Fix typo in README-permission.md

There is a typo "Eure" instead of "Ensure" in the rename task.
Merge pull request #484 from t-woerner/permission_fix_attrs_drop_privilege
2026-05-14 21:42:17 +00:00 · 2021-01-11 12:21:30 +01:00 · 2021-01-08 16:12:01 -03:00 · 2021-01-08 14:17:23 +01:00 · 2021-01-08 13:59:37 +01:00 · 2021-01-08 13:49:34 +01:00
592 changed files with 45585 additions and 2192 deletions
--- a/.ansible-lint
+++ b/.ansible-lint
@@ -0,0 +1,23 @@
 exclude_paths:
  - roles
  - .tox
  - .venv
 parseable: true
 quiet: false
 skip_list:
  - '201'  # Trailing whitespace
  - '204'  # Lines should be no longer than 160 chars
  - '206'  # Variables should have spaces before and after: {{ var_name }}'
  - '208'  # File permissions not mentioned
  - '301'  # Commands should not change things if nothing needs doing'
  - '305'  # Use shell only when shell functionality is required'
  - '306'  # Shells that use pipes should set the pipefail option'
  - '502'  # All tasks should be named
  - '505'  # Referenced missing file
 use_default_rules: true
 verbosity: 1
--- a/.copr/Makefile
+++ b/.copr/Makefile
@@ -0,0 +1,9 @@
 srpm:
 	# Setup development environment
 	echo "Installing base development environment"
 	dnf install -y dnf-plugins-core git-all
 	echo "Call SRPM build Script"
 	./utils/build-srpm.sh
 	if [[ "${outdir}" != "" ]]; then \
 		mv /builddir/build/SRPMS/* ${outdir}; \
 	fi
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -0,0 +1,16 @@
 ---
 name: Verify Ansible documentation.
 on:
  - push
  - pull_request
 jobs:
  check_docs:
    name: Check Ansible Documentation.
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: actions/setup-python@v2
        with:
          python-version: '3.x'
      - name: Run ansible-doc-test
        run: ANSIBLE_LIBRARY="." python utils/ansible-doc-test roles plugins
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -0,0 +1,33 @@
 ---
 name: Run Linters
 on:
  - push
  - pull_request
 jobs:
  linters:
    name: Run Linters
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: actions/setup-python@v2
        with:
          python-version: "3.6"
      - name: Run ansible-lint
        uses: ansible/ansible-lint-action@master
        with:
          targets: |
            tests/*.yml
            tests/*/*.yml
            tests/*/*/*.yml
            playbooks/*.yml
            playbooks/*/*.yml
        env:
          ANSIBLE_MODULE_UTILS: plugins/module_utils
          ANSIBLE_LIBRARY: plugins/modules
      - name: Run yaml-lint
        uses: ibiqlik/action-yamllint@v1
      - name: Run Python linters
        uses: rjeffman/python-lint-action@v2
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,8 @@
 *.pyc
 *.retry
 # ignore virtual environments
 /.tox/
 /.venv/
 tests/logs/
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -0,0 +1,31 @@
 ---
 repos:
 - repo: https://github.com/ansible/ansible-lint.git
  rev: v4.3.5
  hooks:
  - id: ansible-lint
    always_run: false
    pass_filenames: true
    files: \.(yaml|yml)$
    entry: env ANSIBLE_LIBRARY=./plugins/modules ANSIBLE_MODULE_UTILS=./plugins/module_utils ansible-lint --force-color
 - repo: https://github.com/adrienverge/yamllint.git
  rev: v1.25.0
  hooks:
  - id: yamllint
    files: \.(yaml|yml)$
 - repo: https://gitlab.com/pycqa/flake8
  rev: 3.8.4
  hooks:
  - id: flake8
 - repo: https://gitlab.com/pycqa/pydocstyle
  rev: 5.1.1
  hooks:
  - id: pydocstyle
 - repo: local
  hooks:
  - id: ansible-doc-test
    name: Verify Ansible roles and module documentation.
