---

# tasks file for ipareplica

- block:

  - name: Install - Ensure IPA replica packages are installed

    package:

      name: "{{ ipareplica_packages }}"

      state: present

  - name: Install - Ensure IPA replica packages for dns are installed

    package:

      name: "{{ ipareplica_packages_dns }}"

      state: present

    when: ipareplica_setup_dns | bool

  - name: Install - Ensure IPA replica packages for adtrust are installed

    package:

      name: "{{ ipareplica_packages_adtrust }}"

      state: present

    when: ipareplica_setup_adtrust | bool

  - name: Install - Ensure that firewall packages installed

    package:

      name: "{{ ipareplica_packages_firewalld }}"

      state: present

    when: ipareplica_setup_firewalld | bool

  - name: Firewalld service - Ensure that firewalld is running

    systemd:

      name: firewalld

      enabled: yes

      state: started

    when: ipareplica_setup_firewalld | bool

  when: ipareplica_install_packages | bool

#- name: Install - Include Python2/3 import test

#  import_tasks: "{{ role_path }}/tasks/python_2_3_test.yml"

- name: Install - Set ipareplica_servers

  set_fact:

    ipareplica_servers: "{{ groups['ipaservers'] | list }}"

  when: groups.ipaservers is defined and ipareplica_servers is not defined

- name: Install - Set default principal if no keytab is given

  set_fact:

    ipaadmin_principal: admin

  when: ipaadmin_principal is undefined and ipaclient_keytab is undefined

- name: Install - Replica installation test

  ipareplica_test:

    ### basic ###

    # dm_password: "{{ ipadm_password | default(omit) }}"

    # password: "{{ ipaadmin_password | default(omit) }}"

    ip_addresses: "{{ ipareplica_ip_addresses | default([]) }}"

    domain: "{{ ipareplica_domain | default(ipaserver_domain) |

            default(omit) }}"

    servers: "{{ ipareplica_servers | default(omit) }}"

    realm: "{{ ipareplica_realm | default(ipaserver_realm) |default(omit) }}"

    hostname: "{{ ipareplica_hostname | default(ansible_fqdn) }}"

    ca_cert_files: "{{ ipareplica_ca_cert_files | default([]) }}"

    hidden_replica: "{{ ipareplica_hidden_replica }}"

    ### server ###

    setup_adtrust: "{{ ipareplica_setup_adtrust }}"

    setup_kra: "{{ ipareplica_setup_kra }}"

    setup_dns: "{{ ipareplica_setup_dns }}"

    no_pkinit: "{{ ipareplica_no_pkinit }}"

    dirsrv_config_file: "{{ ipareplica_dirsrv_config_file | default(omit) }}"

    ### ssl certificate ###

    dirsrv_cert_files: "{{ ipareplica_dirsrv_cert_files | default([]) }}"

    http_cert_files: "{{ ipareplica_http_cert_files | default([]) }}"

    pkinit_cert_files: "{{ ipareplica_pkinit_cert_files | default([]) }}"

    ### client ###

    no_ntp: "{{ ipaclient_no_ntp }}"

    ntp_servers: "{{ ipaclient_ntp_servers | default([]) }}"

    ntp_pool: "{{ ipaclient_ntp_pool | default(omit) }}"

    ### dns ###

    no_reverse: "{{ ipareplica_no_reverse }}"

    auto_reverse: "{{ ipareplica_auto_reverse }}"

    forwarders: "{{ ipareplica_forwarders | default([]) }}"

    no_forwarders: "{{ ipareplica_no_forwarders }}"

    auto_forwarders: "{{ ipareplica_auto_forwarders }}"

    forward_policy: "{{ ipareplica_forward_policy | default(omit) }}"

    no_dnssec_validation: "{{ ipareplica_no_dnssec_validation }}"

  register: result_ipareplica_test

- block:

  # This block is executed only when

  # not ansible_check_mode and

  # not (result_ipareplica_test.client_already_configured is defined or

  #      result_ipareplica_test.server_already_configured is defined)

  - name: Install - Setup client

    include_role:

      name: ipaclient

    vars:

      state: present

      ipaclient_domain: "{{ result_ipareplica_test.domain | default(omit) }}"

      ipaclient_realm: "{{ result_ipareplica_test.realm | default(omit) }}"

      ipaclient_servers: "{{ ipareplica_servers | default(omit) }}"

      ipaclient_hostname: "{{ result_ipareplica_test.hostname }}"

      ipaclient_no_ntp: "{{ result_ipareplica_test.ipa_python_version

                            < 40690 }}"

      ipaclient_install_packages: "{{ ipareplica_install_packages }}"

    when: not result_ipareplica_test.client_enrolled

  - name: Install - Configure firewalld

    command: >

      firewall-cmd

      --permanent

      --add-service=freeipa-ldap

      --add-service=freeipa-ldaps

      {{ "--add-service=freeipa-trust" if result_ipareplica_test.setup_adtrust

         else "" }}

      {{ "--add-service=dns" if ipareplica_setup_dns | bool else "" }}

      {{ "--add-service=ntp" if not ipaclient_no_ntp | bool else "" }}

    when: ipareplica_setup_firewalld | bool

  - name: Install - Configure firewalld runtime

    command: >

      firewall-cmd

      --add-service=freeipa-ldap

      --add-service=freeipa-ldaps

      {{ "--add-service=freeipa-trust" if result_ipareplica_test.setup_adtrust

         else "" }}

      {{ "--add-service=dns" if ipareplica_setup_dns | bool else "" }}

      {{ "--add-service=ntp" if not ipaclient_no_ntp | bool else "" }}

    when: ipareplica_setup_firewalld | bool

  - name: Install - Replica preparation

    ipareplica_prepare:

