#vim: set ft=ansible:
---
# tasks file for bastion

######################### Setting up environment for post deployment administration

- name: install ipa client packages
  yum:
    name: "ipa-client"
    state: present

- name: Register bastion with IPA using host password (first try)
  command: >
    /usr/sbin/ipa-client-install --domain=OPENTLC.COM
    -w '{{ipa_host_password}}'
    -N -U --mkhomedir --no-dns-sshfp
    --hostname={{bastion_public_dns_chomped}}
    {{ipa_additional_options|d('')}}
  when: ipa_host_password is defined
  register: ipa_r1
  ignore_errors: yes

- name: Retry to register bastion with IPA using host password
  shell: >
    /usr/sbin/ipa-client-install --uninstall;
    rm -f /var/lib/ipa-client/sysrestore.state;
    /usr/sbin/ipa-client-install --domain=OPENTLC.COM
    -w '{{ipa_host_password}}'
    -N -U --mkhomedir --no-dns-sshfp
    --hostname={{bastion_public_dns_chomped}}
    {{ipa_additional_options|d('')}}
  when:
    - ipa_host_password is defined
    - ipa_r1 is failed
  register: ipa_r
  until:
    - ipa_r is succeeded
  retries: 5

- name: Register bastion with IPA using OpenTLC admin creds (first try)
  command: >
    /usr/sbin/ipa-client-install --domain=OPENTLC.COM
    -p {{ipa_kerberos_user}} -w '{{ipa_kerberos_password}}'
    -N -U --mkhomedir --no-dns-sshfp
    --hostname={{bastion_public_dns_chomped}}
    {{ipa_additional_options|d('')}}
  when:
    - ipa_host_password is not defined
    - ipa_kerberos_user is defined
    - ipa_kerberos_password is defined
  register: ipa_r1
  ignore_errors: yes

- name: Retry to register bastion with IPA using OpenTLC admin creds
  shell: >
    /usr/sbin/ipa-client-install --uninstall;
    rm -f /var/lib/ipa-client/sysrestore.state;
    /usr/sbin/ipa-client-install --domain=OPENTLC.COM
    -p {{ipa_kerberos_user}} -w '{{ipa_kerberos_password}}'
    -N -U --mkhomedir --no-dns-sshfp
    --hostname={{bastion_public_dns_chomped}}
    {{ipa_additional_options|d('')}}
  when:
    - ipa_host_password is not defined
    - ipa_kerberos_user is defined
    - ipa_kerberos_password is defined
    - ipa_r1 is failed
  register: ipa_r
  until: ipa_r is succeeded
  retries: 5

- name: Create an archive of the ipa-client-* logs
  archive:
    path:
      - /var/log/ipaclient-install.log
      - /var/log/ipaclient-uninstall.log
    dest: /tmp/ipa-client-logs.tar.gz
  ignore_errors: yes

- name: Fetch the ipa-client-logs archive
  fetch:
    src: /tmp/ipa-client-logs.tar.gz
    dest: "{{ANSIBLE_REPO_PATH}}/workdir/{{project_tag}}_ipa-client-logs.tar.gz"
    flat: true
  ignore_errors: yes

- name: Copy over ipa_optimize.sh script
  copy:
    src: "{{ role_path }}/files/ipa_optimize.sh"
    dest: /opt/ipa_optimize.sh
    owner: root
    group: root
    mode: 0700
  notify: Run ipa_optimize.sh

- name: Add opentlc-access ipa group to sudoers.d
  lineinfile:
    path: /etc/sudoers.d/opentlc-sudoers
    state: present
    create: yes
    line: '%opentlc-access ALL=(ALL)       NOPASSWD: ALL'
    validate: '/usr/sbin/visudo -cf %s'
  register: result
  retries: 20
  until: result is succeeded

# sssd bug, fixed by restart
- name: Restart sssd
  service:
    name: sssd
    state: restarted
  register: sssd_restart_result
  retries: 6
  delay: 10
  until: sssd_restart_result is succeeded