# Install the Kerberos client package (krb5-user) that the tasks below rely on.
- name: Install kerberos packages
  ansible.builtin.apt:
    name:
      - krb5-user
    state: present

# Write an sshd drop-in that enables GSSAPI (Kerberos) authentication and
# trigger the "Reload sshd" handler when the file changes.
# NOTE(review): the drop-in only takes effect if the main sshd_config
# includes /etc/ssh/sshd_config.d/*.conf - confirm on the target release.
- name: Kerberize sshd server
  notify: Reload sshd
  ansible.builtin.copy:
    content: |
      GSSAPIAuthentication yes
    dest: /etc/ssh/sshd_config.d/kerberize.conf
    mode: '0644'

# Write a system-wide ssh client drop-in that enables GSSAPI authentication
# and credential delegation.
# Security caveat: the snippet has no Host/Match block, so delegation is not
# limited to any set of servers. GSSAPIDelegateCredentials forwards the user's
# Kerberos credentials to the server the user logs in to; a compromised server
# can then act as that user until the ticket expires. Consider scoping the
# delegation line to a Host pattern for the servers that actually need it.
- name: Kerberize ssh client, authenticate and delegate credentials
  ansible.builtin.copy:
    content: |
      GSSAPIAuthentication yes
      GSSAPIDelegateCredentials yes
    dest: /etc/ssh/ssh_config.d/kerberize.conf
    mode: '0644'

# Probe for the system-wide Firefox ESR preferences file; the registered
# result (firefox.stat.exists) gates the Firefox configuration task.
- name: Check if firefox is available
  register: firefox
  ansible.builtin.stat:
    path: /etc/firefox-esr/firefox-esr.js

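# Enable SPNEGO (Kerberos) authentication in Firefox ESR for the sites in
# kerberize_uris, falling back to ansible_domain when that variable is
# undefined. default() does not replace an empty string, so a host without a
# DNS domain ends up with an empty list.
#
# Each pref line is matched by regexp on the pref name, so a changed value
# replaces the existing line instead of appending a second, conflicting one.
#
# Security caveat: delegation-uris is set to the same list as trusted-uris,
# so Firefox forwards the user's Kerberos credentials to every site it is
# willing to authenticate to. Keep the delegation list as narrow as possible;
# most sites need only trusted-uris.
- name: Kerberize firefox for sites in the local domain
  ansible.builtin.lineinfile:
    path: /etc/firefox-esr/firefox-esr.js
    regexp: "{{ item.regexp }}"
    line: "{{ item.line }}"
  loop:
    - regexp: '^// kerberize for sites in the local domain:$'
      line: '// kerberize for sites in the local domain:'
    - regexp: '^pref\("network\.negotiate-auth\.delegation-uris",'
      line: 'pref("network.negotiate-auth.delegation-uris", "{{ kerberize_uris | default(ansible_domain) }}");'
    - regexp: '^pref\("network\.negotiate-auth\.trusted-uris",'
      line: 'pref("network.negotiate-auth.trusted-uris", "{{ kerberize_uris | default(ansible_domain) }}");'
  when: firefox.stat.exists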

# Create the directory for Chromium's managed policies (and any missing
# parents). Unlike the Firefox task, this runs whether or not Chromium is
# installed.
- name: Ensures /etc/chromium/policies/managed dir exists
  ansible.builtin.file:
    state: directory
    path: /etc/chromium/policies/managed
    mode: '0755'

# Write a managed Chromium policy that lists the servers Chromium may use
# integrated (Negotiate) authentication with. Only AuthServerAllowlist is set;
# no AuthNegotiateDelegateAllowlist is written, so this policy file does not
# enable credential delegation.
# The value is spliced into the JSON string unescaped, so kerberize_uris must
# not contain double quotes or backslashes.
# NOTE(review): Chromium treats allowlist entries as host patterns; a bare
# domain from the ansible_domain fallback may match only that exact host -
# confirm whether a "*." wildcard prefix is needed.
- name: Kerberize chromium for sites in the local domain
  ansible.builtin.copy:
    content: |
      {
        "AuthServerAllowlist": "{{ kerberize_uris | default(ansible_domain) }}"
      }
    dest: /etc/chromium/policies/managed/idam.json
    mode: '0644'