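---
# Provision a Kerberos keytab on the target host.
#
# Flow: when "{{ keytab }}" is absent, extract the listed principals into a
# temporary keytab on the KDC host (kadmin.local runs there), carry it to the
# target as base64 in a registered variable, write it with a restrictive
# umask, then enforce owner/group/mode on the deployed file.
#
# Variables expected from the caller (not defined in this file):
#   keytab        - destination path of the keytab on the target host
#   principals    - list of principals passed one by one to ktadd
#   group         - group that should own the deployed keytab
#   ansible_wheel - compared against "group" to pick the file mode
#                   (presumably the admin/wheel group name; verify in vars)

- name: check if keytab exists
  stat:
    path: "{{ keytab }}"
  register: keytab_status
  # stat is read-only, so run it in check mode as well; otherwise the
  # "when" below would evaluate an undefined result.
  check_mode: false

- name: fetch keytab from the KDC and deploy it
  # The whole block is skipped when the keytab is already in place.
  when: not keytab_status.stat.exists
  block:
    - name: build a temporary keytab on the KDC host
      # kadmin.local needs local access to the KDC database.
      delegate_to: ldap01.home.foo.sh
      block:
        - name: "add principal to keytab"
          # NOTE(review): ktadd randomises the principal's key and bumps its
          # kvno on every run, so this relies on the outer "when" to avoid
          # re-running against an existing keytab.
          # NOTE(review): /tmp/<host>.kt is a predictable path on a shared
          # host; a path from the tempfile module would be safer.
          command: >-
            kadmin.local ktadd -k /tmp/{{ inventory_hostname }}.kt
            {{ item }}
          # flatten(levels=1) keeps the one-level flattening with_items did.
          loop: "{{ principals | flatten(levels=1) }}"

        - name: get keytab
          command: "base64 /tmp/{{ inventory_hostname }}.kt"
          register: keytab_data
          # The registered value is the keytab itself; keep it out of logs.
          no_log: true

      always:
        - name: delete temporary file
          # Runs even if ktadd or base64 failed, so a half-built keytab
          # never lingers in /tmp on the KDC.
          file:
            path: "/tmp/{{ inventory_hostname }}.kt"
            state: absent

    - name: deploy keytab file
      # umask 077 creates the file as 0600; the final task relaxes it to
      # 0640 when a non-admin group needs read access.
      shell: >-
        umask 077 &&
        echo '{{ keytab_data.stdout }}' | base64 -d > '{{ keytab }}'
      # The command line carries the keytab material; keep it out of logs.
      no_log: true

- name: check keytab permissions
  file:
    path: "{{ keytab }}"
    # Admin-owned keytabs stay private; otherwise the service group may read.
    mode: "{% if group == ansible_wheel %}0600{% else %}0640{% endif %}"
    owner: root
    group: "{{ group }}"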