- name: create user
  ipauser:
    ipaadmin_principal: '{{ ipa_user }}'
    ipaadmin_password: '{{ ipa_pass }}'
    name: '{{ vaultwarden_user }}'
    loginshell: /sbin/nologin
    homedir: '{{ vaultwarden_home }}'
    givenname: Vaultwarden
    sn: Service Account
    state: present
  run_once: yes

- name: retrieve user keytab
  include_role:
    name: freeipa_keytab
  vars:
    keytab_principal: '{{ vaultwarden_user }}'
    keytab_path: '{{ vaultwarden_keytab }}'

- name: configure gssproxy for kerberized postgres
  include_role:
    name: gssproxy_client
  vars:
    gssproxy_name: vaultwarden
    gssproxy_section: service/vaultwarden
    gssproxy_client_keytab: '{{ vaultwarden_keytab }}'
    gssproxy_cred_usage: initiate
    gssproxy_euid: '{{ vaultwarden_user }}'

- name: create admin group
  ipagroup:
    ipaadmin_principal: '{{ ipa_user }}'
    ipaadmin_password: '{{ ipa_pass }}'
    name: '{{ vaultwarden_admin_group }}'
    description: Bitwarden Administrators
    nonposix: yes
    state: present
  run_once: yes