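{% set hostname = grains['host'] %}
{% set ip = grains['fqdn_ip4'][0] %}

# Manual FreeIPA client enrolment for this minion: install SSSD, lay down the
# SSSD / NSS / nscd / Kerberos / PAM configuration, then use the "salt" account
# on the IPA server to register the host and fetch its keytab.

install_sssd:
  pkg.installed:
    - name: sssd

# File modes are quoted strings with a leading zero so YAML never types them as
# integers.
/etc/sssd/sssd.conf:
  file.managed:
    - source: salt://productionize/freeipa/manual/sssd.conf
    - user: root
    - group: root
    - mode: '0600'
    - template: jinja
    - context:
        # Quoted so a numeric- or boolean-looking host name stays a string.
        hostname: "{{ hostname }}"

/etc/nsswitch.conf:
  file.managed:
    - source: salt://productionize/freeipa/manual/nsswitch.conf
    - user: root
    - group: root
    - mode: '0644'

/etc/nscd.conf:
  file.managed:
    - source: salt://productionize/freeipa/manual/nscd.conf
    - user: root
    - group: root
    - mode: '0644'

/etc/krb5.conf:
  file.managed:
    - source: salt://productionize/freeipa/manual/krb5.conf
    - user: root
    - group: root
    - mode: '0644'

/etc/pam.d:
  file.recurse:
    - source: salt://productionize/freeipa/manual/pam.d/
    - user: root
    - group: root
    - dir_mode: '0755'
    - file_mode: '0644'

freeipa_sshpass:
  pkg.installed:
    - name: sshpass

# Puts the IPA "salt" account password into the minion's process environment
# for the cmd.run states below. The include inlines the secret into the
# rendered state data.
# NOTE(review): confirm the value does not surface in job returns or logs; a
# pillar-sourced secret is the usual Salt alternative.
set_salt_ipa_password:
  environ.setenv:
    - name: SALT_PASSWORD
    - value: "{%- include 'secure/passwords/ipa_salt_password.txt' -%}"

# The three commands below hand the password to sshpass through SSHPASS and
# "sshpass -e" instead of "-p", so it is no longer an sshpass command-line
# argument readable from the process list.
#
# NOTE(review): in create_host the remote command string is double-quoted, so
# the local shell still expands $SALT_PASSWORD into the ssh argument list and
# into the command executed on the IPA server. Feeding kinit over stdin or
# using a keytab for the enrolment account would close that gap.
#
# NOTE(review): -oStrictHostKeyChecking=no (create_host, grab_keytab,
# delete_keytab) turns off host key verification for a password-authenticated
# session, so an impersonated IPA server would receive the password. Pin the
# server key (for example with an ssh_known_hosts.present state) and drop the
# option.
#
# NOTE(review): none of these cmd.run states has a creates/unless guard, so
# enrolment and keytab retrieval are repeated on every state run.
create_host:
  cmd.run:
    - name: >-
        SSHPASS="$SALT_PASSWORD" sshpass -e
        ssh salt@ipa.actcur.com -oStrictHostKeyChecking=no
        "rm {{ hostname }}.keytab;
        echo $SALT_PASSWORD | kinit salt;
        ipa host-add --force --ip-address={{ ip }} {{ hostname }}.actcur.com;
        ipa host-allow-create-keytab {{ hostname }}.actcur.com --groups enroller;
        /usr/sbin/ipa-getkeytab -s ipa.actcur.com -p host/{{ hostname }}.actcur.com -k ./{{ hostname }}.keytab"

# Copies the freshly issued keytab from the IPA server to /etc/krb5.keytab.
grab_keytab:
  cmd.run:
    - name: >-
        SSHPASS="$SALT_PASSWORD" sshpass -e
        scp -oStrictHostKeyChecking=no
        salt@ipa.actcur.com:./{{ hostname }}.keytab /etc/krb5.keytab

# Removes the temporary keytab copy left in the salt account's home directory.
delete_keytab:
  cmd.run:
    - name: >-
        SSHPASS="$SALT_PASSWORD" sshpass -e
        ssh salt@ipa.actcur.com -oStrictHostKeyChecking=no
        "rm {{ hostname }}.keytab;"

# Clears the password from the minion environment once enrolment is done.
# NOTE(review): value is the quoted string "False"; confirm Salt treats it as
# the boolean that false_unsets acts on, otherwise the variable is overwritten
# with the literal text rather than removed.
unset_salt_ipa_password:
  environ.setenv:
    - name: SALT_PASSWORD
    - value: "False"
    - false_unsets: true

# Both services watch every managed auth file, so a change to any of them
# triggers the watch action on that service.
freeipa_sssd_service:
  service.running:
    - name: sssd
    - enable: true
    - watch:
      - file: /etc/sssd/sssd.conf
      - file: /etc/nsswitch.conf
      - file: /etc/nscd.conf
      - file: /etc/krb5.conf
      - file: /etc/pam.d

freeipa_nscd_service:
  service.running:
    - name: nscd
    - enable: true
    - watch:
      - file: /etc/sssd/sssd.conf
      - file: /etc/nsswitch.conf
      - file: /etc/nscd.conf
      - file: /etc/krb5.conf
      - file: /etc/pam.d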