    language: script
    entry: utils/ansible-doc-test
    # args: ['-v', 'roles', 'plugins']
    files: ^.*.py$
--- a/.yamllint
+++ b/.yamllint
@@ -0,0 +1,28 @@
 ---
 ignore: |
  /.tox/
  /.venv/
  /.github/
 extends: default
 rules:
  braces:
    max-spaces-inside: 1
    level: error
  brackets:
    max-spaces-inside: 1
    level: error
  truthy:
    allowed-values: ["yes", "no", "true", "false", "True", "False"]
    level: error
  # Disabled rules
  document-start: disable
  indentation: disable
  line-length: disable
  colons: disable
  empty-lines: disable
  comments: disable
  comments-indentation: disable
  trailing-spaces: disable
  new-line-at-end-of-file: disable
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -0,0 +1,121 @@
 Contributing to ansible-freeipa
 ===============================
 As part of the [FreeIPA] project, ansible-freeipa follows
 [FreeIPA's Code of Conduct].
 Reporting bugs or Features
 --------------------------
 ansible-freeipa uses [Github issues] for the upstream development, so all RFEs
 and bug reports should be added there.
 If you have questions about the usage of ansible-freeipa modules and roles,
 you should also submit an issue, so that anyone that knows an answer can help.
 Development
 -----------
 Contribute code by submitting a [pull request]. All pull requests should be
 created against the `master` branch. If your PR fixes an open issue, please,
 add this information to the commit message, like _"Fix issue #num"_.
 Every PR will have to pass some automatic checks and be reviewed by another
 developer(s). Once they are approved, they will be merged.
 In your commits, use clear messages that include intent, summary of changes,
 and expected result. Use a template commit message [for modules] and
 [for roles].
 Upon review, it is fine to `force push` the changes.
 **Preparing the development environment**
 There are some useful tools that will help you develop for ansible-freeipa,
 and you should install, at least, the modules in `requirements.txt`. You
 can install the modules with your distribution package manager, or use pip,
 as in the example:
 ```
 python3 -m pip install --user -r requirements-dev.txt
 ```
 We recommend using [pre-commit] so that the basic checks that will be executed
 for your PR are executed locally, on your commits. To setup the pre-commit
 hooks, issue the command:
 ```
 pre-commit install
 ```
 **Developing new modules**
 When developing new modules use the script `utils/new_module`. If the module
 should have `action: member` support, use the flag `-m`.
 This script will create the basic structure for the module, the required files
 for tests, playbooks, documentation and source code, all at the appropriate
 places.
 **Other helpfull tools**
 Under directory `utils`, you will find other useful tools, like
 **lint-check.sh**, which will run the Python and YAML linters on your code,
 and **ansible-doc-test** which will verify if the documentation added to the
 roles and modules source code has the right format.
 Testing
 -------
 When testing ansible-freeipa's roles and modules, we aim to check if they
 do what they intend to do, report the results correctly, and if they are
 idempotent (although, sometimes the operation performed is not, like when
 renaming items). To achieve this, we use Ansible playbooks.
 The Ansible playbooks test can be found under the [tests] directory. They
 should test the behavior of the module or role, and, if possible, provide
 test cases for all attributes.
 There might be some limitation on the testing environment, as some attributes
 or operations are only available in some circumstances, like specific FreeIPA
 versions, or some more elaborate scenarios (for example, requiring a
 configured trust to an AD domain). For these cases, there are some `facts`
 available that will only enable the tests if the testing environment is
 enabled.
 The tests run automatically on every pull request, using Fedora, CentOS 7,
 and CentOS 8 environments.
 See the document [Running the tests] and also the section `Preparing the
 development environment`, to prepare your environment.
 Documentation
 -------------
 We do our best to provide a correct and complete documentation for the modules
 and roles we provide, but we sometimes miss something that users find it
 important to be documented.
 If you think something could be made easier to understand, or found an error
 or omission in the documentation, fixing it will help other users and make
 the experience on using the project much better.
 Also, the [playbooks] can be seen as part of the documentation, as they are
 examples of commonly performed tasks.
