---

# tasks file for ipaserver

- block:

  - name: Install - Ensure that IPA server packages are installed

    package:

      name: "{{ ipaserver_packages }}"

      state: present

  - name: Install - Ensure that IPA server packages for dns are installed

    package:

      name: "{{ ipaserver_packages_dns }}"

      state: present

    when: ipaserver_setup_dns | bool

  - name: Install - Ensure that IPA server packages for adtrust are installed

    package:

      name: "{{ ipaserver_packages_adtrust }}"

      state: present

    when: ipaserver_setup_adtrust | bool

  - name: Install - Ensure that firewall packages installed

    package:

      name: "{{ ipaserver_packages_firewalld }}"

      state: present

    when: ipaserver_setup_firewalld | bool

  - name: Firewalld service - Ensure that firewalld is running

    systemd:

      name: firewalld

      enabled: yes

      state: started

    when: ipaserver_setup_firewalld | bool

  when: ipaserver_install_packages | bool

#- name: Install - Include Python2/3 import test

#  import_tasks: "{{ role_path }}/tasks/python_2_3_test.yml"

- include_tasks: "{{ role_path }}/tasks/copy_external_cert.yml"

  with_items: "{{ ipaserver_external_cert_files_from_controller }}"

  when: ipaserver_external_cert_files_from_controller is defined and

        ipaserver_external_cert_files_from_controller|length > 0 and

        not ipaserver_external_cert_files is defined

- name: Install - Server installation test

  ipaserver_test:

    ### basic ###

    dm_password: "{{ ipadm_password }}"

    password: "{{ ipaadmin_password }}"

    master_password: "{{ ipaserver_master_password | default(omit) }}"

    domain: "{{ ipaserver_domain | default(omit) }}"

    realm: "{{ ipaserver_realm | default(omit) }}"

    hostname: "{{ ipaserver_hostname | default(ansible_fqdn) }}"

    ca_cert_files: "{{ ipaserver_ca_cert_files | default(omit) }}"

    no_host_dns: "{{ ipaserver_no_host_dns }}"

    pki_config_override: "{{ ipaserver_pki_config_override | default(omit) }}"

    ### server ###

    setup_adtrust: "{{ ipaserver_setup_adtrust }}"

    setup_kra: "{{ ipaserver_setup_kra }}"

    setup_dns: "{{ ipaserver_setup_dns }}"

    idstart: "{{ ipaserver_idstart | default(omit) }}"

    idmax: "{{ ipaserver_idmax | default(omit) }}"

    # no_hbac_allow: "{{ ipaserver_no_hbac_allow }}"

    no_pkinit: "{{ ipaserver_no_pkinit }}"

    # no_ui_redirect: "{{ ipaserver_no_ui_redirect }}"

    dirsrv_config_file: "{{ ipaserver_dirsrv_config_file | default(omit) }}"

    ### ssl certificate ###

    dirsrv_cert_files: "{{ ipaserver_dirsrv_cert_files | default(omit) }}"

    dirsrv_cert_name: "{{ ipaserver_dirsrv_cert_name | default(omit) }}"

    dirsrv_pin: "{{ ipaserver_dirsrv_pin | default(omit) }}"

    http_cert_files: "{{ ipaserver_http_cert_files | default(omit) }}"

    http_cert_name: "{{ ipaserver_http_cert_name | default(omit) }}"

    http_pin: "{{ ipaserver_http_pin | default(omit) }}"

    pkinit_cert_files: "{{ ipaserver_pkinit_cert_files | default(omit) }}"

    pkinit_cert_name: "{{ ipaserver_pkinit_cert_name | default(omit) }}"

    pkinit_pin: "{{ ipaserver_pkinit_pin | default(omit) }}"

    ### client ###

    # mkhomedir

    ntp_servers: "{{ ipaclient_ntp_servers | default(omit) }}"

    ntp_pool: "{{ ipaclient_ntp_pool | default(omit) }}"

    no_ntp: "{{ ipaclient_no_ntp }}"

    # ssh_trust_dns

    # no_ssh

    # no_sshd

    # no_dns_sshfp

    ### certificate system ###

    external_ca: "{{ ipaserver_external_ca }}"

    external_ca_type: "{{ ipaserver_external_ca_type | default(omit) }}"

    external_ca_profile: "{{ ipaserver_external_ca_profile | default(omit) }}"

    external_cert_files: "{{ ipaserver_external_cert_files | default(omit) }}"

    subject_base: "{{ ipaserver_subject_base | default(omit) }}"

    ca_subject: "{{ ipaserver_ca_subject | default(omit) }}"

