---
- name: "Install realmd and dependencies"
  ansible.builtin.apt:
    update_cache: yes
    state: present
    name:
     - realmd
     - sssd
     - sssd-tools
     - libnss-sss
     - libpam-sss
     - adcli
     - samba-common-bin
     - oddjob
     - oddjob-mkhomedir
     - packagekit

- name: Check if computer is joined to domain
  ansible.builtin.lineinfile:
    state: absent
    path: /etc/sssd/sssd.conf
    line: "^ad_access_filter"
  check_mode: true
  changed_when: false
  register: checkjoined

- name: "Get join password from local environment variable"
  ansible.builtin.set_fact:
    join_passw: "{{ lookup('env', 'JOIN_PASSW') }}"
  delegate_to: localhost
  when: checkjoined.found == 0

- name: Join to AD with realmd
  ansible.builtin.shell:
    cmd: echo {{ join_passw }} | realm join -v -U Administrator intra.tormakris.dev
  when: checkjoined.found == 0

- name: Enable pam homedir create on first logon
  ansible.builtin.command:
    cmd: pam-auth-update --enable mkhomedir

- name: Check if ad_gpo_access_control is disabled
  ansible.builtin.lineinfile:
    state: absent
    path: /etc/sssd/sssd.conf
    regexp: "^ad_gpo_access_control"
  check_mode: true
  changed_when: false
  register: checkadgpoac

- name: Set ad_gpo_access_control to disabled
  ansible.builtin.lineinfile:
    state: present
    path: /etc/sssd/sssd.conf
    line: "ad_gpo_access_control = disabled"
  when: checkadgpoac.found == 0

- name: Check if ad_access_filter is set
  ansible.builtin.lineinfile:
    state: absent
    path: /etc/sssd/sssd.conf
    regexp: "^ad_access_filter"
  check_mode: true
  changed_when: false
  register: checkadaf

- name: Set ad_gpo_access_control to disabled
  ansible.builtin.lineinfile:
    state: present
    path: /etc/sssd/sssd.conf
    line: "ad_access_filter = memberOf=CN=LinuxUsers,OU=Service Groups,DC=intra,DC=tormakris,DC=dev"
  when: checkadaf.found == 0

- name: "Restart sssd"
  ansible.builtin.service:
    name: sssd
    state: restarted

- name: Check if group is presend in sudoers
  ansible.builtin.lineinfile:
    state: absent
    path: /etc/sudoers
    regexp: "^%linuxadmins"
  check_mode: true
  changed_when: false
  register: checksudoers

- name: Define group in sudoers
  ansible.builtin.lineinfile:
    state: present
    path: /etc/sudoers
    line: "%linuxadmins@intra.tormakris.dev ALL=(ALL) NOPASSWD: ALL"
  when: checksudoers.found == 0
...