 ---
 [FreeIPA]: https://freeipa.org
 [FreeIPA's Code of Conduct]: https://github.com/freeipa/freeipa/blob/master/CODE_OF_CONDUCT.md
 [for modules]: https://github.com/freeipa/ansible-freeipa/pull/357
 [for roles]: https://github.com/freeipa/ansible-freeipa/pull/430
 [Github issues]: https://github.com/freeipa/ansible-freeipa/issues
 [pull request]: https://github.com/freeipa/ansible-freeipa/pulls
 [playbooks]: playbooks
 [pre-commit]: https://pre-commit.com
 [Running the tests]: tests/README.md
 [tests]: tests/
--- a/README-config.md
+++ b/README-config.md
@@ -0,0 +1,150 @@
 Config module
 ===========
 Description
 -----------
 The config module allows the setting of global config parameters within IPA. If no parameters are specified it returns the list of all current parameters.
 The config module is as compatible as possible to the Ansible upstream `ipa_config` module, but adds many additional parameters
 Features
 --------
 * IPA server configuration management
 Supported FreeIPA Versions
 --------------------------
 FreeIPA versions 4.4.0 and up are supported by the ipaconfig module.
 Some variables are only supported on newer versions of FreeIPA. Check `Variables` section for details.
 Requirements
 ------------
 **Controller**
 * Ansible version: 2.8+
 **Node**
 * Supported FreeIPA version (see above)
 Usage
 =====
 Example inventory file
 ```ini
 [ipaserver]
 ipaserver.test.local
 ```
 Example playbook to read config options:
 ```yaml
 ---
 - name: Playbook to handle global config options
  hosts: ipaserver
  become: true
  tasks:
    - name: return current values of the global configuration options
      ipaconfig:
        ipaadmin_password: password
      register: result
    - name: display default login shell
      debug:
        msg: '{{result.config.defaultlogin }}'
    - name: ensure defaultloginshell and maxusernamelength are set as required
      ipaconfig:
        ipaadmin_password: password
        defaultlogin: /bin/bash
        maxusername: 64
 ```
 ```yaml
 ---
 - name: Playbook to ensure some config options are set
  hosts: ipaserver
  become: true
  tasks:
    - name: set defaultlogin and maxusername
      ipaconfig:
        ipaadmin_password: password
        defaultlogin: /bin/bash
        maxusername: 64
 ```
 Variables
 =========
 ipauser
 -------
 **General Variables:**
 Variable | Description | Required
 -------- | ----------- | --------
 `ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
 `ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
 `maxusername` \| `ipamaxusernamelength` |  Set the maximum username length (1 to 255) | no
 `maxhostname` \| `ipamaxhostnamelength` |  Set the maximum hostname length between 64-255. Only usable with IPA versions 4.8.0 and up. | no
 `homedirectory` \| `ipahomesrootdir` |  Set the default location of home directories | no
 `defaultshell` \| `ipadefaultloginshell` |  Set the default shell for new users | no
 `defaultgroup` \| `ipadefaultprimarygroup` |  Set the default group for new users | no
 `emaildomain`\| `ipadefaultemaildomain`  |  Set the default e-mail domain | false
 `searchtimelimit` \| `ipasearchtimelimit` |  Set maximum amount of time (seconds) for a search -1 to 2147483647 (-1 or 0 is unlimited) | no
 `searchrecordslimit` \| `ipasearchrecordslimit` |  Set maximum number of records to search -1 to 2147483647 (-1 or 0 is unlimited) | no
 `usersearch` \| `ipausersearchfields` |  Set list of fields to search when searching for users | no
 `groupsearch` \| `ipagroupsearchfields` |  Set list of fields to search in when searching for groups | no
 `enable_migration` \| `ipamigrationenabled` |  Enable migration mode (choices: True, False ) | no
 `groupobjectclasses` \| `ipagroupobjectclasses` |  Set default group objectclasses (list) | no
