command: "ipa-getkeytab -s {{ ipa_server }} -p {{ ipa_service }} -k {{ ipa_keytab_fullpath }}"
      register: ipakeytab_result
      changed_when:
        - ipakeytab_result.rc == 0
      tags:
        - keytab

    - name: "Set ownership if applicable"
      file:
        path: "{{ ipa_keytab_fullpath }}"
        owner: "{{ ipa_owner }}"
        group: "{{ ipa_owner }}"
        mode: '0600'
        state: file
      when: ipa_owner
      tags:
        - keytab