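---
# Kanidm unixd client provisioning:
#   * package install (Arch via AUR, Debian/Ubuntu via the kanidm PPA),
#   * /etc/kanidm config templates and the unixd daemons,
#   * NSS, PAM and sshd wiring so kanidm accounts can log in,
#   * a systemd sleep hook workaround.

- name: 'Install kanidm clients with pacman'
  kewlfft.aur.aur:
    use: paru
    aur_only: true
    name: kanidm-unixd-clients
  become: true
  become_user: aur_builder
  when: ansible_pkg_mgr == "pacman"

# apt_key is deprecated and adds the key to apt's *global* trusted keyring,
# which would let this key sign any configured repository. Instead the key is
# downloaded into a dedicated keyring, pinned to the fingerprint this role
# trusts, and scoped to the kanidm PPA only via signed-by.
- name: 'Install gnupg (needed to verify the PPA key fingerprint)'
  ansible.builtin.apt:
    name: gnupg
    state: present
  when: ansible_pkg_mgr == "apt"

- name: 'Ensure apt keyrings directory exists'
  ansible.builtin.file:
    path: /etc/apt/keyrings
    state: directory
    owner: root
    group: root
    mode: "0755"
  when: ansible_pkg_mgr == "apt"

- name: 'Fetch kanidm PPA key'
  ansible.builtin.get_url:
    url: >-
      https://kanidm.github.io/kanidm_ppa/KEY.gpg
    dest: /etc/apt/keyrings/kanidm_ppa.gpg
    owner: root
    group: root
    mode: "0644"
  when: ansible_pkg_mgr == "apt"

# Fail before the repository is enabled if the downloaded key is not the one
# we expect (e.g. CDN tampering or an upstream key rotation that must be
# reviewed). `gpg --show-keys --with-colons` works for both binary and
# ASCII-armored key files and prints fingerprints in upper-case hex.
- name: 'Verify kanidm PPA key fingerprint'
  ansible.builtin.command:
    argv:
      - gpg
      - --batch
      - --with-colons
      - --show-keys
      - /etc/apt/keyrings/kanidm_ppa.gpg
  register: kanidm_ppa_key
  changed_when: false
  failed_when: >-
    kanidm_ppa_key.rc != 0 or
    'EA20E95D68A65191FE8CE79576CC814060B23E66' not in kanidm_ppa_key.stdout
  when: ansible_pkg_mgr == "apt"

# Hosts provisioned by the previous revision carry the entry without
# [signed-by=...]; apt treats that as a conflicting duplicate once the
# scoped entry below exists, so drop it explicitly.
- name: 'Remove legacy kanidm PPA entry (relied on the global keyring)'
  ansible.builtin.apt_repository:
    repo: >-
      deb https://kanidm.github.io/kanidm_ppa/{{ ansible_distribution | lower }} ./
    state: absent
  when: ansible_pkg_mgr == "apt"

- name: 'Create kanidm PPA'
  ansible.builtin.apt_repository:
    repo: >-
      deb [signed-by=/etc/apt/keyrings/kanidm_ppa.gpg]
      https://kanidm.github.io/kanidm_ppa/{{ ansible_distribution | lower }} ./
    state: present
  when: ansible_pkg_mgr == "apt"

- name: 'Install kanidm with apt'
  ansible.builtin.apt:
    name: kanidm-unixd-clients
    state: present
    update_cache: true
  when: ansible_pkg_mgr == "apt"

- name: 'Ensure kanidm config directory exists'
  ansible.builtin.file:
    path: /etc/kanidm
    state: directory
    owner: root
    group: root
    mode: "0755"

# Templates live in the role's templates/ dir as unixd.j2 and config.j2.
- name: 'Install kanidm config files'
  ansible.builtin.template:
    src: '{{ item }}.j2'
    dest: '/etc/kanidm/{{ item }}'
    owner: root
    group: root
    mode: "0644"
  loop:
    - unixd
    - config

- name: 'Enable kanidm daemons'
  ansible.builtin.systemd_service:
    state: started
    enabled: true
    name: "{{ item }}"
    daemon_reload: true
  loop:
    - kanidm-unixd
    - kanidm-unixd-tasks

# nsswitch.conf is a critical system file: a malformed passwd/group line can
# lock everyone out of the host. Every overwritten version is backed up.
# The group line gets [SUCCESS=merge] so local group membership is merged
# with the later sources (see nsswitch.conf(5)) instead of shadowing them.
- name: 'Enable kanidm as a passwd db'
  ansible.builtin.replace:
    path: '/etc/nsswitch.conf'
    regexp: "^{{ item }}:.*$"
    replace: "{{ item }}: files{{ (item == 'group') | ternary(' [SUCCESS=merge]', '') }} systemd compat kanidm"
    backup: true
  loop:
    - passwd
    - group

- name: 'Deploy first-factor PAM configuration'
  ansible.builtin.copy:
    src: first-factor
    dest: /etc/pam.d/first-factor
    owner: root
    group: root
    mode: "0644"

- name: 'Deploy common PAM modules for kanidm'
  ansible.builtin.copy:
    src: '{{ item }}'
    dest: /etc/pam.d/
    owner: root
    group: root
    mode: "0644"
  with_fileglob:
    - "../files/common-*"

# No `validate:` here: an sshd_config.d fragment cannot be checked by
# `sshd -t` in isolation. The 'Restart SSH' handler (defined outside this
# file) should run `sshd -t` before restarting so a bad fragment cannot lock
# out remote access.
- name: 'Deploy SSH key handling'
  ansible.builtin.template:
    src: 10-kanidm-keys.conf.j2
    dest: /etc/ssh/sshd_config.d/
    owner: root
    group: root
    mode: "0644"
  notify: Restart SSH

# Executed by systemd around suspend/resume; must be root-owned and 0755.
- name: 'Deploy sleep fix hack'
  ansible.builtin.copy:
    src: kanidm-hack.sh
    dest: /usr/lib/systemd/system-sleep/
    owner: root
    group: root
    mode: "0755"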