Merge pull request #227 from rjeffman/fix_host_reverse

Fixes behavior for host module attribute `reverse`
Fixes behavior for host module attribute reverse
2026-03-29 14:53:06 +00:00 · 2020-03-16 12:48:06 +01:00 · 2020-03-13 11:54:49 -03:00 · 2020-03-12 06:32:25 -03:00 · 2020-03-10 15:19:22 -03:00 · 2020-03-10 15:18:26 -03:00
353 changed files with 37201 additions and 3381 deletions
--- a/README-dnsconfig.md
+++ b/README-dnsconfig.md
@@ -0,0 +1,140 @@
+DNSConfig module
+============
+
+Description
+-----------
+
+The dnsconfig module allows to modify global DNS configuration.
+
+
+Features
+--------
+* Global DNS configuration
+
+
+Supported FreeIPA Versions
+--------------------------
+
+FreeIPA versions 4.4.0 and up are supported by the ipadnsconfig module.
+
+
+Requirements
+------------
+
+**Controller**
+* Ansible version: 2.8+
+
+**Node**
+* Supported FreeIPA version (see above)
+
+
+Usage
+=====
+
+Example inventory file
+
+```ini
+[ipaserver]
+ipaserver.test.local
+```
+
+Example playbook to set global DNS configuration:
+
+```yaml
+---
+- name: Playbook to handle global DNS configuration
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  # Set dnsconfig.
+  - ipadnsconfig:
+      forwarders:
+        - ip_address: 8.8.4.4
+        - ip_address: 2001:4860:4860::8888
+          port: 53
+      forward_policy: only
+      allow_sync_ptr: yes
+```
+
+Example playbook to ensure a global forwarder, with a custom port, is absent:
+
+```yaml
+---
+- name: Playbook to handle global DNS configuration
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  # Ensure global forwarder with a custom port is absent.
+  - ipadnsconfig:
+      forwarders:
+          - ip_address: 2001:4860:4860::8888
+            port: 53
+      state: absent
+```
+
+Example playbook to disable global forwarders:
+
+```yaml
+---
+- name: Playbook to disable global DNS forwarders
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  # Disable global forwarders.
+  - ipadnsconfig:
+      forward_policy: none
+```
+
+Example playbook to change global forward policy:
+
+```yaml
+---
+- name: Playbook to change global forward policy
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  # Disable global forwarders.
+  - ipadnsconfig:
+      forward_policy: first
+```
+
+Example playbook to disallow synchronization of forward (A, AAAA) and reverse (PTR) records:
+
+```yaml
+---
+- name: Playbook to disallow reverse synchronization.
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  # Disable global forwarders.
+  - ipadnsconfig:
+      allow_sync_ptr: no
+```
+
+Variables
+=========
+
+ipadnsconfig
+------------
+
+Variable | Description | Required
+-------- | ----------- | --------
+`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
+`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
+`forwarders` | The list of forwarders dicts. Each `forwarders` dict entry has:| no
+&nbsp; | `ip_address` - The IPv4 or IPv6 address of the DNS server. | yes
+&nbsp; | `port` - The custom port that should be used on this server. | no
+`forward_policy` | The global forwarding policy. It can be one of `only`, `first`, or `none`.  | no
+`allow_sync_ptr` | Allow synchronization of forward (A, AAAA) and reverse (PTR) records (bool). | yes
+`state` | The state to ensure. It can be one of `present` or `absent`, default: `present`. | yes
+
+
+Authors
+=======
+
+Rafael Guterres Jeffman
--- a/README-group.md
+++ b/README-group.md
@@ -0,0 +1,153 @@
+Group module
+============
+
+Description
+-----------
+
+The group module allows to ensure presence and absence of groups and members of groups.
+
+The group module is as compatible as possible to the Ansible upstream `ipa_group` module, but additionally offers to add users to a group and also to remove users from a group.
+
+
+Features
+--------
+* Group management
+
+
+Supported FreeIPA Versions
+--------------------------
+
+FreeIPA versions 4.4.0 and up are supported by the ipagroup module.
+
+
+Requirements
+------------
+
+**Controller**
+* Ansible version: 2.8+
+
+**Node**
+* Supported FreeIPA version (see above)
+
+
+Usage
+=====
+
+Example inventory file
+
+```ini
+[ipaserver]
+ipaserver.test.local
+```
+
+
+Example playbook to add groups:
+
+```yaml
+---
+- name: Playbook to handle groups
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  # Create group ops with gid 1234
+  - ipagroup:
+      ipaadmin_password: SomeADMINpassword
+      name: ops
+      gidnumber: 1234
+
+  # Create group sysops
+  - ipagroup:
+      ipaadmin_password: SomeADMINpassword
+      name: sysops
+      user:
+      - pinky
+
+  # Create group appops
+  - ipagroup:
+      ipaadmin_password: SomeADMINpassword
+      name: appops
+```
+
+Example playbook to add users to a group:
+
+```yaml
+---
+- name: Playbook to handle groups
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  # Add user member brain to group sysops
+  - ipagroup:
+      ipaadmin_password: SomeADMINpassword
+      name: sysops
+      action: member
+      user:
+      - brain
+```
+`action` controls if a the group or member will be handled. To add or remove members, set `action` to `member`.
+
+
+Example playbook to add group members to a group:
+
+```yaml
+---
+- name: Playbook to handle groups
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  # Add group members sysops and appops to group sysops
+  - ipagroup:
+      ipaadmin_password: SomeADMINpassword
+      name: ops
+      group:
+      - sysops
+      - appops
+```
+
+Example playbook to remove groups:
+
+```yaml
+---
+- name: Playbook to handle groups
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  # Remove goups sysops, appops and ops
+  - ipagroup:
+      ipaadmin_password: SomeADMINpassword
+      name: sysops,appops,ops
+      state: absent
+```
+
+
+Variables
+=========
+
+ipagroup
+-------
+
+Variable | Description | Required
+-------- | ----------- | --------
+`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
+`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
+`name` \| `cn` | The list of group name strings. | no
+`description` | The group description string. | no
+`gid` \| `gidnumber` | The GID integer. | no
+`nonposix` | Create as a non-POSIX group. (bool) | no
+`external` | Allow adding external non-IPA members from trusted domains. (bool) | no
+`nomembers` | Suppress processing of membership attributes. (bool) | no
+`user` | List of user name strings assigned to this group. | no
+`group` | List of group name strings assigned to this group. | no
+`service` | List of service name strings assigned to this group. Only usable with IPA versions 4.7 and up. | no
+`action` | Work on group or member level. It can be on of `member` or `group` and defaults to `group`. | no
+`state` | The state to ensure. It can be one of `present` or `absent`, default: `present`. | yes
+
+
+Authors
+=======
+
+Thomas Woerner
--- a/README-hbacrule.md
+++ b/README-hbacrule.md
@@ -0,0 +1,158 @@
+HBACrule module
+===============
+
+Description
+-----------
+
+The hbacrule (HBAC Rule) module allows to ensure presence and absence of HBAC Rules and host, hostgroups, HBAC Services, HBAC Service Groups, users, and user groups as members of HBAC Rule.
+
+
+Features
+--------
+* HBAC Rule management
+
+
+Supported FreeIPA Versions
+--------------------------
+
+FreeIPA versions 4.4.0 and up are supported by the ipahbacrule module.
+
+
+Requirements
+------------
+
+**Controller**
+* Ansible version: 2.8+
+
+**Node**
+* Supported FreeIPA version (see above)
+
+
+Usage
+=====
+
+Example inventory file
+
+```ini
+[ipaserver]
+ipaserver.test.local
+```
+
+
+Example playbook to make sure HBAC Rule login exists:
+
+```yaml
+---
+- name: Playbook to handle hbacrules
+  hbacsvcs: ipaserver
+  become: true
+
+  tasks:
+  # Ensure HBAC Rule login is present
+  - ipahbacrule:
+      ipaadmin_password: SomeADMINpassword
+      name: login
+```
+
+
+Example playbook to make sure HBAC Rule login exists with the only HBAC Service sshd:
+
+```yaml
+---
+- name: Playbook to handle hbacrules
+  hbacsvcs: ipaserver
+  become: true
+
+  tasks:
+  # Ensure HBAC Rule login is present with the only HBAC Service sshd
+  - ipahbacrule:
+      ipaadmin_password: SomeADMINpassword
+      name: login
+      hbacsvc:
+      - sshd
+```
+
+Example playbook to make sure HBAC Service sshd is present in HBAC Rule login:
+
+```yaml
+---
+- name: Playbook to handle hbacrules
+  hbacsvcs: ipaserver
+  become: true
+
+  tasks:
+  # Ensure HBAC Service sshd is present in HBAC Rule login
+  - ipahbacrule:
+      ipaadmin_password: SomeADMINpassword
+      name: login
+      hbacsvc:
+      - sshd
+      action: member
+```
+
+Example playbook to make sure HBAC Service sshd is absent in HBAC Rule login:
+
+```yaml
+---
+- name: Playbook to handle hbacrules
+  hbacsvcs: ipaserver
+  become: true
+
+  tasks:
+  # Ensure HBAC Service sshd is present in HBAC Rule login
+  - ipahbacrule:
+      ipaadmin_password: SomeADMINpassword
+      name: login
+      hbacsvc:
+      - sshd
+      action: member
+      state: absent
+```
+
+Example playbook to make sure HBAC Rule login is absent:
+
+```yaml
+---
+- name: Playbook to handle hbacrules
+  hbacsvcs: ipaserver
+  become: true
+
+  tasks:
+  # Ensure HBAC Rule login is present
+  - ipahbacrule:
+      ipaadmin_password: SomeADMINpassword
+      name: login
+      state: absent
+```
+
+
+Variables
+=========
+
+ipahbacrule
+---------------
+
+Variable | Description | Required
+-------- | ----------- | --------
+`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
+`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
+`name` \| `cn` | The list of hbacrule name strings. | yes
+`description` | The hbacrule description string. | no
+`usercategory` \| `usercat` | User category the rule applies to. Choices: ["all"] | no
+`hostcategory` \| `hostcat` | Host category the rule applies to. Choices: ["all"] | no
+`servicecategory` \| `servicecat` | HBAC service category the rule applies to. Choices: ["all"] | no
+`nomembers` | Suppress processing of membership attributes. (bool) | no
+`host` | List of host name strings assigned to this hbacrule. | no
+`hostgroup` | List of host group name strings assigned to this hbacrule. | no
+`hbacsvc` | List of HBAC Service name strings assigned to this hbacrule. | no
+`hbacsvcgroup` | List of HBAC Service Group name strings assigned to this hbacrule. | no
+`user` | List of user name strings assigned to this hbacrule. | no
+`group` | List of user group name strings assigned to this hbacrule. | no
+`action` | Work on hbacrule or member level. It can be on of `member` or `hbacrule` and defaults to `hbacrule`. | no
+`state` | The state to ensure. It can be one of `present`, `absent`, `enabled` or `disabled`, default: `present`. | no
+
+
+Authors
+=======
+
+Thomas Woerner
--- a/README-hbacsvc.md
+++ b/README-hbacsvc.md
@@ -0,0 +1,109 @@
+HBACsvc module
+==============
+
+Description
+-----------
+
+The hbacsvc (HBAC Service) module allows to ensure presence and absence of HBAC Services.
+
+
+Features
+--------
+* HBACsvc management
+
+
+Supported FreeIPA Versions
+--------------------------
+
+FreeIPA versions 4.4.0 and up are supported by the ipahbacsvc module.
+
+
+Requirements
+------------
+
+**Controller**
+* Ansible version: 2.8+
+
+**Node**
+* Supported FreeIPA version (see above)
+
+
+Usage
+=====
+
+Example inventory file
+
+```ini
+[ipaserver]
+ipaserver.test.local
+```
+
+
+Example playbook to make sure HBAC Service for http is present
+
+```yaml
+---
+- name: Playbook to handle HBAC Services
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  # Ensure HBAC Service for http is present
+  - ipahbacsvc:
+      ipaadmin_password: SomeADMINpassword
+      name: http
+      description: Web service
+```
+
+Example playbook to make sure HBAC Service for tftp is present
+
+```yaml
+---
+- name: Playbook to handle HBAC Services
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  # Ensure HBAC Service for tftp is present
+  - ipahbacsvc:
+      ipaadmin_password: SomeADMINpassword
+      name: tftp
+      description: TFTPWeb service
+```
+
+Example playbook to make sure HBAC Services for http and tftp are absent
+
+```yaml
+---
+- name: Playbook to handle HBAC Services
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  # Ensure HBAC Service for http and tftp are absent
+  - ipahbacsvc:
+      ipaadmin_password: SomeADMINpassword
+      name: http,tftp
+      state: absent
+```
+
+
+Variables
+=========
+
+ipahbacsvc
+----------
+
+Variable | Description | Required
+-------- | ----------- | --------
+`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
+`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
+`name` \| `cn` \| `service` | The list of hbacsvc name strings. | no
+`description` | The hbacsvc description string. | no
+`state` | The state to ensure. It can be one of `present` or `absent`, default: `present`. | no
+
+
+Authors
+=======
+
+Thomas Woerner
--- a/README-hbacsvcgroup.md
+++ b/README-hbacsvcgroup.md
@@ -0,0 +1,150 @@
+HBACsvcgroup module
+===================
+
+Description
+-----------
+
+The hbacsvcgroup (HBAC Service Group) module allows to ensure presence and absence of HBAC Service Groups and members of the groups.
+
+
+Features
+--------
+* HBAC Service Group management
+
+
+Supported FreeIPA Versions
+--------------------------
+
+FreeIPA versions 4.4.0 and up are supported by the ipahbacsvcgroup module.
+
+
+Requirements
+------------
+
+**Controller**
+* Ansible version: 2.8+
+
+**Node**
+* Supported FreeIPA version (see above)
+
+
+Usage
+=====
+
+Example inventory file
+
+```ini
+[ipaserver]
+ipaserver.test.local
+```
+
+
+Example playbook to make sure HBAC Service Group login exists:
+
+```yaml
+---
+- name: Playbook to handle hbacsvcgroups
+  hbacsvcs: ipaserver
+  become: true
+
+  tasks:
+  # Ensure HBAC Service Group login is present
+  - ipahbacsvcgroup:
+      ipaadmin_password: SomeADMINpassword
+      name: login
+```
+
+
+Example playbook to make sure HBAC Service Group login exists with the only HBAC Service sshd:
+
+```yaml
+---
+- name: Playbook to handle hbacsvcgroups
+  hbacsvcs: ipaserver
+  become: true
+
+  tasks:
+  # Ensure HBAC Service Group login is present with the only HBAC Service sshd
+  - ipahbacsvcgroup:
+      ipaadmin_password: SomeADMINpassword
+      name: login
+      hbacsvc:
+      - sshd
+```
+
+Example playbook to make sure HBAC Service sshd is present in HBAC Service Group login:
+
+```yaml
+---
+- name: Playbook to handle hbacsvcgroups
+  hbacsvcs: ipaserver
+  become: true
+
+  tasks:
+  # Ensure HBAC Service sshd is present in HBAC Service Group login
+  - ipahbacsvcgroup:
+      ipaadmin_password: SomeADMINpassword
+      name: login
+      hbacsvc:
+      - sshd
+      action: member
+```
+
+Example playbook to make sure HBAC Service sshd is absent in HBAC Service Group login:
+
+```yaml
+---
+- name: Playbook to handle hbacsvcgroups
+  hbacsvcs: ipaserver
+  become: true
+
+  tasks:
+  # Ensure HBAC Service sshd is present in HBAC Service Group login
+  - ipahbacsvcgroup:
+      ipaadmin_password: SomeADMINpassword
+      name: login
+      hbacsvc:
+      - sshd
+      action: member
+      state: absent
+```
+
+Example playbook to make sure HBAC Service Group login is absent:
+
+```yaml
+---
+- name: Playbook to handle hbacsvcgroups
+  hbacsvcs: ipaserver
+  become: true
+
+  tasks:
+  # Ensure HBAC Service Group login is present
+  - ipahbacsvcgroup:
+      ipaadmin_password: SomeADMINpassword
+      name: login
+      state: absent
+```
+
+
+Variables
+=========
+
+ipahbacsvcgroup
+---------------
+
+Variable | Description | Required
+-------- | ----------- | --------
+`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
+`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
+`name` \| `cn` | The list of hbacsvcgroup name strings. | no
+`description` | The hbacsvcgroup description string. | no
+`nomembers` | Suppress processing of membership attributes. (bool) | no
+`hbacsvc` | List of hbacsvc name strings assigned to this hbacsvcgroup. | no
+`action` | Work on hbacsvcgroup or member level. It can be on of `member` or `hbacsvcgroup` and defaults to `hbacsvcgroup`. | no
+`state` | The state to ensure. It can be one of `present` or `absent`, default: `present`. | no
+
+
+Authors
+=======
+
+Thomas Woerner
--- a/README-host.md
+++ b/README-host.md
@@ -0,0 +1,384 @@
+Host module
+===========
+
+Description
+-----------
+
+The host module allows to ensure presence, absence and disablement of hosts.
+
+The host module is as compatible as possible to the Ansible upstream `ipa_host` module, but additionally offers to disable hosts.
+
+
+Features
+--------
+* Host management
+
+
+Supported FreeIPA Versions
+--------------------------
+
+FreeIPA versions 4.4.0 and up are supported by the ipahost module.
+
+
+Requirements
+------------
+
+**Controller**
+* Ansible version: 2.8+
+
+**Node**
+* Supported FreeIPA version (see above)
+
+
+Usage
+=====
+
+Example inventory file
+
+```ini
+[ipaserver]
+ipaserver.test.local
+```
+
+
+Example playbook to ensure host presence:
+
+```yaml
+---
+- name: Playbook to handle hosts
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  # Ensure host is present
+  - ipahost:
+      ipaadmin_password: SomeADMINpassword
+      name: host01.example.com
+      description: Example host
+      ip_address: 192.168.0.123
+      locality: Lab
+      ns_host_location: Lab
+      ns_os_version: CentOS 7
+      ns_hardware_platform: Lenovo T61
+      mac_address:
+      - "08:00:27:E3:B1:2D"
+      - "52:54:00:BD:97:1E"
+      state: present
+```
+Compared to `ipa host-add` command no IP address conflict check is done as the ipahost module supports to have several IPv4 and IPv6 addresses for a host.
+
+
+Example playbook to ensure host presence with several IP addresses:
+
+```yaml
+---
+- name: Playbook to handle hosts
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  # Ensure host is present
+  - ipahost:
+      ipaadmin_password: SomeADMINpassword
+      name: host01.example.com
+      description: Example host
+      ip_address:
+      - 192.168.0.123
+      - 192.168.0.124
+      - fe80::20c:29ff:fe02:a1b3
+      - fe80::20c:29ff:fe02:a1b4
+      locality: Lab
+      ns_host_location: Lab