    # ca_signing_algorithm

    ### dns ###

    allow_zone_overlap: "{{ ipaserver_allow_zone_overlap }}"

    reverse_zones: "{{ ipaserver_reverse_zones | default([]) }}"

    no_reverse: "{{ ipaserver_no_reverse }}"

    auto_reverse: "{{ ipaserver_auto_reverse }}"

    zonemgr: "{{ ipaserver_zonemgr | default(omit) }}"

    forwarders: "{{ ipaserver_forwarders | default([]) }}"

    no_forwarders: "{{ ipaserver_no_forwarders }}"

    auto_forwarders: "{{ ipaserver_auto_forwarders }}"

    forward_policy: "{{ ipaserver_forward_policy | default(omit) }}"

    no_dnssec_validation: "{{ ipaserver_no_dnssec_validation }}"

    ### ad trust ###

    enable_compat: "{{ ipaserver_enable_compat }}"

    netbios_name: "{{ ipaserver_netbios_name | default(omit) }}"

    rid_base: "{{ ipaserver_rid_base | default(omit) }}"

    secondary_rid_base: "{{ ipaserver_secondary_rid_base | default(omit) }}"

    ### additional ###

  register: result_ipaserver_test

- block:

  # This block is executed only when

  # not ansible_check_mode and

  # not (not result_ipaserver_test.changed and

  #      (result_ipaserver_test.client_already_configured is defined or

  #       result_ipaserver_test.server_already_configured is defined)

  - block:

    - name: Install - Master password creation

      no_log: yes

      ipaserver_master_password:

        dm_password: "{{ ipadm_password }}"

        master_password: "{{ ipaserver_master_password | default(omit) }}"

      register: result_ipaserver_master_password

    - name: Install - Use new master password

      no_log: yes

      set_fact:

        ipaserver_master_password:

          "{{ result_ipaserver_master_password.password }}"

    when: ipaserver_master_password is undefined

  - name: Install - Server preparation

    ipaserver_prepare:

      ### basic ###

      dm_password: "{{ ipadm_password }}"

      password: "{{ ipaadmin_password }}"

      ip_addresses: "{{ ipaserver_ip_addresses | default([]) }}"

      domain: "{{ result_ipaserver_test.domain }}"

      realm: "{{ result_ipaserver_test.realm }}"

      hostname: "{{ result_ipaserver_test.hostname }}"

      no_host_dns: "{{ result_ipaserver_test.no_host_dns }}"

      ### server ###

      setup_adtrust: "{{ ipaserver_setup_adtrust }}"

      setup_kra: "{{ ipaserver_setup_kra }}"

      setup_dns: "{{ ipaserver_setup_dns }}"

      ### certificate system ###

      external_ca: "{{ ipaserver_external_ca }}"

      external_ca_type: "{{ ipaserver_external_ca_type | default(omit) }}"

      external_ca_profile:

        "{{ ipaserver_external_ca_profile | default(omit) }}"

      external_cert_files:

        "{{ ipaserver_external_cert_files | default(omit) }}"

      subject_base: "{{ ipaserver_subject_base | default(omit) }}"

      ca_subject: "{{ ipaserver_ca_subject | default(omit) }}"

      ### dns ###

      allow_zone_overlap: "{{ ipaserver_allow_zone_overlap }}"

      reverse_zones: "{{ ipaserver_reverse_zones | default([]) }}"

      no_reverse: "{{ ipaserver_no_reverse }}"

      auto_reverse: "{{ ipaserver_auto_reverse }}"

      zonemgr: "{{ ipaserver_zonemgr | default(omit) }}"

      forwarders: "{{ ipaserver_forwarders | default([]) }}"

      no_forwarders: "{{ ipaserver_no_forwarders }}"

      auto_forwarders: "{{ ipaserver_auto_forwarders }}"

      forward_policy: "{{ ipaserver_forward_policy | default(omit) }}"

      no_dnssec_validation: "{{ ipaserver_no_dnssec_validation }}"