      ### basic ###

      password: "{{ ipaadmin_password | default(omit) }}"

      ip_addresses: "{{ ipareplica_ip_addresses | default([]) }}"

      domain: "{{ result_ipareplica_test.domain }}"

      realm: "{{ result_ipareplica_test.realm }}"

      hostname: "{{ result_ipareplica_test.hostname }}"

      principal: "{{ ipaadmin_principal | default(omit) }}"

      ca_cert_files: "{{ ipareplica_ca_cert_files | default([]) }}"

      no_host_dns: "{{ ipareplica_no_host_dns }}"

      ### replica ###

      setup_adtrust: "{{ result_ipareplica_test.setup_adtrust }}"

      setup_ca: "{{ ipareplica_setup_ca }}"

      setup_kra: "{{ result_ipareplica_test.setup_kra }}"

      setup_dns: "{{ ipareplica_setup_dns }}"

      ### ssl certificate ###

      dirsrv_cert_files: "{{ ipareplica_dirsrv_cert_files | default([]) }}"

      dirsrv_cert_name: "{{ ipareplica_dirsrv_cert_name | default(omit) }}"

      dirsrv_pin: "{{ ipareplica_dirsrv_pin | default(omit) }}"

      http_cert_files: "{{ ipareplica_http_cert_files | default([]) }}"

      http_cert_name: "{{ ipareplica_http_cert_name | default(omit) }}"

      http_pin: "{{ ipareplica_http_pin | default(omit) }}"

      pkinit_cert_files: "{{ ipareplica_pkinit_cert_files | default([]) }}"

      pkinit_cert_name: "{{ ipareplica_pkinit_cert_name | default(omit) }}"

      pkinit_pin: "{{ ipareplica_pkinit_pin | default(omit) }}"

      ### client ###

      keytab: "{{ ipaclient_keytab | default(omit) }}"

      mkhomedir: "{{ ipaclient_mkhomedir | default(omit) }}"

      force_join: "{{ ipaclient_force_join | default(omit) }}"

      no_ntp: "{{ ipaclient_no_ntp | default(omit) }}"

      ssh_trust_dns: "{{ ipaclient_ssh_trust_dns | default(omit) }}"

      no_ssh: no

      no_sshd: no

      no_dns_sshfp: no

      ### dns ###

      allow_zone_overlap: "{{ ipareplica_allow_zone_overlap }}"

      reverse_zones: "{{ ipareplica_reverse_zones | default([]) }}"

      no_reverse: "{{ ipareplica_no_reverse }}"

      auto_reverse: "{{ ipareplica_auto_reverse }}"

      forwarders: "{{ ipareplica_forwarders | default([]) }}"

      no_forwarders: "{{ ipareplica_no_forwarders }}"

      auto_forwarders: "{{ ipareplica_auto_forwarders }}"

      forward_policy: "{{ ipareplica_forward_policy | default(omit) }}"

      no_dnssec_validation: "{{ ipareplica_no_dnssec_validation }}"

      ### ad trust ###

      enable_compat: "{{ ipareplica_enable_compat }}"

      netbios_name: "{{ ipareplica_netbios_name | default(omit) }}"

      rid_base: "{{ ipareplica_rid_base | default(omit) }}"

      secondary_rid_base: "{{ ipareplica_secondary_rid_base | default(omit) }}"

      ### additional ###

      server: "{{ result_ipareplica_test.server }}"

      skip_conncheck: "{{ ipareplica_skip_conncheck }}"

    register: result_ipareplica_prepare

  - name: Install - Add to ipaservers

    ipareplica_add_to_ipaservers:

      ### server ###

      setup_kra: "{{ result_ipareplica_test.setup_kra }}"

      ### additional ###

      config_master_host_name:

        "{{ result_ipareplica_prepare.config_master_host_name }}"

      ccache: "{{ result_ipareplica_prepare.ccache }}"

      installer_ccache: "{{ result_ipareplica_prepare.installer_ccache }}"

      _top_dir: "{{ result_ipareplica_prepare._top_dir }}"

    when: result_ipareplica_prepare._add_to_ipaservers

  - name: Install - Create dirman password

    no_log: yes

    ipareplica_master_password:

      master_password: "{{ ipareplica_master_password | default(omit) }}"

    register: result_ipareplica_master_password

  - name: Install - Set dirman password

    no_log: yes

    set_fact:

      ipareplica_dirman_password:

        "{{ result_ipareplica_master_password.password }}"

  - name: Install - Setup certmonger

    ipareplica_setup_certmonger:

    when: result_ipareplica_prepare._ca_enabled

  - name: Install - Install CA certs

    ipareplica_install_ca_certs:

      ### basic ###

      dm_password: "{{ ipadm_password | default(omit) }}"

      password: "{{ ipaadmin_password | default(omit) }}"

      ip_addresses: "{{ ipareplica_ip_addresses | default([]) }}"

      domain: "{{ result_ipareplica_test.domain }}"

      realm: "{{ result_ipareplica_test.realm }}"

      hostname: "{{ result_ipareplica_test.hostname }}"

      ca_cert_files: "{{ ipareplica_ca_cert_files | default([]) }}"

      no_host_dns: "{{ ipareplica_no_host_dns }}"