 `userobjectclasses` \| `ipauserobjectclasses` |  Set default user objectclasses (list) | no
 `pwdexpnotify` \| `ipapwdexpadvnotify` |  Set number of days's notice of impending password expiration (0 to 2147483647) | no
 `configstring` \| `ipaconfigstring` |  Set extra hashes to generate in password plug-in (choices:`AllowNThash`, `KDC:Disable Last Success`, `KDC:Disable Lockout`, `KDC:Disable Default Preauth for SPNs`). Use `""` to clear this variable. | no
 `selinuxusermaporder` \| `ipaselinuxusermaporder`| Set ordered list in increasing priority of SELinux users | no
 `selinuxusermapdefault`\| `ipaselinuxusermapdefault` |  Set default SELinux user when no match is found in SELinux map rule | no
 `pac_type` \| `ipakrbauthzdata` |  set default types of PAC supported for services (choices: `MS-PAC`, `PAD`, `nfs:NONE`). Use `""` to clear this variable. | no
 `user_auth_type` \| `ipauserauthtype` |  set default types of supported user authentication (choices: `password`, `radius`, `otp`, `disabled`). Use `""` to clear this variable. | no
 `domain_resolution_order` \| `ipadomainresolutionorder` | Set list of domains used for short name qualification | no
 `ca_renewal_master_server` \| `ipacarenewalmasterserver`| Renewal master for IPA certificate authority. | no
 Return Values
 =============
 Variable | Description | Returned When
 -------- | ----------- | -------------
 `config` | config dict <br />Fields: | No values to configure are specified
 &nbsp; | `maxusername` | &nbsp;
 &nbsp; | `maxhostname` | &nbsp;
 &nbsp; | `homedirectory` | &nbsp;
 &nbsp; | `defaultshell` | &nbsp;
 &nbsp; | `defaultgroup` | &nbsp;
 &nbsp; | `emaildomain` | &nbsp;
 &nbsp; | `searchtimelimit` | &nbsp;
 &nbsp; | `searchrecordslimit` | &nbsp;
 &nbsp; | `usersearch` | &nbsp;
 &nbsp; | `groupsearch` | &nbsp;
 &nbsp; | `enable_migration` | &nbsp;
 &nbsp; | `groupobjectclasses` | &nbsp;
 &nbsp; | `userobjectclasses` | &nbsp;
 &nbsp; | `pwdexpnotify` | &nbsp;
 &nbsp; | `configstring` | &nbsp;
 &nbsp; | `selinuxusermapdefault` | &nbsp;
 &nbsp; | `selinuxusermaporder` | &nbsp;
 &nbsp; | `pac_type` | &nbsp;
 &nbsp; | `user_auth_type` | &nbsp;
 &nbsp; | `domain_resolution_order` | &nbsp;
 &nbsp; | `ca_renewal_master_server` | &nbsp;
 All returned fields take the same form as their namesake input parameters
 Authors
 =======
 Chris Procter
--- a/README-delegation.md
+++ b/README-delegation.md
@@ -0,0 +1,157 @@
 Delegation module
 =================
 Description
 -----------
 The delegation module allows to ensure presence, absence of delegations and delegation attributes.
 Features
 --------
 * Delegation management
 Supported FreeIPA Versions
 --------------------------
 FreeIPA versions 4.4.0 and up are supported by the ipadelegation module.
 Requirements
 ------------
 **Controller**
 * Ansible version: 2.8+
 **Node**
 * Supported FreeIPA version (see above)
 Usage
 =====
 Example inventory file
 ```ini
 [ipaserver]
 ipaserver.test.local
 ```
 Example playbook to make sure delegation "basic manager attributes" is present:
 ```yaml
 ---
 - name: Playbook to manage IPA delegation.
  hosts: ipaserver
  become: yes
  tasks:
  - ipadelegation:
      ipaadmin_password: SomeADMINpassword
      name: "basic manager attributes"
      permission: read
      attribute:
      - businesscategory
      - employeetype
      group: managers
      membergroup: employees
 ```
 Example playbook to make sure delegation "basic manager attributes" is absent:
 ```yaml
 ---
 - name: Playbook to manage IPA delegation.
  hosts: ipaserver
  become: yes
  tasks:
  - ipadelegation:
      ipaadmin_password: SomeADMINpassword
      name: "basic manager attributes"
      state: absent
 ```
 Example playbook to make sure "basic manager attributes" member attributes employeetype and employeenumber are present:
 ```yaml
 ---
 - name: Playbook to manage IPA delegation.
