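---
# FreeIPA deployment with externally issued (Let's Encrypt) HTTP/LDAP
# certificates, followed by enforcement of the host authselect profile.
#
# Ordering matters: the first server must be fully installed before any
# replica task runs; Ansible's default (linear) strategy guarantees this
# because every host finishes a task before the next task starts.
#
# Conventions for this file: all modules are referenced by FQCN, every
# Jinja value is quoted, booleans are lower-case true/false.

- name: FreeIPA | PATCH | Request or renew Let's Encrypt Certificates
  # certs.yml is expected to leave on each host the files referenced below:
  # /root/server.p12 (this host's cert+key) and the two ISRG root certs.
  # Those roots become trust anchors for IPA, so certs.yml should fetch
  # them over TLS and ideally verify them against a pinned fingerprint
  # (TODO: confirm in certs.yml).
  ansible.builtin.include_tasks:
    file: certs.yml

- name: FreeIPA | PATCH | Deploy first FreeIPA server
  ansible.builtin.include_role:
    role: freeipa.ansible_freeipa.ipaserver
  vars:
    # CA chain used to validate the externally issued server certificates.
    ipaserver_ca_cert_files:
      - /root/isrgrootx1.pem
      - /root/isrg-root-x2.pem
    # NOTE(review): `ansible_inventory` is not an Ansible magic variable; it
    # must be defined elsewhere (group_vars?) and must equal the friendly
    # name used when certs.yml built the PKCS#12. If `inventory_hostname`
    # was intended, change it here and in certs.yml together.
    ipaserver_dirsrv_cert_name: "{{ ansible_inventory }}"
    ipaserver_dirsrv_cert_files:
      - /root/server.p12
    # Empty PKCS#12 password: the private key in /root/server.p12 is
    # protected only by file permissions. Keep it root:root 0600 and delete
    # it once the role has imported it.
    ipaserver_dirsrv_pin: ""
    # The role opens the IPA service ports in this firewalld zone; make sure
    # the interfaces bound to `public` are the ones that should reach IPA.
    ipaserver_firewalld_zone: public
    ipaserver_http_cert_name: "{{ ansible_inventory }}"
    ipaserver_http_cert_files:
      - /root/server.p12
    ipaserver_http_pin: ""
    # Skip the default `allow_all` HBAC rule: host access has to be granted
    # by explicit HBAC rules instead of being open to every IPA user.
    ipaserver_no_hbac_allow: true
    # PKINIT is off; presumably because this is a CA-less install with no
    # KDC certificate supplied (ipaserver_pkinit_cert_files) — confirm.
    ipaserver_no_pkinit: true
    # DNS is managed outside IPA.
    ipaserver_setup_dns: false
  # Only the first host of the `ipaservers` group becomes the initial server.
  when: inventory_hostname == groups['ipaservers'][0]

- name: FreeIPA | PATCH | Deploy replica FreeIPA servers
  ansible.builtin.include_role:
    role: freeipa.ansible_freeipa.ipareplica
  vars:
    # Same trust anchors and per-host PKCS#12 as for the first server; the
    # same caveats about /root/server.p12 permissions and the empty pin apply.
    ipareplica_ca_cert_files:
      - /root/isrgrootx1.pem
      - /root/isrg-root-x2.pem
    ipareplica_dirsrv_cert_name: "{{ ansible_inventory }}"
    ipareplica_dirsrv_cert_files:
      - /root/server.p12
    ipareplica_dirsrv_pin: ""
    ipareplica_firewalld_zone: public
    ipareplica_http_cert_name: "{{ ansible_inventory }}"
    ipareplica_http_cert_files:
      - /root/server.p12
    ipareplica_http_pin: ""
    ipareplica_no_pkinit: true
    ipareplica_setup_dns: false
  # Mirror of the guard on the first-server task: never run the replica role
  # against the host that was just installed as the initial server. The
  # role likely detects an existing install and skips, but the intent is
  # clearer — and a role change cannot surprise us — with an explicit guard.
  when: inventory_hostname != groups['ipaservers'][0]

- name: FreeIPA | AUDIT | Check current authselect configuration
  ansible.builtin.command: authselect current
  register: freeipa_authselect_status
  changed_when: false
  # `authselect current` exits non-zero when no profile has been selected
  # yet (exit code 2 on current releases). That state is exactly what the
  # PATCH task below fixes, so it must not fail the play. Verify the exit
  # codes against the installed authselect version.
  failed_when: freeipa_authselect_status.rc not in [0, 2]

- name: FreeIPA | PATCH | Apply authselect profile with sssd, sudo, and mkhomedir if not set
  # Not passing --force: authselect refuses to overwrite manually edited
  # nsswitch/PAM files, which is the safer default on a directory server.
  ansible.builtin.command: authselect select sssd with-sudo with-mkhomedir
  # Any of the three strings missing (including empty stdout from the
  # "no profile selected" case above) triggers the select.
  when: >
    'Profile ID: sssd' not in freeipa_authselect_status.stdout
    or 'with-sudo' not in freeipa_authselect_status.stdout
    or 'with-mkhomedir' not in freeipa_authselect_status.stdout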