+      ns_os_version: CentOS 7
+      ns_hardware_platform: Lenovo T61
+      mac_address:
+      - "08:00:27:E3:B1:2D"
+      - "52:54:00:BD:97:1E"
+      state: present
+```
+
+
+Example playbook to ensure IP addresses are present for a host:
+
+```yaml
+---
+- name: Playbook to handle hosts
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  # Ensure host is present
+  - ipahost:
+      ipaadmin_password: SomeADMINpassword
+      name: host01.example.com
+      ip_address:
+      - 192.168.0.124
+      - fe80::20c:29ff:fe02:a1b4
+      action: member
+      state: present
+```
+
+
+Example playbook to ensure IP addresses are absent for a host:
+
+```yaml
+---
+- name: Playbook to handle hosts
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  # Ensure host is present
+  - ipahost:
+      ipaadmin_password: SomeADMINpassword
+      name: host01.example.com
+      ip_address:
+      - 192.168.0.124
+      - fe80::20c:29ff:fe02:a1b4
+      action: member
+      state: absent
+```
+
+
+Example playbook to ensure host presence without DNS:
+
+```yaml
+---
+- name: Playbook to handle hosts
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  # Ensure host is present without DNS
+  - ipahost:
+      ipaadmin_password: SomeADMINpassword
+      name: host02.example.com
+      description: Example host
+      force: yes
+```
+
+
+Example playbook to ensure host presence with a random password:
+
+```yaml
+---
+- name: Ensure host with random password
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  - name: Host host01.example.com present with random password
+    ipahost:
+      ipaadmin_password: SomeADMINpassword
+      name: host01.example.com
+      random: yes
+      force: yes
+    register: ipahost
+
+  - name: Print generated random password
+    debug:
+      var: ipahost.host.randompassword
+```
+Please remember that the `force` tag will also force the generation of a new random password even if the host already exists and if `update_password` is limited to `on_create`.
+
+
+Example playbook to ensure presence of several hosts with a random password:
+
+```yaml
+---
+- name: Ensure hosts with random password
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  - name: Hosts host01.example.com and host01.example.com present with random passwords
+    ipahost:
+      ipaadmin_password: SomeADMINpassword
+      hosts:
+      - name: host01.example.com
+        random: yes
+        force: yes
+      - name: host02.example.com
+        random: yes
+        force: yes
+    register: ipahost
+
+  - name: Print generated random password for host01.example.com
+    debug:
+      var: ipahost.host["host01.example.com"].randompassword
+
+  - name: Print generated random password for host02.example.com
+    debug:
+      var: ipahost.host["host02.example.com"].randompassword
+```
+Please remember that the `force` tag will also force the generation of a new random password even if the host alreay exists and if `update_password` is limited to `on_create`.
+
+
+Example playbook to ensure presence of host member principal:
+
+```yaml
+---
+- name: Host present with principal
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  - name: Host host01.example.com present with principals host/testhost01.example.com and host/myhost01.example.com
+    ipahost:
+      ipaadmin_password: SomeADMINpassword
+      name: host01.example.com
+      principal:
+      - host/testhost01.example.com
+      - host/myhost01.example.com
+      action: member
+```
+
+
+Example playbook to ensure presence of host member certificate:
+
+```yaml
+- name: Host present with certificate
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  - name: Host host01.example.com present with certificate
+    ipahost:
+      ipaadmin_password: SomeADMINpassword
+      name: host01.example.com
+      certificate:
+      - MIIC/zCCAeegAwIBAg...
+      action: member
+```
+
+
+Example playbook to ensure presence of member managedby_host for serveral hosts:
+
+```yaml
+---
+- name: Host present with managedby_host
+  hosts: ipaserver
+  become: true
+
+  tasks:
+    ipahost:
+      ipaadmin_password: SomeADMINpassword
+      hosts:
+      - name: host01.exmaple.com
+        managedby_host: server.exmaple.com
+      - name: host02.exmaple.com
+        managedby_host: server.exmaple.com
+      action: member
+```
+
+
+Example playbook to disable a host:
+
+```yaml
+---
+- name: Playbook to handle hosts
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  # Ensure host is disabled
+  - ipahost:
+      ipaadmin_password: SomeADMINpassword
+      name: host01.example.com
+      update_dns: yes
+      state: disabled
+```
+`update_dns` controls if the DNS entries will be updated in this case. For `state` present it is controlling the update of the DNS SSHFP records, but not the the other DNS records.
+
+
+Example playbook to ensure a host is absent:
+
+```yaml
+---
+- name: Playbook to handle hosts
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  # Ensure host is absent
+  - ipahost:
+      ipaadmin_password: password1
+      name: host01.example.com
+      state: absent
+```
+
+
+Variables
+=========
+
+ipahost
+-------
+
+Variable | Description | Required
+-------- | ----------- | --------
+`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
+`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
+`name` \| `fqdn` | The list of host name strings. `name` with *host variables* or `hosts` containing *host variables* need to be used. | no
+**Host variables** | Only used with `name` variable in the first level. | no
+`hosts` | The list of host dicts. Each `hosts` dict entry can contain **host variables**.<br>There is one required option in the `hosts` dict:| no
+&nbsp; | `name` \| `fqdn` - The user name string of the entry. | yes
+&nbsp; | **Host variables** | no
+`update_password` |  Set password for a host in present state only on creation or always. It can be one of `always` or `on_create` and defaults to `always`. | no
+`action` | Work on host or member level. It can be on of `member` or `host` and defaults to `host`. | no
+`state` | The state to ensure. It can be one of `present`, `absent` or `disabled`, default: `present`. | yes
+
+
+**Host Variables:**
+
+Variable | Description | Required
+-------- | ----------- | --------
+`description` | The host description. | no
+`locality` | Host locality (e.g. "Baltimore, MD"). | no
+`location` \| `ns_host_location` | Host location (e.g. "Lab 2"). | no
+`platform` \| `ns_hardware_platform` | Host hardware platform (e.g. "Lenovo T61"). | no
+`os` \| `ns_os_version` | Host operating system and version (e.g. "Fedora 9"). | no
+`password` \| `user_password` \| `userpassword` | Password used in bulk enrollment. | no
+`random` \| `random_password` |  Initiate the generation of a random password to be used in bulk enrollment. | no
+`certificate` \| `usercertificate` | List of base-64 encoded host certificates | no
+`managedby` \| `principalname` \| `krbprincipalname` | List of hosts that can manage this host | no
+`principal` \| `principalname` \| `krbprincipalname` | List of principal aliases for this host | no
+`allow_create_keytab_user` \| `ipaallowedtoperform_write_keys_user` | Users allowed to create a keytab of this host. | no
+`allow_create_keytab_group` \| `ipaallowedtoperform_write_keys_group` | Groups allowed to create a keytab of this host. | no
+`allow_create_keytab_host` \| `ipaallowedtoperform_write_keys_host` | Hosts allowed to create a keytab of this host. | no
+`allow_create_keytab_hostgroup` \| `ipaallowedtoperform_write_keys_hostgroup` | Host groups allowed to create a keytab of this host. | no
+`allow_retrieve_keytab_user` \| `ipaallowedtoperform_read_keys_user` | Users allowed to retieve a keytab of this host. | no
+`allow_retrieve_keytab_group` \| `ipaallowedtoperform_read_keys_group` | Groups allowed to retieve a keytab of this host. | no
+`allow_retrieve_keytab_host` \| `ipaallowedtoperform_read_keys_host` | Hosts allowed to retieve a keytab of this host. | no
+`allow_retrieve_keytab_hostgroup` \| `ipaallowedtoperform_read_keys_hostgroup` | Host groups allowed to retieve a keytab of this host. | no
+`mac_address` \| `macaddress` | List of hardware MAC addresses. | no
+`sshpubkey` \| `ipasshpubkey` | List of SSH public keys | no
+`userclass` \| `class` | Host category (semantics placed on this attribute are for local interpretation) | no
+`auth_ind` \| `krbprincipalauthind` | Defines a whitelist for Authentication Indicators. Use 'otp' to allow OTP-based 2FA authentications. Use 'radius' to allow RADIUS-based 2FA authentications. Use empty string to reset auth_ind to the initial value. Other values may be used for custom configurations. choices: ["radius", "otp", "pkinit", "hardened", ""] | no
+`requires_pre_auth` \| `ipakrbrequirespreauth` | Pre-authentication is required for the service (bool) | no
+`ok_as_delegate` \| `ipakrbokasdelegate` | Client credentials may be delegated to the service (bool) | no
+`ok_to_auth_as_delegate` \| `ipakrboktoauthasdelegate` | The service is allowed to authenticate on behalf of a client (bool) | no
+`force` | Force host name even if not in DNS. | no
+`reverse` | Reverse DNS detection. | no
+`ip_address` \| `ipaddress` | The host IP address list. It can contain IPv4 and IPv6 addresses. No conflict check for IP addresses is done. | no
+`update_dns` | For existing hosts: DNS SSHFP records are updated with `state` present and all DNS entries for a host removed with `state` absent. | no
+
+
+Return Values
+=============
+
+ipahost
+-------
+
+There are only return values if one or more random passwords have been generated.
+
+Variable | Description | Returned When
+-------- | ----------- | -------------
+`host` | Host dict with random password. (dict) <br>Options: | If random is yes and host did not exist or update_password is yes
+&nbsp; | `randompassword` - The generated random password | If only one host is handled by the module
+&nbsp; | `name` - The host name of the host that got a new random password. (dict) <br> Options: <br> &nbsp; `randompassword` - The generated random password | If several hosts are handled by the module
+
+
+Authors
+=======
+
+Thomas Woerner
--- a/README-hostgroup.md
+++ b/README-hostgroup.md
@@ -0,0 +1,147 @@
+Hostgroup module
+================
+
+Description
+-----------
+
+The hostgroup module allows to ensure presence and absence of hostgroups and members of hostgroups.
+
+The hostgroup module is as compatible as possible to the Ansible upstream `ipa_hostgroup` module, but additionally offers to make sure that hosts are present or absent in a hostgroup.
+
+
+Features
+--------
+* Hostgroup management
+
+
+Supported FreeIPA Versions
+--------------------------
+
+FreeIPA versions 4.4.0 and up are supported by the ipahostgroup module.
+
+
+Requirements
+------------
+
+**Controller**
+* Ansible version: 2.8+
+
+**Node**
+* Supported FreeIPA version (see above)
+
+
+Usage
+=====
+
+Example inventory file
+
+```ini
+[ipaserver]
+ipaserver.test.local
+```
+
+
+Example playbook to make sure hostgroup databases exists:
+
+```yaml
+---
+- name: Playbook to handle hostgroups
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  # Ensure host-group databases is present
+  - ipahostgroup:
+      ipaadmin_password: SomeADMINpassword
+      name: databases
+      host:
+      - db.example.com
+      hostgroup:
+      - mysql-server
+      - oracle-server
+```
+
+Example playbook to make sure that hosts and hostgroups are present in existing databases hostgroup:
+
+```yaml
+---
+- name: Playbook to handle hostgroups
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  # Ensure hosts and hostgroups are present in existing databases hostgroup
+  - ipahostgroup:
+      ipaadmin_password: SomeADMINpassword
+      name: databases
+      host:
+      - db.example.com
+      hostgroup:
+      - mysql-server
+      - oracle-server
+      action: member
+```
+`action` controls if a the hostgroup or member will be handled. To add or remove members, set `action` to `member`.
+
+Example playbook to make sure hosts and hostgroups are absent in databases hostgroup:
+
+```yaml
+---
+- name: Playbook to handle hostgroups
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  # Ensure hosts and hostgroups are absent in databases hostgroup
+  - ipahostgroup:
+      ipaadmin_password: SomeADMINpassword
+      name: databases
+      host:
+      - db.example.com
+      hostgroup:
+      - mysql-server
+      - oracle-server
+      action: member
+      state: absent
+```
+
+Example playbook to make sure host-group databases is absent:
+
+```yaml
+---
+- name: Playbook to handle hostgroups
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  # Ensure host-group databases is absent
+  - ipahostgroup:
+      ipaadmin_password: SomeADMINpassword
+      name: databases
+      state: absent
+```
+
+
+Variables
+=========
+
+ipahostgroup
+-------
+
+Variable | Description | Required
+-------- | ----------- | --------
+`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
+`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
+`name` \| `cn` | The list of hostgroup name strings. | no
+`description` | The hostgroup description string. | no
+`nomembers` | Suppress processing of membership attributes. (bool) | no
+`host` | List of host name strings assigned to this hostgroup. | no
+`hostgroup` | List of hostgroup name strings assigned to this hostgroup. | no
+`action` | Work on hostgroup or member level. It can be on of `member` or `hostgroup` and defaults to `hostgroup`. | no
+`state` | The state to ensure. It can be one of `present` or `absent`, default: `present`. | no
+
+
+Authors
+=======
+
+Thomas Woerner
--- a/README-pwpolicy.md
+++ b/README-pwpolicy.md
@@ -0,0 +1,117 @@
+Pwpolicy module
+===============
+
+Description
+-----------
+
+The pwpolicy module allows to ensure presence and absence of pwpolicies.
+
+
+Features
+--------
+* Pwpolicy management
+
+
+Supported FreeIPA Versions
+--------------------------
+
+FreeIPA versions 4.4.0 and up are supported by the ipapwpolicy module.
+
+
+Requirements
+------------
+
+**Controller**
+* Ansible version: 2.8+
+
+**Node**
+* Supported FreeIPA version (see above)
+
+
+Usage
+=====
+
+Example inventory file
+
+```ini
+[ipaserver]
+ipaserver.test.local
+```
+
+
+Example playbook to ensure presence of pwpolicies for exisiting group ops:
+
+```yaml
+  tasks:
+  - name: Ensure presence of pwpolicies for group ops
+    ipapwpolicy:
+      ipaadmin_password: SomeADMINpassword
+      name: ops
+      minlife: 7
+      maxlife: 49
+      history: 5
+      priority: 1
+      lockouttime: 300
+      minlength: 8
+      maxfail: 3
+```
+
+Example playbook to ensure absence of pwpolicies for group ops:
+
+```yaml
+---
+- name: Playbook to handle pwpolicies
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  # Ensure absence of pwpolicies for group ops
+  - ipapwpolicy:
+      ipaadmin_password: SomeADMINpassword
+      name: ops
+      state: absent
+```
+
+Example playbook to ensure maxlife is set to 49 in global policy:
+
+```yaml
+---
+- name: Playbook to handle pwpolicies
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  # Ensure absence of pwpolicies for group ops
+  - ipapwpolicy:
+      ipaadmin_password: SomeADMINpassword
+      maxlife: 49
+```
+
+
+Variables
+=========
+
+ipapwpolicy
+-------
+
+Variable | Description | Required
+-------- | ----------- | --------
+`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
+`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
+`name` \| `cn` | The list of pwpolicy name strings. If name is not given, `global_policy` will be used automatically. | no
+`maxlife` \| `krbmaxpwdlife` | Maximum password lifetime in days. (int) | no
+`minlife` \| `krbminpwdlife` | Minimum password lifetime in hours. (int) | no
+`history` \| `krbpwdhistorylength` | Password history size. (int) | no
+`minclasses` \| `krbpwdmindiffchars` | Minimum number of character classes. (int) | no
+`minlength` \| `krbpwdminlength` | Minimum length of password. (int) | no
+`priority` \| `cospriority` | Priority of the policy, higher number means lower priority. (int) | no
+`maxfail` \| `krbpwdmaxfailure` | Consecutive failures before lockout. (int) | no
+`failinterval` \| `krbpwdfailurecountinterval` | Period after which failure count will be reset in seconds. (int) | no
+`lockouttime` \| `krbpwdlockoutduration` | Period for which lockout is enforced in seconds. (int) | no
+`state` | The state to ensure. It can be one of `present` or `absent`, default: `present`. | yes
+
+
+Authors
+=======
+
+Thomas Woerner
--- a/README-service.md
+++ b/README-service.md
@@ -0,0 +1,320 @@
+Service module
+==============
+
+Description
+-----------
+
+The service module allows to ensure presence and absence of services.
+
+
+Features
+--------
+
+* Service management
+
+
+Supported FreeIPA Versions
+--------------------------
+
+FreeIPA versions 4.4.0 and up are supported by the ipaservice module.
+
+Option `skip_host_check` requires FreeIPA version 4.7.0 or later.
+
+
+Requirements
+------------
+
+**Controller**
+* Ansible version: 2.8+
+
+**Node**
+* Supported FReeIPA version (see above)
+
+
+Usage
+=====
+
+Example inventory file
+
+```ini
+[ipaserver]
+ipaserver.test.local
+```
+
+
+Example playbook to make sure service is present:
+
+```yaml
+---
+- name: Playbook to manage IPA service.
+  hosts: ipaserver
+  become: true
+  gather_facts: false
+
+  tasks:
+  # Ensure service is present
+  - ipaservice:
+      ipaadmin_password: SomeADMINpassword
+      name: HTTP/www.example.com
+      certificate:
+        - MIIC/zCCAeegAwIBAgIUMNHIbn+hhrOVew/2WbkteisV29QwDQYJKoZIhvcNAQELBQAw
+        DzENMAsGA1UEAwwEdGVzdDAeFw0yMDAyMDQxNDQxMDhaFw0zMDAyMDExNDQxMDhaMA8xDT
+        ALBgNVBAMMBHRlc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC+XVVGFYpH
+        VkcDfVnNInE1Y/pFciegdzqTjMwUWlRL4Zt3u96GhaMLRbtk+OfEkzLUAhWBOwEraELJzM
+        LJOMvjYF3C+TiGO7dStFLikZmccuSsSIXjnzIPwBXa8KvgRVRyGLoVvGbLJvmjfMXp0nIT
+        oTx/i74KF9S++WEes9H5ErJ99CDhLKFgq0amnvsgparYXhypHaRLnikn0vQINt55YoEd1s
+        4KrvEcD2VdZkIMPbLRu2zFvMprF3cjQQG4LT9ggfEXNIPZ1nQWAnAsu7OJEkNF+E4Mkmpc
+        xj9aGUVt5bsq1D+Tzj3GsidSX0nSNcZ2JltXRnL/5v63g5cZyE+nAgMBAAGjUzBRMB0GA1