  hosts: ipaserver
  become: yes
  tasks:
  - ipadelegation:
      ipaadmin_password: SomeADMINpassword
      name: "basic manager attributes"
      attribute:
      - employeenumber
      - employeetype
      action: member
 ```
 Example playbook to make sure "basic manager attributes" member attributes employeetype and employeenumber are absent:
 ```yaml
 ---
 - name: Playbook to manage IPA delegation.
  hosts: ipaserver
  become: yes
  tasks:
  - ipadelegation:
      ipaadmin_password: SomeADMINpassword
      name: "basic manager attributes"
      attribute:
      - employeenumber
      - employeetype
      action: member
      state: absent
 ```
 Example playbook to make sure delegation "basic manager attributes" is absent:
 ```yaml
 ---
 - name: Playbook to manage IPA delegation.
  hosts: ipaserver
  become: yes
  tasks:
  - ipadelegation:
      ipaadmin_password: SomeADMINpassword
      name: "basic manager attributes"
      state: absent
 ```
 Variables
 ---------
 ipadelegation
 -------
 Variable | Description | Required
 -------- | ----------- | --------
 `ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
 `ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
 `name` \| `aciname` | The list of delegation name strings. | yes
 `permission` \| `permissions` |  The permission to grant `read`, `read,write`, `write`]. Default is `write`. | no
 `attribute` \| `attrs` | The attribute list to which the delegation applies. | no
 `membergroup` \| `memberof` | The user group to apply delegation to. | no
 `group` | User group ACI grants access to. | no
 `action` | Work on delegation or member level. It can be on of `member` or `delegation` and defaults to `delegation`. | no
 `state` | The state to ensure. It can be one of `present`, `absent`, default: `present`. | no
 Authors
 =======
 Thomas Woerner
--- a/README-dnsconfig.md
+++ b/README-dnsconfig.md
@@ -0,0 +1,140 @@
 DNSConfig module
 ============
 Description
 -----------
 The dnsconfig module allows to modify global DNS configuration.
 Features
 --------
 * Global DNS configuration
 Supported FreeIPA Versions
 --------------------------
 FreeIPA versions 4.4.0 and up are supported by the ipadnsconfig module.
 Requirements
 ------------
 **Controller**
 * Ansible version: 2.8+
 **Node**
 * Supported FreeIPA version (see above)
 Usage
 =====
 Example inventory file
 ```ini
 [ipaserver]
 ipaserver.test.local
 ```
 Example playbook to set global DNS configuration:
 ```yaml
 ---
 - name: Playbook to handle global DNS configuration
  hosts: ipaserver
  become: true
  tasks:
  # Set dnsconfig.
  - ipadnsconfig:
      forwarders:
        - ip_address: 8.8.4.4
        - ip_address: 2001:4860:4860::8888
          port: 53
      forward_policy: only
      allow_sync_ptr: yes
 ```
 Example playbook to ensure a global forwarder, with a custom port, is absent:
 ```yaml
 ---
 - name: Playbook to handle global DNS configuration
  hosts: ipaserver
  become: true
  tasks:
  # Ensure global forwarder with a custom port is absent.
  - ipadnsconfig:
      forwarders:
          - ip_address: 2001:4860:4860::8888
            port: 53
      state: absent
 ```
 Example playbook to disable global forwarders:
 ```yaml
 ---
 - name: Playbook to disable global DNS forwarders
  hosts: ipaserver
  become: true
  tasks:
  # Disable global forwarders.
  - ipadnsconfig:
      forward_policy: none
 ```
 Example playbook to change global forward policy:
 ```yaml
 ---
 - name: Playbook to change global forward policy
  hosts: ipaserver
  become: true
  tasks:
  # Disable global forwarders.
  - ipadnsconfig:
      forward_policy: first
 ```
 Example playbook to disallow synchronization of forward (A, AAAA) and reverse (PTR) records:
 ```yaml
 ---
 - name: Playbook to disallow reverse synchronization.
