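---
# manage-sudo-rules.yml — create and maintain FreeIPA sudo rules.
#
# This playbook provisions the sudo rules that enrolled clients pick up via SSSD
# (configured by the --sudo flag in freeipa-enroll.sh). Run it once when setting
# up the domain, and again whenever you add or change a rule.
#
# Default rules created (both are added with --cmdcat=all --hostcat=all, i.e.
# any command on any enrolled host):
#   allow_sudoers        Members of the 'sudoers' IPA group get full sudo (password required)
#   allow_sudo_nopasswd  Members of 'sudo-nopasswd' get full sudo (NOPASSWD)
#
# To grant a user sudo access:
#   ipa group-add-member sudoers --users=<username>
# To grant passwordless sudo:
#   ipa group-add-member sudo-nopasswd --users=<username>
#
# Prerequisites:
#   - Active admin Kerberos ticket on the target host: kinit admin
#   - ipa CLI available (run on the IPA server or any enrolled admin workstation)
#
# Usage:
#   kinit admin
#   ansible-playbook -i ipa-server.example.com, \
#       -e ipa_admin_host=ipa-server.example.com manage-sudo-rules.yml
#
# or, if 'ipa_server' is defined in your inventory:
#   ansible-playbook -i inventory manage-sudo-rules.yml
#
# Every sudo_rules value is passed through the 'quote' filter before it reaches
# a shell command line, so names and descriptions are handed to ipa as single
# arguments even when they contain spaces or shell metacharacters.

- name: Manage FreeIPA sudo rules
  # The play targets the inventory host/group 'ipa_server' unless
  # ipa_admin_host is supplied with -e (needed for the "-i host," form above).
  hosts: "{{ ipa_admin_host | default('ipa_server') }}"
  become: false
  vars:
    # One entry per sudo rule: rule_name is the IPA sudo rule, group the IPA
    # user group granted by it, nopasswd whether !authenticate is set.
    sudo_rules:
      - rule_name: allow_sudoers
        group: sudoers
        description: "Full sudo access for members of the sudoers group (password required)"
        nopasswd: false
      - rule_name: allow_sudo_nopasswd
        group: sudo-nopasswd
        description: "Full sudo access for members of sudo-nopasswd group (no password)"
        nopasswd: true

  tasks:
    - name: Verify ipa command is available and authenticated
      # 'ipa ping' exits non-zero without a usable Kerberos ticket, which fails
      # the play here before any rule is touched.
      command: ipa ping
      changed_when: false

    - name: Ensure IPA user groups exist for each sudo rule
      shell: >
        ipa group-show {{ item.group | quote }} >/dev/null 2>&1
        || ipa group-add {{ item.group | quote }} --desc={{ item.description | quote }}
      register: group_result
      changed_when: "'Added group' in group_result.stdout"
      loop: "{{ sudo_rules }}"

    - name: Ensure sudo rules exist
      # cmdcat/hostcat 'all' makes the rule apply to every command on every host.
      shell: >
        ipa sudorule-show {{ item.rule_name | quote }} >/dev/null 2>&1
        || ipa sudorule-add {{ item.rule_name | quote }}
        --desc={{ item.description | quote }} --cmdcat=all --hostcat=all
      register: rule_result
      changed_when: "'Added Sudo Rule' in rule_result.stdout"
      loop: "{{ sudo_rules }}"

    - name: Assign groups to their sudo rules
      # Only the "User Groups:" line of the rule is inspected. Grepping the whole
      # output also matches the rule description, which names the group, so the
      # add-user call would never run on a freshly created rule.
      shell: >
        ipa sudorule-show {{ item.rule_name | quote }} --all 2>/dev/null
        | grep 'User Groups:' | grep -qwF {{ item.group | quote }}
        || ipa sudorule-add-user {{ item.rule_name | quote }} --groups={{ item.group | quote }}
      register: assign_result
      changed_when: "'Number of members added' in assign_result.stdout"
      loop: "{{ sudo_rules }}"

    - name: Set NOPASSWD (sudooption !authenticate) on passwordless rules
      # Only rules flagged nopasswd: true are processed (see the loop filter).
      shell: >
        ipa sudorule-show {{ item.rule_name | quote }} --all 2>/dev/null
        | grep -qF -- '!authenticate'
        || ipa sudorule-add-option {{ item.rule_name | quote }} --sudooption '!authenticate'
      register: nopasswd_result
      changed_when: "'Added option' in nopasswd_result.stdout"
      loop: "{{ sudo_rules | selectattr('nopasswd', 'equalto', true) | list }}"

    - name: Show configured sudo rules
      command: ipa sudorule-find --all
      changed_when: false
      register: sudo_summary

    - name: Display sudo rules summary
      debug:
        msg: "{{ sudo_summary.stdout_lines }}"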