+        UdDgQWBBRV0j7JYukuH/r/t9+QeNlRLXDlEDAfBgNVHSMEGDAWgBRV0j7JYukuH/r/t9+Q
+        eNlRLXDlEDAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQCgVy1+1kNwHs
+        5y1Zp0WjMWGCJC6/zw7FDG4OW5r2GJiCXZYdJ0UonY9ZtoVLJPrp2/DAv1m5DtnDhBYqic
+        uPgLzEkOS1KdTi20Otm/J4yxLLrZC5W4x0XOeSVPXOJuQWfwQ5pPvKkn6WxYUYkGwIt1OH
+        2nSMngkbami3CbSmKZOCpgQIiSlQeDJ8oGjWFMLDymYSHoVOIXHwNoooyEiaio3693l6no
+        obyGv49zyCVLVR1DC7i6RJ186ql0av+D4vPoiF5mX7+sKC2E8xEj9uKQ5GTWRh59VnRBVC
+        /SiMJ/H78tJnBAvoBwXxSEvj8Z3Kjm/BQqZfv4IBsA5yqV7MVq
+      pac_type: PAD
+      auth_ind: otp
+      requires_pre_auth: false
+      ok_as_delegate: false
+      ok_to_auth_as_delegate: false
+      skip-host-check: true
+      force: true
+```
+
+
+Example playbook to make sure service is absent:
+
+```yaml
+---
+- name: Playbook to manage IPA service.
+  hosts: ipaserver
+  become: true
+  gather_facts: false
+
+  tasks:
+  # Ensure service is present
+  - ipaservice:
+      ipaadmin_password: SomeADMINpassword
+      name: HTTP/www.example.com
+      state: absent
+```
+
+
+Example playbook to make sure service is disabled:
+
+```yaml
+---
+- name: Playbook to manage IPA service.
+  hosts: ipaserver
+  become: true
+  gather_facts: false
+
+  tasks:
+  # Ensure service is present
+  - ipaservice:
+      ipaadmin_password: SomeADMINpassword
+      name: HTTP/www.example.com
+      state: disabled
+```
+
+Example playbook to add a service even if the host object does not exist, but only if it does have a DNS entry:
+
+```yaml
+---
+- name: Playbook to manage IPA service.
+  hosts: ipaserver
+  become: true
+  gather_facts: false
+
+  tasks:
+  # Ensure service is present
+  - ipaservice:
+      ipaadmin_password: SomeADMINpassword
+      name: HTTP/www.example.com
+      skip_host_check: true
+      force: false
+```
+
+Example playbook to add a service if it does have a DNS entry, but host object exits:
+
+```yaml
+---
+- name: Playbook to manage IPA service.
+  hosts: ipaserver
+  become: true
+  gather_facts: false
+
+  tasks:
+  # Ensure service is present
+  - ipaservice:
+      ipaadmin_password: SomeADMINpassword
+      name: HTTP/www.example.com
+      skip_host_check: false
+      force: true
+```
+
+Example playbook to ensure service has a certificate:
+
+```yaml
+---
+- name: Playbook to manage IPA service.
+  hosts: ipaserver
+  become: true
+  gather_facts: false
+
+  tasks:
+  # Ensure service member certificate is present.
+  - ipaservice:
+      ipaadmin_password: SomeADMINpassword
+      name: HTTP/www.example.com
+      certificate:
+        - MIIC/zCCAeegAwIBAgIUMNHIbn+hhrOVew/2WbkteisV29QwDQYJKoZIhvcNAQELBQAw
+        DzENMAsGA1UEAwwEdGVzdDAeFw0yMDAyMDQxNDQxMDhaFw0zMDAyMDExNDQxMDhaMA8xDT
+        ALBgNVBAMMBHRlc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC+XVVGFYpH
+        VkcDfVnNInE1Y/pFciegdzqTjMwUWlRL4Zt3u96GhaMLRbtk+OfEkzLUAhWBOwEraELJzM
+        LJOMvjYF3C+TiGO7dStFLikZmccuSsSIXjnzIPwBXa8KvgRVRyGLoVvGbLJvmjfMXp0nIT
+        oTx/i74KF9S++WEes9H5ErJ99CDhLKFgq0amnvsgparYXhypHaRLnikn0vQINt55YoEd1s
+        4KrvEcD2VdZkIMPbLRu2zFvMprF3cjQQG4LT9ggfEXNIPZ1nQWAnAsu7OJEkNF+E4Mkmpc
+        xj9aGUVt5bsq1D+Tzj3GsidSX0nSNcZ2JltXRnL/5v63g5cZyE+nAgMBAAGjUzBRMB0GA1
+        UdDgQWBBRV0j7JYukuH/r/t9+QeNlRLXDlEDAfBgNVHSMEGDAWgBRV0j7JYukuH/r/t9+Q
+        eNlRLXDlEDAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQCgVy1+1kNwHs
+        5y1Zp0WjMWGCJC6/zw7FDG4OW5r2GJiCXZYdJ0UonY9ZtoVLJPrp2/DAv1m5DtnDhBYqic
+        uPgLzEkOS1KdTi20Otm/J4yxLLrZC5W4x0XOeSVPXOJuQWfwQ5pPvKkn6WxYUYkGwIt1OH
+        2nSMngkbami3CbSmKZOCpgQIiSlQeDJ8oGjWFMLDymYSHoVOIXHwNoooyEiaio3693l6no
+        obyGv49zyCVLVR1DC7i6RJ186ql0av+D4vPoiF5mX7+sKC2E8xEj9uKQ5GTWRh59VnRBVC
+        /SiMJ/H78tJnBAvoBwXxSEvj8Z3Kjm/BQqZfv4IBsA5yqV7MVq
+      action: member
+      state: present
+```
+
+Example playbook to add a principal to the service:
+
+```yaml
+---
+- name: Playbook to manage IPA service.
+  hosts: ipaserver
+  become: true
+  gather_facts: false
+
+  tasks:
+    # Principal host/principal.example.com present in service.
+    - ipaservice:
+        ipaadmin_password: SomeADMINpassword
+        name: HTTP/www.example.com
+        principal: host/principal.example.com
+        action: member
+```
+
+Example playbook to enable a host to manage service:
+
+```yaml
+---
+- name: Playbook to manage IPA service.
+  hosts: ipaserver
+  become: true
+  gather_facts: false
+
+  tasks:
+    # Ensure host can manage service, again.
+    - ipaservice:
+        ipaadmin_password: SomeADMINpassword
+        name: HTTP/www.example.com
+        host: host1.example.com
+        action: member
+```
+
+Example playbook to allow users, groups, hosts or hostgroups to create a keytab of this service:
+
+```yaml
+---
+- name: Playbook to manage IPA service.
+  hosts: ipaserver
+  become: true
+  gather_facts: false
+
+  tasks:
+    # Allow users, groups, hosts or host groups to create a keytab of this service.
+    - ipaservice:
+        ipaadmin_password: SomeADMINpassword
+        name: HTTP/www.example.com
+        allow_create_keytab_user:
+        - user01
+        - user02
+        allow_create_keytab_group:
+        - group01
+        - group02
+        allow_create_keytab_host:
+        - host1.example.com
+        - host2.example.com
+        allow_create_keytab_hostgroup:
+        - hostgroup01
+        - hostgroup02
+        action: member
+```
+
+Example playbook to allow users, groups, hosts or hostgroups to retrieve a keytab of this service:
+
+```yaml
+---
+- name: Playbook to manage IPA service.
+  hosts: ipaserver
+  become: true
+  gather_facts: false
+
+  tasks:
+    # Allow users, groups, hosts or host groups to retrieve a keytab of this service.
+    - ipaservice:
+        ipaadmin_password: SomeADMINpassword
+        name: HTTP/www.example.com
+        allow_retrieve_keytab_user:
+        - user01
+        - user02
+        allow_retrieve_keytab_group:
+        - group01
+        - group02
+        allow_retrieve_keytab_host:
+        - "{{ host1_fqdn }}"
+        - "{{ host2_fqdn }}"
+        allow_retrieve_keytab_hostgroup:
+        - hostgroup01
+        - hostgroup02
+        action: member
+```
+
+
+Variables
+---------
+
+ipaservice
+
+Variable | Description | Required
+-------- | ----------- | --------
+`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
+`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
+`name` \| `service` | The list of service name strings. | yes
+`certificate` \| `usercertificate` | Base-64 encoded service certificate. | no
+`pac_type` \| `ipakrbauthzdata` | Supported PAC type. It can be one of `MS-PAC`, `PAD`, or `NONE`. | no
+`auth_ind` \| `krbprincipalauthind` | Defines a whitelist for Authentication Indicators. It can be any of `otp`, `radius`, `pkinit`, or `hardened`. | no
+`requires_pre_auth` \| `ipakrbrequirespreauth` | Pre-authentication is required for the service. Default to true. (bool) | no
+`ok_as_delegate` \|  `ipakrbokasdelegate` | Client credentials may be delegated to the service. Default to false. (bool) | no
+`ok_to_auth_as_delegate` \|  `ipakrboktoauthasdelegate` | The service is allowed to authenticate on behalf of a client. Default to false. (bool) | no
+`skip_host_check` | Force service to be created even when host object does not exist to manage it. Default to false. (bool)| no
+`force` | Force principal name even if host not in DNS. Default to false. (bool) | no
+`host` \| `managedby_host`| Hosts that can manage the service. | no
+`principal` \| `krbprincipalname` | List of principal aliases for the service. | no
+`allow_create_keytab_user` \| `ipaallowedtoperform_write_keys_user` | Users allowed to create a keytab of this host. | no
+`allow_create_keytab_group` \| `ipaallowedtoperform_write_keys_group`| Groups allowed to create a keytab of this host. | no
+`allow_create_keytab_host` \| `ipaallowedtoperform_write_keys_host`| Hosts allowed to create a keytab of this host. | no
+`allow_create_keytab_hostgroup` \| `ipaallowedtoperform_write_keys_group`| Host groups allowed to create a keytab of this host. | no
+`allow_retrieve_keytab_user` \| `ipaallowedtoperform_read_keys_user` | Users allowed to retrieve a keytab of this host. | no
+`allow_retrieve_keytab_group` \| `ipaallowedtoperform_read_keys_group` | Groups allowed to retrieve a keytab of this host. | no
+`allow_retrieve_keytab_host` \| `ipaallowedtoperform_read_keys_host` | Hosts allowed to retrieve a keytab from of host. | no
+`allow_retrieve_keytab_hostgroup` \| `ipaallowedtoperform_read_keys_hostgroup` | Host groups allowed to retrieve a keytab of this host. | no
+`action` | Work on service or member level. It can be on of `member` or `service` and defaults to `service`. | no
+`state` | The state to ensure. It can be one of `present`, `absent`, or `disabled`, default: `present`. | no
+
+
+Authors
+=======
+
+Rafael Jeffman
--- a/README-sudocmd.md
+++ b/README-sudocmd.md
@@ -0,0 +1,95 @@
+Sudocmd module
+================
+
+Description
+-----------
+
+The sudocmd module allows to ensure presence and absence of sudo command.
+
+The sudocmd module is as compatible as possible to the Ansible upstream `ipa_sudocmd` module.
+
+
+Features
+--------
+* Sudo command management
+
+
+Supported FreeIPA Versions
+--------------------------
+
+FreeIPA versions 4.4.0 and up are supported by the ipa_sudocmd module.
+
+
+Requirements
+------------
+
+**Controller**
+* Ansible version: 2.8+
+
+**Node**
+* Supported FreeIPA version (see above)
+
+
+Usage
+=====
+
+Example inventory file
+
+```ini
+[ipaserver]
+ipaserver.test.local
+```
+
+
+Example playbook to make sure sudocmd exists:
+
+```yaml
+---
+- name: Playbook to handle sudocmd
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  # Ensure sudocmd is present
+  - ipasudocmd:
+      ipaadmin_password: SomeADMINpassword
+      name: /usr/bin/su
+      state: present
+```
+
+Example playbook to make sure sudocmd is absent:
+
+```yaml
+---
+- name: Playbook to handle sudocmd
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  # Ensure sudocmd are absent
+  - ipahostgroup:
+      ipaadmin_password: SomeADMINpassword
+      name: /usr/bin/su
+      state: absent
+```
+
+Variables
+=========
+
+ipasudocmd
+-------
+
+Variable | Description | Required
+-------- | ----------- | --------
+`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
+`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
+`name` \| `sudocmd` | The sudo command strings. | yes
+`description` | The command description string. | no
+`nomembers` | Suppress processing of membership attributes. (bool) | no
+`state` | The state to ensure. It can be one of `present` or `absent`, default: `present`. | no
+
+
+Authors
+=======
+
+Rafael Guterres Jeffman
--- a/README-sudocmdgroup.md
+++ b/README-sudocmdgroup.md
@@ -0,0 +1,137 @@
+Sudocmdgroup module
+===================
+
+Description
+-----------
+
+The sudocmdgroup module allows to ensure presence and absence of sudocmdgroups and members of sudocmdgroups.
+
+The sudocmdgroup module is as compatible as possible to the Ansible upstream `ipa_sudocmdgroup` module, but additionally offers to make sure that sudocmds are present or absent in a sudocmdgroup.
+
+
+Features
+--------
+* Sudocmdgroup management
+
+
+Supported FreeIPA Versions
+--------------------------
+
+FreeIPA versions 4.4.0 and up are supported by the ipasudocmdgroup module.
+
+
+Requirements
+------------
+
+**Controller**
+* Ansible version: 2.8+
+
+**Node**
+* Supported FreeIPA version (see above)
+
+
+Usage
+=====
+
+Example inventory file
+
+```ini
+[ipaserver]
+ipaserver.test.local
+```
+
+
+Example playbook to make sure sudocmdgroup is present:
+
+```yaml
+---
+- name: Playbook to handle sudocmdgroups
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  # Ensure sudocmdgroup is present
+  - ipasudocmdgroup:
+      ipaadmin_password: SomeADMINpassword
+      name: group01
+      description: Group of important commands
+```
+
+Example playbook to make sure that a sudo command and sudocmdgroups are present in existing sudocmdgroup:
+
+```yaml
+---
+- name: Playbook to handle sudocmdgroups
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  # Ensure sudo commands are present in existing sudocmdgroup
+  - ipasudocmdgroup:
+      ipaadmin_password: SomeADMINpassword
+      name: group01
+      sudocmd:
+      - /usr/bin/su
+      - /usr/bin/less
+      action: member
+```
+`action` controls if the sudocmdgroup or member will be handled. To add or remove members, set `action` to `member`.
+
+Example playbook to make sure that a sudo command and sudocmdgroups are absent in sudocmdgroup:
+
+```yaml
+---
+- name: Playbook to handle sudocmdgroups
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  # Ensure sudocmds are absent in existing sudocmdgroup
+  - ipasudocmdgroup:
+      ipaadmin_password: SomeADMINpassword
+      name: group01
+      sudocmd:
+      - /usr/bin/su
+      - /usr/bin/less
+      action: member
+      state: absent
+```
+
+Example playbook to make sure sudocmdgroup is absent:
+
+```yaml
+---
+- name: Playbook to handle sudocmdgroups
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  # Ensure sudocmdgroup is absent
+  - ipasudocmdgroup:
+      ipaadmin_password: SomeADMINpassword
+      name: group01
+      state: absent
+```
+
+Variables
+=========
+
+ipasudocmdgroup
+-------
+
+Variable | Description | Required
+-------- | ----------- | --------
+`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
+`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
+`name` \| `cn` | The list of sudocmdgroup name strings. | no
+`description` | The sudocmdgroup description string. | no
+`nomembers` | Suppress processing of membership attributes. (bool) | no
+`sudocmd` | List of sudocmdgroup name strings assigned to this sudocmdgroup. | no
+`action` | Work on sudocmdgroup or member level. It can be on of `member` or `sudocmdgroup` and defaults to `sudocmdgroup`. | no
+`state` | The state to ensure. It can be one of `present` or `absent`, default: `present`. | no
+
+
+Authors
+=======
+
+Rafael Guterres Jeffman
--- a/README-sudorule.md
+++ b/README-sudorule.md
@@ -0,0 +1,150 @@
+Sudorule module
+===============
+
+Description
+-----------
+
+The sudorule (Sudo Rule) module allows to ensure presence and absence of Sudo Rules and host, hostgroups, users, and user groups as members of Sudo Rule.
+
+
+Features
+--------
+* Sudo Rule management
+
+
+Supported FreeIPA Versions
+--------------------------
+
+FreeIPA versions 4.4.0 and up are supported by the ipasudorule module.
+
+
+Requirements
+------------
+
+**Controller**
+* Ansible version: 2.8+
+
+**Node**
+* Supported FreeIPA version (see above)
+
+
+Usage
+=====
+
+Example inventory file
+
+```ini
+[ipaserver]
+ipaserver.test.local
+```
+
+
+Example playbook to make sure Sudo Rule is present:
+
+```yaml
+---
+- name: Playbook to handle sudorules
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  # Ensure Sudo Rule is present
+  - ipasudorule:
+      ipaadmin_password: SomeADMINpassword
+      name: testrule1
+```
+
+
+Example playbook to make sure sudocmds are present in Sudo Rule:
+
+```yaml
+---
+- name: Playbook to handle sudorules
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  # Ensure Sudo Rule is present
+  - ipasudorule:
+      ipaadmin_password: SomeADMINpassword
+      name: testrule1
+      allow_sudocmd:
+      - /sbin/ifconfig
+      action: member
+```
+
+
+Example playbook to make sure sudocmds are not present in Sudo Rule:
+
+```yaml
+---
+- name: Playbook to handle sudorules
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  # Ensure Sudo Rule is present
+  - ipasudorule:
+      ipaadmin_password: SomeADMINpassword
+      name: testrule1
+      allow_sudocmd:
+      - /sbin/ifconfig
+      action: member
+      state: absent
+```
+
+Example playbook to make sure Sudo Rule is absent:
+
+```yaml
+---
+- name: Playbook to handle sudorules
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  # Ensure Sudo Rule is present
+  - ipasudorule:
+      ipaadmin_password: SomeADMINpassword
+      name: testrule1
+      state: absent
+```
+
+
+Variables
+=========
+
+ipasudorule
+---------------
+
+Variable | Description | Required
+-------- | ----------- | --------
+`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
+`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
+`name` \| `cn` | The list of sudorule name strings. | yes
+`description` | The sudorule description string. | no
+`usercategory` | User category the rule applies to. Choices: ["all"] | no
+`hostcategory` | Host category the rule applies to. Choices: ["all"] | no
+`cmdcategory` | Command category the rule applies to. Choices: ["all"] | no
+`runasusercategory` | RunAs User category the rule applies to. Choices: ["all"] | no
+`runasgroupcategory` | RunAs Group category the rule applies to. Choices: ["all"] | no
+`nomembers` | Suppress processing of membership attributes. (bool) | no
+`host` | List of host name strings assigned to this sudorule. | no
+`hostgroup` | List of host group name strings assigned to this sudorule. | no
+`user` | List of user name strings assigned to this sudorule. | no
+`group` | List of user group name strings assigned to this sudorule. | no
+`allow_sudocmd` | List of sudocmd name strings assigned to the allow group of this sudorule. | no
+`deny_sudocmd` | List of sudocmd name strings assigned to the deny group of this sudorule. | no
+`allow_sudocmdgroup` | List of sudocmd groups name strings assigned to the allow group of this sudorule. | no
+`deny_sudocmdgroup` | List of sudocmd groups name strings assigned to the deny group of this sudorule. | no
+`sudooption` \| `option` | List of options to the sudorule | no
+`order` | Integer to order the sudorule | no
+`runasuser` | List of users for Sudo to execute as. | no
+`runasgroup` | List of groups for Sudo to execute as. | no
+`action` | Work on sudorule or member level. It can be on of `member` or `sudorule` and defaults to `sudorule`. | no
+`state` | The state to ensure. It can be one of `present`, `absent`, `enabled` or `disabled`, default: `present`. | no
+
+
+Authors
+=======
+
+Rafael Jeffman
--- a/README-topology.md
+++ b/README-topology.md
@@ -4,7 +4,7 @@ Topology modules
 Description
 -----------