  hosts: ipaserver
  become: true
  tasks:
  # Disable global forwarders.
  - ipadnsconfig:
      allow_sync_ptr: no
 ```
 Variables
 =========
 ipadnsconfig
 ------------
 Variable | Description | Required
 -------- | ----------- | --------
 `ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
 `ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
 `forwarders` | The list of forwarders dicts. Each `forwarders` dict entry has:| no
 &nbsp; | `ip_address` - The IPv4 or IPv6 address of the DNS server. | yes
 &nbsp; | `port` - The custom port that should be used on this server. | no
 `forward_policy` | The global forwarding policy. It can be one of `only`, `first`, or `none`.  | no
 `allow_sync_ptr` | Allow synchronization of forward (A, AAAA) and reverse (PTR) records (bool). | yes
 `state` | The state to ensure. It can be one of `present` or `absent`, default: `present`. | yes
 Authors
 =======
 Rafael Guterres Jeffman
--- a/README-dnsforwardzone.md
+++ b/README-dnsforwardzone.md
@@ -0,0 +1,124 @@
 Dnsforwardzone module
 =====================
 Description
 -----------
 The dnsforwardzone module allows the addition and removal of dns forwarders from the IPA DNS config.
 It is desgined to follow the IPA api as closely as possible while ensuring ease of use.
 Features
 --------
 * DNS zone management
 Supported FreeIPA Versions
 --------------------------
 FreeIPA versions 4.4.0 and up are supported by the ipadnsforwardzone module.
 Requirements
 ------------
 **Controller**
 * Ansible version: 2.8+
 **Node**
 * Supported FreeIPA version (see above)
 Usage
 =====
 Example inventory file
 ```ini
 [ipaserver]
 ipaserver.test.local
 ```
 Example playbook to ensure presence of a forwardzone to ipa DNS:
 ```yaml
 ---
 - name: Playbook to handle add a forwarder
  hosts: ipaserver
  become: true
  tasks:
  - name: ensure presence of forwardzone with a single forwarder DNS server
    ipadnsforwardzone:
      ipaadmin_password: SomeADMINpassword
      state: present
      name: example.com
      forwarders:
        - ip_address: 8.8.8.8
      forwardpolicy: first
      skip_overlap_check: true
  - name: ensure the forward zone is disabled
    ipadnsforwardzone:
      ipaadmin_password: SomeADMINpassword
      name: example.com
      state: disabled
  - name: ensure presence of forwardzone with multiple forwarder DNS server
    ipadnsforwardzone:
      ipaadmin_password: SomeADMINpassword
      state: present
      name: example.com
      forwarders:
        - ip_address: 8.8.8.8
        - ip_address: 4.4.4.4
  - name: ensure presence of another forwarder to any existing ones for example.com
    ipadnsforwardzone:
      ipaadmin_password: SomeADMINpassword
      state: present
      name: example.com
      forwarders:
        - ip_address: 1.1.1.1
      action: member
  - name: ensure presence of forwardzone with single forwarder DNS server on non-stardard port
    ipadnsforwardzone:
      ipaadmin_password: SomeADMINpassword
      state: present
      name: example.com
      forwarders:
        - ip_address: 4.4.4.4
          port: 8053
  - name: ensure the forward zone is absent
    ipadnsforwardzone:
      ipaadmin_password: SomeADMINpassword
      name: example.com
      state: absent
 ```
 Variables
 =========
 ipagroup
 -------
 Variable | Description | Required
 -------- | ----------- | --------
 `ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
 `ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
 `name` \| `cn` | Zone name (FQDN). | yes if `state` == `present`
 `forwarders` \| `idnsforwarders` |  Per-zone forwarders. A custom port can be specified for each forwarder. Options | no
 &nbsp; | `ip_address`: The forwarder IP address. | yes
 &nbsp; | `port`: The forwarder IP port. | no
 `forwardpolicy` \| `idnsforwardpolicy` | Per-zone conditional forwarding policy. Possible values are `only`, `first`, `none`. Set to "none" to disable forwarding to global forwarder for this zone. In that case, conditional zone forwarders are disregarded. | no
 `skip_overlap_check` | Force DNS zone creation even if it will overlap with an existing zone. Defaults to False. | no
 `permission` | Allow DNS Forward Zone to be managed. (bool) | no
 `action` | Work on group or member level. It can be on of `member` or `dnsforwardzone` and defaults to `dnsforwardzone`. | no
 `state` | The state to ensure. It can be one of `present`, `absent`, `enabled` or `disabled`, default: `present`. | yes
 Authors
 =======
 Chris Procter
--- a/README-dnsrecord.md
+++ b/README-dnsrecord.md
@@ -0,0 +1,357 @@
 DNSRecord module
 ================
 Description
 -----------
 The dnsrecord module allows management of DNS records and is as compatible as possible with the Ansible upstream `ipa_dnsrecord` module, but provide some other features like multiple record management in one execution and support for more DNS record types.
