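---
# Ensure a Kerberos principal exists and (optionally) export its keytab.
# Inputs: kerberos_principal_name (required), kerberos_principal_realm,
# kerberos_principal_password and kerberos_principal_keytab_path (optional).
- name: Check if principal name is defined
  ansible.builtin.fail:
    msg: 'Kerberos principal name is required'
  when: |
    kerberos_principal_name is undefined
    or kerberos_principal_name is none
    or (kerberos_principal_name | trim | length == 0)

- block:
    - name: Check if principal exists
      ansible.builtin.command:
        argv:
          - /sbin/kadmin.local
          - list_principals
          - "{{ principal }}"
      register: principal_check
      # An empty stdout is taken to mean "principal not found"; the create
      # tasks below key off principal_check.changed.
      changed_when: "principal_check.stdout == ''"

    - name: Create principal with password
      ansible.builtin.command:
        argv:
          - /sbin/kadmin.local
          - addprinc
          - -pw
          - "{{ kerberos_principal_password }}"
          - "{{ principal }}"
      # The full argv (including the password) would otherwise be written to
      # Ansible output, logs and callback plugins; no_log keeps it out of them.
      # NOTE(review): -pw still places the password in the process arguments
      # on the target host while kadmin.local runs — confirm this is acceptable
      # or feed the password another way if kadmin.local supports it.
      no_log: true
      when: principal_check.changed and kerberos_principal_password

    - name: Create principal without password
      ansible.builtin.command:
        argv:
          - /sbin/kadmin.local
          - addprinc
          - -randkey
          - "{{ principal }}"
      when: principal_check.changed and not kerberos_principal_password

    - name: Generate principal keytab
      ansible.builtin.command:
        argv:
          - /sbin/kadmin.local
          - ktadd
          - -k
          - "{{ kerberos_principal_keytab_path }}"
          - -norandkey
          - "{{ principal }}"
        # Idempotence: skip once the keytab file already exists.
        creates: "{{ kerberos_principal_keytab_path }}"
      when: kerberos_principal_keytab_path
  vars:
    # Qualified principal: name plus "@realm" when a realm is given.
    principal: "{{ kerberos_principal_name }}{{ kerberos_principal_realm | ternary('@' + kerberos_principal_realm, '') }}"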