-These modules allow to manage the topology. That means that topology segments can be added, removed and reinitialized. Also it is possible to verify topology suffixes.
+These modules allow to manage the topology. That means that it can made sure that topology segments are present, absent or reinitialized. Also it is possible to verify topology suffixes.


 Features
@@ -39,7 +39,7 @@ ipaserver.test.local
 ```


-Example playbook to add a topology segment wiht default name (cn):
+Example playbook to add a topology segment with default name (cn):

 ```yaml
 ---
@@ -50,13 +50,13 @@ Example playbook to add a topology segment wiht default name (cn):
  tasks:
  - name: Add topology segment
    ipatopologysegment:
-      password: MyPassword123
+      ipaadmin_password: SomeADMINpassword
      suffix: domain
      left: ipareplica1.test.local
      right: ipareplica2.test.local
      state: present
 ```
-The name (cn) can also be set if it should not be the default `{left}-to-{rkight}`.
+The name (cn) can also be set if it should not be the default `{left}-to-{right}`.


 Example playbook to delete a topology segment:
@@ -70,7 +70,7 @@ Example playbook to delete a topology segment:
  tasks:
  - name: Delete topology segment
    ipatopologysegment:
-      password: MyPassword123
+      ipaadmin_password: SomeADMINpassword
      suffix: domain
      left: ipareplica1.test.local
      right: ipareplica2.test.local
@@ -90,7 +90,7 @@ Example playbook to reinitialize a topology segment:
  tasks:
  - name: Reinitialize topology segment
    ipatopologysegment:
-      password: MyPassword123
+      ipaadmin_password: SomeADMINpassword
      suffix: domain
      left: ipareplica1.test.local
      right: ipareplica2.test.local
@@ -111,12 +111,12 @@ Example playbook to verify a topology suffix:
  tasks:
  - name: Verify topology suffix
    ipatopologysuffix:
-      password: MyPassword123
+      ipaadmin_password: SomeADMINpassword
      suffix: domain
      state: verified
 ```

-Example playbook to add a list of topology segments:
+Example playbook to add or remove or check or reinitialize a list of topology segments:

 ```yaml
 ---
@@ -136,15 +136,15 @@ Example playbook to add a list of topology segments:
  tasks:
  - name: Add topology segment
    ipatopologysegment:
-      password: "{{ ipaadmin_password }}"
+      ipaadmin_password: "{{ ipaadmin_password }}"
      suffix: "{{ item.suffix }}"
      name: "{{ item.name | default(omit) }}"
      left: "{{ item.left }}"
      right: "{{ item.right }}"
-      #state: present
+      state: present
      #state: absent
      #state: checked
-      state: reinitialized
+      #state: reinitialized
    loop: "{{ ipatopology_segments | default([]) }}"
 ```

@@ -157,8 +157,8 @@ ipatopologysegment

 Variable | Description | Required
 -------- | ----------- | --------
-`principal` | The admin principal is a string and defaults to `admin` | no
-`password` | The admin password is a string and is required if there is no admin ticket available on the node | no
+`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
+`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
 `suffix` | The topology suffix to be used, this can either be `domain`, `ca` or `domain+ca` | yes
 `name` \| `cn` | The topology segment name (cn) is the unique identifier for a segment. | no
 `left` \| `leftnode` | The left replication node string - an IPA server | no
@@ -174,8 +174,8 @@ Verify FreeIPA topology suffix

 Variable | Description | Required
 -------- | ----------- | --------
-`principal` | The admin principal is a string and defaults to `admin` | no
-`password` | The admin password is a string and is required if there is no admin ticket available on the node | no
+`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
+`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
 `suffix` | The topology suffix to be used, this can either be `domain` or `ca` | yes
 `state` | The state to ensure. It can only be `verified` | yes

--- a/README-user.md
+++ b/README-user.md
@@ -0,0 +1,447 @@
+User module
+===========
+
+Description
+-----------
+
+The user module allows to ensure presence, absence, disablement, unlocking and undeletion of users.
+
+The user module is as compatible as possible to the Ansible upstream `ipa_user` module, but additionally offers to preserve delete, enable, disable, unlock and undelete users.
+
+
+Features
+--------
+* User management
+
+
+Supported FreeIPA Versions
+--------------------------
+
+FreeIPA versions 4.4.0 and up are supported by the ipauser module.
+
+
+Requirements
+------------
+
+**Controller**
+* Ansible version: 2.8+
+
+**Node**
+* Supported FreeIPA version (see above)
+
+
+Usage
+=====
+
+Example inventory file
+
+```ini
+[ipaserver]
+ipaserver.test.local
+```
+
+
+Example playbook to ensure a user is present:
+
+```yaml
+---
+- name: Playbook to handle users
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  # Ensure user pinky is present
+  - ipauser:
+      ipaadmin_password: SomeADMINpassword
+      name: pinky
+      first: pinky
+      last: Acme
+      uid: 10001
+      gid: 100
+      phone: "+555123457"
+      email: pinky@acme.com
+      passwordexpiration: "2023-01-19 23:59:59"
+      password: "no-brain"
+      update_password: on_create
+
+  # Ensure user brain is present
+  - ipauser:
+      ipaadmin_password: SomeADMINpassword
+      name: brain
+      first: brain
+      last: Acme
+```
+`update_password` controls if a password for a user will be set in present state only on creation or every time (always).
+
+
+These two `ipauser` module calls can be combined into one with the `users` variable:
+
+```yaml
+---
+- name: Playbook to handle users
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  # Ensure users pinky and brain are present
+  - ipauser:
+      ipaadmin_password: SomeADMINpassword
+      users:
+      - name: pinky
+        first: pinky
+        last: Acme
+        uid: 10001
+        gid: 100
+        phone: "+555123457"
+        email: pinky@acme.com
+        passwordexpiration: "2023-01-19 23:59:59"
+        password: "no-brain"
+      - name: brain
+        first: brain
+        last: Acme
+      update_password: on_create
+```
+
+You can also alternatively use a json file containing the users, here `users_present.json`:
+
+```json
+{
+  "users": [
+    {
+      "name": "user1",
+      "first": "First 1",
+      "last": "Last 1"
+    },
+    {
+      "name": "user2",
+      "first": "First 2",
+      "last": "Last 2"
+    },
+    ...
+  ]
+}
+```
+
+And ensure the presence of the users with this example playbook:
+
+```yaml
+---
+- name: Tests
+  hosts: ipaserver
+  become: true
+  gather_facts: false
+
+  tasks:
+  - name: Include users_present.json
+    include_vars:
+      file: users_present.json
+
+  - name: Users present
+    ipauser:
+      ipaadmin_password: SomeADMINpassword
+      users: "{{ users }}"
+```
+
+Ensure user pinky is present with a generated random password and print the random password:
+
+```yaml
+---
+- name: Playbook to handle users
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  # Ensure user pinky is present with a random password
+  - ipauser:
+      ipaadmin_password: SomeADMINpassword
+      name: brain
+      first: brain
+      last: Acme
+      random: yes
+    register: ipauser
+
+  - name: Print generated random password
+    debug:
+      var: ipauser.user.randompassword
+```
+
+Ensure users pinky and brain are present with a generated random password and print the random passwords:
+
+```yaml
+---
+- name: Playbook to handle users
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  # Ensure users pinky and brain are present with random password
+  - ipauser:
+      ipaadmin_password: SomeADMINpassword
+      users:
+      - name: pinky
+        first: pinky
+        last: Acme
+        uid: 10001
+        gid: 100
+        phone: "+555123457"
+        email: pinky@acme.com
+        passwordexpiration: "2023-01-19 23:59:59"
+        password: "no-brain"
+      - name: brain
+        first: brain
+        last: Acme
+    register: ipauser
+
+  - name: Print generated random password of pinky
+    debug:
+      var: ipauser.user.pinky.randompassword
+
+  - name: Print generated random password of brain
+    debug:
+      var: ipauser.user.brain.randompassword
+```
+
+Example playbook to delete a user, but preserve it:
+
+```yaml
+---
+- name: Playbook to handle users
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  # Remove but preserve user pinky
+  - ipauser:
+      ipaadmin_password: SomeADMINpassword
+      name: pinky
+      preserve: yes
+      state: absent
+```
+
+This can also be done with the `users` variable containing only names, this can be combined into one module call:
+
+Example playbook to delete a user, but preserve it using the `users` variable:
+
+```yaml
+---
+- name: Playbook to handle users
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  # Remove but preserve user pinky
+  - ipauser:
+      ipaadmin_password: SomeADMINpassword
+      users:
+      - name: pinky
+      preserve: yes
+      state: absent
+```
+
+This can also be done as an alternative with the `users` variable containing only names.
+
+
+Example playbook to undelete a preserved user.
+
+```yaml
+---
+- name: Playbook to handle users
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  # Undelete preserved user pinky
+  - ipauser:
+      ipaadmin_password: SomeADMINpassword
+      name: pinky
+      state: undeleted
+```
+
+This can also be done as an alternative with the `users` variable containing only names.
+
+
+Example playbook to disable a user:
+
+```yaml
+---
+- name: Playbook to handle users
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  # Disable user pinky
+  - ipauser:
+      ipaadmin_password: SomeADMINpassword
+      name: pinky
+      state: disabled
+```
+
+This can also be done as an alternative with the `users` variable containing only names.
+
+
+Example playbook to enable users:
+
+```yaml
+---
+- name: Playbook to handle users
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  # Enable user pinky and brain
+  - ipauser:
+      ipaadmin_password: SomeADMINpassword
+      name: pinky,brain
+      state: enabled
+```
+
+This can also be done as an alternative with the `users` variable containing only names.
+
+
+Example playbook to unlock users:
+
+```yaml
+---
+- name: Playbook to handle users
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  # Unlock user pinky and brain
+  - ipauser:
+      ipaadmin_password: SomeADMINpassword
+      name: pinky,brain
+      state: unlocked
+```
+
+
+Example playbook to ensure users are absent:
+
+```yaml
+---
+- name: Playbook to handle users
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  # Ensure users pinky and brain are absent
+  - ipauser:
+      ipaadmin_password: SomeADMINpassword
+      name: pinky,brain
+      state: absent
+```
+
+This can also be done as an alternative with the `users` variable containing only names.
+
+
+Example playbook to ensure users are absent:
+
+```yaml
+---
+- name: Playbook to handle users
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  # Ensure users pinky and brain are absent
+  - ipauser:
+      ipaadmin_password: SomeADMINpassword
+      users:
+      - name: pinky
+      - name: brain
+      state: absent
+```
+
+
+Variables
+=========
+
+ipauser
+-------
+
+**General Variables:**
+
+Variable | Description | Required
+-------- | ----------- | --------
+`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
+`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
+`name` | The list of user name strings. `name` with *user variables* or `users` containing *user variables* need to be used. | no
+**User variables** | Only used with `name` variable in the first level. | no
+`users` | The list of user dicts. Each `users` dict entry can contain **user variables**.<br>There is one required option in the `users` dict:| no
+&nbsp; | `name` - The user name string of the entry. | yes
+&nbsp; | **User variables** | no
+`preserve` | Delete a user, keeping the entry available for future use. (bool) | no
+`update_password` | Set password for a user in present state only on creation or always. It can be one of `always` or `on_create` and defaults to `always`. | no
+`preserve` | Delete a user, keeping the entry available for future use. (bool)  | no
+`action` | Work on user or member level. It can be on of `member` or `user` and defaults to `user`. | no
+`state` | The state to ensure. It can be one of `present`, `absent`, `enabled`, `disabled`, `unlocked` or `undeleted`, default: `present`. Only `names` or `users` with only `name` set are allowed if state is not `present`. | yes
+
+
+
+**User Variables:**
+
+Variable | Description | Required
+-------- | ----------- | --------
+`first` \| `givenname` | The first name string. | no
+`last` \| `sn` | The last name string. | no
+`fullname` \| `cn` | The full name string. | no
+`displayname` | The display name string. | no
+`homedir` | The home directory string. | no
+`shell` \| `loginshell` | The login shell string. | no
+`email` | List of email address strings. | no
+`principal` \| `principalnam` \| `krbprincipalname` | The kerberos principal sptring. | no
+`principalexpiration` \| `krbprincipalexpiration` | The kerberos principal expiration date. Possible formats: `YYYYMMddHHmmssZ`, `YYYY-MM-ddTHH:mm:ssZ`, `YYYY-MM-ddTHH:mmZ`, `YYYY-MM-ddZ`, `YYYY-MM-dd HH:mm:ssZ` or `YYYY-MM-dd HH:mmZ`. The trailing 'Z' can be skipped. | no
+`passwordexpiration` \| `krbpasswordexpiration` | The kerberos password expiration date. Possible formats: `YYYYMMddHHmmssZ`, `YYYY-MM-ddTHH:mm:ssZ`, `YYYY-MM-ddTHH:mmZ`, `YYYY-MM-ddZ`, `YYYY-MM-dd HH:mm:ssZ` or `YYYY-MM-dd HH:mmZ`. The trailing 'Z' can be skipped. Only usable with IPA versions 4.7 and up. | no
+`password` | The user password string. | no
+`random` | Generate a random user password | no
+`uid` \| `uidnumber` | The UID integer. | no
+`gid` \| `gidnumber` | The GID integer. | no
+`city` | City | no
+`userstate` \| `st` | State/Province | no
+`postalcode` \| `zip` | Postalcode/ZIP | no
+`phone` \| `telephonenumber` | List of telephone number strings, | no
+`mobile` | List of mobile telephone number strings. | no
+`pager` | List of pager number strings. | no
+`fax` \| `facsimiletelephonenumber` | List of fax number strings. | no
+`orgunit` | The Organisation unit. | no
+`title` | The job title string. | no
+`manager` | List of manager user names. | no
+`carlicense` | List of car licenses. | no
+`sshpubkey` \| `ipasshpubkey` | List of SSH public keys. | no
+`userauthtype` | List of supported user authentication types. Choices: `password`, `radius`, `otp` and ``. Use empty string to reset userauthtype to the initial value. | no
+`userclass` | User category. (semantics placed on this attribute are for local interpretation). | no
+`radius` | RADIUS proxy configuration  | no
+`radiususer` | RADIUS proxy username | no
+`departmentnumber` | Department Number | no
+`employeenumber` | Employee Number | no
+`employeetype` | Employee Type | no
+`preferredlanguage` | Preferred Language | no
+`certificate` | List of base-64 encoded user certificates. | no
+`certmapdata` | List of certificate mappings. Either `certificate` or `issuer` together with `subject` need to be specified. <br>Options: | no
+&nbsp; | `certificate` - Base-64 encoded user certificate | no
+&nbsp; | `issuer` - Issuer of the certificate | no
+&nbsp; | `subject` - Subject of the certificate | no
+`noprivate` | Do not create user private group. (bool) | no
+`nomembers` | Suppress processing of membership attributes. (bool) | no
+
+
+
+Return Values
+=============
+
+ipauser
+-------
+
+There are only return values if one or more random passwords have been generated.
+
+Variable | Description | Returned When
+-------- | ----------- | -------------
+`host` | Host dict with random password. (dict) <br>Options: | If random is yes and user did not exist or update_password is yes
+&nbsp; | `randompassword` - The generated random password | If only one user is handled by the module
+&nbsp; | `name` - The user name of the user that got a new random password. (dict) <br> Options: <br> &nbsp; `randompassword` - The generated random password | If several users are handled by the module
+
+
+Authors
+=======
+
+Thomas Woerner
--- a/README-vault.md
+++ b/README-vault.md
@@ -0,0 +1,203 @@
+Vault module
+===================
+
+Description
+-----------
+
+The vault module allows to ensure presence and absence of vault and members of vaults.
+
+The vault module is as compatible as possible to the Ansible upstream `ipa_vault` module, and additionally offers to make sure that vault members, groups and owners are present or absent in a vault, and allow the archival of data in vaults.
+
+
+Features
+--------
+* Vault management
+
+
+Supported FreeIPA Versions
+--------------------------
+
+FreeIPA versions 4.4.0 and up are supported by the ipavault module.
+
+
+Requirements
+------------
+
+**Controller**
+* Ansible version: 2.8+
+
+**Node**
+* Supported FreeIPA version (see above)
+* KRA service must be enabled
+
+
+Usage
+=====
+
+Example inventory file
+
+```ini
+[ipaserver]
+ipaserver.test.local
+```
+
+Example playbook to make sure vault is present:
+
+```yaml
+---
+- name: Playbook to handle vaults
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  - ipavault:
+      ipaadmin_password: SomeADMINpassword
+      name: symvault
+      username: admin
+      vault_password: MyVaultPassword123
+      description: A standard private vault.
+```
+
+Example playbook to make sure that a vault and its members are present:
+
+```yaml
+---
+- name: Playbook to handle vaults
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  - ipavault:
+      ipaadmin_password: SomeADMINpassword
+      name: symvault
+      username: admin
+      users: user01
+```
+
+`action` controls if the vault, data, member or owner will be handled. To add or remove members or vault data, set `action` to `member`.
+
+Example playbook to make sure that a vault member is present in vault:
+
+```yaml
+---
+- name: Playbook to handle vaults
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  - ipavault:
+      ipaadmin_password: SomeADMINpassword
+      name: symvault
+      username: admin
+      users: user01
+      action: member
+```
+
+Example playbook to make sure that a vault owner is absent in vault:
+
+```yaml
+---
+- name: Playbook to handle vaults
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  - ipavault:
+      ipaadmin_password: SomeADMINpassword
+      name: symvault
+      username: admin
+      owner: user01
+      action: member
+      state: absent
+```
+
+Example playbook to make sure vault data is present in a symmetric vault:
+
+```yaml
+---
+- name: Playbook to handle vaults
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  - ipavault:
+      ipaadmin_password: SomeADMINpassword
+      name: symvault
+      username: admin
+      vault_password: MyVaultPassword123
+      vault_data: >
+        Data archived.
+        More data archived.
+      action: member
+```
+
+Example playbook to make sure vault data is absent in a symmetric vault:
+
+```yaml
+---
+- name: Playbook to handle vaults
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  - ipavault:
+      ipaadmin_password: SomeADMINpassword
+      name: symvault
+      username: admin
+      vault_password: MyVaultPassword123
+      action: member
+      state: absent
+```
+
+Example playbook to make sure vault is absent:
+
+```yaml
+---
+- name: Playbook to handle vaults
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  - ipavault:
+      ipaadmin_password: SomeADMINpassword
+      name: symvault
+      username: admin
+      state: absent
+```
+
+Variables
+=========
+
+ipavault
+-------
+
+Variable | Description | Required
+-------- | ----------- | --------
+`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
+`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
+`name` \| `cn` | The list of vault name strings. | yes
+`description` | The vault description string. | no
+`nomembers` | Suppress processing of membership attributes. (bool) | no
+`vault_public_key` \| `ipavaultpublickey` | Vault public key. | no
+`vault_salt` \| `ipavaultsalt` | Vault salt. | no
+`vault_type` \| `ipavaulttype` | Vault types are based on security level. It can be one of `standard`, `symmetric` or `asymmetric`, default: `symmetric` | no
+`service` | Any service can own one or more service vaults. | no
+`user` | Any user can own one or more user vaults. | no
+`shared` | Vault is shared. Default to false. (bool) | no
+`users` | Users that are members of the vault. | no
+`groups` | Groups that are member of the vault. | no
+`vault_data` \| `ipavaultdata` | Data to be stored in the vault. | no
+`action` | Work on vault or member level. It can be on of `member` or `vault` and defaults to `vault`. | no
+`state` | The state to ensure. It can be one of `present` or `absent`, default: `present`. | no
+
+
+Notes
+=====
+
+ipavault uses a client context to execute, and it might affect execution time.
+
+
+Authors
+=======
+
+Rafael Jeffman
--- a/README.md
+++ b/README.md
@@ -1,7 +1,7 @@
-FreeIPA Ansible roles
-=====================
+FreeIPA Ansible collection
+==========================

-This repository contains [Ansible](https://www.ansible.com/) roles and playbooks to install and uninstall [FreeIPA](https://www.freeipa.org/) `servers`, `replicas` and `clients`. Also modules for topology management.
+This repository contains [Ansible](https://www.ansible.com/) roles and playbooks to install and uninstall [FreeIPA](https://www.freeipa.org/) `servers`, `replicas` and `clients`. Also modules for group, host, topology and user management.

 **Note**: The ansible playbooks and roles require a configured ansible environment where the ansible nodes are reachable and are properly set up to have an IP address and a working package manager.

