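---
# Provision a Samba AD domain controller exactly once.
# Flow: stat a marker file -> move aside a conflicting standalone smb.conf ->
# run `samba-tool domain provision`. The last two tasks are skipped when the
# marker file already exists.

# NOTE(review): idempotence of this file depends on adsync.conf existing after
# a successful provision. Confirm something in this role creates it; if it is
# never created, the provision task is attempted again on every run.
- name: check if domain already provisioned
  ansible.builtin.stat:
    path: /var/lib/samba/private/adsync.conf
  register: samba_provisioned

# A packaged smb.conf declaring a standalone server is moved to a timestamped
# backup before provisioning. The marker line printed after the move lets
# Ansible report "changed" only when the file was actually moved.
- name: Remove smb.conf if server role conflicts
  ansible.builtin.shell: |
    if grep -q 'server role = standalone server' /etc/samba/smb.conf 2>/dev/null; then
      mv /etc/samba/smb.conf /etc/samba/smb.conf.bak.$(date +%s)
      echo smb_conf_moved
    fi
  args:
    executable: /bin/bash
  register: samba_smbconf_backup
  changed_when: "'smb_conf_moved' in samba_smbconf_backup.stdout"
  when: not samba_provisioned.stat.exists

# The arguments are passed as an argv list, so no shell or shlex quoting is
# applied: a password containing quotes or spaces reaches samba-tool intact
# and cannot split into extra arguments.
# The administrator password is still a command-line argument, so it is
# visible in the host's process list while samba-tool runs.
- name: Provision the Samba AD DC
  ansible.builtin.command:
    argv:
      - samba-tool
      - domain
      - provision
      - '--use-rfc2307'
      - "--realm={{ samba_domain_info.realm }}"
      - "--domain={{ samba_domain_info.domain }}"
      - "--server-role={{ samba_domain_info.server_role }}"
      - "--dns-backend={{ samba_domain_info.dns_backend }}"
      - "--adminpass={{ addc_admin_password }}"
      - "--option=interfaces={{ samba_domain_info.interfaces }}"
      - "--option=bind interfaces only={{ samba_domain_info.bind_interfaces_only }}"
  when: not samba_provisioned.stat.exists
  register: samba_provision_output
  changed_when: samba_provision_output.rc == 0
  # The task arguments contain the domain administrator password. With
  # no_log disabled, Ansible prints them in task output, in verbose runs and
  # in any callback or log sink. Keep this true; the cost is that failure
  # output from this task is hidden as well.
  no_log: true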