 Features
 --------
 * DNS record management.
 Supported FreeIPA Versions
 --------------------------
 FreeIPA versions 4.4.0 and up are supported by the ipadnsrecord module.
 Requirements
 ------------
 **Controller**
 * Ansible version: 2.8+
 **Node**
 * Supported FreeIPA version (see above)
 Usage
 =====
 Example inventory file
 ```ini
 [ipaserver]
 ipaserver.example.com
 ```
 Example playbook to ensure an AAAA record is present:
 ```yaml
 ---
 - ipadnsrecord:
    ipaadmin_password: SomeADMINpassword
    name: host01
    zone_name: example.com
    record_type: 'AAAA'
    record_value: '::1'
 ```
 Example playbook to ensure an AAAA record is present, with a TTL of 300:
 ```yaml
 ---
 - ipadnsrecord:
    ipaadmin_password: SomeADMINpassword
    name: host01
    zone_name: example.com
    record_type: 'AAAA'
    record_value: '::1'
    record_ttl: 300
 ```
 Example playbook to ensure an AAAA record is present, with a reverse PTR record:
 ```yaml
 ---
 - ipadnsrecord:
    ipaadmin_password: SomeADMINpassword
    name: host02
    zone_name: example.com
    record_type: 'AAAA'
    record_value: 'fd00::0002'
    create_reverse: yes
 ```
 Example playbook to ensure a LOC record is present, given its individual attributes:
 ```yaml
 ---
 - ipadnsrecord:
    ipaadmin_password: SomeADMINpassword
    zone_name: example.com
    name: host03
    loc_lat_deg: 52
    loc_lat_min: 22
    loc_lat_sec: 23.000
    loc_lat_dir: N
    loc_lon_deg: 4
    loc_lon_min: 53
    loc_lon_sec: 32.00
    loc_lon_dir: E
    loc_altitude: -2.00
    loc_size: 1.00
    loc_h_precision: 10000
    loc_v_precision: 10
 ```
 Example playbook to ensure multiple DNS records are present:
 ```yaml
 ---
 ipadnsrecord:
  ipaadmin_password: SomeADMINpassword
  records:
    - name: host02
      zone_name: example.com
      record_type: A
      record_value:
        - "{{ ipv4_prefix }}.112"
        - "{{ ipv4_prefix }}.122"
    - name: host02
      zone_name: example.com
      record_type: AAAA
      record_value: ::1
 ```
 Example playbook to ensure multiple CNAME records are present:
 ```yaml
 ---
 - name: Ensure that 'host03' and 'host04' have CNAME records.
