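---
# Identity infrastructure playbook: the FreeIPA servers first, then the
# Keycloak host, which is enrolled as a FreeIPA client.
# Layout restored to one key per line: collapsed onto a single line, the
# first `#` comment swallows everything after it and the file does not parse
# as a playbook.

- name: Deploy and update the FreeIPA servers
  hosts:
    - ipaservers
  become: true  # Required by FreeIPA roles
  vars:
    # Required for FreeIPA setup
    # NOTE(review): presumably the allow-list of EPEL packages the baseline
    # role permits on these hosts - confirm against sr2c.core.baseline. Keep
    # it to the certbot dependency set so the third-party repository exposure
    # stays small.
    baseline_epel_packages_allowed:
      - certbot
      - python3-certbot
      - python3-pyrfc3339
      - python3-parsedatetime
      - python3-josepy
      - python3-importlib-metadata
      - python3-configargparse
      - python3-acme
      - python3-zipp
      - python3-pyOpenSSL
    # NOTE(review): presumably these tell the CIS hardening to leave the DNS
    # and HTTP services in place on these hosts - confirm in the baseline
    # role.
    rhel9cis_dns_server: true
    rhel9cis_httpd_server: true
    # TODO: Restricted umask breaks FreeIPA roles
    # NOTE(review): hardening exception. These two CIS rules are switched off
    # for this play only; the Keycloak play below sets no overrides. Record
    # the exception and re-enable both rules once the FreeIPA roles run under
    # the restricted umask.
    rhel9cis_rule_5_4_2_6: false
    rhel9cis_rule_5_4_3_3: false
  roles:
    - role: sr2c.core.baseline
      tags: bootstrap
    - role: sr2c.core.freeipa
      tags: freeipa

- name: Deploy and update the Keycloak server
  hosts:
    - keycloak
  become: true
  roles:
    # Baseline runs first and, with no vars overridden in this play, applies
    # its default settings.
    - role: sr2c.core.baseline
      tags: bootstrap
    # Enrols the host as a FreeIPA client before Keycloak is deployed.
    - role: freeipa.ansible_freeipa.ipaclient
      state: present
      tags: bootstrap
    - role: sr2c.core.podman_keycloak
      tags: keycloak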