      ### ad trust ###

      enable_compat: "{{ ipaserver_enable_compat }}"

      netbios_name: "{{ ipaserver_netbios_name | default(omit) }}"

      rid_base: "{{ ipaserver_rid_base | default(omit) }}"

      secondary_rid_base: "{{ ipaserver_secondary_rid_base | default(omit) }}"

      ### additional ###

      setup_ca: "{{ result_ipaserver_test.setup_ca }}"

      _hostname_overridden: "{{ result_ipaserver_test._hostname_overridden }}"

    register: result_ipaserver_prepare

  - name: Install - Setup NTP

    ipaserver_setup_ntp:

      ntp_servers: "{{ result_ipaserver_test.ntp_servers | default(omit) }}"

      ntp_pool: "{{ result_ipaserver_test.ntp_pool | default(omit) }}"

    when: not ipaclient_no_ntp | bool and (ipaserver_external_cert_files

          is undefined or ipaserver_external_cert_files|length < 1)

  - name: Install - Setup DS

    ipaserver_setup_ds:

      dm_password: "{{ ipadm_password }}"

      password: "{{ ipaadmin_password }}"

      # master_password: "{{ ipaserver_master_password }}"

      domain: "{{ result_ipaserver_test.domain }}"

      realm: "{{ result_ipaserver_test.realm | default(omit) }}"

      hostname: "{{ result_ipaserver_test.hostname }}"

      # ip_addresses: "{{ result_ipaserver_prepare.ip_addresses }}"

      # reverse_zones: "{{ result_ipaserver_prepare.reverse_zones }}"

      # setup_adtrust: "{{ result_ipaserver_test.setup_adtrust }}"

      # setup_kra: "{{ result_ipaserver_test.setup_kra }}"

      # setup_dns: "{{ ipaserver_setup_dns }}"

      setup_ca: "{{ result_ipaserver_test.setup_ca }}"

      # no_host_dns: "{{ result_ipaserver_test.no_host_dns }}"

      dirsrv_config_file: "{{ ipaserver_dirsrv_config_file | default(omit) }}"

      dirsrv_cert_files: "{{ ipaserver_dirsrv_cert_files | default(omit) }}"

      _dirsrv_pkcs12_info: "{{ result_ipaserver_test._dirsrv_pkcs12_info if result_ipaserver_test._dirsrv_pkcs12_info != None else omit }}"

      external_cert_files:

        "{{ ipaserver_external_cert_files | default(omit) }}"

      subject_base: "{{ result_ipaserver_prepare.subject_base }}"

      ca_subject: "{{ result_ipaserver_prepare.ca_subject }}"

      # no_reverse: "{{ ipaserver_no_reverse }}"

      # auto_forwarders: "{{ ipaserver_auto_forwarders }}"

      no_pkinit: "{{ result_ipaserver_test.no_pkinit }}"

      no_hbac_allow: "{{ ipaserver_no_hbac_allow }}"

      idstart: "{{ result_ipaserver_test.idstart }}"

      idmax: "{{ result_ipaserver_test.idmax }}"

  - name: Install - Setup KRB

    ipaserver_setup_krb:

      dm_password: "{{ ipadm_password }}"

      password: "{{ ipaadmin_password }}"

      master_password: "{{ ipaserver_master_password }}"

      domain: "{{ result_ipaserver_test.domain }}"

      realm: "{{ result_ipaserver_test.realm }}"

      hostname: "{{ result_ipaserver_test.hostname }}"

      # ip_addresses: "{{ result_ipaserver_prepare.ip_addresses }}"

      reverse_zones: "{{ result_ipaserver_prepare.reverse_zones }}"

      setup_adtrust: "{{ result_ipaserver_test.setup_adtrust }}"

      setup_kra: "{{ result_ipaserver_test.setup_kra }}"

      setup_dns: "{{ ipaserver_setup_dns }}"

      setup_ca: "{{ result_ipaserver_test.setup_ca }}"

      no_host_dns: "{{ result_ipaserver_test.no_host_dns }}"

      external_cert_files:

        "{{ ipaserver_external_cert_files | default(omit) }}"

      subject_base: "{{ result_ipaserver_prepare.subject_base }}"

      ca_subject: "{{ result_ipaserver_prepare.ca_subject }}"

      no_reverse: "{{ ipaserver_no_reverse }}"

      auto_forwarders: "{{ ipaserver_auto_forwarders }}"

      no_pkinit: "{{ result_ipaserver_test.no_pkinit }}"

      no_hbac_allow: "{{ ipaserver_no_hbac_allow }}"

      idstart: "{{ result_ipaserver_test.idstart }}"

      idmax: "{{ result_ipaserver_test.idmax }}"

      _pkinit_pkcs12_info: "{{ result_ipaserver_test._pkinit_pkcs12_info if result_ipaserver_test._pkinit_pkcs12_info != None else omit }}"

  - name: Install - Setup custodia

    ipaserver_setup_custodia:

      realm: "{{ result_ipaserver_test.realm }}"

      hostname: "{{ result_ipaserver_test.hostname }}"

      setup_ca: "{{ result_ipaserver_test.setup_ca }}"

  - name: Install - Setup CA

    ipaserver_setup_ca:

      dm_password: "{{ ipadm_password }}"

      password: "{{ ipaadmin_password }}"

      master_password: "{{ ipaserver_master_password }}"

      # ip_addresses: "{{ result_ipaserver_prepare.ip_addresses }}"

      domain: "{{ result_ipaserver_test.domain }}"

      realm: "{{ result_ipaserver_test.realm }}"

      hostname: "{{ result_ipaserver_test.hostname }}"

      no_host_dns: "{{ result_ipaserver_test.no_host_dns }}"

      pki_config_override: "{{ ipaserver_pki_config_override |

                               default(omit) }}"

      setup_adtrust: "{{ result_ipaserver_test.setup_adtrust }}"

      setup_kra: "{{ result_ipaserver_test.setup_kra }}"

      setup_dns: "{{ ipaserver_setup_dns }}"

      setup_ca: "{{ result_ipaserver_test.setup_ca }}"

      idstart: "{{ result_ipaserver_test.idstart }}"

      idmax: "{{ result_ipaserver_test.idmax }}"

      no_hbac_allow: "{{ ipaserver_no_hbac_allow }}"

      no_pkinit: "{{ result_ipaserver_test.no_pkinit }}"

      dirsrv_config_file: "{{ ipaserver_dirsrv_config_file | default(omit) }}"

      dirsrv_cert_files: "{{ ipaserver_dirsrv_cert_files | default([]) }}"

      _dirsrv_pkcs12_info: "{{ result_ipaserver_test._dirsrv_pkcs12_info if result_ipaserver_test._dirsrv_pkcs12_info != None else omit }}"

      external_ca: "{{ ipaserver_external_ca }}"

      external_ca_type: "{{ ipaserver_external_ca_type | default(omit) }}"

      external_ca_profile:

        "{{ ipaserver_external_ca_profile | default(omit) }}"

      external_cert_files:

        "{{ ipaserver_external_cert_files | default(omit) }}"

      subject_base: "{{ result_ipaserver_prepare.subject_base }}"

      _subject_base: "{{ result_ipaserver_prepare._subject_base }}"

      ca_subject: "{{ result_ipaserver_prepare.ca_subject }}"

      _ca_subject: "{{ result_ipaserver_prepare._ca_subject }}"

      ca_signing_algorithm: "{{ ipaserver_ca_signing_algorithm |

                                default(omit) }}"

      reverse_zones: "{{ result_ipaserver_prepare.reverse_zones }}"

      no_reverse: "{{ ipaserver_no_reverse }}"

      auto_forwarders: "{{ ipaserver_auto_forwarders }}"

      _http_ca_cert: "{{ result_ipaserver_test._http_ca_cert }}"

    register: result_ipaserver_setup_ca

  - name: Copy /root/ipa.csr to "{{ inventory_hostname }}-ipa.csr"

    fetch:

      src: /root/ipa.csr

      dest: "{{ inventory_hostname }}-ipa.csr"

      flat: yes

    when: result_ipaserver_setup_ca.csr_generated | bool and

          ipaserver_copy_csr_to_controller | bool

  - block:

    - name: Install - Setup otpd

      ipaserver_setup_otpd:

        realm: "{{ result_ipaserver_test.realm }}"

        hostname: "{{ result_ipaserver_test.hostname }}"

        setup_ca: "{{ result_ipaserver_test.setup_ca }}"

