ansible-collection-core/roles/freeipa/tasks/main.yml

---
- name: FreeIPA | PATCH | Request or renew Let's Encrypt Certificates
  ansible.builtin.include_tasks:
    file: certs.yml

- name: FreeIPA | PATCH | Deploy first FreeIPA server
  ansible.builtin.include_role:
    role: freeipa.ansible_freeipa.ipaserver
  vars:
    ipaserver_ca_cert_files:
      - /root/isrgrootx1.pem
      - /root/isrg-root-x2.pem
    ipaserver_dirsrv_cert_name: "{{ ansible_inventory }}"
    ipaserver_dirsrv_cert_files: ["/root/server.p12"]
    ipaserver_dirsrv_pin: ""
    ipaserver_firewalld_zone: public
    ipaserver_http_cert_name: "{{ ansible_inventory }}"
    ipaserver_http_cert_files: ["/root/server.p12"]
    ipaserver_http_pin: ""
    ipaserver_no_hbac_allow: true
    ipaserver_no_pkinit: true
    ipaserver_setup_dns: false
  when: inventory_hostname == groups['ipaservers'][0]

- name: FreeIPA | PATCH | Deploy replica FreeIPA servers
  ansible.builtin.include_role:
    role: freeipa.ansible_freeipa.ipareplica
  vars:
    ipareplica_ca_cert_files:
      - /root/isrgrootx1.pem
      - /root/isrg-root-x2.pem
    ipareplica_dirsrv_cert_name: "{{ ansible_inventory }}"
    ipareplica_dirsrv_cert_files: ["/root/server.p12"]
    ipareplica_dirsrv_pin: ""
    ipareplica_firewalld_zone: public
    ipareplica_http_cert_name: "{{ ansible_inventory }}"
    ipareplica_http_cert_files: ["/root/server.p12"]
    ipareplica_http_pin: ""
    ipareplica_no_pkinit: true
    ipareplica_setup_dns: false

- name: FreeIPA | AUDIT | Check current authselect configuration
  ansible.builtin.command: authselect current
  register: freeipa_authselect_status
  changed_when: false

- name: FreeIPA | PATCH | Apply authselect profile with sssd, sudo, and mkhomedir if not set
  ansible.builtin.command: authselect select sssd with-sudo with-mkhomedir
  when: >
    'Profile ID: sssd' not in freeipa_authselect_status.stdout or
    'with-sudo' not in freeipa_authselect_status.stdout or
    'with-mkhomedir' not in freeipa_authselect_status.stdout
Initial import; migrate some roles from irl.wip 2025-10-31 22:36:32 +00:00			`---`
			`- name: FreeIPA \| PATCH \| Request or renew Let's Encrypt Certificates`
			`ansible.builtin.include_tasks:`
			`file: certs.yml`

			`- name: FreeIPA \| PATCH \| Deploy first FreeIPA server`
			`ansible.builtin.include_role:`
			`role: freeipa.ansible_freeipa.ipaserver`
			`vars:`
			`ipaserver_ca_cert_files:`
			`- /root/isrgrootx1.pem`
			`- /root/isrg-root-x2.pem`
			`ipaserver_dirsrv_cert_name: "{{ ansible_inventory }}"`
lint: ansible-lint suggested updates 2025-11-01 15:07:36 +00:00			`ipaserver_dirsrv_cert_files: ["/root/server.p12"]`
Initial import; migrate some roles from irl.wip 2025-10-31 22:36:32 +00:00			`ipaserver_dirsrv_pin: ""`
			`ipaserver_firewalld_zone: public`
			`ipaserver_http_cert_name: "{{ ansible_inventory }}"`
lint: ansible-lint suggested updates 2025-11-01 15:07:36 +00:00			`ipaserver_http_cert_files: ["/root/server.p12"]`
Initial import; migrate some roles from irl.wip 2025-10-31 22:36:32 +00:00			`ipaserver_http_pin: ""`
			`ipaserver_no_hbac_allow: true`
			`ipaserver_no_pkinit: true`
			`ipaserver_setup_dns: false`
			`when: inventory_hostname == groups['ipaservers'][0]`

			`- name: FreeIPA \| PATCH \| Deploy replica FreeIPA servers`
			`ansible.builtin.include_role:`
			`role: freeipa.ansible_freeipa.ipareplica`
			`vars:`
			`ipareplica_ca_cert_files:`
			`- /root/isrgrootx1.pem`
			`- /root/isrg-root-x2.pem`
			`ipareplica_dirsrv_cert_name: "{{ ansible_inventory }}"`
lint: ansible-lint suggested updates 2025-11-01 15:07:36 +00:00			`ipareplica_dirsrv_cert_files: ["/root/server.p12"]`
Initial import; migrate some roles from irl.wip 2025-10-31 22:36:32 +00:00			`ipareplica_dirsrv_pin: ""`
			`ipareplica_firewalld_zone: public`
			`ipareplica_http_cert_name: "{{ ansible_inventory }}"`
lint: ansible-lint suggested updates 2025-11-01 15:07:36 +00:00			`ipareplica_http_cert_files: ["/root/server.p12"]`
Initial import; migrate some roles from irl.wip 2025-10-31 22:36:32 +00:00			`ipareplica_http_pin: ""`
			`ipareplica_no_pkinit: true`
			`ipareplica_setup_dns: false`

			`- name: FreeIPA \| AUDIT \| Check current authselect configuration`
lint: ansible-lint suggested updates 2025-11-01 15:07:36 +00:00			`ansible.builtin.command: authselect current`
Initial import; migrate some roles from irl.wip 2025-10-31 22:36:32 +00:00			`register: freeipa_authselect_status`
			`changed_when: false`

			`- name: FreeIPA \| PATCH \| Apply authselect profile with sssd, sudo, and mkhomedir if not set`
lint: ansible-lint suggested updates 2025-11-01 15:07:36 +00:00			`ansible.builtin.command: authselect select sssd with-sudo with-mkhomedir`
Initial import; migrate some roles from irl.wip 2025-10-31 22:36:32 +00:00			`when: >`
			`'Profile ID: sssd' not in freeipa_authselect_status.stdout or`
			`'with-sudo' not in freeipa_authselect_status.stdout or`
			`'with-mkhomedir' not in freeipa_authselect_status.stdout`