      ### replica ###

      setup_adtrust: "{{ result_ipareplica_test.setup_adtrust }}"

      setup_kra: "{{ result_ipareplica_test.setup_kra }}"

      setup_dns: "{{ ipareplica_setup_dns }}"

      ### ssl certificate ###

      dirsrv_cert_files: "{{ ipareplica_dirsrv_cert_files | default([]) }}"

      ### client ###

      force_join: "{{ ipaclient_force_join }}"

      ### ad trust ###

      netbios_name: "{{ ipareplica_netbios_name | default(omit) }}"

      rid_base: "{{ ipareplica_rid_base | default(omit) }}"

      secondary_rid_base: "{{ ipareplica_secondary_rid_base | default(omit) }}"

      ### additional ###

      server: "{{ result_ipareplica_test.server }}"

      ccache: "{{ result_ipareplica_prepare.ccache }}"

      installer_ccache: "{{ result_ipareplica_prepare.installer_ccache }}"

      subject_base: "{{ result_ipareplica_prepare.subject_base }}"

      _top_dir: "{{ result_ipareplica_prepare._top_dir }}"

      _add_to_ipaservers: "{{ result_ipareplica_prepare._add_to_ipaservers }}"

      _ca_subject: "{{ result_ipareplica_prepare._ca_subject }}"

      _subject_base: "{{ result_ipareplica_prepare._subject_base }}"

      dirman_password: "{{ ipareplica_dirman_password }}"

      config_setup_ca: "{{ result_ipareplica_prepare.config_setup_ca }}"

      config_master_host_name:

        "{{ result_ipareplica_prepare.config_master_host_name }}"

      config_ca_host_name: "{{ result_ipareplica_prepare.config_ca_host_name }}"

      config_ips: "{{ result_ipareplica_prepare.config_ips }}"

    register: result_ipareplica_install_ca_certs

  - name: Install - Setup DS

    ipareplica_setup_ds:

      ### basic ###

      dm_password: "{{ ipadm_password | default(omit) }}"

      password: "{{ ipaadmin_password | default(omit) }}"

      ip_addresses: "{{ ipareplica_ip_addresses | default([]) }}"

      domain: "{{ result_ipareplica_test.domain }}"

      realm: "{{ result_ipareplica_test.realm }}"

      hostname: "{{ result_ipareplica_test.hostname }}"

      ca_cert_files: "{{ ipareplica_ca_cert_files | default([]) }}"

      no_host_dns: "{{ ipareplica_no_host_dns }}"

      ### replica ###

      setup_adtrust: "{{ result_ipareplica_test.setup_adtrust }}"

      setup_kra: "{{ result_ipareplica_test.setup_kra }}"

      setup_dns: "{{ ipareplica_setup_dns }}"

      no_pkinit: "{{ ipareplica_no_pkinit }}"

      dirsrv_config_file: "{{ ipareplica_dirsrv_config_file | default(omit) }}"

      ### ssl certificate ###

      dirsrv_cert_files: "{{ ipareplica_dirsrv_cert_files | default([]) }}"

      ### client ###

      force_join: "{{ ipaclient_force_join }}"

      ### ad trust ###

      netbios_name: "{{ ipareplica_netbios_name | default(omit) }}"

      rid_base: "{{ ipareplica_rid_base | default(omit) }}"

      secondary_rid_base: "{{ ipareplica_secondary_rid_base | default(omit) }}"

      ### additional ###

      server: "{{ result_ipareplica_test.server }}"

      ccache: "{{ result_ipareplica_prepare.ccache }}"

      installer_ccache: "{{ result_ipareplica_prepare.installer_ccache }}"

      _ca_enabled: "{{ result_ipareplica_prepare._ca_enabled }}"

      _dirsrv_pkcs12_info: "{{ result_ipareplica_prepare._dirsrv_pkcs12_info  if result_ipareplica_prepare._dirsrv_pkcs12_info != None else omit }}"

      subject_base: "{{ result_ipareplica_prepare.subject_base }}"

      _top_dir: "{{ result_ipareplica_prepare._top_dir }}"

      _add_to_ipaservers: "{{ result_ipareplica_prepare._add_to_ipaservers }}"

      _ca_subject: "{{ result_ipareplica_prepare._ca_subject }}"

      _subject_base: "{{ result_ipareplica_prepare._subject_base }}"

      dirman_password: "{{ ipareplica_dirman_password }}"

      config_setup_ca: "{{ result_ipareplica_prepare.config_setup_ca }}"

      config_master_host_name:

        "{{ result_ipareplica_install_ca_certs.config_master_host_name }}"

      config_ca_host_name: "{{ result_ipareplica_prepare.config_ca_host_name }}"

      config_ips: "{{ result_ipareplica_prepare.config_ips }}"

    register: result_ipareplica_setup_ds

  - name: Install - Create IPA conf

    ipareplica_create_ipa_conf:

      ### basic ###

      dm_password: "{{ ipadm_password | default(omit) }}"

      password: "{{ ipaadmin_password | default(omit) }}"

      ip_addresses: "{{ ipareplica_ip_addresses | default([]) }}"

      domain: "{{ result_ipareplica_test.domain }}"

      realm: "{{ result_ipareplica_test.realm }}"

      hostname: "{{ result_ipareplica_test.hostname }}"

      ca_cert_files: "{{ ipareplica_ca_cert_files | default([]) }}"

      no_host_dns: "{{ ipareplica_no_host_dns }}"

