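---
# Site playbook: applies the sr2c.core baseline role to four host groups
# (ipaservers, keycloak, prometheus, generic) and layers the FreeIPA,
# Keycloak and Prometheus roles on top. Every play also deploys
# node_exporter under the "prometheus" tag.

- name: Deploy and update the FreeIPA servers
  hosts:
    - ipaservers
  vars:
    # Required for FreeIPA setup: EPEL packages the baseline role is told to
    # allow on the IPA servers (the certbot stack plus node-exporter).
    baseline_epel_packages_allowed:
      - certbot
      - python3-certbot
      - python3-pyrfc3339
      - python3-parsedatetime
      - python3-josepy
      - python3-importlib-metadata
      - python3-configargparse
      - python3-acme
      - python3-zipp
      - python3-pyOpenSSL
      - node-exporter
    # FreeIPA runs an httpd front end and can run integrated DNS; presumably
    # these flags stop the CIS hardening from treating those services as
    # unneeded -- verify against the rhel9cis role.
    rhel9cis_dns_server: true
    rhel9cis_httpd_server: true
    # TODO: Restricted umask breaks FreeIPA roles, so these two CIS rules are
    # switched off for the IPA servers only. Re-enable them once the FreeIPA
    # roles run under the hardened umask.
    rhel9cis_rule_5_4_2_6: false
    rhel9cis_rule_5_4_3_3: false
  roles:
    # No role-level baseline_epel_packages_allowed here: role parameters take
    # precedence over play vars, so repeating the short [node-exporter] list
    # on the role would shadow the FreeIPA allowlist defined above.
    # NOTE(review): this makes the longer list the effective allowlist on the
    # IPA servers; confirm every entry is still needed.
    # NOTE(review): only the freeipa role sets become in this play; presumably
    # privilege escalation for the other roles is configured elsewhere --
    # confirm.
    - role: sr2c.core.baseline
      tags: bootstrap
    - role: sr2c.core.freeipa
      become: true
      tags: freeipa
    - role: sr2c.core.node_exporter
      tags: prometheus

- name: Deploy and update the Keycloak server
  hosts:
    - keycloak
  # Play-level become: every role in this play runs with privilege escalation.
  become: true
  roles:
    - role: sr2c.core.baseline
      baseline_epel_packages_allowed:
        - node-exporter
      tags: bootstrap
    # Enrols the host as an IPA client during bootstrap.
    - role: freeipa.ansible_freeipa.ipaclient
      state: present
      tags: bootstrap
    - role: sr2c.core.podman_keycloak
      tags: keycloak
    - role: sr2c.core.node_exporter
      tags: prometheus

- name: Deploy and update the Prometheus server
  hosts:
    - prometheus
  roles:
    - role: sr2c.core.baseline
      vars:
        baseline_epel_packages_allowed:
          - node-exporter
      tags: bootstrap
    # Enrols the host as an IPA client during bootstrap; become is set on this
    # role only, not on the play.
    - role: freeipa.ansible_freeipa.ipaclient
      become: true
      state: present
      tags: bootstrap
    - role: sr2c.core.node_exporter
      tags: prometheus
    - role: sr2c.core.podman_prometheus
      tags: prometheus

# Hosts in this group get the baseline and node_exporter only; no application
# role is applied by this playbook.
- name: Baseline for generic servers (manual or externally managed application deployment)
  hosts:
    - generic
  roles:
    - role: sr2c.core.baseline
      baseline_epel_packages_allowed:
        - node-exporter
      tags: bootstrap
    - role: sr2c.core.node_exporter
      tags: prometheus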