    - name: Install - Setup HTTP

      ipaserver_setup_http:

        dm_password: "{{ ipadm_password }}"

        password: "{{ ipaadmin_password }}"

        master_password: "{{ ipaserver_master_password }}"

        domain: "{{ result_ipaserver_test.domain }}"

        realm: "{{ result_ipaserver_test.realm }}"

        hostname: "{{ result_ipaserver_test.hostname }}"

        # ip_addresses: "{{ result_ipaserver_prepare.ip_addresses }}"

        reverse_zones: "{{ result_ipaserver_prepare.reverse_zones }}"

        setup_adtrust: "{{ result_ipaserver_test.setup_adtrust }}"

        setup_kra: "{{ result_ipaserver_test.setup_kra }}"

        setup_dns: "{{ ipaserver_setup_dns }}"

        setup_ca: "{{ result_ipaserver_test.setup_ca }}"

        no_host_dns: "{{ result_ipaserver_test.no_host_dns }}"

        dirsrv_cert_files: "{{ ipaserver_dirsrv_cert_files | default([]) }}"

        external_cert_files:

          "{{ ipaserver_external_cert_files | default(omit) }}"

        subject_base: "{{ result_ipaserver_prepare.subject_base }}"

        _subject_base: "{{ result_ipaserver_prepare._subject_base }}"

        ca_subject: "{{ result_ipaserver_prepare.ca_subject }}"

        _ca_subject: "{{ result_ipaserver_prepare._ca_subject }}"

        no_reverse: "{{ ipaserver_no_reverse }}"

        auto_forwarders: "{{ ipaserver_auto_forwarders }}"

        no_pkinit: "{{ result_ipaserver_test.no_pkinit }}"

        no_hbac_allow: "{{ ipaserver_no_hbac_allow }}"

        idstart: "{{ result_ipaserver_test.idstart }}"

        idmax: "{{ result_ipaserver_test.idmax }}"

        http_cert_files: "{{ ipaserver_http_cert_files | default([]) }}"

        no_ui_redirect: "{{ ipaserver_no_ui_redirect }}"

        _http_pkcs12_info: "{{ result_ipaserver_test._http_pkcs12_info if result_ipaserver_test._http_pkcs12_info != None else omit }}"

    - name: Install - Setup KRA

      ipaserver_setup_kra:

        hostname: "{{ result_ipaserver_test.hostname }}"

        setup_ca: "{{ result_ipaserver_test.setup_ca }}"

        dm_password: "{{ ipadm_password }}"

        setup_kra: "{{ result_ipaserver_test.setup_kra }}"

        realm: "{{ result_ipaserver_test.realm }}"

        pki_config_override: "{{ ipaserver_pki_config_override |

                                 default(omit) }}"

      when: result_ipaserver_test.setup_kra | bool

    - name: Install - Setup DNS

      ipaserver_setup_dns:

        ip_addresses: "{{ ipaserver_ip_addresses | default([]) }}"

        domain: "{{ result_ipaserver_test.domain }}"

        realm: "{{ result_ipaserver_test.realm }}"

        hostname: "{{ result_ipaserver_test.hostname }}"

        setup_ca: "{{ result_ipaserver_test.setup_ca }}"

        setup_dns: "{{ ipaserver_setup_dns }}"

        forwarders: "{{ result_ipaserver_prepare.forwarders }}"

        forward_policy: "{{ result_ipaserver_prepare.forward_policy }}"

        zonemgr: "{{ ipaserver_zonemgr | default(omit) }}"

        no_dnssec_validation: "{{ result_ipaserver_prepare.no_dnssec_validation }}"

        ### additional ###

        dns_ip_addresses: "{{ result_ipaserver_prepare.dns_ip_addresses }}"

        dns_reverse_zones: "{{ result_ipaserver_prepare.dns_reverse_zones }}"

      when: ipaserver_setup_dns | bool

    - name: Install - Setup ADTRUST

      ipaserver_setup_adtrust:

        hostname: "{{ result_ipaserver_test.hostname }}"

        setup_ca: "{{ result_ipaserver_test.setup_ca }}"

        setup_adtrust: "{{ result_ipaserver_test.setup_adtrust }}"

        ### ad trust ###

        enable_compat: "{{ ipaserver_enable_compat }}"

        rid_base: "{{ result_ipaserver_test.rid_base }}"

        secondary_rid_base: "{{ result_ipaserver_test.secondary_rid_base }}"