      ### replica ###

      setup_adtrust: "{{ result_ipareplica_test.setup_adtrust }}"

      setup_kra: "{{ result_ipareplica_test.setup_kra }}"

      setup_dns: "{{ ipareplica_setup_dns }}"

      ### ssl certificate ###

      dirsrv_cert_files: "{{ ipareplica_dirsrv_cert_files | default([]) }}"

      ### client ###

      force_join: "{{ ipaclient_force_join }}"

      ### ad trust ###

      netbios_name: "{{ ipareplica_netbios_name | default(omit) }}"

      rid_base: "{{ ipareplica_rid_base | default(omit) }}"

      secondary_rid_base: "{{ ipareplica_secondary_rid_base | default(omit) }}"

      ### additional ###

      server: "{{ result_ipareplica_test.server }}"

      config_master_host_name:

        "{{ result_ipareplica_install_ca_certs.config_master_host_name }}"

      config_ca_host_name: "{{ result_ipareplica_prepare.config_ca_host_name }}"

      ccache: "{{ result_ipareplica_prepare.ccache }}"

      installer_ccache: "{{ result_ipareplica_prepare.installer_ccache }}"

      _ca_enabled: "{{ result_ipareplica_prepare._ca_enabled }}"

      subject_base: "{{ result_ipareplica_prepare.subject_base }}"

      _top_dir: "{{ result_ipareplica_prepare._top_dir }}"

      _add_to_ipaservers: "{{ result_ipareplica_prepare._add_to_ipaservers }}"

      _ca_subject: "{{ result_ipareplica_prepare._ca_subject }}"

      _subject_base: "{{ result_ipareplica_prepare._subject_base }}"

      dirman_password: "{{ ipareplica_dirman_password }}"

  - name: Install - Setup KRB

    ipareplica_setup_krb:

      ### server ###

      setup_ca: "{{ ipareplica_setup_ca }}"

      setup_kra: "{{ result_ipareplica_test.setup_kra }}"

      no_pkinit: "{{ ipareplica_no_pkinit }}"

      ### certificate system ###

      subject_base: "{{ result_ipareplica_prepare.subject_base }}"

      ### additional ###

      config_master_host_name:

        "{{ result_ipareplica_install_ca_certs.config_master_host_name }}"

      ccache: "{{ result_ipareplica_prepare.ccache }}"

      _pkinit_pkcs12_info: "{{ result_ipareplica_prepare._pkinit_pkcs12_info  if result_ipareplica_prepare._pkinit_pkcs12_info != None else omit }}"

      _top_dir: "{{ result_ipareplica_prepare._top_dir }}"

  # We need to point to the master in ipa default conf when certmonger

  # asks for HTTP certificate in newer ipa versions. In these versions

  # create_ipa_conf has the additional master argument.

  - name: Install - Create override IPA conf

    ipareplica_create_ipa_conf:

      ### basic ###

      dm_password: "{{ ipadm_password | default(omit) }}"

      password: "{{ ipaadmin_password | default(omit) }}"

      ip_addresses: "{{ ipareplica_ip_addresses | default([]) }}"

      domain: "{{ result_ipareplica_test.domain }}"

      realm: "{{ result_ipareplica_test.realm }}"

      hostname: "{{ result_ipareplica_test.hostname }}"

      ca_cert_files: "{{ ipareplica_ca_cert_files | default([]) }}"

      no_host_dns: "{{ ipareplica_no_host_dns }}"

      ### replica ###

      setup_adtrust: "{{ result_ipareplica_test.setup_adtrust }}"

      setup_kra: "{{ result_ipareplica_test.setup_kra }}"

      setup_dns: "{{ ipareplica_setup_dns }}"

      ### ssl certificate ###

      dirsrv_cert_files: "{{ ipareplica_dirsrv_cert_files | default([]) }}"

      ### client ###

      force_join: "{{ ipaclient_force_join }}"

      ### ad trust ###

      netbios_name: "{{ ipareplica_netbios_name | default(omit) }}"

      rid_base: "{{ ipareplica_rid_base | default(omit) }}"

      secondary_rid_base: "{{ ipareplica_secondary_rid_base | default(omit) }}"

      ### additional ###

      server: "{{ result_ipareplica_test.server }}"

      config_master_host_name:

        "{{ result_ipareplica_install_ca_certs.config_master_host_name }}"

      config_ca_host_name: "{{ result_ipareplica_prepare.config_ca_host_name }}"

      ccache: "{{ result_ipareplica_prepare.ccache }}"

      installer_ccache: "{{ result_ipareplica_prepare.installer_ccache }}"

      _ca_enabled: "{{ result_ipareplica_prepare._ca_enabled }}"

      subject_base: "{{ result_ipareplica_prepare.subject_base }}"

      _top_dir: "{{ result_ipareplica_prepare._top_dir }}"

      _add_to_ipaservers: "{{ result_ipareplica_prepare._add_to_ipaservers }}"

      _ca_subject: "{{ result_ipareplica_prepare._ca_subject }}"

      _subject_base: "{{ result_ipareplica_prepare._subject_base }}"

      dirman_password: "{{ ipareplica_dirman_password }}"

      master:

