---
# Packages for LDAP-backed identities (sssd-ldap), per-user volume mounts at
# login (libpam-mount) and the two mount backends referenced further down:
# cifs-utils for the commented-out CIFS volume, sshfs for the active FUSE one.
# hxtools: presumably a helper for pam_mount's sshfs handling — TODO confirm.
- name: install needed packages
  apt:
    name:
      - sssd-ldap
      - libpam-mount
      - cifs-utils
      - sshfs
      - hxtools
    # `latest` upgrades these on every run; the lint warning is suppressed on purpose.
    state: latest # noqa package-latest

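# Client-side LDAP default for ldap-utils. The URI uses plain ldap:// — no
# transport encryption is configured at this layer; whether sssd itself
# enforces TLS is decided in sssd.conf.j2, which is not part of this file.
- name: add URI to ldap.conf
  lineinfile:
    path: /etc/ldap/ldap.conf
    # Replace an already-active URI line rather than appending a second one;
    # `insertafter` only applies when no such line exists.
    regexp: '^URI\s'
    line: "URI ldap://ldap/"
    insertafter: "#URI.*"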

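# Search base for ldap-utils; `basedn` is expected from inventory/role vars.
- name: add BASE to ldap.conf
  lineinfile:
    path: /etc/ldap/ldap.conf
    # Replace an already-active BASE line rather than appending a second one;
    # `insertafter` only applies when no such line exists.
    regexp: '^BASE\s'
    line: "BASE {{ basedn }}"
    insertafter: "#BASE.*"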

# Set the session umask from the user's settings. `usergroups` relaxes the
# group bits when the user's primary group is a private group of the same
# name — the usual Debian layout; verify that matches the directory's groups.
# No `regexp`, so idempotence relies on the exact line already being present.
- name: enable pam_umask
  lineinfile:
    dest: /etc/pam.d/common-session
    line: "session optional pam_umask.so usergroups"

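# Render sssd.conf from the role template (template contents not shown here;
# it may carry the LDAP bind credential, so treat the file as secret).
- name: provide identities from directory
  template:
    src: sssd.conf.j2
    dest: /etc/sssd/sssd.conf
    # sssd refuses a config file that is group/world readable or not root-owned,
    # so pin ownership explicitly instead of relying on the connecting user.
    owner: root
    group: root
    # Quoted so the YAML parser cannot turn the octal literal into an integer
    # (matches the quoted mode used for /root/.ssh below).
    mode: '0600'
  notify: restart sssd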

# pam_mount: mount each user's home from home_server at login. The CIFS
# variant is kept only as an XML comment; the active volume is sshfs over FUSE.
# On the active volume: FUSE `allow_other` makes the mount visible to every
# local user and `default_permissions` has the kernel enforce the remote mode
# bits; noroot="0" performs the mount as root; password_stdin hands the login
# password to sshfs. root, ansible and Debian-gdm are excluded via <not><or>.
# NOTE(review): no `marker` is given, so blockinfile writes its default
# "# BEGIN/END ANSIBLE MANAGED BLOCK" lines as bare text inside the XML.
# Changing to an XML-comment marker now would not recognise the old block on
# already-provisioned hosts (a second volume would be added), so it is left.
- name: configure pam_mount # interesting options: posix,mfsymlinks,nomapposix,noperm
  blockinfile:
    dest: /etc/security/pam_mount.conf.xml
    block: |
      <!-- volume
        fstype="cifs"
        server="{{ home_server }}"
        path="%(USER)"
        mountpoint="/home/lan/%(USER)"
        options="idsfromsid,modefromsid,mfsymlinks"
      ><not><or><user>root</user><user>ansible</user><user>Debian-gdm</user></or></not></volume -->
      <volume
        fstype="fuse"
        path="sshfs#%(USER)@{{ home_server }}:"
        mountpoint="/home/lan/%(USER)"
        options="allow_other,default_permissions,reconnect,password_stdin"
        ssh="0" noroot="0"
      ><not><or><user>root</user><user>ansible</user><user>Debian-gdm</user></or></not></volume>
    # Regex anchor: the stock pam_mount.conf.xml carries this comment line.
    insertafter: "<!-- Volume definitions -->"

# The stock config has `<logout wait="0" .../>` with no signals, so a process
# still holding the home open can keep the volume mounted after logout (and
# visible to the next session via allow_other). Give pam_mount a non-zero
# wait and let it HUP/TERM/KILL stragglers. The regexp matches only the stock
# line, so a second run is a no-op.
- name: make sure umount is not blocked
  replace:
    path: /etc/security/pam_mount.conf.xml
    regexp: '<logout wait="0".*'
    replace: '<logout wait="3000" hup="yes" term="yes" kill="yes"/>'

# root's known_hosts (written by the next task) lives here; keep it private.
- name: make sure .ssh exists
  file:
    path: /root/.ssh
    state: directory
    mode: '0700'

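# Trust-on-first-use: the host key is whatever answers as home_server on the
# network when this runs, and is trusted for every later sshfs mount. Pinning
# a key obtained out of band (e.g. with the known_hosts module) is the stronger
# option. `creates` also means the scan is skipped entirely once
# /root/.ssh/known_hosts exists for any reason, even without this host in it.
- name: fetch homes server host key for sshfs
  shell:
    # `quote` shell-escapes the hostname so it stays a single argument to ssh-keyscan.
    cmd: ssh-keyscan -H {{ home_server | quote }} >> /root/.ssh/known_hosts
    creates: /root/.ssh/known_hosts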

# gnome-keyring fails with sshfs: diverting the binary means the daemon is
# never started, so keyring-backed secret storage and its ssh-agent role are
# unavailable in desktop sessions on this host (presumably an accepted
# trade-off — confirm). `creates` makes the divert idempotent.
- name: disable gnome-keyring-daemon
  command:
    cmd: dpkg-divert --divert /usr/bin/gnome-keyring-daemon.distrib --rename /usr/bin/gnome-keyring-daemon
    creates: /usr/bin/gnome-keyring-daemon.distrib