        ### additional ###

        adtrust_netbios_name: "{{ result_ipaserver_prepare.adtrust_netbios_name }}"

        adtrust_reset_netbios_name:

          "{{ result_ipaserver_prepare.adtrust_reset_netbios_name }}"

      when: result_ipaserver_test.setup_adtrust

    - name: Install - Set DS password

      ipaserver_set_ds_password:

        dm_password: "{{ ipadm_password }}"

        password: "{{ ipaadmin_password }}"

        domain: "{{ result_ipaserver_test.domain }}"

        realm: "{{ result_ipaserver_test.realm }}"

        hostname: "{{ result_ipaserver_test.hostname }}"

        setup_ca: "{{ result_ipaserver_test.setup_ca }}"

        subject_base: "{{ result_ipaserver_prepare.subject_base }}"

        ca_subject: "{{ result_ipaserver_prepare.ca_subject }}"

        no_pkinit: "{{ result_ipaserver_test.no_pkinit }}"

        no_hbac_allow: "{{ ipaserver_no_hbac_allow }}"

        idstart: "{{ result_ipaserver_test.idstart }}"

        idmax: "{{ result_ipaserver_test.idmax }}"

        dirsrv_config_file: "{{ ipaserver_dirsrv_config_file | default(omit) }}"

        _dirsrv_pkcs12_info: "{{ result_ipaserver_test._dirsrv_pkcs12_info if result_ipaserver_test._dirsrv_pkcs12_info != None else omit }}"

    - name: Install - Setup client

      include_role:

        name: ipaclient

      vars:

        state: present

        ipaclient_on_master: yes

        ipaclient_domain: "{{ result_ipaserver_test.domain }}"

        ipaclient_realm: "{{ result_ipaserver_test.realm }}"

        ipaclient_servers: ["{{ result_ipaserver_test.hostname }}"]

        ipaclient_hostname: "{{ result_ipaserver_test.hostname }}"

        ipaclient_no_ntp:

          "{{ 'true' if result_ipaserver_test.ipa_python_version >= 40690

               else 'false' }}"

        ipaclient_install_packages: "{{ ipaserver_install_packages }}"

    - name: Install - Enable IPA

      ipaserver_enable_ipa:

        hostname: "{{ result_ipaserver_test.hostname }}"

        setup_dns: "{{ ipaserver_setup_dns }}"

        setup_ca: "{{ result_ipaserver_test.setup_ca }}"

      register: result_ipaserver_enable_ipa

    - name: Install - Cleanup root IPA cache

      file:

        path: "/root/.ipa_cache"

        state: absent

      when: result_ipaserver_enable_ipa.changed

    - name: Install - Configure firewalld

      command: >

        firewall-cmd

        --permanent

        --add-service=freeipa-ldap

        --add-service=freeipa-ldaps

        {{ "--add-service=freeipa-trust" if ipaserver_setup_adtrust | bool

           else "" }}

        {{ "--add-service=dns" if ipaserver_setup_dns | bool else "" }}

        {{ "--add-service=ntp" if not ipaclient_no_ntp | bool else "" }}

      when: ipaserver_setup_firewalld | bool

    - name: Install - Configure firewalld runtime

      command: >

        firewall-cmd

        --add-service=freeipa-ldap

        --add-service=freeipa-ldaps

        {{ "--add-service=freeipa-trust" if ipaserver_setup_adtrust | bool

           else "" }}

        {{ "--add-service=dns" if ipaserver_setup_dns | bool else "" }}

        {{ "--add-service=ntp" if not ipaclient_no_ntp | bool else "" }}

      when: ipaserver_setup_firewalld | bool

    when: not result_ipaserver_setup_ca.csr_generated | bool

  always:

  - name: Cleanup temporary files

    file:

      path: "{{ item }}"

      state: absent

    with_items:

    - "/etc/ipa/.tmp_pkcs12_dirsrv"

    - "/etc/ipa/.tmp_pkcs12_http"

    - "/etc/ipa/.tmp_pkcs12_pkinit"

  when: not ansible_check_mode and not

        (not result_ipaserver_test.changed and

         (result_ipaserver_test.client_already_configured is defined or

          result_ipaserver_test.server_already_configured is defined))