        "{{ result_ipareplica_install_ca_certs.config_master_host_name }}"

    when: result_ipareplica_test.change_master_for_certmonger

  - name: Install - DS enable SSL

    ipareplica_ds_enable_ssl:

      ### server ###

      setup_ca: "{{ ipareplica_setup_ca }}"

      setup_kra: "{{ result_ipareplica_test.setup_kra }}"

      no_pkinit: "{{ ipareplica_no_pkinit }}"

      dirsrv_config_file: "{{ ipareplica_dirsrv_config_file | default(omit) }}"

      ### certificate system ###

      subject_base: "{{ result_ipareplica_prepare.subject_base }}"

      ### additional ###

      config_master_host_name:

        "{{ result_ipareplica_install_ca_certs.config_master_host_name }}"

      ccache: "{{ result_ipareplica_prepare.ccache }}"

      _ca_enabled: "{{ result_ipareplica_prepare._ca_enabled }}"

      _ca_file: "{{ result_ipareplica_prepare._ca_file }}"

      _dirsrv_pkcs12_info: "{{ result_ipareplica_prepare._dirsrv_pkcs12_info if result_ipareplica_prepare._dirsrv_pkcs12_info != None else omit }}"

      _pkinit_pkcs12_info: "{{ result_ipareplica_prepare._pkinit_pkcs12_info if result_ipareplica_prepare._pkinit_pkcs12_info != None else omit }}"

      _top_dir: "{{ result_ipareplica_prepare._top_dir }}"

      dirman_password: "{{ ipareplica_dirman_password }}"

      ds_ca_subject: "{{ result_ipareplica_setup_ds.ds_ca_subject }}"

  - name: Install - Setup http

    ipareplica_setup_http:

      ### server ###

      setup_ca: "{{ ipareplica_setup_ca }}"

      setup_kra: "{{ result_ipareplica_test.setup_kra }}"

      no_pkinit: "{{ ipareplica_no_pkinit }}"

      no_ui_redirect: "{{ ipareplica_no_ui_redirect }}"

      ### certificate system ###

      subject_base: "{{ result_ipareplica_prepare.subject_base }}"

      ### additional ###

      config_master_host_name:

        "{{ result_ipareplica_install_ca_certs.config_master_host_name }}"

      config_ca_host_name: "{{ result_ipareplica_prepare.config_ca_host_name }}"

      ccache: "{{ result_ipareplica_prepare.ccache }}"

      _ca_enabled: "{{ result_ipareplica_prepare._ca_enabled }}"

      _ca_file: "{{ result_ipareplica_prepare._ca_file }}"

      _http_pkcs12_info: "{{ result_ipareplica_prepare._http_pkcs12_info if result_ipareplica_prepare._http_pkcs12_info != None else omit }}"

      _top_dir: "{{ result_ipareplica_prepare._top_dir }}"

      dirman_password: "{{ ipareplica_dirman_password }}"

  # Need to point back to ourself after the cert for HTTP is obtained

  - name: Install - Create original IPA conf again

    ipareplica_create_ipa_conf:

      ### basic ###

      dm_password: "{{ ipadm_password | default(omit) }}"

      password: "{{ ipaadmin_password | default(omit) }}"

      ip_addresses: "{{ ipareplica_ip_addresses | default([]) }}"

      domain: "{{ result_ipareplica_test.domain }}"

      realm: "{{ result_ipareplica_test.realm }}"

      hostname: "{{ result_ipareplica_test.hostname }}"

      ca_cert_files: "{{ ipareplica_ca_cert_files | default([]) }}"

      no_host_dns: "{{ ipareplica_no_host_dns }}"

      ### replica ###

      setup_adtrust: "{{ result_ipareplica_test.setup_adtrust }}"

      setup_kra: "{{ result_ipareplica_test.setup_kra }}"

      setup_dns: "{{ ipareplica_setup_dns }}"

      ### ssl certificate ###

      dirsrv_cert_files: "{{ ipareplica_dirsrv_cert_files | default([]) }}"

      ### client ###

      force_join: "{{ ipaclient_force_join }}"

      ### ad trust ###

      netbios_name: "{{ ipareplica_netbios_name | default(omit) }}"

      rid_base: "{{ ipareplica_rid_base | default(omit) }}"

      secondary_rid_base: "{{ ipareplica_secondary_rid_base | default(omit) }}"

      ### additional ###

      server: "{{ result_ipareplica_test.server }}"

      config_master_host_name:

        "{{ result_ipareplica_install_ca_certs.config_master_host_name }}"

      config_ca_host_name: "{{ result_ipareplica_prepare.config_ca_host_name }}"

      ccache: "{{ result_ipareplica_prepare.ccache }}"

      installer_ccache: "{{ result_ipareplica_prepare.installer_ccache }}"

      _ca_enabled: "{{ result_ipareplica_prepare._ca_enabled }}"

      subject_base: "{{ result_ipareplica_prepare.subject_base }}"

      _top_dir: "{{ result_ipareplica_prepare._top_dir }}"

      _add_to_ipaservers: "{{ result_ipareplica_prepare._add_to_ipaservers }}"

      _ca_subject: "{{ result_ipareplica_prepare._ca_subject }}"

      _subject_base: "{{ result_ipareplica_prepare._subject_base }}"

      dirman_password: "{{ ipareplica_dirman_password }}"

    when: result_ipareplica_test.change_master_for_certmonger

  - name: Install - Setup otpd

    ipareplica_setup_otpd:

      ### server ###

      setup_ca: "{{ ipareplica_setup_ca }}"

      setup_kra: "{{ result_ipareplica_test.setup_kra }}"

      no_pkinit: "{{ ipareplica_no_pkinit }}"

      no_ui_redirect: "{{ ipareplica_no_ui_redirect }}"

      ### certificate system ###

      subject_base: "{{ result_ipareplica_prepare.subject_base }}"

      ### additional ###

      config_master_host_name:

        "{{ result_ipareplica_install_ca_certs.config_master_host_name }}"

      ccache: "{{ result_ipareplica_prepare.ccache }}"

      _ca_file: "{{ result_ipareplica_prepare._ca_file }}"

      _top_dir: "{{ result_ipareplica_prepare._top_dir }}"

      dirman_password: "{{ ipareplica_dirman_password }}"

  - name: Install - Setup custodia

    ipareplica_setup_custodia:

      ### server ###

      setup_ca: "{{ ipareplica_setup_ca }}"

      setup_kra: "{{ result_ipareplica_test.setup_kra }}"

      no_pkinit: "{{ ipareplica_no_pkinit }}"

      no_ui_redirect: "{{ ipareplica_no_ui_redirect }}"

      ### certificate system ###

      subject_base: "{{ result_ipareplica_prepare.subject_base }}"

      ### additional ###

      config_master_host_name:

        "{{ result_ipareplica_prepare.config_master_host_name }}"

      ccache: "{{ result_ipareplica_prepare.ccache }}"

      _ca_enabled: "{{ result_ipareplica_prepare._ca_enabled }}"

      _kra_enabled: "{{ result_ipareplica_prepare._kra_enabled }}"

      _kra_host_name: "{{ result_ipareplica_prepare.config_kra_host_name }}"

      _ca_file: "{{ result_ipareplica_prepare._ca_file }}"

      _pkinit_pkcs12_info: "{{ result_ipareplica_prepare._pkinit_pkcs12_info if result_ipareplica_prepare._pkinit_pkcs12_info != None else omit }}"

      _top_dir: "{{ result_ipareplica_prepare._top_dir }}"

      dirman_password: "{{ ipareplica_dirman_password }}"

  - name: Install - Setup CA

    ipareplica_setup_ca:

      ### server ###

      setup_ca: "{{ ipareplica_setup_ca }}"

      setup_kra: "{{ result_ipareplica_test.setup_kra }}"

      no_pkinit: "{{ ipareplica_no_pkinit }}"

      pki_config_override:

        "{{ ipareplica_pki_config_override | default(omit) }}"

      ### certificate system ###

      subject_base: "{{ result_ipareplica_prepare.subject_base }}"

      ### additional ###

      ccache: "{{ result_ipareplica_prepare.ccache }}"

      _ca_enabled: "{{ result_ipareplica_prepare._ca_enabled }}"

      _ca_file: "{{ result_ipareplica_prepare._ca_file }}"

      _ca_subject: "{{ result_ipareplica_prepare._ca_subject }}"

      _kra_enabled: "{{ result_ipareplica_prepare._kra_enabled }}"

      _kra_host_name: "{{ result_ipareplica_prepare.config_kra_host_name }}"

      _subject_base: "{{ result_ipareplica_prepare._subject_base }}"

      _pkinit_pkcs12_info: "{{ result_ipareplica_prepare._pkinit_pkcs12_info if result_ipareplica_prepare._pkinit_pkcs12_info != None else omit }}"

      _top_dir: "{{ result_ipareplica_prepare._top_dir }}"

      dirman_password: "{{ ipareplica_dirman_password }}"

      config_setup_ca: "{{ result_ipareplica_prepare.config_setup_ca }}"

      config_master_host_name:

        "{{ result_ipareplica_install_ca_certs.config_master_host_name }}"

      config_ca_host_name:

        "{{ result_ipareplica_install_ca_certs.config_ca_host_name }}"

      config_ips: "{{ result_ipareplica_prepare.config_ips }}"

    when: result_ipareplica_prepare._ca_enabled

  - name: Install - KRB enable SSL

    ipareplica_krb_enable_ssl:

      ### server ###

      setup_ca: "{{ ipareplica_setup_ca }}"

      setup_kra: "{{ result_ipareplica_test.setup_kra }}"

      no_pkinit: "{{ ipareplica_no_pkinit }}"

      ### certificate system ###

      subject_base: "{{ result_ipareplica_prepare.subject_base }}"

      ### additional ###

      config_master_host_name:

        "{{ result_ipareplica_install_ca_certs.config_master_host_name }}"

      ccache: "{{ result_ipareplica_prepare.ccache }}"

      _ca_enabled: "{{ result_ipareplica_prepare._ca_enabled }}"

      _ca_file: "{{ result_ipareplica_prepare._ca_file }}"

      _pkinit_pkcs12_info: "{{ result_ipareplica_prepare._pkinit_pkcs12_info if result_ipareplica_prepare._pkinit_pkcs12_info != None else omit }}"

      _top_dir: "{{ result_ipareplica_prepare._top_dir }}"

      dirman_password: "{{ ipareplica_dirman_password }}"

  - name: Install - DS apply updates

    ipareplica_ds_apply_updates:

      ### server ###

      setup_ca: "{{ ipareplica_setup_ca }}"

      setup_kra: "{{ result_ipareplica_test.setup_kra }}"

      no_pkinit: "{{ ipareplica_no_pkinit }}"

      no_ui_redirect: "{{ ipareplica_no_ui_redirect }}"

      dirsrv_config_file: "{{ ipareplica_dirsrv_config_file | default(omit) }}"

      ### certificate system ###

      subject_base: "{{ result_ipareplica_prepare.subject_base }}"

      ### additional ###

      config_master_host_name:

        "{{ result_ipareplica_install_ca_certs.config_master_host_name }}"

      ccache: "{{ result_ipareplica_prepare.ccache }}"

      _ca_enabled: "{{ result_ipareplica_prepare._ca_enabled }}"

      _ca_file: "{{ result_ipareplica_prepare._ca_file }}"

      _pkinit_pkcs12_info: "{{ result_ipareplica_prepare._pkinit_pkcs12_info if result_ipareplica_prepare._pkinit_pkcs12_info != None else omit }}"

      _top_dir: "{{ result_ipareplica_prepare._top_dir }}"

      dirman_password: "{{ ipareplica_dirman_password }}"

      ds_ca_subject: "{{ result_ipareplica_setup_ds.ds_ca_subject }}"

  - name: Install - Setup kra

    ipareplica_setup_kra:

      ### basic ###

      dm_password: "{{ ipadm_password | default(omit) }}"

      password: "{{ ipaadmin_password | default(omit) }}"

      ip_addresses: "{{ ipareplica_ip_addresses | default([]) }}"

      domain: "{{ result_ipareplica_test.domain }}"

      realm: "{{ result_ipareplica_test.realm }}"

      hostname: "{{ result_ipareplica_test.hostname }}"

      ca_cert_files: "{{ ipareplica_ca_cert_files | default([]) }}"

      no_host_dns: "{{ ipareplica_no_host_dns }}"

      pki_config_override:

        "{{ ipareplica_pki_config_override | default(omit) }}"

      ### replica ###

      setup_adtrust: "{{ result_ipareplica_test.setup_adtrust }}"

      setup_ca: "{{ ipareplica_setup_ca }}"

      setup_kra: "{{ result_ipareplica_test.setup_kra }}"

      setup_dns: "{{ ipareplica_setup_dns }}"

      ### ssl certificate ###

      dirsrv_cert_files: "{{ ipareplica_dirsrv_cert_files | default([]) }}"

      ### client ###

      force_join: "{{ ipaclient_force_join }}"

      ### certificate system ###

      subject_base: "{{ result_ipareplica_prepare.subject_base }}"

      ### additional ###

      server: "{{ result_ipareplica_test.server }}"

      config_master_host_name:

        "{{ result_ipareplica_prepare.config_master_host_name }}"

      installer_ccache: "{{ result_ipareplica_prepare.installer_ccache }}"

      _ca_enabled: "{{ result_ipareplica_prepare._ca_enabled }}"

      _kra_enabled: "{{ result_ipareplica_prepare._kra_enabled }}"

      _kra_host_name: "{{ result_ipareplica_prepare.config_kra_host_name }}"

      _top_dir: "{{ result_ipareplica_prepare._top_dir }}"

      _add_to_ipaservers: "{{ result_ipareplica_prepare._add_to_ipaservers }}"

      _ca_subject: "{{ result_ipareplica_prepare._ca_subject }}"

      _subject_base: "{{ result_ipareplica_prepare._subject_base }}"

    when: result_ipareplica_test.setup_kra

  - name: Install - Restart KDC

    ipareplica_restart_kdc:

      ### server ###

      setup_ca: "{{ ipareplica_setup_ca }}"

      setup_kra: "{{ result_ipareplica_test.setup_kra }}"

      no_pkinit: "{{ ipareplica_no_pkinit }}"

      no_ui_redirect: "{{ ipareplica_no_ui_redirect }}"

      ### certificate system ###

      subject_base: "{{ result_ipareplica_prepare.subject_base }}"

      ### additional ###

      config_master_host_name:

        "{{ result_ipareplica_install_ca_certs.config_master_host_name }}"

      ccache: "{{ result_ipareplica_prepare.ccache }}"

      _ca_file: "{{ result_ipareplica_prepare._ca_file }}"

      _top_dir: "{{ result_ipareplica_prepare._top_dir }}"

      dirman_password: "{{ ipareplica_dirman_password }}"

  - name: Install - Custodia import dm password

    ipareplica_custodia_import_dm_password:

      ### server ###

      setup_ca: "{{ ipareplica_setup_ca }}"

      setup_kra: "{{ result_ipareplica_test.setup_kra }}"

      no_pkinit: "{{ ipareplica_no_pkinit }}"

      no_ui_redirect: "{{ ipareplica_no_ui_redirect }}"

      ### certificate system ###

      subject_base: "{{ result_ipareplica_prepare.subject_base }}"

      ### additional ###

      config_master_host_name:

        "{{ result_ipareplica_prepare.config_master_host_name }}"

      config_ca_host_name: "{{ result_ipareplica_prepare.config_ca_host_name }}"

      ccache: "{{ result_ipareplica_prepare.ccache }}"

      _ca_enabled: "{{ result_ipareplica_prepare._ca_enabled }}"

      _ca_file: "{{ result_ipareplica_prepare._ca_file }}"

      _kra_enabled: "{{ result_ipareplica_prepare._kra_enabled }}"

      _kra_host_name: "{{ result_ipareplica_prepare.config_kra_host_name }}"

