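---
# fs00: NFS file server exporting /users to the lab hosts.
# Accounts are resolved through LDAP (nslcd), so every task that sets an
# owner/group on a home directory depends on nslcd being up first.
- hosts: fs00
  vars:
    # TODO: add more users (or move the list into group_vars)
    users:
      - ctdalek
      - regular1
    # Password of the kadmin principal used to register this host's NFS
    # service principal. It must come from an ansible-vault encrypted file
    # (e.g. group_vars/all/vault.yml defining vault_kadmin_password); the
    # literal must never be committed to this playbook.
    kadmin_password: "{{ vault_kadmin_password }}"

  tasks:
    - name: setup networking
      import_role:
        name: ../roles/network_setup
      vars:
        ipv4_addr: "{{ fs00_ipv4_addr }}"

    # One apt transaction instead of one per package.
    - name: install NFS packages
      apt:
        name:
          - nfs-kernel-server
          - rpcbind
        state: present

    # TODO: put the LDAP client setup in an Ansible role (shared with other hosts)
    - name: install LDAP packages
      apt:
        name:
          - libnss-ldapd
          - ldap-utils
        state: present

    # nscd would cache (and serve stale) LDAP lookups in front of nslcd.
    - name: stop and disable nscd
      systemd:
        name: nscd
        state: stopped
        enabled: false

    - name: copy ldap.conf
      template:
        src: ../auth1/ldap/ldap.conf.j2
        dest: /etc/ldap/ldap.conf
      notify: restart nslcd

    # Groups in this directory use uniqueMember rather than member.
    # lineinfile only appends when the exact line is absent, so this is
    # idempotent without a regexp.
    - name: add member->uniqueMember map
      lineinfile:
        path: /etc/nslcd.conf
        line: map group member uniqueMember
      notify: restart nslcd

    - name: copy nsswitch.conf
      copy:
        src: ../auth1/ldap/nsswitch.conf
        dest: /etc/nsswitch.conf
      notify: restart nslcd

    # Octal modes are quoted so the YAML parser cannot reinterpret them.
    - name: create /users directory
      file:
        path: /users
        state: directory
        mode: "0755"

    - name: create skel directory
      file:
        path: /users/skel
        state: directory
        mode: "0755"

    # with_fileglob expands on the *controller*: the dotfiles come from the
    # control machine's /etc/skel, not from fs00's.
    - name: add files to skel directory
      copy:
        src: "{{ item }}"
        dest: /users/skel/
      with_fileglob:
        - "/etc/skel/.*"

    # Run the pending nslcd restart now so the LDAP user names below resolve
    # for owner/group.
    - meta: flush_handlers

    # Native modules instead of `shell`: idempotent, no shell interpolation of
    # user names, and a re-run no longer re-copies skel over (and chowns)
    # files a user has since edited.
    # mode "0755" matches what the previous `mkdir -p` produced under the
    # default umask; tighten to "0700" if users must not read each other's homes.
    - name: create home directories for users
      file:
        path: "/users/{{ item }}"
        state: directory
        owner: "{{ item }}"
        group: "{{ item }}"
        mode: "0755"
      loop: "{{ users }}"

    - name: populate home directories from skel
      copy:
        src: /users/skel/
        dest: "/users/{{ item }}/"
        remote_src: true
        owner: "{{ item }}"
        group: "{{ item }}"
        # do not overwrite dotfiles that already exist in the home directory
        # (NOTE(review): confirm force=false is honored for remote_src
        # directory copies on the Ansible version in use)
        force: false
      loop: "{{ users }}"

    # Export policy (review before widening):
    #   - the whole subnet gets sec=sys (AUTH_SYS): client-supplied UIDs are
    #     trusted as-is, so any host on that subnet can act as any user;
    #   - phosphoric-acid additionally gets no_root_squash, i.e. root there is
    #     root on /users;
    #   - cobalamin must use krb5p (Kerberos-authenticated and encrypted).
    # The regexp makes a re-run replace the /users entry when the client list
    # changes instead of appending a second, conflicting line.
    - name: export /users directory
      lineinfile:
        path: /etc/exports
        regexp: '^/users\s'
        line: >-
          /users
          {{ ipv4_subnet }}(sec=sys,rw)
          phosphoric-acid.{{ base_domain }}(sec=sys,rw,no_root_squash)
          cobalamin.{{ base_domain }}(sec=krb5p,rw)
      notify:
        - export all
        - restart nfs-server

    # see https://unix.stackexchange.com/questions/205403/disable-nfsv4-server-on-debian-allow-nfsv3/289324
    - name: disable NFSv4
      replace:
        path: /etc/default/nfs-kernel-server
        regexp: '^RPCNFSDCOUNT=.*$'
        replace: 'RPCNFSDCOUNT="8 --no-nfs-version 4"'
      notify: restart nfs-server

    - name: install Kerberos packages
      apt:
        name: krb5-user
        state: present

    # kadmin consumes the first stdin line as the password for the -p
    # principal, then executes the remaining lines as admin commands.
    # The password is a vaulted variable and the task is no_log so neither the
    # stdin nor the task result echo it. `creates` skips the task once the
    # keytab exists (ktadd writes it).
    - name: add NFS server principal
      command:
        cmd: kadmin -p sysadmin/admin
        stdin: |
          {{ kadmin_password }}
          addprinc -randkey nfs/{{ ansible_fqdn }}
          ktadd nfs/{{ ansible_fqdn }}
        creates: /etc/krb5.keytab
      no_log: true
      notify: restart nfs-server

  handlers:
    # Re-read /etc/exports; listed first so it runs before the server restart.
    - name: export all
      command: exportfs -ra

    - name: restart nfs-server
      systemd:
        name: nfs-server
        state: restarted

    - name: restart nslcd
      systemd:
        name: nslcd
        state: restarted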