@@ -11,12 +11,25 @@ Features
 * Cluster deployments: Server, replicas and clients in one playbook
 * One-time-password (OTP) support for client installation
 * Repair mode for clients
+* Modules for group management
+* Modules for hbacrule management
+* Modules for hbacsvc management
+* Modules for hbacsvcgroup management
+* Modules for host management
+* Modules for hostgroup management
+* Modules for pwpolicy management
+* Modules for service management
+* Modules for sudocmd management
+* Modules for sudocmdgroup management
+* Modules for sudorule management
 * Modules for topology management
+* Modules for user management
+* Modules for vault management

 Supported FreeIPA Versions
 --------------------------

-FreeIPA versions 4.6 and up are supported by all roles. 
+FreeIPA versions 4.6 and up are supported by all roles.

 The client role supports versions 4.4 and up, the server role is working with versions 4.5 and up, the replica role is currently only working with versions 4.6 and up.

@@ -26,12 +39,14 @@ Supported Distributions
 * RHEL/CentOS 7.4+
 * Fedora 26+
 * Ubuntu
+* Debian 10+ (ipaclient only, no server or replica!)

 Requirements
 ------------

 **Controller**
 * Ansible version: 2.8+ (ansible-freeipa is an Ansible Collection)
+* /usr/bin/kinit is required on the controller if a one time password (OTP) is used
 * python3-gssapi is required on the controller if a one time password (OTP) is used with keytab to install the client.

 **Node**
@@ -41,11 +56,11 @@ Requirements
 Limitations
 -----------

-**External CA**
+**External signed CA**

-External CA support is not supported or working. The currently needed two step process is an issue for the processing in the role. The configuration of the server is partly done already and needs to be continued after the CSR has been handled. This is for example breaking the deployment of a server with replicas or clients in one playbook.
+External signed CA is now supported. But the currently needed two step process is an issue for the processing in a simple playbook.

-Work is planned to have a new method to handle CSR for external CAs in a separate step before starting the server installation.
+Work is planned to have a new method to handle CSR for external signed CAs in a separate step before starting the server installation.


 Usage
@@ -54,19 +69,61 @@ Usage
 How to use ansible-freeipa
 --------------------------

-The simplest method for now is to clone this repository on the contoller from github directly and to start the deployment from the ansible-freeipa directory:
+**GIT repo**
+
+The simplest method for now is to clone this repository on the controller from github directly and to start the deployment from the ansible-freeipa directory:

 ```bash
 git clone https://github.com/freeipa/ansible-freeipa.git
 cd ansible-freeipa
 ```
+You can use the roles directly within the top directory of the git repo, but to be able to use the management modules in the plugins subdirectory, you have to either adapt `ansible.cfg` or create links for the roles, modules or directories.
+
+You can either adapt ansible.cfg:
+
+```
+roles_path   = /my/dir/ansible-freeipa/roles
+library      = /my/dir/ansible-freeipa/plugins/modules
+module_utils = /my/dir/ansible-freeipa/plugins/module_utils
+```
+
+Or you can link the directories:
+
+```
+ansible-freeipa/roles to ~/.ansible/
+ansible-freeipa/plugins/modules to ~/.ansible/plugins/
+ansible-freeipa/plugins/module_utils to ~/.ansible/plugins/
+```
+
+**RPM package**
+
+There are RPM packages available for Fedora 29+. These are installing the roles and modules into the global Ansible directories for `roles`, `plugins/modules` and `plugins/module_utils` in the `/usr/share/ansible` directory. Therefore is it possible to use the roles and modules without adapting the names like it is done in the example playbooks.
+
+**Ansible galaxy**
+
+This command will get the whole collection from galaxy:
+
+```bash
+ansible-galaxy collection install freeipa.ansible_freeipa
+```
+
+Installing collections using the ansible-galaxy command is only supported with ansible 2.9+.
+
+The mazer tool can be used for to install the collection for ansible 2.8:
+
+```bash
+mazer install freeipa.ansible_freeipa
+```
+
+Ansible galaxy does not support the use of dash ('-') in a name and is automatically replacing this with an underscore ('\_'). Therefore the name is `ansible_freeipa`. The ansible_freeipa collection will be placed in the directory `~/.ansible/collections/ansible_collections/freeipa/ansible_freeipa` where it will be automatically be found for this user.
+
+The needed adaptions of collection prefixes for `modules` and `module_utils` will be done with ansible-freeipa release `0.1.6` for galaxy.

-The roles provided by ansible-freeipa are not available in ansible galaxy so far.

 Ansible inventory file
 ----------------------

-The most important parts of the inventory file is the definition of the nodes, settings and the topology. Please remember to use [Ansible vault](https://docs.ansible.com/ansible/latest/user_guide/vault.html) for passwords. The examples here are not using vault for better readability.
+The most important parts of the inventory file is the definition of the nodes, settings and the management modules. Please remember to use [Ansible vault](https://docs.ansible.com/ansible/latest/user_guide/vault.html) for passwords. The examples here are not using vault for better readability.

 **Master server**

@@ -100,8 +157,9 @@ ipaserver_install_packages=no
 ipaserver_setup_firewalld=no
 ```
 The installation of packages and also the configuration of the firewall are by default enabled.
+Note that it is not enough to mask systemd firewalld service to skip the firewalld configuration. You need to set the variable to `no`.

-For more server settings, please have a look at the [server role documentation](SERVER.md).
+For more server settings, please have a look at the [server role documentation](roles/ipaserver/README.md).

 **Replica**

@@ -175,8 +233,9 @@ ipareplica_setup_firewalld=no
 ```

 The installation of packages and also the configuration of the firewall are by default enabled.
+Note that it is not enough to mask systemd firewalld service to skip the firewalld configuration. You need to set the variable to `no`.

-For more replica settings, please have a look at the [replica role documentation](REPLICA.md).
+For more replica settings, please have a look at the [replica role documentation](roles/ipareplica/README.md).


 **Client**
@@ -215,7 +274,7 @@ To enable the generation of the one-time-password:
 ipaclient_use_otp=yes
 ```

-For more client settings, please have a look at the [client role documentation](CLIENT.md).
+For more client settings, please have a look at the [client role documentation](roles/ipaclient/README.md).

 **Cluster**

@@ -308,7 +367,7 @@ If Ansible vault is used for passwords, then it is needed to adapt the playbooks
    state: present
 ```

-It is also needed to provide the vault passowrd file on the ansible-playbook command line:
+It is also needed to provide the vault password file on the ansible-playbook command line:
 ```bash
 ansible-playbook -v -i inventory/hosts --vault-password-file .vaul_pass.txt install-server.yml
 ```
@@ -348,5 +407,19 @@ Roles
 Modules in plugin/modules
 =========================

+* [ipadnsconfig](README-dnsconfig.md)
+* [ipagroup](README-group.md)
+* [ipahbacrule](README-hbacrule.md)
+* [ipahbacsvc](README-hbacsvc.md)
+* [ipahbacsvcgroup](README-hbacsvc.md)
+* [ipahost](README-host.md)
+* [ipahostgroup](README-hostgroup.md)
+* [ipapwpolicy](README-pwpolicy.md)
+* [ipaservice](README-service.md)
+* [ipasudocmd](README-sudocmd.md)
+* [ipasudocmdgroup](README-sudocmdgroup.md)
+* [ipasudorule](README-sudorule.md)
 * [ipatopologysegment](README-topology.md)
 * [ipatopologysuffix](README-topology.md)
+* [ipauser](README-user.md)
+* [ipavault](README-vault.md)
--- a/galaxy.yml
+++ b/galaxy.yml
@@ -1,7 +1,7 @@
 namespace: "freeipa"
 name: "ansible_freeipa"
-version: "0.1.1"
-description: ""
+version: "A.B.C"
+description: "Ansible roles and modules for FreeIPA"

 authors:
  - "Thomas Woerner <twoerner@redhat.com>"
@@ -11,12 +11,12 @@ documentation: "https://github.com/freeipa/ansible-freeipa/blob/master/README.md
 homepage: "https://github.com/freeipa/ansible-freeipa"
 issues: "https://github.com/freeipa/ansible-freeipa/issues"

-dependencies: {}
-
 readme: "README.md"
 license: "GPL-3.0-or-later"
 license_file: "COPYING"

