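- name: Install packages
  package:
    name:
      - krb5-admin-server
    state: present

# Note the following is not really for production, where we already
# have a database setup. It is exercised by testing however.
- name: Look for primary database
  stat:
    path: /var/lib/krb5kdc/principal
  register: _db_created

- name: Setup clean primary
  when: not _db_created.stat.exists
  block:
    # The master key is handed to kdb5_util on stdin via `yes`, so it
    # appears on the command line of `yes` for the duration of the task.
    # `no_log` keeps the rendered command and its output out of Ansible
    # logs; `quote` keeps a key containing shell metacharacters intact.
    - name: Setup primary db
      shell: |
        yes {{ kerberos_kdc_master_key | quote }} | kdb5_util create -r {{ kerberos_kdc_realm }} -s
      no_log: true

    - name: Generate and save admin principal password
      copy:
        dest: '/etc/krb5kdc/admin.passwd'
        content: '{{ lookup("password", "/dev/null chars=ascii_letters,digits length=12") }}'
        owner: root
        group: root
        mode: '0600'

    # The generated password is expanded into the kadmin command line;
    # no_log keeps it out of Ansible output.
    - name: Setup initial admin principal
      shell: |
        echo "addprinc -pw $(cat /etc/krb5kdc/admin.passwd) admin/admin@{{ kerberos_kdc_realm }}" | kadmin.local
      no_log: true

    # https://web.mit.edu/kerberos/krb5-latest/doc/admin/install_kdc.html
    # It is not strictly necessary to have the primary KDC server in
    # the Kerberos database, but it can be handy if you want to be
    # able to swap the primary KDC with one of the replicas.
    # NOTE(review): nesting reconstructed from a collapsed source; confirm
    # these two principal-creation tasks belong inside the
    # "Setup clean primary" block (addprinc is not re-runnable).
    - name: Create primary host principal and keytab
      shell:
        cmd: |
          echo "addprinc -randkey host/{{ inventory_hostname }}" | kadmin.local
          echo "ktadd host/{{ inventory_hostname }}" | kadmin.local

    - name: Create replica host principals
      shell:
        cmd: 'echo "addprinc -randkey host/{{ item }}" | kadmin.local'
      with_inventory_hostnames: kerberos-kdc-replica

# The stash file is used to decrypt the on-disk database. Without
# this you are prompted for the master password on daemon start. This
# needs to be distributed to the replicas so they can also open the
# database. The registered value is key material, so it is kept out
# of task output with no_log.
- name: Read and save stash file
  slurp:
    src: '/etc/krb5kdc/stash'
  register: kerberos_kdc_stash_file_contents
  no_log: true

# Export this so replica servers can use this variable to authenticate
# and create keytabs for their host principals, if they need to.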
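# Both tasks below handle the admin/admin password; no_log keeps the
# slurped content and the exported fact out of Ansible output.
- name: Read in admin/admin password
  slurp:
    src: "/etc/krb5kdc/admin.passwd"
  register: _admin_password
  no_log: true

- name: Export admin password
  set_fact:
    kerberos_kdc_admin_password: '{{ _admin_password.content | b64decode }}'
  no_log: true

# kprop is what pushes the db to replicas. Set it up to run via cron
# periodically.
- name: Install kprop script
  template:
    src: 'run-kprop.sh.j2'
    dest: '/usr/local/bin/run-kprop.sh'
    mode: '0755'
    owner: root
    group: root

- name: kprop cron to push db to replicas
  cron:
    name: kprop
    minute: '15'
    job: '/usr/local/bin/run-kprop.sh >/dev/null 2>&1'

# Booleans written as true/false rather than yes/no so they parse the
# same under YAML 1.1 and 1.2 loaders.
- name: start krb5-admin-server
  systemd:
    state: started
    enabled: true
    name: krb5-admin-server

- name: start krb5-kdc
  systemd:
    state: started
    enabled: true
    name: krb5-kdc

# The streaming file only holds the dump command; the dump itself is
# produced at backup time.
- name: Setup db backup streaming job
  block:
    - name: Create backup streaming config dir
      file:
        path: /etc/borg-streams
        state: directory

    - name: Create db streaming file
      copy:
        content: >-
          /usr/sbin/kdb5_util dump
        dest: /etc/borg-streams/kdb5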