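---
# Provisions a Kerberos keytab on the target host.
#
# Flow: the principals are exported on the KDC (the delegated host) into a
# temporary keytab, the file is carried to the target base64-encoded inside a
# registered variable, and decoded into keytab_path; a final task pins the
# ownership and mode of the deployed file on every run.
#
# Variables expected from the caller (not defined here):
#   keytab_path        - destination path of the keytab on the target
#   keytab_principals  - list of principals to export into the keytab
#   keytab_group       - group that may read the deployed keytab
#   ansible_wheel      - admin group name used for the temporary file on the KDC

- name: Check if keytab exists
  ansible.builtin.stat:
    path: "{{ keytab_path }}"
  register: keytab_status
  # Stat must run in check mode too, otherwise keytab_status is unusable below.
  check_mode: false

- name: Create keytab
  # Block-level conditions are inherited by the tasks in `always:` as well.
  when: not keytab_status.stat.exists
  delegate_to: ldap01.home.foo.sh
  block:
    - name: Create temporary file
      ansible.builtin.tempfile:
        state: file
      register: tempfile

    - name: Initialize keytab
      ansible.builtin.copy:
        dest: "{{ tempfile.path }}"
        src: empty.keytab
        mode: "0600"
        owner: root
        group: "{{ ansible_wheel }}"

    - name: Add principal to keytab
      ansible.builtin.command:
        argv:
          - kadmin.local
          - -x
          - host=ldaps://ldap01.foo.sh
          - ktadd
          - -k
          - "{{ tempfile.path }}"
          - "{{ item }}"
      loop: "{{ keytab_principals }}"

    - name: Get keytab
      ansible.builtin.command:
        argv:
          - base64
          - "{{ tempfile.path }}"
      register: keytab_data
      # Reading the file changes nothing on the KDC.
      changed_when: false
      # stdout holds the complete keytab; keep it out of logs and callback output.
      no_log: true
  always:
    # Runs even when ktadd or base64 fails, so key material does not linger
    # in the KDC's temp directory; guarded because tempfile may be unset if
    # the temporary file could not be created.
    - name: Delete temporary file
      ansible.builtin.file:
        path: "{{ tempfile.path }}"
        state: absent
      when: tempfile.path is defined

- name: Deploy keytab file
  # Shell rather than copy+b64decode because the keytab is binary and the
  # b64decode filter yields text, which would not reliably round-trip it.
  # keytab_data.stdout is base64 text (alphabet [A-Za-z0-9+/=] plus newlines),
  # so it cannot escape the single-quoted echo argument. umask 077 keeps the
  # file private at creation; the task below then widens the mode if needed.
  ansible.builtin.shell: >-
    set -o pipefail && umask 077 &&
    echo '{{ keytab_data.stdout }}' | base64 -d > "{{ keytab_path }}"
  when: not keytab_status.stat.exists
  # The command line embeds the keytab contents; do not log it.
  no_log: true

- name: Check keytab permissions
  ansible.builtin.file:
    path: "{{ keytab_path }}"
    # Group-readable only when a group other than the admin group needs it.
    mode: "{% if keytab_group == ansible_wheel %}0600{% else %}0640{% endif %}"
    owner: root
    group: "{{ keytab_group }}"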