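---
# Provision a Kerberos keytab at `keytab_path` on the managed host for the
# principals listed in `keytab_principals`.
#
# Flow: keys are exported with `kadmin.local ktadd` into a temporary keytab
# on the KDC (ldap01.home.foo.sh), the temporary file is read back as base64
# text, carried to the managed host and decoded there. The export/deploy
# steps run only when the keytab does not exist yet; on later runs only the
# final ownership/mode task does any work.
#
# The exported keytab is long-lived key material: the tasks that hold it in a
# registered variable or pass it to a process carry `no_log: true`, and it is
# fed to the decoder over stdin rather than on a command line (where it would
# be visible in `ps`/`/proc` to every local user of the managed host).

- name: Check if keytab exists
  ansible.builtin.stat:
    path: "{{ keytab_path }}"
  register: keytab_status
  # Run even under --check so `keytab_status.stat.exists` is defined for the
  # `when` guards below.
  check_mode: false

# Every task that reads or writes the temporary keytab is delegated to the
# KDC, so the file has to be created there as well. tempfile creates it
# atomically (mkstemp, 0600) on that host; creating it on the managed host
# and only reusing the *name* on the KDC would leave the path unreserved
# there.
- name: Create temporary keytab on the KDC
  ansible.builtin.tempfile:
    state: file
    suffix: .keytab
  register: tempfile
  delegate_to: ldap01.home.foo.sh
  when: not keytab_status.stat.exists

# Write the two-byte keytab file header (format version 0x05 0x02) that the
# previous `\0005\0002\c` echo-style escape was meant to produce; YAML `\x`
# escapes yield the raw bytes when the UTF-8 content is written out.
# NOTE(review): MIT ktadd is believed to initialise an empty keytab file by
# itself, in which case this step is only belt-and-braces - confirm before
# removing it.
- name: Initialize keytab header
  ansible.builtin.copy:
    dest: "{{ tempfile.path }}"
    content: "\x05\x02"
    # The temp file stays private on the KDC; owner/group are not set here
    # because `ansible_wheel` describes the managed host, not the KDC.
    mode: "0600"
  delegate_to: ldap01.home.foo.sh
  when: not keytab_status.stat.exists

# NOTE(review): the LDAP URL names ldap01.foo.sh while the task is delegated
# to ldap01.home.foo.sh - confirm both resolve to the same KDC.
# NOTE(review): `ktadd` re-randomises the principal's key (bumps its kvno)
# unless `-norandkey` is given, which invalidates any other keytab holding
# the same principal - confirm that is intended for every entry of
# `keytab_principals`.
- name: Add principal to keytab
  ansible.builtin.command:
    argv:
      - kadmin.local
      - -x
      - host=ldaps://ldap01.foo.sh
      - ktadd
      - -k
      - "{{ tempfile.path }}"
      - "{{ item }}"
  with_items: "{{ keytab_principals }}"
  delegate_to: ldap01.home.foo.sh
  when: not keytab_status.stat.exists

# Read the binary keytab back as base64 text so it can travel in a
# registered variable. The value is the key material itself: never log it.
- name: Get keytab
  ansible.builtin.command:
    argv:
      - base64
      - "{{ tempfile.path }}"
  register: keytab_data
  no_log: true
  delegate_to: ldap01.home.foo.sh
  when: not keytab_status.stat.exists

- name: Delete temporary keytab on the KDC
  ansible.builtin.file:
    path: "{{ tempfile.path }}"
    state: absent
  delegate_to: ldap01.home.foo.sh
  when: not keytab_status.stat.exists

# The keytab is binary, so it cannot go through `copy`/`content` with
# `b64decode` (Ansible turns the decoded bytes back into text). Decode on the
# host instead, with the base64 supplied on stdin so it never appears in the
# process argument list. `umask 077` makes the file private from creation,
# and the rename keeps a failed decode from leaving a partial keytab behind
# that the `when` guard above would then treat as complete.
- name: Deploy keytab file
  ansible.builtin.shell:
    cmd: >-
      umask 077 &&
      base64 -d > "{{ keytab_path }}.tmp" &&
      mv -f "{{ keytab_path }}.tmp" "{{ keytab_path }}"
    stdin: "{{ keytab_data.stdout }}"
  no_log: true
  when: not keytab_status.stat.exists

# Final ownership and mode: group-readable only when a dedicated service
# group is used; if the group is the admin group, keep it owner-only.
- name: Check keytab permissions
  ansible.builtin.file:
    path: "{{ keytab_path }}"
    mode: "{% if keytab_group == ansible_wheel %}0600{% else %}0640{% endif %}"
    owner: root
    group: "{{ keytab_group }}"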