+dependencies:
+
 tags:
  - "identity"
  - "ipa"
--- a/playbooks/dnsconfig/disable-global-forwarders.yml
+++ b/playbooks/dnsconfig/disable-global-forwarders.yml
@@ -0,0 +1,9 @@
+---
+- name: Playbook to disable global DNS forwarders
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  - name: Disable global forwarders.
+    ipadnsconfig:
+      forward_policy: none
--- a/playbooks/dnsconfig/disallow-reverse-sync.yml
+++ b/playbooks/dnsconfig/disallow-reverse-sync.yml
@@ -0,0 +1,9 @@
+---
+- name: Playbook to disallow reverse record synchronization.
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  - name: Disallow reverse record synchronization.
+    ipadnsconfig:
+      allow_sync_ptr: no
--- a/playbooks/dnsconfig/forwarders-absent.yml
+++ b/playbooks/dnsconfig/forwarders-absent.yml
@@ -0,0 +1,13 @@
+---
+- name: Playbook to handle global DNS configuration
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  - name: Set dnsconfig.
+    ipadnsconfig:
+      forwarders:
+        - ip_address: 8.8.4.4
+        - ip_address: 2001:4860:4860::8888
+          port: 53
+      state: absent
--- a/playbooks/dnsconfig/set-configuration.yml
+++ b/playbooks/dnsconfig/set-configuration.yml
@@ -0,0 +1,14 @@
+---
+- name: Playbook to handle global DNS configuration
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  - name: Set dnsconfig.
+    ipadnsconfig:
+      forwarders:
+        - ip_address: 8.8.4.4
+        - ip_address: 2001:4860:4860::8888
+          port: 53
+      forward_policy: only
+      allow_sync_ptr: yes
--- a/playbooks/hbacrule/ensure-hbarule-allhosts-absent.yml
+++ b/playbooks/hbacrule/ensure-hbarule-allhosts-absent.yml
@@ -0,0 +1,12 @@
+---
+- name: Tests
+  hosts: ipaserver
+  become: true
+  gather_facts: false
+
+  tasks:
+  - name: Ensure HBAC Rule allhosts is absent
+    ipahbacrule:
+      ipaadmin_password: SomeADMINpassword
+      name: allhosts
+      state: absent
--- a/playbooks/hbacrule/ensure-hbarule-allhosts-disabled.yml
+++ b/playbooks/hbacrule/ensure-hbarule-allhosts-disabled.yml
@@ -0,0 +1,12 @@
+---
+- name: Tests
+  hosts: ipaserver
+  become: true
+  gather_facts: false
+
+  tasks:
+  - name: Ensure HBAC Rule allhosts is disabled
+    ipahbacrule:
+      ipaadmin_password: SomeADMINpassword
+      name: allhosts
+      state: disabled
--- a/playbooks/hbacrule/ensure-hbarule-allhosts-enabled.yml
+++ b/playbooks/hbacrule/ensure-hbarule-allhosts-enabled.yml
@@ -0,0 +1,12 @@
+---
+- name: Tests
+  hosts: ipaserver
+  become: true
+  gather_facts: false
+
+  tasks:
+  - name: Ensure HBAC Rule allhosts is enabled
+    ipahbacrule:
+      ipaadmin_password: SomeADMINpassword
+      name: allhosts
+      state: enabled
--- a/playbooks/hbacrule/ensure-hbarule-allhosts-present.yml
+++ b/playbooks/hbacrule/ensure-hbarule-allhosts-present.yml
@@ -0,0 +1,12 @@
+---
+- name: Tests
+  hosts: ipaserver
+  become: true
+  gather_facts: false
+
+  tasks:
+  - name: Ensure HBAC Rule allhosts is present
+    ipahbacrule:
+      ipaadmin_password: SomeADMINpassword
+      name: allhosts
+      usercategory: all
--- a/playbooks/hbacrule/ensure-hbarule-allhosts-server-member-absent.yml
+++ b/playbooks/hbacrule/ensure-hbarule-allhosts-server-member-absent.yml
@@ -0,0 +1,14 @@
+---
+- name: Tests
+  hosts: ipaserver
+  become: true
+  gather_facts: false
+
+  tasks:
+  - name: Ensure host server is absent in HBAC Rule allhosts
+    ipahbacrule:
+      ipaadmin_password: SomeADMINpassword
+      name: allhosts
+      host: server
+      action: member
+      state: absent
--- a/playbooks/hbacrule/ensure-hbarule-allhosts-server-member-present.yml
+++ b/playbooks/hbacrule/ensure-hbarule-allhosts-server-member-present.yml
@@ -0,0 +1,13 @@
+---
+- name: Tests
+  hosts: ipaserver
+  become: true
+  gather_facts: false
+
+  tasks:
+  - name: Ensure host server is present in HBAC Rule allhosts
+    ipahbacrule:
+      ipaadmin_password: SomeADMINpassword
+      name: allhosts
+      host: server
+      action: member
--- a/playbooks/hbacsvc/ensure-hbacsvc-absent.yml
+++ b/playbooks/hbacsvc/ensure-hbacsvc-absent.yml
@@ -0,0 +1,12 @@
+---
+- name: Tests
+  hosts: ipaserver
+  become: true
+  gather_facts: false
+
+  tasks:
+  - name: Ensure HBAC Services for http and tftp are absent
+    ipahbacsvc:
+      ipaadmin_password: SomeADMINpassword
+      name: http,tftp
+      state: absent
--- a/playbooks/hbacsvc/ensure-hbacsvc-present.yml
+++ b/playbooks/hbacsvc/ensure-hbacsvc-present.yml
@@ -0,0 +1,18 @@
+---
+- name: Tests
+  hosts: ipaserver
+  become: true
+  gather_facts: false
+
+  tasks:
+  - name: Ensure HBAC Service for http is present
+    ipahbacsvc:
+      ipaadmin_password: SomeADMINpassword
+      name: http
+      description: Web service
+
+  - name: Ensure HBAC Service for tftp is present
+    ipahbacsvc:
+      ipaadmin_password: SomeADMINpassword
+      name: tftp
+      description: TFTP service
--- a/playbooks/hbacsvcgroup/ensure-hbacsvcgroup-absent.yml
+++ b/playbooks/hbacsvcgroup/ensure-hbacsvcgroup-absent.yml
@@ -0,0 +1,14 @@
+---
+- name: Tests
+  hosts: ipaserver
+  become: true
+  gather_facts: false
+
+  tasks:
+  - name: Ensure HBAC Service Group login is absent
+    ipahbacsvcgroup:
+      ipaadmin_password: SomeADMINpassword
+      name: login
+      hbacsvc:
+      - sshd
+      state: absent
--- a/playbooks/hbacsvcgroup/ensure-hbacsvcgroup-member-absent.yml
+++ b/playbooks/hbacsvcgroup/ensure-hbacsvcgroup-member-absent.yml
@@ -0,0 +1,15 @@
+---
+- name: Tests
+  hosts: ipaserver
+  become: true
+  gather_facts: false
+
+  tasks:
+  - name: Ensure HBAC Services sshd is absent in HBAC Service Group login
+    ipahbacsvcgroup:
+      ipaadmin_password: SomeADMINpassword
+      name: login
+      hbacsvc:
+      - sshd
+      action: member
+      state: absent
--- a/playbooks/hbacsvcgroup/ensure-hbacsvcgroup-member-present.yml
+++ b/playbooks/hbacsvcgroup/ensure-hbacsvcgroup-member-present.yml
@@ -0,0 +1,14 @@
+---
+- name: Tests
+  hosts: ipaserver
+  become: true
+  gather_facts: false
+
+  tasks:
+  - name: Ensure HBAC Service sshd is present in HBAC Service Group login
+    ipahbacsvcgroup:
+      ipaadmin_password: SomeADMINpassword
+      name: login
+      hbacsvc:
+      - sshd
+      action: member
--- a/playbooks/hbacsvcgroup/ensure-hbacsvcgroup-present.yml
+++ b/playbooks/hbacsvcgroup/ensure-hbacsvcgroup-present.yml
@@ -0,0 +1,14 @@
+---
+- name: Tests
+  hosts: ipaserver
+  become: true
+  gather_facts: false
+
+  tasks:
+  - name: Ensure HBAC Service sshd is present in HBAC Service Group login
+    ipahbacsvcgroup:
+      ipaadmin_password: SomeADMINpassword
+      name: login
+      hbacsvc:
+      - sshd
+      action: member
--- a/playbooks/host/add-host.yml
+++ b/playbooks/host/add-host.yml
@@ -0,0 +1 @@
+host-present.yml
--- a/playbooks/host/delete-host.yml
+++ b/playbooks/host/delete-host.yml
@@ -0,0 +1,11 @@
+---
+- name: Playbook to handle hosts
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  - name: Ensure host host01.example.com is absent
+    ipahost:
+      ipaadmin_password: SomeADMINpassword
+      name: host01.example.com
+      state: absent
--- a/playbooks/host/disable-host.yml
+++ b/playbooks/host/disable-host.yml
@@ -0,0 +1,11 @@
+---
+- name: Playbook to handle hosts
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  - name: Disable host host01.example.com
+    ipahost:
+      ipaadmin_password: SomeADMINpassword
+      name: host01.example.com
+      state: disabled
--- a/playbooks/host/ensure_host_with_randompassword.yml
+++ b/playbooks/host/ensure_host_with_randompassword.yml
@@ -0,0 +1,18 @@
+---
+- name: Ensure host with random password
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  - name: Host "{{ 'host1.' + ipaserver_domain }}" present with random password
+    ipahost:
+      ipaadmin_password: SomeADMINpassword
+      name: "{{ 'host1.' + ipaserver_domain }}"
+      random: yes
+      force: yes
+      update_password: on_create
+    register: ipahost
+
+  - name: Print generated random password
+    debug:
+      var: ipahost.host.randompassword
--- a/playbooks/host/host-member-allow_create_keytab-absent.yml
+++ b/playbooks/host/host-member-allow_create_keytab-absent.yml
@@ -0,0 +1,24 @@
+---
+- name: Host member allow_create_keytab absent
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  - name: Host host1.example.com members allow_create_keytab absent for users, groups, hosts and hostgroups
+    ipahost:
+      ipaadmin_password: SomeADMINpassword
+      name: host01.exmaple.com
+      allow_create_keytab_user:
+      - user01
+      - user02
+      allow_create_keytab_group:
+      - group01
+      - group02
+      allow_create_keytab_host:
+      - host02.exmaple.com
+      - host03.exmaple.com
+      allow_create_keytab_hostgroup:
+      - hostgroup01
+      - hostgroup02
+      action: member
+      state: absent
--- a/playbooks/host/host-member-allow_create_keytab-present.yml
+++ b/playbooks/host/host-member-allow_create_keytab-present.yml
@@ -0,0 +1,23 @@
+---
+- name: Host member allow_create_keytab present
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  - name: Host host1.example.com members allow_create_keytab present for users, groups, hosts and hostgroups
+    ipahost:
+      ipaadmin_password: SomeADMINpassword
+      name: host01.exmaple.com
+      allow_create_keytab_user:
+      - user01
+      - user02
+      allow_create_keytab_group:
+      - group01
+      - group02
+      allow_create_keytab_host:
+      - host02.exmaple.com
+      - host03.exmaple.com
+      allow_create_keytab_hostgroup:
+      - hostgroup01
+      - hostgroup02
+      action: member
--- a/playbooks/host/host-member-allow_retrieve_keytab-absent.yml
+++ b/playbooks/host/host-member-allow_retrieve_keytab-absent.yml
@@ -0,0 +1,24 @@
+---
+- name: Host member allow_retrieve_keytab absent
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  - name: Host host1.example.com members allow_retrieve_keytab absent for users, groups, hosts and hostgroups
+    ipahost:
+      ipaadmin_password: SomeADMINpassword
+      name: host01.exmaple.com
+      allow_retrieve_keytab_user:
+      - user01
+      - user02
+      allow_retrieve_keytab_group:
+      - group01
+      - group02
+      allow_retrieve_keytab_host:
+      - host02.exmaple.com
+      - host03.exmaple.com
+      allow_retrieve_keytab_hostgroup:
+      - hostgroup01
+      - hostgroup02
+      action: member
+      state: absent
--- a/playbooks/host/host-member-allow_retrieve_keytab-present.yml
+++ b/playbooks/host/host-member-allow_retrieve_keytab-present.yml
@@ -0,0 +1,23 @@
+---
+- name: Host member allow_retrieve_keytab present
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  - name: Host host1.example.com members allow_retrieve_keytab present for users, groups, hosts and hostgroups
+    ipahost:
+      ipaadmin_password: SomeADMINpassword
+      name: host01.exmaple.com
+      allow_retrieve_keytab_user:
+      - user01
+      - user02
+      allow_retrieve_keytab_group:
+      - group01
+      - group02
+      allow_retrieve_keytab_host:
+      - host02.exmaple.com
+      - host03.exmaple.com
+      allow_retrieve_keytab_hostgroup:
+      - hostgroup01
+      - hostgroup02
+      action: member
--- a/playbooks/host/host-member-certificate-absent.yml
+++ b/playbooks/host/host-member-certificate-absent.yml
@@ -0,0 +1,13 @@
+- name: Host member certificate absent
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  - name: Host host01.example.com member certificate absent
+    ipahost:
+      ipaadmin_password: SomeADMINpassword
+      name: host01.example.com
+      certificate:
+      - MIIC/zCCAeegAwIBAgIUZGHLaSYg1myp6EI4VGWSC27vOrswDQYJKoZIhvcNAQELBQAwDzENMAsGA1UEAwwEdGVzdDAeFw0xOTEwMTQxNjI4MzVaFw0yMDEwMTMxNjI4MzVaMA8xDTALBgNVBAMMBHRlc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDER/lB8wUAmPTSwSc/NOXNlzdpPOQDSwrhKH6XsqZF4KpQoSY/nmCjAhJmOVpOUo4K2fGRZ0yAH9fkGv6yJP6c7IAFjLeec7GPHVwN4bZrP1DXfTAmfmXhcRQbCYkV+wmq8Puzw/+xA9EJrrodnJPPsE6E8HnSVLF6Ys9+cJMJ7HuwOI+wYt3gkmspsir1tccmf4x1PP+yHJWdcXyetlFRcmZ8gspjqOR2jb89xSQsh8gcyDW6rPNlSTzYZ2FmNtjES6ZhCsYL31fQbF2QglidlLGpAlvHUUS+xCigW73cvhFPMWXcfO51Mr15RcgYTckY+7QZ2nYqplRBoDlQl6DnAgMBAAGjUzBRMB0GA1UdDgQWBBTPG99XVRdxpOXMZo3Nhy+ldnf13TAfBgNVHSMEGDAWgBTPG99XVRdxpOXMZo3Nhy+ldnf13TAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAjWTcnIl2mpNbfHAN8DB4Kk+RNRmhsH0y+r/47MXVTMMMToCfofeNY3Jeohu+2lIXMPQfTvXUbDTkNAGsGLv6LtQEUfSREqgk1eY7bT9BFfpH1uV2ZFhCO9jBA+E4bf55Kx7bgUNG31ykBshOsOblOJM1lS/0q4TWHAxrsU2PNwPi8X0ten+eGeB8aRshxS17Ij2cH0fdAMmSA+jMAvTIZl853Bxe0HuozauKwOFWL4qHm61c4O/j1mQCLqJKYfJ9mBDWFQLszd/tF+ePKiNhZCQly60F8Lumn2CDZj5UIkl8wk9Wls5n1BIQs+M8AN65NAdv7+js8jKUKCuyji8r3
+      action: member
+      state: absent
--- a/playbooks/host/host-member-certificate-present.yml
+++ b/playbooks/host/host-member-certificate-present.yml
@@ -0,0 +1,12 @@
+- name: Host member certificate present
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  - name: Host host01.example.com member certificate present
+    ipahost:
+      ipaadmin_password: SomeADMINpassword
+      name: host01.example.com
+      certificate:
+      - MIIC/zCCAeegAwIBAgIUZGHLaSYg1myp6EI4VGWSC27vOrswDQYJKoZIhvcNAQELBQAwDzENMAsGA1UEAwwEdGVzdDAeFw0xOTEwMTQxNjI4MzVaFw0yMDEwMTMxNjI4MzVaMA8xDTALBgNVBAMMBHRlc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDER/lB8wUAmPTSwSc/NOXNlzdpPOQDSwrhKH6XsqZF4KpQoSY/nmCjAhJmOVpOUo4K2fGRZ0yAH9fkGv6yJP6c7IAFjLeec7GPHVwN4bZrP1DXfTAmfmXhcRQbCYkV+wmq8Puzw/+xA9EJrrodnJPPsE6E8HnSVLF6Ys9+cJMJ7HuwOI+wYt3gkmspsir1tccmf4x1PP+yHJWdcXyetlFRcmZ8gspjqOR2jb89xSQsh8gcyDW6rPNlSTzYZ2FmNtjES6ZhCsYL31fQbF2QglidlLGpAlvHUUS+xCigW73cvhFPMWXcfO51Mr15RcgYTckY+7QZ2nYqplRBoDlQl6DnAgMBAAGjUzBRMB0GA1UdDgQWBBTPG99XVRdxpOXMZo3Nhy+ldnf13TAfBgNVHSMEGDAWgBTPG99XVRdxpOXMZo3Nhy+ldnf13TAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAjWTcnIl2mpNbfHAN8DB4Kk+RNRmhsH0y+r/47MXVTMMMToCfofeNY3Jeohu+2lIXMPQfTvXUbDTkNAGsGLv6LtQEUfSREqgk1eY7bT9BFfpH1uV2ZFhCO9jBA+E4bf55Kx7bgUNG31ykBshOsOblOJM1lS/0q4TWHAxrsU2PNwPi8X0ten+eGeB8aRshxS17Ij2cH0fdAMmSA+jMAvTIZl853Bxe0HuozauKwOFWL4qHm61c4O/j1mQCLqJKYfJ9mBDWFQLszd/tF+ePKiNhZCQly60F8Lumn2CDZj5UIkl8wk9Wls5n1BIQs+M8AN65NAdv7+js8jKUKCuyji8r3
+      action: member
--- a/playbooks/host/host-member-ipaddresses-absent.yml
+++ b/playbooks/host/host-member-ipaddresses-absent.yml
@@ -0,0 +1,17 @@
+---
+- name: Host member IP addresses absent
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  - name: Ensure host01.example.com IP addresses absent
+    ipahost:
+      ipaadmin_password: SomeADMINpassword
+      name: host01.example.com
+      ip_address:
+      - 192.168.0.123
+      - fe80::20c:29ff:fe02:a1b3
+      - 192.168.0.124
+      - fe80::20c:29ff:fe02:a1b4
+      action: member
+      state: absent
--- a/playbooks/host/host-member-ipaddresses-present.yml
+++ b/playbooks/host/host-member-ipaddresses-present.yml
@@ -0,0 +1,16 @@
+---
+- name: Host member IP addresses present
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  - name: Ensure host01.example.com IP addresses present
+    ipahost:
+      ipaadmin_password: SomeADMINpassword
+      name: host01.example.com
+      ip_address:
+      - 192.168.0.123
+      - fe80::20c:29ff:fe02:a1b3
+      - 192.168.0.124
+      - fe80::20c:29ff:fe02:a1b4
+      action: member
--- a/playbooks/host/host-member-managedby_host-absent.yml
+++ b/playbooks/host/host-member-managedby_host-absent.yml
@@ -0,0 +1,12 @@
+---
+- name: Host member managedby_host absent
+  hosts: ipaserver
+  become: true
+
+  tasks:
+    ipahost:
+      ipaadmin_password: SomeADMINpassword
+      name: host01.exmaple.com
+      managedby_host: server.exmaple.com
+      action: member
+      state: absent
--- a/playbooks/host/host-member-managedby_host-present.yml
+++ b/playbooks/host/host-member-managedby_host-present.yml
@@ -0,0 +1,11 @@
+---
+- name: Host member managedby_host present
+  hosts: ipaserver
+  become: true
+
+  tasks:
+    ipahost:
+      ipaadmin_password: SomeADMINpassword
+      name: host01.exmaple.com
+      managedby_host: server.exmaple.com
+      action: member
--- a/playbooks/host/host-member-principal-absent.yml
+++ b/playbooks/host/host-member-principal-absent.yml
@@ -0,0 +1,15 @@
+---
+- name: Host member principal absent
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  - name: Host host01.example.com principals host/testhost01.example.com and host/myhost01.example.com absent
+    ipahost:
+      ipaadmin_password: SomeADMINpassword
+      name: host01.example.com
+      principal:
+      - host/testhost01.example.com
+      - host/myhost01.example.com
+      action: member
+      state: absent
--- a/playbooks/host/host-member-principal-present.yml
+++ b/playbooks/host/host-member-principal-present.yml
@@ -0,0 +1,14 @@
+---
+- name: Host member principal present
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  - name: Host host01.example.com principals host/testhost01.example.com and host/myhost01.example.com present
+    ipahost:
+      ipaadmin_password: SomeADMINpassword
+      name: host01.example.com
+      principal:
+      - host/testhost01.example.com
+      - host/myhost01.example.com
+      action: member
--- a/playbooks/host/host-present-with-allow_create_keytab.yml
+++ b/playbooks/host/host-present-with-allow_create_keytab.yml
@@ -0,0 +1,23 @@
+---
+- name: Host present with allow_create_keytab
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  - name: Host host1.example.com present with allow_create_keytab for users, groups, hosts and hostgroups
+    ipahost:
+      ipaadmin_password: SomeADMINpassword
+      name: host01.exmaple.com
+      allow_create_keytab_user:
+      - user01
+      - user02
+      allow_create_keytab_group:
+      - group01
+      - group02
+      allow_create_keytab_host:
+      - host02.exmaple.com
+      - host03.exmaple.com
+      allow_create_keytab_hostgroup:
