system-config/playbooks/service-kerberos.yaml
Ian Wienand c1aff2ed38 kerberos-kdc: role to manage Kerberos KDC servers
This adds a role and related testing to manage our Kerberos KDC
servers, intended to replace the puppet modules currently performing
this task.

This role automates realm creation, initial setup, key material
distribution and replica host configuration.  None of this is intended
to run on the production servers which are already set up with an
active database, and the role should be effectively idempotent in
production.

Note that this does not yet switch the production servers into the new
groups; this can be done in a separate step under controlled
conditions and with related upgrades of the host OS to Focal.

Change-Id: I60b40897486b29beafc76025790c501b5055313d
2021-03-17 08:30:52 +11:00


# Setting up a fresh realm, as done in CI, is a five-step process:
#
# 1. setup common packages/config
# 2. setup primary; create db, setup kprop pushes, start services.
# 3. configure replica to accept db updates via kpropd
# 4. do a db replication
# 5. start replica daemons now they have a db copy
#
# In production this is largely a no-op just ensuring things are
# running.
- hosts: "kerberos-kdc:!disabled"
  name: "Configure common KDC components"
  roles:
    - kerberos-client
    - kerberos-kdc

- hosts: "kerberos-kdc-primary:!disabled"
  name: "Configure Kerberos Primary"
  tasks:
    - name: Configure primary KDC
      include_role:
        name: kerberos-kdc
        tasks_from: primary

- hosts: "kerberos-kdc-replica:!disabled"
  name: "Configure Kerberos Replicas"
  tasks:
    - name: Configure replica KDC
      include_role:
        name: kerberos-kdc
        tasks_from: replica

- hosts: "kerberos-kdc-primary:!disabled"
  name: "Run replication"
  tasks:
    - name: Run a DB replication
      shell: |
        /usr/local/bin/run-kprop.sh

- hosts: "kerberos-kdc-replica:!disabled"
  name: "Ensure krb5-kdc running"
  tasks:
    - name: Start krb5-kdc
      systemd:
        name: krb5-kdc
        state: started
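As an added example, not the project's own run-kprop.sh (whose contents are not on this page), here is a minimal push script for step 4 above: it dumps the primary's database with kdb5_util and pushes it to each replica with kprop, exiting non-zero when any push fails so the Ansible task fails visibly. The dump path, the replica list passed as arguments and the KPROP_DRY_RUN switch are assumptions.

```shell
#!/bin/sh
# Example kprop push script (assumed layout of the Debian/Ubuntu krb5-kdc
# packages; DUMP_FILE and KPROP_DRY_RUN are assumptions, not project settings).
set -u

DUMP_FILE="${DUMP_FILE:-/var/lib/krb5kdc/replica_datatrans}"
KPROP_DRY_RUN="${KPROP_DRY_RUN:-0}"

# Run a command, or only print it when KPROP_DRY_RUN=1 (lets the push plan
# be reviewed without touching the KDC database).
run_cmd() {
    if [ "$KPROP_DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Dump the primary's database once, then push the dump to every replica.
# kprop authenticates with the primary's host keytab; the replica's kpropd
# accepts the transfer only if kpropd.acl lists that host principal.
# Returns the number of replicas whose push failed (0 == full replication),
# so a partial failure surfaces as a failed Ansible task instead of
# silently leaving a replica with a stale database.
push_to_replicas() {
    failed=0
    run_cmd kdb5_util dump "$DUMP_FILE" || return 1
    for replica in "$@"; do
        if run_cmd kprop -f "$DUMP_FILE" "$replica"; then
            echo "ok: $replica" >&2
        else
            echo "FAILED: $replica" >&2
            failed=$((failed + 1))
        fi
    done
    return "$failed"
}

# Only push when replicas are given, e.g.:
#   ./run-kprop.sh kdc02.example.org kdc03.example.org
if [ "$#" -gt 0 ]; then
    push_to_replicas "$@"
fi
```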