system-config/playbooks/roles/kerberos-kdc/tasks/replica.yaml

- name: Install packages
  package:
    name:
      - krb5-kdc
      - krb5-kpropd
    state: present

# This is the key to unencrypt the database pushed by the primary
- name: Install stash file from primary
  shell:
    cmd: 'echo "{{ hostvars[groups["kerberos-kdc-primary"][0]]["kerberos_kdc_stash_file_contents"].content }}" | base64 -d > /etc/krb5kdc/stash'
    creates: '/etc/krb5kdc/stash'

- name: Ensure stash file permsissions
  file:
    path: /etc/krb5kdc/stash
    owner: root
    group: root
    mode: '0600'

# Use the admin user to write out our host keytab
- name: Create host keytab
  shell:
    cmd: |
        echo "ktadd host/{{ inventory_hostname }}" | kadmin -p admin/admin -w '{{ hostvars[groups["kerberos-kdc-primary"][0]]["kerberos_kdc_admin_password"] }}'
    creates: '/etc/krb5.keytab'

# This specifies servers that are allowed to send us updates;
# i.e. the primary server
- name: Install kpropd ACL
  template:
    src: 'kpropd.acl.j2'
    dest: '/etc/krb5kdc/kpropd.acl'
    mode: 0644
    owner: root
    group: root

- name: Install kpropd service
  copy:
    src: krb5-kpropd.service
    dest: /etc/systemd/system/krb5-kpropd.service
    mode: 0644
    owner: root
    group: root
  register: _kpropd_service_installed

- name: Reload systemd
  systemd:
    daemon_reload: yes
  when: _kpropd_service_installed.changed

- name: Ensure kpropd running
  systemd:
    state: started
    name: krb5-kpropd
    enabled: yes

# Note we can't start until replicas are distributed; the main
# service-kerberos.yaml playbook handles this.
- name: Ensure krb5-kdc is enabled
  systemd:
    name: krb5-kdc
    enabled: yes
    masked: no