roles: Fix when, block and always key order.

ansible-lint warns if 'warn' key is used before block and always keys.
2026-05-08 22:34:26 +00:00 · 2023-01-03 18:21:07 -03:00
parent 292e2eb60e
commit 5062ac2b09
8 changed files with 58 additions and 88 deletions
--- a/roles/ipaclient/tasks/install.yml
+++ b/roles/ipaclient/tasks/install.yml
@@ -29,6 +29,8 @@
  when: ipaadmin_principal is undefined and ipaclient_keytab is undefined

 - name: Install - DNS resolver configuration
+  when: ipaclient_configure_dns_resolver | bool
+        and not ipaclient_on_master | bool
  block:

  - name: Install - Fail on missing ipaclient_domain and ipaserver_domain
@@ -47,9 +49,6 @@
      searchdomains: "{{ ipaserver_domain | default(ipaclient_domain) }}"
      state: present

-  when: ipaclient_configure_dns_resolver | bool
-        and not ipaclient_on_master | bool
-
 - name: Install - IPA client test
  ipaclient_test:
    ### basic ###
@@ -76,6 +75,9 @@
  register: result_ipaclient_test

 - name: Install - Client deployment
+  when: not ansible_check_mode and
+        not (result_ipaclient_test.client_already_configured and
+            not ipaclient_allow_repair | bool and not ipaclient_force_join | bool)
  block:
  - name: Install - Cleanup leftover ccache
    ansible.builtin.file:
@@ -130,6 +132,7 @@
  # If a keytab is specified in the hostent, then the hostent will be disabled
  # if ipaclient_use_otp is set.
  - name: Install - Obtain OTP
+    when: ipaclient_use_otp | bool and ipaclient_otp is not defined
    block:
    - name: Install - Keytab or password is required for getting otp
      ansible.builtin.fail:
@@ -175,9 +178,6 @@
        ipaadmin_orig_password: "{{ ipaadmin_password | default(omit) }}"
        ipaadmin_password: "{{ result_ipaclient_get_otp.host.randompassword
                               if result_ipaclient_get_otp.host is defined }}"
-
-    when: ipaclient_use_otp | bool and ipaclient_otp is not defined
-
    always:
    - name: Install - Remove keytab temporary file
      ansible.builtin.file:
@@ -194,7 +194,15 @@
    when: ipaclient_otp is defined

  - name: Install - Check keytab, principal and keytab
+    when: not ipaclient_on_master | bool
    block:
+    # This block is executed only when
+    # not (not ipaclient_on_master | bool and
+    #      not result_ipaclient_join.changed and
+    #      not ipaclient_allow_repair | bool and
+    #      (result_ipaclient_test_keytab.krb5_keytab_ok or
+    #       (result_ipaclient_join.already_joined is defined and
+    #        result_ipaclient_join.already_joined)))

    - name: Install - Check if principal and keytab are set
      ansible.builtin.fail:
@@ -208,7 +216,6 @@
            and ipaadmin_password is undefined
            and ipaadmin_keytab is undefined
            and ipaclient_keytab is undefined
-    when: not ipaclient_on_master | bool

  - name: Install - Purge {{ result_ipaclient_test.realm }} from host keytab
    ansible.builtin.command: >
@@ -254,16 +261,14 @@
              ipaclient_force_join)

  - name: Install - Allow repair checks
+    when: not ipaclient_on_master | bool and
+          not result_ipaclient_join.changed and
+          not ipaclient_allow_repair | bool and
+          (result_ipaclient_test_keytab.krb5_keytab_ok or
+              (result_ipaclient_join.already_joined is defined and
+                  result_ipaclient_join.already_joined))
    block:
-    # This block is executed only when
-    # not (not ipaclient_on_master | bool and
-    #      not result_ipaclient_join.changed and
-    #      not ipaclient_allow_repair | bool and
-    #      (result_ipaclient_test_keytab.krb5_keytab_ok or
-    #       (result_ipaclient_join.already_joined is defined and
-    #        result_ipaclient_join.already_joined)))
-
-    - name: krb5 configuration not correct
+    - name: The krb5 configuration is not correct
      ansible.builtin.fail:
        msg: >
          The krb5 configuration is not correct, please enable allow_repair
@@ -278,14 +283,14 @@
        msg: >
          The ca.crt file is missing, please enable allow_repair to fix this.
      when: not result_ipaclient_test_keytab.ca_crt_exists
-    when: not ipaclient_on_master | bool and
-          not result_ipaclient_join.changed and
-          not ipaclient_allow_repair | bool and
-          (result_ipaclient_test_keytab.krb5_keytab_ok or
-              (result_ipaclient_join.already_joined is defined and
-                  result_ipaclient_join.already_joined))

  - name: Install - Configuration
+    when: not (not ipaclient_on_master | bool and
+          not result_ipaclient_join.changed and
+          not ipaclient_allow_repair | bool
+              and (result_ipaclient_test_keytab.krb5_keytab_ok
+              or (result_ipaclient_join.already_joined is defined
+              and result_ipaclient_join.already_joined)))
    block:
    - name: Install - Configure IPA default.conf
      ipaclient_ipa_conf:
@@ -407,18 +412,6 @@
        domain: "{{ result_ipaclient_test.domain }}"
        nisdomain: "{{ ipaclient_nisdomain | default(omit) }}"
      when: not ipaclient_no_nisdomain | bool
-
-    when: not (not ipaclient_on_master | bool and
-          not result_ipaclient_join.changed and
-          not ipaclient_allow_repair | bool
-              and (result_ipaclient_test_keytab.krb5_keytab_ok
-              or (result_ipaclient_join.already_joined is defined
-              and result_ipaclient_join.already_joined)))
-
-  when: not ansible_check_mode and
-        not (result_ipaclient_test.client_already_configured and
-            not ipaclient_allow_repair | bool and not ipaclient_force_join | bool)
-
  always:
  - name: Install - Restore original admin password if overwritten by OTP
    no_log: yes