+      - hostgroup01
+      - hostgroup02
+      ip_address: 192.168.0.123
--- a/playbooks/host/host-present-with-allow_retrieve_keytab.yml
+++ b/playbooks/host/host-present-with-allow_retrieve_keytab.yml
@@ -0,0 +1,23 @@
+---
+- name: Host present with allow_retrieve_keytab
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  - name: Host host1.example.com present with allow_retrieve_keytab for users, groups, hosts and hostgroups
+    ipahost:
+      ipaadmin_password: SomeADMINpassword
+      name: host01.exmaple.com
+      allow_retrieve_keytab_user:
+      - user01
+      - user02
+      allow_retrieve_keytab_group:
+      - group01
+      - group02
+      allow_retrieve_keytab_host:
+      - host02.exmaple.com
+      - host03.exmaple.com
+      allow_retrieve_keytab_hostgroup:
+      - hostgroup01
+      - hostgroup02
+      ip_address: 192.168.0.123
--- a/playbooks/host/host-present-with-certificate.yml
+++ b/playbooks/host/host-present-with-certificate.yml
@@ -0,0 +1,12 @@
+- name: Host present with certificate
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  - name: Host host01.example.com present with certificate
+    ipahost:
+      ipaadmin_password: SomeADMINpassword
+      name: host01.example.com
+      certificate:
+      - MIIC/zCCAeegAwIBAgIUZGHLaSYg1myp6EI4VGWSC27vOrswDQYJKoZIhvcNAQELBQAwDzENMAsGA1UEAwwEdGVzdDAeFw0xOTEwMTQxNjI4MzVaFw0yMDEwMTMxNjI4MzVaMA8xDTALBgNVBAMMBHRlc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDER/lB8wUAmPTSwSc/NOXNlzdpPOQDSwrhKH6XsqZF4KpQoSY/nmCjAhJmOVpOUo4K2fGRZ0yAH9fkGv6yJP6c7IAFjLeec7GPHVwN4bZrP1DXfTAmfmXhcRQbCYkV+wmq8Puzw/+xA9EJrrodnJPPsE6E8HnSVLF6Ys9+cJMJ7HuwOI+wYt3gkmspsir1tccmf4x1PP+yHJWdcXyetlFRcmZ8gspjqOR2jb89xSQsh8gcyDW6rPNlSTzYZ2FmNtjES6ZhCsYL31fQbF2QglidlLGpAlvHUUS+xCigW73cvhFPMWXcfO51Mr15RcgYTckY+7QZ2nYqplRBoDlQl6DnAgMBAAGjUzBRMB0GA1UdDgQWBBTPG99XVRdxpOXMZo3Nhy+ldnf13TAfBgNVHSMEGDAWgBTPG99XVRdxpOXMZo3Nhy+ldnf13TAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAjWTcnIl2mpNbfHAN8DB4Kk+RNRmhsH0y+r/47MXVTMMMToCfofeNY3Jeohu+2lIXMPQfTvXUbDTkNAGsGLv6LtQEUfSREqgk1eY7bT9BFfpH1uV2ZFhCO9jBA+E4bf55Kx7bgUNG31ykBshOsOblOJM1lS/0q4TWHAxrsU2PNwPi8X0ten+eGeB8aRshxS17Ij2cH0fdAMmSA+jMAvTIZl853Bxe0HuozauKwOFWL4qHm61c4O/j1mQCLqJKYfJ9mBDWFQLszd/tF+ePKiNhZCQly60F8Lumn2CDZj5UIkl8wk9Wls5n1BIQs+M8AN65NAdv7+js8jKUKCuyji8r3
+      force: yes
--- a/playbooks/host/host-present-with-managedby_host.yml
+++ b/playbooks/host/host-present-with-managedby_host.yml
@@ -0,0 +1,11 @@
+---
+- name: Host present with managedby_host
+  hosts: ipaserver
+  become: true
+
+  tasks:
+    ipahost:
+      ipaadmin_password: SomeADMINpassword
+      name: host01.exmaple.com
+      managedby_host: server.exmaple.com
+      force: yes
--- a/playbooks/host/host-present-with-principal.yml
+++ b/playbooks/host/host-present-with-principal.yml
@@ -0,0 +1,14 @@
+---
+- name: Host present with principal
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  - name: Host host01.example.com present with principals host/testhost01.example.com and host/myhost01.example.com
+    ipahost:
+      ipaadmin_password: SomeADMINpassword
+      name: host01.example.com
+      principal:
+      - host/testhost01.example.com
+      - host/myhost01.example.com
+      force: yes
--- a/playbooks/host/host-present-with-randompassword.yml
+++ b/playbooks/host/host-present-with-randompassword.yml
@@ -0,0 +1,17 @@
+---
+- name: Host present with random password
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  - name: Host host01.example.com present with random password
+    ipahost:
+      ipaadmin_password: SomeADMINpassword
+      name: host01.example.com
+      random: yes
+      force: yes
+    register: ipahost
+
+  - name: Print generated random password
+    debug:
+      var: ipahost.host.randompassword
--- a/playbooks/host/host-present-with-several-ip-addresses.yml
+++ b/playbooks/host/host-present-with-several-ip-addresses.yml
@@ -0,0 +1,24 @@
+---
+- name: Host present with several IP addresses
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  - name: Ensure host is present
+    ipahost:
+      ipaadmin_password: SomeADMINpassword
+      name: host01.example.com
+      description: Example host
+      ip_address:
+      - 192.168.0.123
+      - fe80::20c:29ff:fe02:a1b3
+      - 192.168.0.124
+      - fe80::20c:29ff:fe02:a1b4
+      locality: Lab
+      ns_host_location: Lab
+      ns_os_version: CentOS 7
+      ns_hardware_platform: Lenovo T61
+      mac_address:
+      - "08:00:27:E3:B1:2D"
+      - "52:54:00:BD:97:1E"
+      state: present
--- a/playbooks/host/host-present.yml
+++ b/playbooks/host/host-present.yml
@@ -0,0 +1,20 @@
+---
+- name: Host present
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  - name: Ensure host is present
+    ipahost:
+      ipaadmin_password: SomeADMINpassword
+      name: host01.example.com
+      description: Example host
+      ip_address: 192.168.0.123
+      locality: Lab
+      ns_host_location: Lab
+      ns_os_version: CentOS 7
+      ns_hardware_platform: Lenovo T61
+      mac_address:
+      - "08:00:27:E3:B1:2D"
+      - "52:54:00:BD:97:1E"
+      state: present
--- a/playbooks/host/hosts-member-certificate-absent.yml
+++ b/playbooks/host/hosts-member-certificate-absent.yml
@@ -0,0 +1,18 @@
+---
+- name: Hosts member certificate absent
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  - name: Hosts host01.example.com and host01.exmaple.com member certificate absent
+    ipahost:
+      ipaadmin_password: SomeADMINpassword
+      hosts:
+      - name: host01.example.com
+        certificate:
+        - MIIC/zCCAeegAwIBAgIUZGHLaSYg1myp6EI4VGWSC27vOrswDQYJKoZIhvcNAQELBQAwDzENMAsGA1UEAwwEdGVzdDAeFw0xOTEwMTQxNjI4MzVaFw0yMDEwMTMxNjI4MzVaMA8xDTALBgNVBAMMBHRlc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDER/lB8wUAmPTSwSc/NOXNlzdpPOQDSwrhKH6XsqZF4KpQoSY/nmCjAhJmOVpOUo4K2fGRZ0yAH9fkGv6yJP6c7IAFjLeec7GPHVwN4bZrP1DXfTAmfmXhcRQbCYkV+wmq8Puzw/+xA9EJrrodnJPPsE6E8HnSVLF6Ys9+cJMJ7HuwOI+wYt3gkmspsir1tccmf4x1PP+yHJWdcXyetlFRcmZ8gspjqOR2jb89xSQsh8gcyDW6rPNlSTzYZ2FmNtjES6ZhCsYL31fQbF2QglidlLGpAlvHUUS+xCigW73cvhFPMWXcfO51Mr15RcgYTckY+7QZ2nYqplRBoDlQl6DnAgMBAAGjUzBRMB0GA1UdDgQWBBTPG99XVRdxpOXMZo3Nhy+ldnf13TAfBgNVHSMEGDAWgBTPG99XVRdxpOXMZo3Nhy+ldnf13TAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAjWTcnIl2mpNbfHAN8DB4Kk+RNRmhsH0y+r/47MXVTMMMToCfofeNY3Jeohu+2lIXMPQfTvXUbDTkNAGsGLv6LtQEUfSREqgk1eY7bT9BFfpH1uV2ZFhCO9jBA+E4bf55Kx7bgUNG31ykBshOsOblOJM1lS/0q4TWHAxrsU2PNwPi8X0ten+eGeB8aRshxS17Ij2cH0fdAMmSA+jMAvTIZl853Bxe0HuozauKwOFWL4qHm61c4O/j1mQCLqJKYfJ9mBDWFQLszd/tF+ePKiNhZCQly60F8Lumn2CDZj5UIkl8wk9Wls5n1BIQs+M8AN65NAdv7+js8jKUKCuyji8r3
+      - name: host02.example.com
+        certificate:
+        - MIIC/zCCAeegAwIBAgIUAWE1vaA+mZd3nwZqwWH64EbHvR0wDQYJKoZIhvcNAQELBQAwDzENMAsGA1UEAwwEdGVzdDAeFw0xOTEwMTQxNjI4NDVaFw0yMDEwMTMxNjI4NDVaMA8xDTALBgNVBAMMBHRlc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCWzJibKtN8Zf7LgandINhFonx99AKi44iaZkrlMKEObE6Faf8NTUbUgK3VfJNYmCbA1baLVJ0YZJijJ7S/4o7h7eeqcJVXJkEhWNTimWXNW/YCzTHe3SSapnSYOKmdHHRClplysL8OyyEG7pbX/aB9iAfFb/+vUFCX5sMwFFrYxOimKJ9Pc/NRFtdv1wNw1rqWKF1ZzagWRlG4QgzRGwQ4quc7yO98TKikj2OPiIt7Zd46hbqQxmgGBtCkVOZIhxu77OmNrFsXmM4rZZpmqh0UdqcpwkRojVnGXmNqeMCd6dNTnLhr9wukUYw0KgE57zCDVr9Ix+p/dA5R1mG4RJ2XAgMBAAGjUzBRMB0GA1UdDgQWBBSbuiH2lNVrID3yt1SsFwtOFKOnpTAfBgNVHSMEGDAWgBSbuiH2lNVrID3yt1SsFwtOFKOnpTAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQBCVWd293wWyohFqMFMHRBBg97T2Uc1yeT0dMH4BpuOaCqQp4q5ep+uLcXEI6+3mEwm8pa/ULQCD8yLLdotIWlG3+h/4boFpdiPFcBDgT8kGe+0KOzB8Nt7E13QYOu12MNi10qwGrjKhdhu1xBe4fpY5VCetVU1OLyuTsUyucQsFrtZI0SR83h+blbyoMZ7IhMngCfGUe1bnYeWnLbpFbigKfPuVDWsMH2kgj05EAd5EgHkWbX8QA8hmcmDKfNT3YZM8kiGQwmFrnQdq8bN0uHR8Nz+24cbmdbHcD65wlDW6GmYxi8mW+V6bAqn9pir/J14r4YFnqMGgjmdt81tscJV
+      action: member
+      state: absent
--- a/playbooks/host/hosts-member-certificate-present.yml
+++ b/playbooks/host/hosts-member-certificate-present.yml
@@ -0,0 +1,17 @@
+---
+- name: Hosts member certificate present
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  - name: Hosts host01.example.com and host01.exmaple.com member certificate present
+    ipahost:
+      ipaadmin_password: SomeADMINpassword
+      hosts:
+      - name: host01.example.com
+        certificate:
+        - MIIC/zCCAeegAwIBAgIUZGHLaSYg1myp6EI4VGWSC27vOrswDQYJKoZIhvcNAQELBQAwDzENMAsGA1UEAwwEdGVzdDAeFw0xOTEwMTQxNjI4MzVaFw0yMDEwMTMxNjI4MzVaMA8xDTALBgNVBAMMBHRlc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDER/lB8wUAmPTSwSc/NOXNlzdpPOQDSwrhKH6XsqZF4KpQoSY/nmCjAhJmOVpOUo4K2fGRZ0yAH9fkGv6yJP6c7IAFjLeec7GPHVwN4bZrP1DXfTAmfmXhcRQbCYkV+wmq8Puzw/+xA9EJrrodnJPPsE6E8HnSVLF6Ys9+cJMJ7HuwOI+wYt3gkmspsir1tccmf4x1PP+yHJWdcXyetlFRcmZ8gspjqOR2jb89xSQsh8gcyDW6rPNlSTzYZ2FmNtjES6ZhCsYL31fQbF2QglidlLGpAlvHUUS+xCigW73cvhFPMWXcfO51Mr15RcgYTckY+7QZ2nYqplRBoDlQl6DnAgMBAAGjUzBRMB0GA1UdDgQWBBTPG99XVRdxpOXMZo3Nhy+ldnf13TAfBgNVHSMEGDAWgBTPG99XVRdxpOXMZo3Nhy+ldnf13TAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAjWTcnIl2mpNbfHAN8DB4Kk+RNRmhsH0y+r/47MXVTMMMToCfofeNY3Jeohu+2lIXMPQfTvXUbDTkNAGsGLv6LtQEUfSREqgk1eY7bT9BFfpH1uV2ZFhCO9jBA+E4bf55Kx7bgUNG31ykBshOsOblOJM1lS/0q4TWHAxrsU2PNwPi8X0ten+eGeB8aRshxS17Ij2cH0fdAMmSA+jMAvTIZl853Bxe0HuozauKwOFWL4qHm61c4O/j1mQCLqJKYfJ9mBDWFQLszd/tF+ePKiNhZCQly60F8Lumn2CDZj5UIkl8wk9Wls5n1BIQs+M8AN65NAdv7+js8jKUKCuyji8r3
+      - name: host02.example.com
+        certificate:
+        - MIIC/zCCAeegAwIBAgIUAWE1vaA+mZd3nwZqwWH64EbHvR0wDQYJKoZIhvcNAQELBQAwDzENMAsGA1UEAwwEdGVzdDAeFw0xOTEwMTQxNjI4NDVaFw0yMDEwMTMxNjI4NDVaMA8xDTALBgNVBAMMBHRlc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCWzJibKtN8Zf7LgandINhFonx99AKi44iaZkrlMKEObE6Faf8NTUbUgK3VfJNYmCbA1baLVJ0YZJijJ7S/4o7h7eeqcJVXJkEhWNTimWXNW/YCzTHe3SSapnSYOKmdHHRClplysL8OyyEG7pbX/aB9iAfFb/+vUFCX5sMwFFrYxOimKJ9Pc/NRFtdv1wNw1rqWKF1ZzagWRlG4QgzRGwQ4quc7yO98TKikj2OPiIt7Zd46hbqQxmgGBtCkVOZIhxu77OmNrFsXmM4rZZpmqh0UdqcpwkRojVnGXmNqeMCd6dNTnLhr9wukUYw0KgE57zCDVr9Ix+p/dA5R1mG4RJ2XAgMBAAGjUzBRMB0GA1UdDgQWBBSbuiH2lNVrID3yt1SsFwtOFKOnpTAfBgNVHSMEGDAWgBSbuiH2lNVrID3yt1SsFwtOFKOnpTAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQBCVWd293wWyohFqMFMHRBBg97T2Uc1yeT0dMH4BpuOaCqQp4q5ep+uLcXEI6+3mEwm8pa/ULQCD8yLLdotIWlG3+h/4boFpdiPFcBDgT8kGe+0KOzB8Nt7E13QYOu12MNi10qwGrjKhdhu1xBe4fpY5VCetVU1OLyuTsUyucQsFrtZI0SR83h+blbyoMZ7IhMngCfGUe1bnYeWnLbpFbigKfPuVDWsMH2kgj05EAd5EgHkWbX8QA8hmcmDKfNT3YZM8kiGQwmFrnQdq8bN0uHR8Nz+24cbmdbHcD65wlDW6GmYxi8mW+V6bAqn9pir/J14r4YFnqMGgjmdt81tscJV
+      action: member
--- a/playbooks/host/hosts-member-managedby_host-absent.yml
+++ b/playbooks/host/hosts-member-managedby_host-absent.yml
@@ -0,0 +1,15 @@
+---
+- name: Hosts member managedby_host absent
+  hosts: ipaserver
+  become: true
+
+  tasks:
+    ipahost:
+      ipaadmin_password: SomeADMINpassword
+      hosts:
+      - name: host01.exmaple.com
+        managedby_host: server.exmaple.com
+      - name: host02.exmaple.com
+        managedby_host: server.exmaple.com
+      action: member
+      state: absent
--- a/playbooks/host/hosts-member-managedby_host-present.yml
+++ b/playbooks/host/hosts-member-managedby_host-present.yml
@@ -0,0 +1,14 @@
+---
+- name: Hosts member managedby_host present
+  hosts: ipaserver
+  become: true
+
+  tasks:
+    ipahost:
+      ipaadmin_password: SomeADMINpassword
+      hosts:
+      - name: host01.exmaple.com
+        managedby_host: server.exmaple.com
+      - name: host02.exmaple.com
+        managedby_host: server.exmaple.com
+      action: member
--- a/playbooks/host/hosts-member-principal-absent.yml
+++ b/playbooks/host/hosts-member-principal-absent.yml
@@ -0,0 +1,18 @@
+---
+- name: Host member principal absent
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  - name: Hosts host01.exmaple.com and host02.exmaple.com member principals host/testhost0X.exmaple.com absent
+    ipahost:
+      ipaadmin_password: SomeADMINpassword
+      hosts:
+      - name: host01.exmaple.com
+        principal:
+        - host/testhost01.exmaple.com
+      - name: host02.exmaple.com
+        principal:
+        - host/testhost02.exmaple.com
+      action: member
+      state: absent
--- a/playbooks/host/hosts-member-principal-present.yml
+++ b/playbooks/host/hosts-member-principal-present.yml
@@ -0,0 +1,17 @@
+---
+- name: Hosts member principal present
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  - name: Hosts host01.exmaple.com and host02.exmaple.com member principals host/testhost0X.exmaple.com present
+    ipahost:
+      ipaadmin_password: SomeADMINpassword
+      hosts:
+      - name: host01.exmaple.com
+        principal:
+        - host/testhost01.exmaple.com
+      - name: host02.exmaple.com
+        principal:
+        - host/testhost02.exmaple.com
+      action: member
--- a/playbooks/host/hosts-present-with-certificate.yml
+++ b/playbooks/host/hosts-present-with-certificate.yml
@@ -0,0 +1,17 @@
+---
+- name: Hosts present with certificate
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  - name: Hosts host01.example.com and host01.exmaple.com present with certificate
+    ipahost:
+      ipaadmin_password: SomeADMINpassword
+      hosts:
+      - name: host01.example.com
+        certificate:
+        - MIIC/zCCAeegAwIBAgIUZGHLaSYg1myp6EI4VGWSC27vOrswDQYJKoZIhvcNAQELBQAwDzENMAsGA1UEAwwEdGVzdDAeFw0xOTEwMTQxNjI4MzVaFw0yMDEwMTMxNjI4MzVaMA8xDTALBgNVBAMMBHRlc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDER/lB8wUAmPTSwSc/NOXNlzdpPOQDSwrhKH6XsqZF4KpQoSY/nmCjAhJmOVpOUo4K2fGRZ0yAH9fkGv6yJP6c7IAFjLeec7GPHVwN4bZrP1DXfTAmfmXhcRQbCYkV+wmq8Puzw/+xA9EJrrodnJPPsE6E8HnSVLF6Ys9+cJMJ7HuwOI+wYt3gkmspsir1tccmf4x1PP+yHJWdcXyetlFRcmZ8gspjqOR2jb89xSQsh8gcyDW6rPNlSTzYZ2FmNtjES6ZhCsYL31fQbF2QglidlLGpAlvHUUS+xCigW73cvhFPMWXcfO51Mr15RcgYTckY+7QZ2nYqplRBoDlQl6DnAgMBAAGjUzBRMB0GA1UdDgQWBBTPG99XVRdxpOXMZo3Nhy+ldnf13TAfBgNVHSMEGDAWgBTPG99XVRdxpOXMZo3Nhy+ldnf13TAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAjWTcnIl2mpNbfHAN8DB4Kk+RNRmhsH0y+r/47MXVTMMMToCfofeNY3Jeohu+2lIXMPQfTvXUbDTkNAGsGLv6LtQEUfSREqgk1eY7bT9BFfpH1uV2ZFhCO9jBA+E4bf55Kx7bgUNG31ykBshOsOblOJM1lS/0q4TWHAxrsU2PNwPi8X0ten+eGeB8aRshxS17Ij2cH0fdAMmSA+jMAvTIZl853Bxe0HuozauKwOFWL4qHm61c4O/j1mQCLqJKYfJ9mBDWFQLszd/tF+ePKiNhZCQly60F8Lumn2CDZj5UIkl8wk9Wls5n1BIQs+M8AN65NAdv7+js8jKUKCuyji8r3
+      - name: host02.example.com
+        certificate:
+        - MIIC/zCCAeegAwIBAgIUAWE1vaA+mZd3nwZqwWH64EbHvR0wDQYJKoZIhvcNAQELBQAwDzENMAsGA1UEAwwEdGVzdDAeFw0xOTEwMTQxNjI4NDVaFw0yMDEwMTMxNjI4NDVaMA8xDTALBgNVBAMMBHRlc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCWzJibKtN8Zf7LgandINhFonx99AKi44iaZkrlMKEObE6Faf8NTUbUgK3VfJNYmCbA1baLVJ0YZJijJ7S/4o7h7eeqcJVXJkEhWNTimWXNW/YCzTHe3SSapnSYOKmdHHRClplysL8OyyEG7pbX/aB9iAfFb/+vUFCX5sMwFFrYxOimKJ9Pc/NRFtdv1wNw1rqWKF1ZzagWRlG4QgzRGwQ4quc7yO98TKikj2OPiIt7Zd46hbqQxmgGBtCkVOZIhxu77OmNrFsXmM4rZZpmqh0UdqcpwkRojVnGXmNqeMCd6dNTnLhr9wukUYw0KgE57zCDVr9Ix+p/dA5R1mG4RJ2XAgMBAAGjUzBRMB0GA1UdDgQWBBSbuiH2lNVrID3yt1SsFwtOFKOnpTAfBgNVHSMEGDAWgBSbuiH2lNVrID3yt1SsFwtOFKOnpTAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQBCVWd293wWyohFqMFMHRBBg97T2Uc1yeT0dMH4BpuOaCqQp4q5ep+uLcXEI6+3mEwm8pa/ULQCD8yLLdotIWlG3+h/4boFpdiPFcBDgT8kGe+0KOzB8Nt7E13QYOu12MNi10qwGrjKhdhu1xBe4fpY5VCetVU1OLyuTsUyucQsFrtZI0SR83h+blbyoMZ7IhMngCfGUe1bnYeWnLbpFbigKfPuVDWsMH2kgj05EAd5EgHkWbX8QA8hmcmDKfNT3YZM8kiGQwmFrnQdq8bN0uHR8Nz+24cbmdbHcD65wlDW6GmYxi8mW+V6bAqn9pir/J14r4YFnqMGgjmdt81tscJV
+      force: yes
--- a/playbooks/host/hosts-present-with-managedby_host.yml
+++ b/playbooks/host/hosts-present-with-managedby_host.yml
@@ -0,0 +1,15 @@
+---
+- name: Host present with managedby_host
+  hosts: ipaserver
+  become: true
+
+  tasks:
+    ipahost:
+      ipaadmin_password: SomeADMINpassword
+      hosts:
+      - name: host01.exmaple.com
+        managedby_host: server.exmaple.com
+        force: yes
+      - name: host02.exmaple.com
+        managedby_host: server.exmaple.com
+        force: yes
--- a/playbooks/host/hosts-present-with-randompasswords.yml
+++ b/playbooks/host/hosts-present-with-randompasswords.yml
@@ -0,0 +1,26 @@
+---
+- name: Hosts present with random passwords
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  - name: Hosts host01.example.com and host01.example.com present with random passwords
+    ipahost:
+      ipaadmin_password: SomeADMINpassword
+      hosts:
+      - name: host01.example.com
+        random: yes
+        force: yes
+      - name: host02.example.com
+        random: yes
+        force: yes
+    register: ipahost
+
+  - name: Print generated random password for host01.example.com
+    debug:
+      var: ipahost.host["host01.example.com"].randompassword
+
+  - name: Print generated random password for host02.example.com
+    debug:
+      var: ipahost.host["host02.example.com"].randompassword
+
--- a/playbooks/hostgroup/ensure-hostgroup-is-absent.yml
+++ b/playbooks/hostgroup/ensure-hostgroup-is-absent.yml
@@ -0,0 +1,11 @@
+---
+- name: Playbook to handle hostgroups
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  # Ensure host-group databases is present
+  - ipahostgroup:
+      ipaadmin_password: SomeADMINpassword
+      name: databases
+      state: absent
--- a/playbooks/hostgroup/ensure-hostgroup-is-present.yml
+++ b/playbooks/hostgroup/ensure-hostgroup-is-present.yml
@@ -0,0 +1,15 @@
+---
+- name: Playbook to handle hostgroups
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  # Ensure host-group databases is present
+  - ipahostgroup:
+      ipaadmin_password: SomeADMINpassword
+      name: databases
+      host:
+      - db.example.com
+      hostgroup:
+      - mysql-server
+      - oracle-server
--- a/playbooks/hostgroup/ensure-hosts-and-hostgroups-are-absent-in-hostgroup.yml
+++ b/playbooks/hostgroup/ensure-hosts-and-hostgroups-are-absent-in-hostgroup.yml
@@ -0,0 +1,17 @@
+---
+- name: Playbook to handle hostgroups
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  # Ensure hosts and hostgroups are present in existing databases hostgroup
+  - ipahostgroup:
+      ipaadmin_password: SomeADMINpassword
