From b3c7a683e2cfd8c37f4942d20f6fa88fa2ad865c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Aur=C3=A9lien=20Bompard?=
Date: Wed, 19 Feb 2025 12:15:47 +0100
Subject: [PATCH] IPA: setup a toddlers service to remove users from groups
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Aurélien Bompard
---
roles/ipa/server/tasks/main.yml | 8 ++++++
roles/ipa/server/tasks/toddlers.yml | 43 +++++++++++++++++++++++++++++
2 files changed, 51 insertions(+)
create mode 100644 roles/ipa/server/tasks/toddlers.yml
diff --git a/roles/ipa/server/tasks/main.yml b/roles/ipa/server/tasks/main.yml
index 80721ffeb1..cf07aa9223 100644
--- a/roles/ipa/server/tasks/main.yml
+++ b/roles/ipa/server/tasks/main.yml
@@ -794,3 +794,11 @@
 tags:
 - ipa/server
 - config
+
+- name: Include toddlers setup
+ ansible.builtin.import_tasks: toddlers.yml
+ when: env == 'staging'
+ tags:
+ - ipa/server
+ - config
+ - toddlers
diff --git a/roles/ipa/server/tasks/toddlers.yml b/roles/ipa/server/tasks/toddlers.yml
new file mode 100644
index 0000000000..5904c89b2e
--- /dev/null
+++ b/roles/ipa/server/tasks/toddlers.yml
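Review bot: The new task in main.yml is named `Include toddlers setup` but uses `ansible.builtin.import_tasks`, which is static: the `when: env == 'staging'` condition is attached to each task inside toddlers.yml and evaluated per task, so a non-staging run lists all four imported tasks as skipped rather than skipping the file as a unit. That is acceptable if intended, but the name misleads; either rename it to `Import toddlers setup` or use `ansible.builtin.include_tasks: toddlers.yml` if skipping the whole file is the goal. A one-line comment above the `when:` saying why production is excluded for now (`# Staging only until the sync toddler is validated`, or whatever the actual reason is) would save the next reader from guessing.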
@@ -0,0 +1,43 @@
+# Toddlers capabilities
+
+- name: Create toddlers toddlers-sync-groups service
+ ansible.builtin.include_role:
+ name: "keytab/service" # noqa role-name[path]
+ vars:
+ host: os-control01{{ env_suffix }}.fedoraproject.org # noqa: var-naming[no-role-prefix]
+ service: toddlers-sync-group # noqa: var-naming[no-role-prefix]
+
+- name: Create the privilege
+ ansible.builtin.command:
+ argv:
+ - ipa
+ - privilege-add
+ - Group Membership Synchronization
+ - --desc=Toddler to synchronize group memberships
+ register: output
+ changed_when: "'already exists' not in output.stderr"
+ failed_when: "'already exists' not in output.stderr and output.rc != 0"
+
+- name: Setup the privilege
+ ansible.builtin.command:
+ argv:
+ - ipa
+ - privilege-add-permission
+ - Group Membership Synchronization
+ - "--permissions=System: Modify Group Membership"
+ register: output
+ changed_when: "'Number of permissions added 0' not in output.stdout"
+ failed_when: "'Number of permissions added 0' not in output.stdout and output.rc != 0"
+
+- name: Create the role
+ community.general.ipa_role:
+ name: Group Membership Synchronization
+ description: "Toddler role to synchronize group memberships"
+ privilege:
+ - Group Membership Synchronization
+ service:
+ - os-control01{{ env_suffix }}.fedoraproject.org/toddlers-sync-group
+ ipa_host: "{{ inventory_hostname }}"
+ ipa_user: admin
+ ipa_pass: "{{ ipa_admin_password }}"
+ validate_certs: no
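Review bot: `validate_certs: no` on the `community.general.ipa_role` task disables TLS verification for an API call that carries `ipa_admin_password`; since `ipa_host` is `{{ inventory_hostname }}` (the IPA server itself), the host should already trust its own IPA CA, so `validate_certs: true` is presumably viable and is the safer setting, and `no` is a YAML 1.1 truthy value that ansible-lint's `yaml[truthy]` rule rejects, so use `true`/`false` either way. In the same task the `service:` entry `os-control01{{ env_suffix }}.fedoraproject.org/toddlers-sync-group` reads as host/service, while IPA service principals are conventionally `service/host`; given the `service: toddlers-sync-group` and `host:` pair handed to `keytab/service` above, I would expect `toddlers-sync-group/os-control01{{ env_suffix }}.fedoraproject.org` and suggest confirming against `ipa service-find` before merging, since a mismatched principal leaves the role with no member and the sync silently unauthorized. Minor: the first task's name says `toddlers-sync-groups` while every other reference is `toddlers-sync-group`.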