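---
# FreeIPA client baseline: enrol the host in the IPA domain, then make sure
# the active authselect profile is sssd with the features this baseline
# expects, and that the service behind with-mkhomedir is running.

- name: FreeIPA Client | PATCH | Join IPA domain
  ansible.builtin.include_role:
    role: freeipa.ansible_freeipa.ipaclient
  vars:
    ipaclient_hostname: "{{ inventory_hostname }}"
  # We've already joined if we're using an unprivileged user
  # NOTE(review): this keys enrolment on the connection user alone and raises
  # an undefined-variable error when ansible_user is not set for the host;
  # confirm every inventory entry defines it.
  # NOTE(review): no enrolment credentials are set in this file; presumably
  # they come from inventory or a vault. Confirm they are not kept in
  # plain text.
  when: ansible_user == "root"

- name: FreeIPA Client | AUDIT | Check current authselect configuration
  become: true
  ansible.builtin.command: authselect current
  register: _baseline_freeipa_authselect_status
  changed_when: false
  # Read-only query, so run it in check mode as well. Skipped, the registered
  # result has no stdout and the condition on the next task cannot be
  # evaluated.
  check_mode: false
  # authselect(8) documents exit status 2 as "not configured with
  # authselect". That is a finding for the next task to remediate, not a
  # failure of the audit.
  failed_when: _baseline_freeipa_authselect_status.rc not in [0, 2]

# with-faillock, with-pwhistory and without-nullok are the hardening features
# of this profile: lockout after failed logins, password-reuse history, and
# no authentication for accounts with an empty password.
# NOTE(review): this only switches the features on. Lockout thresholds are
# read from faillock.conf, which is not managed here; confirm another task
# sets them.
# NOTE(review): --force lets authselect overwrite PAM and nsswitch files that
# were edited outside authselect, so local customisations are lost whenever
# this task runs.
# NOTE(review): the condition detects missing features only. A host that has
# all of them plus extra ones is left as it is.
- name: FreeIPA Client | PATCH | Apply authselect profile with sssd, sudo, and more if not set
  become: true
  ansible.builtin.command:
    argv:
      - authselect
      - select
      - sssd
      - with-sudo
      - with-mkhomedir
      - with-subid
      - with-faillock
      - with-pwhistory
      - without-nullok
      - '--force'
  # The guard below already restricts this to hosts that need the change.
  changed_when: true
  when: >
    'Profile ID: sssd' not in _baseline_freeipa_authselect_status.stdout or
    'with-sudo' not in _baseline_freeipa_authselect_status.stdout or
    'with-mkhomedir' not in _baseline_freeipa_authselect_status.stdout or
    'with-subid' not in _baseline_freeipa_authselect_status.stdout or
    'with-faillock' not in _baseline_freeipa_authselect_status.stdout or
    'with-pwhistory' not in _baseline_freeipa_authselect_status.stdout or
    'without-nullok' not in _baseline_freeipa_authselect_status.stdout

- name: FreeIPA Client | PATCH | Enable oddjobd.service (for with-mkhomedir feature)
  become: true
  ansible.builtin.systemd_service:
    name: oddjobd.service
    state: started
    enabled: true
    masked: false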