+      name: databases
+      host:
+      - db.example.com
+      hostgroup:
+      - mysql-server
+      - oracle-server
+      action: member
+      state: absent
--- a/playbooks/hostgroup/ensure-hosts-and-hostgroups-are-present-in-hostgroup.yml
+++ b/playbooks/hostgroup/ensure-hosts-and-hostgroups-are-present-in-hostgroup.yml
@@ -0,0 +1,16 @@
+---
+- name: Playbook to handle hostgroups
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  # Ensure hosts and hostgroups are present in existing databases hostgroup
+  - ipahostgroup:
+      ipaadmin_password: SomeADMINpassword
+      name: databases
+      host:
+      - db.example.com
+      hostgroup:
+      - mysql-server
+      - oracle-server
+      action: member
--- a/playbooks/pwpolicy/pwpolicy_absent.yml
+++ b/playbooks/pwpolicy/pwpolicy_absent.yml
@@ -0,0 +1,12 @@
+---
+- name: Tests
+  hosts: ipaserver
+  become: true
+  gather_facts: false
+
+  tasks:
+  - name: Ensure absence of pwpolicies for group ops
+    ipapwpolicy:
+      ipaadmin_password: SomeADMINpassword
+      name: ops
+      state: absent
--- a/playbooks/pwpolicy/pwpolicy_present.yml
+++ b/playbooks/pwpolicy/pwpolicy_present.yml
@@ -0,0 +1,20 @@
+---
+- name: Tests
+  hosts: ipaserver
+  become: true
+  gather_facts: false
+
+  tasks:
+  - name: Ensure presence of pwpolicies for group ops
+    ipapwpolicy:
+      ipaadmin_password: SomeADMINpassword
+      name: ops
+      minlife: 7
+      maxlife: 49
+      history: 5
+      priority: 1
+      lockouttime: 300
+      minlength: 8
+      minclasses: 5
+      maxfail: 3
+      failinterval: 5
--- a/playbooks/service/service-host-is-absent.yml
+++ b/playbooks/service/service-host-is-absent.yml
@@ -0,0 +1,14 @@
+---
+- name: Playbook to manage IPA service.
+  hosts: ipaserver
+  become: true
+  gather_facts: false
+
+  tasks:
+  # Ensure management host is absent.
+  - ipaservice:
+      ipaadmin_password: MyPassword123
+      name: HTTP/www.example.com
+      host: "{{ groups.ipaserver[0] }}"
+      action: member
+      state: absent
--- a/playbooks/service/service-host-is-present.yml
+++ b/playbooks/service/service-host-is-present.yml
@@ -0,0 +1,13 @@
+---
+- name: Playbook to manage IPA service.
+  hosts: ipaserver
+  become: true
+  gather_facts: false
+
+  tasks:
+  # Ensure management host is present.
+  - ipaservice:
+      ipaadmin_password: MyPassword123
+      name: HTTP/www.example.com
+      host: "{{ groups.ipaserver[0] }}"
+      action: member
--- a/playbooks/service/service-is-absent.yml
+++ b/playbooks/service/service-is-absent.yml
@@ -0,0 +1,12 @@
+---
+- name: Playbook to manage IPA service.
+  hosts: ipaserver
+  become: true
+  gather_facts: false
+
+  tasks:
+  # Ensure service is absent
+  - ipaservice:
+      ipaadmin_password: MyPassword123
+      name: HTTP/www.example.com
+      state: absent
--- a/playbooks/service/service-is-disabled.yml
+++ b/playbooks/service/service-is-disabled.yml
@@ -0,0 +1,12 @@
+---
+- name: Playbook to disable IPA service.
+  hosts: ipaserver
+  become: true
+  gather_facts: false
+
+  tasks:
+  # Ensure service is disabled
+  - ipaservice:
+      ipaadmin_password: MyPassword123
+      name: HTTP/www.example.com
+      state: disabled
--- a/playbooks/service/service-is-present-with-all-attributes.yml
+++ b/playbooks/service/service-is-present-with-all-attributes.yml
@@ -0,0 +1,23 @@
+---
+- name: Playbook to manage IPA service.
+  hosts: ipaserver
+  become: true
+  gather_facts: false
+
+  tasks:
+  # Ensure service is present
+  - ipaservice:
+      ipaadmin_password: MyPassword123
+      name: HTTP/www.example.com
+      certificate:
+        - MIICBjCCAW8CFHnm32VcXaUDGfEGdDL/erPSijUAMA0GCSqGSIb3DQEBCwUAMEIxCzAJBgNVBAYTAlhYMRUwEwYDVQQHDAxEZWZhdWx0IENpdHkxHDAaBgNVBAoME0RlZmF1bHQgQ29tcGFueSBMdGQwHhcNMjAwMTIzMDA1NjQ2WhcNMjEwMTIyMDA1NjQ2WjBCMQswCQYDVQQGEwJYWDEVMBMGA1UEBwwMRGVmYXVsdCBDaXR5MRwwGgYDVQQKDBNEZWZhdWx0IENvbXBhbnkgTHRkMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDYrdVmsr7iT3f67DM5bb1osSEe5/c91UUMEIcFq5wrgBhzVfs8iIMDVC1yiUGTsDLJNJc4nb1tUxeR9K5fh25E6n/eWDBP75NStotjAXRU4Ahi3FNRhWFOKesds5xNqgDk5/dY8UekJv2yUblQuZzeF8b2XFrmHuCaYuFctzPfWwIDAQABMA0GCSqGSIb3DQEBCwUAA4GBACF+5RS8Ce0HRixGPu4Xd51i+Kzblg++lx8fDJ8GW5G16/Z1AsB72Hc7etJL2PksHlue/xCq6SA9fIfHc4TBNCiWjPSP1NhHJeYyoPiSkcYsqXuxWyoyRLbnAhBVvhoiqZbUt3u3tGB0uMMA0yJvj07mP7Nea2KdBYVH8X1pM0V+
+      pac_type:
+        - MS-PAC
+        - PAD
+      auth_ind: otp
+      force: no
+      requires_pre_auth: yes
+      ok_as_delegate: no
+      ok_to_auth_as_delegate: no
+      action: service
+      state: present
--- a/playbooks/service/service-is-present-with-host-force.yml
+++ b/playbooks/service/service-is-present-with-host-force.yml
@@ -0,0 +1,13 @@
+---
+- name: Playbook to manage IPA service.
+  hosts: ipaserver
+  become: true
+  gather_facts: false
+
+  tasks:
+  # Ensure service is present
+  - ipaservice:
+      ipaadmin_password: MyPassword123
+      name: HTTP/ihavenodns.info
+      force: yes
+      # state: absent
--- a/playbooks/service/service-is-present-without-host-object.yml
+++ b/playbooks/service/service-is-present-without-host-object.yml
@@ -0,0 +1,12 @@
+---
+- name: Playbook to manage IPA service.
+  hosts: ipaserver
+  become: true
+  gather_facts: false
+
+  tasks:
+  # Ensure service is present
+  - ipaservice:
+      ipaadmin_password: MyPassword123
+      name: HTTP/www.ansible.com
+      skip_host_check: yes
--- a/playbooks/service/service-is-present.yml
+++ b/playbooks/service/service-is-present.yml
@@ -0,0 +1,11 @@
+---
+- name: Playbook to manage IPA service.
+  hosts: ipaserver
+  become: true
+  gather_facts: false
+
+  tasks:
+  # Ensure service is present
+  - ipaservice:
+      ipaadmin_password: MyPassword123
+      name: HTTP/www.example.com
--- a/playbooks/service/service-member-allow_create_keytab-absent.yml
+++ b/playbooks/service/service-member-allow_create_keytab-absent.yml
@@ -0,0 +1,24 @@
+---
+- name: Service member allow_create_keytab absent
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  - name: Service HTTP/www.example.com members allow_create_keytab absent for users, groups, hosts and hostgroups
+    ipaservice:
+      ipaadmin_password: MyPassword123
+      name: HTTP/www.example.com
+      allow_create_keytab_user:
+      - user01
+      - user02
+      allow_create_keytab_group:
+      - group01
+      - group02
+      allow_create_keytab_host:
+      - host01.example.com
+      - host02.example.com
+      allow_create_keytab_hostgroup:
+      - hostgroup01
+      - hostgroup02
+      action: member
+      state: absent
--- a/playbooks/service/service-member-allow_create_keytab-present.yml
+++ b/playbooks/service/service-member-allow_create_keytab-present.yml
@@ -0,0 +1,23 @@
+---
+- name: Service member allow_create_keytab present
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  - name: Service HTTP/www.example.com members allow_create_keytab present for users, groups, hosts and hostgroups
+    ipaservice:
+      ipaadmin_password: MyPassword123
+      name: HTTP/www.example.com
+      allow_create_keytab_user:
+      - user01
+      - user02
+      allow_create_keytab_group:
+      - group01
+      - group02
+      allow_create_keytab_host:
+      - host01.example.com
+      - host02.example.com
+      allow_create_keytab_hostgroup:
+      - hostgroup01
+      - hostgroup02
+      action: member
--- a/playbooks/service/service-member-allow_retrieve_keytab-absent.yml
+++ b/playbooks/service/service-member-allow_retrieve_keytab-absent.yml
@@ -0,0 +1,24 @@
+---
+- name: Service member allow_retrieve_keytab absent
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  - name: Service HTTP/www.example.com members allow_retrieve_keytab absent for users, groups, hosts and hostgroups
+    ipaservice:
+      ipaadmin_password: MyPassword123
+      name: HTTP/www.example.com
+      allow_retrieve_keytab_user:
+      - user01
+      - user02
+      allow_retrieve_keytab_group:
+      - group01
+      - group02
+      allow_retrieve_keytab_host:
+      - host01.example.com
+      - host02.example.com
+      allow_retrieve_keytab_hostgroup:
+      - hostgroup01
+      - hostgroup02
+      action: member
+      state: absent
--- a/playbooks/service/service-member-allow_retrieve_keytab-present.yml
+++ b/playbooks/service/service-member-allow_retrieve_keytab-present.yml
@@ -0,0 +1,23 @@
+---
+- name: Service member allow_retrieve_keytab present
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  - name: Service HTTP/www.example.com members allow_retrieve_keytab present for users, groups, hosts and hostgroups
+    ipaservice:
+      ipaadmin_password: MyPassword123
+      name: HTTP/www.example.com
+      allow_retrieve_keytab_user:
+      - user01
+      - user02
+      allow_retrieve_keytab_group:
+      - group01
+      - group02
+      allow_retrieve_keytab_host:
+      - host01.example.com
+      - host02.example.com
+      allow_retrieve_keytab_hostgroup:
+      - hostgroup01
+      - hostgroup02
+      action: member
--- a/playbooks/service/service-member-certificate-absent.yml
+++ b/playbooks/service/service-member-certificate-absent.yml
@@ -0,0 +1,16 @@
+---
+- name: Service certificate absent.
+  hosts: ipaserver
+  become: true
+  gather_facts: false
+
+  tasks:
+  # Ensure service certificate is absent
+  - ipaservice:
+      ipaadmin_password: MyPassword123
+      name: HTTP/www.example.com
+
+      certificate:
+        - MIICBjCCAW8CFHnm32VcXaUDGfEGdDL/erPSijUAMA0GCSqGSIb3DQEBCwUAMEIxCzAJBgNVBAYTAlhYMRUwEwYDVQQHDAxEZWZhdWx0IENpdHkxHDAaBgNVBAoME0RlZmF1bHQgQ29tcGFueSBMdGQwHhcNMjAwMTIzMDA1NjQ2WhcNMjEwMTIyMDA1NjQ2WjBCMQswCQYDVQQGEwJYWDEVMBMGA1UEBwwMRGVmYXVsdCBDaXR5MRwwGgYDVQQKDBNEZWZhdWx0IENvbXBhbnkgTHRkMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDYrdVmsr7iT3f67DM5bb1osSEe5/c91UUMEIcFq5wrgBhzVfs8iIMDVC1yiUGTsDLJNJc4nb1tUxeR9K5fh25E6n/eWDBP75NStotjAXRU4Ahi3FNRhWFOKesds5xNqgDk5/dY8UekJv2yUblQuZzeF8b2XFrmHuCaYuFctzPfWwIDAQABMA0GCSqGSIb3DQEBCwUAA4GBACF+5RS8Ce0HRixGPu4Xd51i+Kzblg++lx8fDJ8GW5G16/Z1AsB72Hc7etJL2PksHlue/xCq6SA9fIfHc4TBNCiWjPSP1NhHJeYyoPiSkcYsqXuxWyoyRLbnAhBVvhoiqZbUt3u3tGB0uMMA0yJvj07mP7Nea2KdBYVH8X1pM0V+
+      action: member
+      state: absent
--- a/playbooks/service/service-member-certificate-present.yml
+++ b/playbooks/service/service-member-certificate-present.yml
@@ -0,0 +1,15 @@
+---
+- name: Service certificate present.
+  hosts: ipaserver
+  become: true
+  gather_facts: false
+
+  tasks:
+  # Ensure service certificate is present
+  - ipaservice:
+      ipaadmin_password: MyPassword123
+      name: HTTP/www.example.com
+      certificate:
+        - MIICBjCCAW8CFHnm32VcXaUDGfEGdDL/erPSijUAMA0GCSqGSIb3DQEBCwUAMEIxCzAJBgNVBAYTAlhYMRUwEwYDVQQHDAxEZWZhdWx0IENpdHkxHDAaBgNVBAoME0RlZmF1bHQgQ29tcGFueSBMdGQwHhcNMjAwMTIzMDA1NjQ2WhcNMjEwMTIyMDA1NjQ2WjBCMQswCQYDVQQGEwJYWDEVMBMGA1UEBwwMRGVmYXVsdCBDaXR5MRwwGgYDVQQKDBNEZWZhdWx0IENvbXBhbnkgTHRkMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDYrdVmsr7iT3f67DM5bb1osSEe5/c91UUMEIcFq5wrgBhzVfs8iIMDVC1yiUGTsDLJNJc4nb1tUxeR9K5fh25E6n/eWDBP75NStotjAXRU4Ahi3FNRhWFOKesds5xNqgDk5/dY8UekJv2yUblQuZzeF8b2XFrmHuCaYuFctzPfWwIDAQABMA0GCSqGSIb3DQEBCwUAA4GBACF+5RS8Ce0HRixGPu4Xd51i+Kzblg++lx8fDJ8GW5G16/Z1AsB72Hc7etJL2PksHlue/xCq6SA9fIfHc4TBNCiWjPSP1NhHJeYyoPiSkcYsqXuxWyoyRLbnAhBVvhoiqZbUt3u3tGB0uMMA0yJvj07mP7Nea2KdBYVH8X1pM0V+
+      action: member
+      state: present
--- a/playbooks/service/service-member-principal-absent.yml
+++ b/playbooks/service/service-member-principal-absent.yml
@@ -0,0 +1,14 @@
+---
+- name: Service member principal absent
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  - name: Service HTTP/www.exmaple.com member principals host/test.exmaple.com absent
+    ipaservice:
+      ipaadmin_password: MyPassword123
+      name: HTTP/www.example.com
+      principal:
+        - host/test.exmaple.com
+      action: member
+      state: absent
--- a/playbooks/service/service-member-principal-present.yml
+++ b/playbooks/service/service-member-principal-present.yml
@@ -0,0 +1,13 @@
+---
+- name: Service member principal present
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  - name: Service HTTP/www.exmaple.com member principals host/test.exmaple.com present
+    ipaservice:
+      ipaadmin_password: MyPassword123
+      name: HTTP/www.example.com
+      principal:
+        - host/test.exmaple.com
+      action: member
--- a/playbooks/sudocmd/ensure-sudocmd-is-absent.yml
+++ b/playbooks/sudocmd/ensure-sudocmd-is-absent.yml
@@ -0,0 +1,11 @@
+---
+- name: Playbook to manage sudo command
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  # Ensure sudo command is absent
+  - ipasudocmd:
+      ipaadmin_password: SomeADMINpassword
+      name: /usr/bin/su
+      state: absent
--- a/playbooks/sudocmd/ensure-sudocmd-is-present.yml
+++ b/playbooks/sudocmd/ensure-sudocmd-is-present.yml
@@ -0,0 +1,11 @@
+---
+- name: Playbook to manage sudo command
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  # Ensure sudo command is present
+  - ipasudocmd:
+      ipaadmin_password: SomeADMINpassword
+      name: /usr/bin/su
+      state: present
--- a/playbooks/sudocmdgroup/ensure-sudocmd-are-absent-in-sudocmdgroup.yml
+++ b/playbooks/sudocmdgroup/ensure-sudocmd-are-absent-in-sudocmdgroup.yml
@@ -0,0 +1,15 @@
+---
+- name: Playbook to handle sudocmdgroups
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  # Ensure sudocmds are absent in sudocmdgroup
+  - ipasudocmdgroup:
+      ipaadmin_password: SomeADMINpassword
+      name: network
+      sudocmd:
+      - /usr/sbin/ifconfig
+      - /usr/sbin/iwlist
+      action: member
+      state: absent
--- a/playbooks/sudocmdgroup/ensure-sudocmd-are-present-in-sudocmdgroup.yml
+++ b/playbooks/sudocmdgroup/ensure-sudocmd-are-present-in-sudocmdgroup.yml
@@ -0,0 +1,22 @@
+---
+- name: Playbook to handle sudocmdgroups
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  # Ensure sudo commands are present
+  - ipasudocmd:
+     ipaadmin_password: SomeADMINpassword
+     name:
+     - /usr/sbin/ifconfig
+     - /usr/sbin/iwlist
+     state: present
+
+  # Ensure sudo commands are present in existing sudocmdgroup
+  - ipasudocmdgroup:
+     ipaadmin_password: SomeADMINpassword
+     name: network
+     sudocmd:
+     - /usr/sbin/ifconfig
+     - /usr/sbin/iwlist
+     action: member
--- a/playbooks/sudocmdgroup/ensure-sudocmdgroup-is-absent.yml
+++ b/playbooks/sudocmdgroup/ensure-sudocmdgroup-is-absent.yml
@@ -0,0 +1,12 @@
+---
+- name: Playbook to handle sudocmdgroups
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  # Ensure sudocmdgroup is absent
+  - ipasudocmdgroup:
+     ipaadmin_password: pass1234
+     name: network
+     state: absent
+     action: sudocmdgroup
--- a/playbooks/sudocmdgroup/ensure-sudocmdgroup-is-present.yml
+++ b/playbooks/sudocmdgroup/ensure-sudocmdgroup-is-present.yml
@@ -0,0 +1,15 @@
+---
+- name: Playbook to handle sudocmdgroups
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  # Ensure sudocmdgroup sudocmds are present
+  - ipasudocmdgroup:
+      ipaadmin_password: pass1234
+      name: network
+      description: Group of important commands.
+      sudocmd:
+      - /usr/sbin/ifconfig
+      - /usr/sbin/iwlist
+      state: present
--- a/playbooks/sudorule/ensure-sudorule-does-not-have-sudooption.yml
+++ b/playbooks/sudorule/ensure-sudorule-does-not-have-sudooption.yml
@@ -0,0 +1,14 @@
+---
+- name: Tests
+  hosts: ipaserver
+  become: true
+  gather_facts: false
+
+  tasks:
+  # Ensure sudooption is absent in sudorule
+  - ipasudorule:
+      ipaadmin_password: SomeADMINpassword
+      name: testrule1
+      sudooption: "!root"
+      action: member
+      state: absent
--- a/playbooks/sudorule/ensure-sudorule-has-sudooption.yml
+++ b/playbooks/sudorule/ensure-sudorule-has-sudooption.yml
@@ -0,0 +1,13 @@
+---
+- name: Tests
+  hosts: ipaserver
+  become: true
+  gather_facts: false
+
+  tasks:
+  # Ensure sudooption is present in sudorule
+  - ipasudorule:
+      ipaadmin_password: SomeADMINpassword
+      name: testrule1
+      sudooption: "!root"
+      action: member
--- a/playbooks/sudorule/ensure-sudorule-host-member-is-absent.yml
+++ b/playbooks/sudorule/ensure-sudorule-host-member-is-absent.yml
@@ -0,0 +1,14 @@
+---
+- name: Tests
+  hosts: ipaserver
+  become: true
+  gather_facts: false
+
+  tasks:
+  # Ensure host server is absent in Sudo Rule
+  - ipasudorule:
+      ipaadmin_password: SomeADMINpassword
+      name: testrule1
+      host: server
+      action: member
+      state: absent
--- a/playbooks/sudorule/ensure-sudorule-host-member-is-present.yml
+++ b/playbooks/sudorule/ensure-sudorule-host-member-is-present.yml
@@ -0,0 +1,13 @@
+---
+- name: Tests
+  hosts: ipaserver
+  become: true
+  gather_facts: false
+
+  tasks:
+  # Ensure host server is present in Sudo Rule
+  - ipasudorule:
+      ipaadmin_password: SomeADMINpassword
+      name: testrule1
+      host: server
+      action: member
--- a/playbooks/sudorule/ensure-sudorule-hostgroup-member-is-absent.yml
+++ b/playbooks/sudorule/ensure-sudorule-hostgroup-member-is-absent.yml
@@ -0,0 +1,14 @@
+---
+- name: Tests
+  hosts: ipaserver
+  become: true
+  gather_facts: false
+
+  tasks:
+  # Ensure hostgroup cluster is absent in Sudo Rule
+  - ipasudorule:
+      ipaadmin_password: SomeADMINpassword
+      name: testrule1
+      hostgroup: cluster
+      action: member
+      state: absent
--- a/playbooks/sudorule/ensure-sudorule-hostgroup-member-is-present.yml
+++ b/playbooks/sudorule/ensure-sudorule-hostgroup-member-is-present.yml
@@ -0,0 +1,13 @@
+---
+- name: Tests
+  hosts: ipaserver
+  become: true
+  gather_facts: false
+
+  tasks:
+  # Ensure hostgrep cluster is present in Sudo Rule
+  - ipasudorule:
+      ipaadmin_password: SomeADMINpassword
+      name: testrule1
+      hostgroup: cluster
+      action: member
--- a/Show More
+++ b/Show More