---
# Play 1: FreeIPA servers. The CIS baseline runs first, then the FreeIPA role.
- hosts:
    - ipaservers
  become: true  # the FreeIPA roles need root
  vars:
    # Required for the FreeIPA setup: EPEL packages named for the baseline
    # role (certbot and what appear to be its Python dependencies).
    # NOTE(review): presumably an allow-list enforced by sr2c.core.baseline;
    # confirm there, and keep the list as short as the setup permits.
    baseline_epel_packages_allowed:
      - certbot
      - python3-certbot
      - python3-pyrfc3339
      - python3-parsedatetime
      - python3-josepy
      - python3-importlib-metadata
      - python3-configargparse
      - python3-acme
      - python3-zipp
      - python3-pyOpenSSL

    # CIS 2.1 Configure Server Services
    # FreeIPA requires these services, so each is flagged as needed.
    # Every flag set to true here is a deliberate exception to the benchmark.
    # TODO: can autofs be masked? FreeIPA requires it, but we do not use it.
    rhel9cis_autofs_services: true
    rhel9cis_dns_server: true
    rhel9cis_httpd_server: true

    # CIS 2.2 Configure Client Services
    # FreeIPA requires the OpenLDAP clients.
    rhel9cis_openldap_clients_required: true

    # CIS 5.3.2 Configure authselect
    # ipaservers are part of Linux Identity Management. Joining a host to an
    # IdM domain automatically configures SSSD authentication on it, so
    # authselect updates are switched off here.
    # NOTE(review): the authselect/PAM state is then whatever IdM leaves in
    # place; check it against the CIS 5.3 requirements separately.
    rhel9cis_allow_authselect_updates: false

    # TODO: a restricted umask breaks the FreeIPA roles, so these two CIS
    # rules are switched off on the IPA servers.
    # NOTE(review): standing hardening exception. Record it, and re-enable
    # both rules once the roles work under the restricted umask.
    rhel9cis_rule_5_4_2_6: false
    rhel9cis_rule_5_4_3_3: false
  roles:
    - name: sr2c.core.baseline
      tags: bootstrap
    - name: sr2c.core.freeipa
      tags: freeipa

# Play 2: Keycloak host. Baseline, IdM client enrolment, then Keycloak.
- hosts:
    - keycloak
  become: true
  vars:
    # TODO: can autofs be masked? FreeIPA requires it, but we do not use it.
    rhel9cis_autofs_services: true

    # CIS 2.2 Configure Client Services
    # FreeIPA requires the OpenLDAP clients.
    rhel9cis_openldap_clients_required: true

    # CIS 5.3.2 Configure authselect
    # The ipaclient role below joins this host to the IdM domain, which
    # automatically configures SSSD authentication on it, so authselect
    # updates are switched off here as on the ipaservers.
    # NOTE(review): the original comment here was copied from the ipaservers
    # play; this host is an IdM client, not a server.
    rhel9cis_allow_authselect_updates: false

    # NOTE(review): presumably the unprivileged account under which the
    # Keycloak container runs rootless; confirm in sr2c.core.podman_keycloak.
    podman_host_rootless_users:
      - identity
  roles:
    - name: sr2c.core.baseline
      tags: bootstrap
    # NOTE(review): no enrolment credentials are set in this file; presumably
    # they come from inventory or a vault. Keep them out of this playbook.
    - name: freeipa.ansible_freeipa.ipaclient
      state: present
      tags: bootstrap
    - name: sr2c.core.podman_keycloak
      tags: keycloak