      _top_dir: "{{ result_ipareplica_prepare._top_dir }}"

      dirman_password: "{{ ipareplica_dirman_password }}"

      config_setup_ca: "{{ result_ipareplica_prepare.config_setup_ca }}"

  - name: Install - Promote SSSD

    ipareplica_promote_sssd:

      ### replica ###

      setup_kra: "{{ result_ipareplica_test.setup_kra }}"

      ### certificate system ###

      subject_base: "{{ result_ipareplica_prepare.subject_base }}"

      ### additional ###

      ccache: "{{ result_ipareplica_prepare.ccache }}"

      _top_dir: "{{ result_ipareplica_prepare._top_dir }}"

      config_setup_ca: "{{ result_ipareplica_prepare.config_setup_ca }}"

      config_master_host_name:

        "{{ result_ipareplica_prepare.config_master_host_name }}"

  - name: Install - Promote openldap.conf

    ipareplica_promote_openldap_conf:

      ### replica ###

      setup_kra: "{{ result_ipareplica_test.setup_kra }}"

      ### certificate system ###

      subject_base: "{{ result_ipareplica_prepare.subject_base }}"

      ### additional ###

      ccache: "{{ result_ipareplica_prepare.ccache }}"

      _top_dir: "{{ result_ipareplica_prepare._top_dir }}"

      config_setup_ca: "{{ result_ipareplica_prepare.config_setup_ca }}"

      config_master_host_name:

        "{{ result_ipareplica_prepare.config_master_host_name }}"

  - name: Install - Setup DNS

    ipareplica_setup_dns:

      ### server ###

      setup_dns: "{{ ipareplica_setup_dns }}"

      ### replica ###

      setup_kra: "{{ result_ipareplica_test.setup_kra }}"

      ### certificate system ###

      subject_base: "{{ result_ipareplica_prepare.subject_base }}"

      ### dns ###

      zonemgr: "{{ ipareplica_zonemgr | default(omit) }}"

      forwarders: "{{ ipareplica_forwarders | default([]) }}"

      forward_policy: "{{ result_ipareplica_prepare.forward_policy if

                          result_ipareplica_prepare.forward_policy is

                          not none else omit }}"

      no_dnssec_validation: "{{ ipareplica_no_dnssec_validation }}"

      ### additional ###

      dns_ip_addresses: "{{ result_ipareplica_prepare.dns_ip_addresses }}"

      dns_reverse_zones: "{{ result_ipareplica_prepare.dns_reverse_zones }}"

      ccache: "{{ result_ipareplica_prepare.ccache }}"

      _top_dir: "{{ result_ipareplica_prepare._top_dir }}"

      setup_ca: "{{ result_ipareplica_prepare.config_setup_ca }}"

      config_master_host_name:

        "{{ result_ipareplica_prepare.config_master_host_name }}"

  - name: Install - Setup adtrust

    ipareplica_setup_adtrust:

      ### replica ###

      setup_kra: "{{ result_ipareplica_test.setup_kra }}"

      ### certificate system ###

      subject_base: "{{ result_ipareplica_prepare.subject_base }}"

      ### ad trust ###

      enable_compat: "{{ ipareplica_enable_compat }}"

      rid_base: "{{ result_ipareplica_prepare.rid_base }}"

      secondary_rid_base: "{{ result_ipareplica_prepare.secondary_rid_base }}"

      ### additional ###

      ccache: "{{ result_ipareplica_prepare.ccache }}"

      _top_dir: "{{ result_ipareplica_prepare._top_dir }}"

      setup_ca: "{{ result_ipareplica_prepare.config_setup_ca }}"

      config_master_host_name:

        "{{ result_ipareplica_prepare.config_master_host_name }}"

      adtrust_netbios_name:

        "{{ result_ipareplica_prepare.adtrust_netbios_name }}"

      adtrust_reset_netbios_name:

        "{{ result_ipareplica_prepare.adtrust_reset_netbios_name }}"

    when: result_ipareplica_test.setup_adtrust

  - name: Install - Enable IPA

    ipareplica_enable_ipa:

      hostname: "{{ result_ipareplica_test.hostname }}"

      hidden_replica: "{{ ipareplica_hidden_replica }}"

      ### server ###

      ### replica ###

      setup_kra: "{{ result_ipareplica_test.setup_kra }}"

      ### certificate system ###

      subject_base: "{{ result_ipareplica_prepare.subject_base }}"

      ### additional ###

      ccache: "{{ result_ipareplica_prepare.ccache }}"

      _top_dir: "{{ result_ipareplica_prepare._top_dir }}"

      setup_ca: "{{ result_ipareplica_prepare.config_setup_ca }}"

      config_master_host_name:

        "{{ result_ipareplica_prepare.config_master_host_name }}"

    register: result_ipareplica_enable_ipa

  - name: Install - Cleanup root IPA cache

    file:

      path: "/root/.ipa_cache"

      state: absent

    when: result_ipareplica_enable_ipa.changed

  always:

  - name: Cleanup temporary files

    file:

      path: "{{ item }}"

      state: absent

    with_items:

    - "/etc/ipa/.tmp_pkcs12_dirsrv"

    - "/etc/ipa/.tmp_pkcs12_http"

    - "/etc/ipa/.tmp_pkcs12_pkinit"

  when: not ansible_check_mode and

        not (result_ipareplica_test.client_already_configured is defined or

             result_ipareplica_test.server_already_configured is defined)