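---
# FreeIPA lab: provision the server (play 1), then enrol the client (play 2).
# Generated passwords are written to ./admin_pass and ./ds_pass on the
# controller (mode 0600) and, deliberately, printed once by the final
# "show pass" task of the server play.
- hosts: ldap-server
  become: true
  tasks:
    - name: update
      dnf:
        update_cache: true

    - name: install freeipa-server
      dnf:
        name: freeipa-server
        state: present

    - name: install freeipa-server-dns
      dnf:
        name: ipa-server-dns
        state: present

    # The original listed this task twice; once is enough.
    - name: enable firewalld
      systemd:
        name: firewalld
        enabled: true
        state: started

    - name: open firewalld ports
      firewalld:
        service: "{{ item }}"
        permanent: true
        immediate: true
        state: enabled
      loop:
        - http
        - https
        - dns
        - kerberos
        - kpasswd
        - ldap
        - ldaps
        - ntp

    # '/dev/null' as the lookup path means no cache file: a fresh password is
    # generated on every run. no_log keeps the values out of Ansible output.
    - name: generate pass admin
      set_fact:
        admin_password: "{{ lookup('ansible.builtin.password', '/dev/null length=12') }}"
      no_log: true

    - name: generate pass directory manager
      set_fact:
        ds_password: "{{ lookup('ansible.builtin.password', '/dev/null length=12') }}"
      no_log: true

    # Saved on the controller so the client play can read the admin password
    # back; mode 0600 so other local users cannot read the files.
    - name: save admin pass
      copy:
        content: "{{ admin_password }}"
        dest: "./admin_pass"
        mode: "0600"
      become: false
      delegate_to: localhost
      no_log: true

    - name: save directory manager pass
      copy:
        content: "{{ ds_password }}"
        dest: "./ds_pass"
        mode: "0600"
      become: false
      delegate_to: localhost
      no_log: true

    - name: change hosts
      lineinfile:
        path: /etc/hosts
        line: "10.10.1.10 ldap-server.lab.local ldap-server"
        state: present

    # ipa-server-install cannot be re-run on an installed server, so skip it
    # once /etc/ipa/default.conf exists. The passwords are passed as options
    # and are therefore visible in the process list while the installer runs;
    # no_log at least keeps them (and the installer output) out of Ansible's
    # log. Drop no_log temporarily when debugging a failed install.
    - name: freeipa server config
      command: >
        ipa-server-install -U
        --domain=lab.local
        --realm=LAB.LOCAL
        --admin-password={{ admin_password }}
        --ds-password={{ ds_password }}
        --setup-dns
        --auto-forwarders
        --no-host-dns
      args:
        creates: /etc/ipa/default.conf
      no_log: true

    - name: generate ssh key
      openssh_keypair:
        path: "./id_rsa"
        type: rsa
        size: 4096
      register: key_data
      delegate_to: localhost
      become: false

    # The password is fed on stdin rather than via `echo ... | kinit`, so it
    # never appears in a shell command line.
    - name: auth kerberos
      command: kinit admin@LAB.LOCAL
      args:
        stdin: "{{ admin_password }}"
      no_log: true

    - name: generate pass pupkin.v
      set_fact:
        user_password: "{{ lookup('ansible.builtin.password', '/dev/null length=12') }}"
      no_log: true

    # Replaces the former blanket ignore_errors: only the "already exists"
    # error from a re-run is tolerated; any other failure stops the play.
    - name: create user
      command: ipa user-add pupkin.a --first=Aristarkh --last=Pupkin --cn=pupkin.a --password
      args:
        stdin: "{{ user_password }}"
      register: user_add
      failed_when: user_add.rc != 0 and 'already exists' not in user_add.stderr
      changed_when: user_add.rc == 0
      no_log: true

    - name: add ssh public key
      command: ipa user-mod pupkin.a --sshpubkey="{{ key_data.public_key }}"

    # Intentionally prints all three secrets once for the operator; remove or
    # guard this task if play output is archived anywhere.
    - name: show pass
      debug:
        msg: "ВНИМАНИЕ!!! Сохраните сгенерированные пароли: admin - {{ admin_password }}, directory manager - {{ ds_password }}, pupkin.a - {{ user_password }}"

- hosts: ldap-client
  become: true
  tasks:
    - name: update
      dnf:
        update_cache: true

    - name: install ipa-client
      dnf:
        name: ipa-client
        state: present

    # NOTE(review): NetworkManager or systemd-resolved may regenerate
    # /etc/resolv.conf and drop this line; a persistent resolver setting
    # belongs in the connection profile. Left as in the original.
    - name: add dns
      lineinfile:
        path: /etc/resolv.conf
        line: "nameserver 10.10.1.10"
        insertbefore: BOF
        state: present

    # Reads the file written by the server play on the controller.
    - name: get admin pass
      set_fact:
        admin_password: "{{ lookup('file', './admin_pass') | trim }}"
      no_log: true

    # Same caveats as the server install: not re-runnable (guarded by
    # creates), password visible as a process argument while it runs.
    - name: freeipa client config
      command: >
        ipa-client-install -U
        --domain=lab.local
        --realm=LAB.LOCAL
        --server=ldap-server.lab.local
        --principal=admin
        --password={{ admin_password }}
        --mkhomedir
      args:
        creates: /etc/ipa/default.conf
      no_log: true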