---
# tasks file for ansible-role-sssd

- name: Load specific OS vars
  include_vars: "{{ item }}"
  with_first_found:
    - "{{ ansible_distribution|lower }}-{{ ansible_distribution_version }}.yml"
    - "{{ ansible_distribution|lower }}.yml"
    - "{{ ansible_os_family|lower }}.yml"

# Packages [[[
- name: Install sssd
  package:
    name: "{{ item }}"
    state: "{{ sssd_pkg_state }}"
  with_flattened:
    - '{{ sssd_pkg_list | to_nice_json }}'

- name: Remove unwanted packages
  package:
    name: "{{ item }}"
    state: "{{ sssd__unwanted_packages_state }}"
  with_flattened:
    - '{{ sssd__unwanted_packages_list | to_nice_json }}'
# ]]]

# Update nsswitch.conf
- name: CONFIG sudoers nsswitch.conf
  lineinfile:
    dest: /etc/nsswitch.conf
    state: present
    regexp: '^sudoers:'
    line: 'sudoers:        files'
    owner: root
    group: root
    mode: 0644
  when: not sssd_sudoers_ldap and sssd_nsswitch_manage

# Configuration file
- name: CONFIG sssd.conf
  template:
    src: "{{ sssd_main_conf_tpl }}"
    dest: "{{ sssd_main_conf_path }}"
    mode: 0600
    owner: root
    group: root
    backup: true
  when: sssd_conf_manage
  notify:
    - restart sssd
    - restart logind

- name: "CONFIG conf.d/{{ sssd_domain }}.conf"
  blockinfile:
    state: present
    create: yes
    mode: 0600
    owner: root
    group: root
    insertbefore: BOF
    dest: "/etc/sssd/conf.d/{{ sssd_domain }}.conf"
    content: |
      [domain/{{ sssd_domain }}]
      #ldap_default_authtok = password for {{ sssd_bind_dn }} after END BLOCK
      {% if sssd_bind_password %}ldap_default_authtok = {{ sssd_bind_password }}{% endif %}
  when: sssd_conf_manage
  notify:
    - restart sssd
    - restart logind

- name: Ensure home directories are created upon login with pam
  lineinfile:
    dest: /etc/pam.d/common-account
    regexp: 'pam_mkhomedir\.so'
    line: "session	required			pam_mkhomedir.so	umask=0022	skel=/etc/skel/	silent"
    state: present
  when: sssd_mkhomedir

- meta: flush_handlers
  when: sssd_flush_handlers