  ipadnsrecord:
    ipaadmin_password: SomeADMINpassword
    zone_name: example.com
    records:
    - name: host03
      cname_hostname: host03.example.com
    - name: host04
      cname_hostname: host04.example.com
 ```
 Example playbook to ensure NS record is absent:
 ```yaml
 ---
 - ipadnsrecord:
    ipaadmin_password: SomeADMINpassword
    zone_name: example.com
    name: host04
    ns_hostname: host04
    state: absent
 ```
 Example playbook to ensure LOC record is present, with fields:
 ```yaml
 ---
 - ipadnsrecord:
    ipaadmin_password: SomeADMINpassword
    zone_name: example.com
    name: host04
    loc_lat_deg: 52
    loc_lat_min: 22
    loc_lat_sec: 23.000
    loc_lat_dir: N
    loc_lon_deg: 4
    loc_lon_min: 53
    loc_lon_sec: 32.000
    loc_lon_dir: E
    loc_altitude: -2.00
    loc_size: 0.00
    loc_h_precision: 10000
    loc_v_precision: 10
 ```
 Change value of an existing LOC record:
 ```yaml
 ---
 - ipadnsrecord:
  ipaadmin_password: SomeADMINpassword
  zone_name: example.com
  name: host04
  loc_size: 1.00
  loc_rec: 52 22 23 N 4 53 32 E -2 0 10000 10
 ```
 Example playbook to ensure multiple A records are present:
 ```yaml
 - ipadnsrecord:
    ipaadmin_password: SomeADMINpassword
    zone_name: example.com
    name: host04
    a_rec:
      - 192.168.122.221
      - 192.168.122.222
      - 192.168.122.223
      - 192.168.122.224
 ```
 Example playbook to ensure A and AAAA records are present, with reverse records (PTR):
 ```yaml
 - ipadnsrecord:
    ipaadmin_password: SomeADMINpassword
    zone_name: example.com
    name: host01
    a_rec:
      - 192.168.122.221
      - 192.168.122.222
    aaaa_rec:
      - fd00:;0001
      - fd00::0002
    create_reverse: yes
 ```
 Example playbook to ensure multiple A and AAAA records are present, but only A records have reverse records:
 ```yaml
 - ipadnsrecord:
    ipaadmin_password: SomeADMINpassword
    zone_name: example.com
    name: host01
    a_ip_address: 192.168.122.221
    aaaa_ip_address: fd00::0001
    a_create_reverse: yes
 ```
 Example playbook to ensure multiple DNS records are absent:
 ```yaml
 ---
 - ipadnsrecord:
    ipaadmin_password: SomeADMINpassword
    zone_name: example.com
    records:
    - name: host01
      del_all: yes
    - name: host02
      del_all: yes
    - name: host03
      del_all: yes
    - name: host04
      del_all: yes
    - name: _ftp._tcp
      del_all: yes
    - name: _sip._udp
      del_all: yes
    state: absent
 ```
 Variables
 =========
 ipadnsrecord
 ------------
 Variable | Description | Required
 -------- | ----------- | --------
 `ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
 `ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
 `zone_name` \| `dnszone` | The DNS zone name to which DNS record needs to be managed. You can use one global zone name for multiple records. | no
  required: true
 `records` | The list of dns records dicts. Each `records` dict entry can contain **record variables**. | no
 &nbsp; | **Record variables** | no
 **Record variables** | Used when defining a single record. | no
 `state` | The state to ensure. It can be one of `present` or `absent`, and defaults to `present`. | yes
 **Record Variables:**
 Variable | Description | Required
 -------- | ----------- | --------
 `zone_name` \| `dnszone` | The DNS zone name to which DNS record needs to be managed. You can use one global zone name for multiple records. When used on a `records` dict, overrides the global `zone_name`. | yes
 `name` \| `record_name` | The DNS record name to manage. | yes
 `record_type` | The type of DNS record. Supported values are  `A`, `AAAA`, `A6`, `AFSDB`, `CERT`, `CNAME`, `DLV`, `DNAME`, `DS`, `KX`, `LOC`, `MX`, `NAPTR`, `NS`, `PTR`, `SRV`, `SSHFP`, `TLSA`, `TXT`, `URI`, and defaults to `A`. | no
 `record_value` | Manage DNS record name with this values. | no
 `record_ttl` | Set the TTL for the record. (int) | no
 `del_all` | Delete all associated records. (bool) | no
 `a_rec` \| `a_record` | Raw A record. | no
 `aaaa_rec` \| `aaaa_record` |  Raw AAAA record. | no
 `a6_rec` \| `a6_record` | Raw A6 record data. | no
 `afsdb_rec` \| `afsdb_record` | Raw AFSDB record. | no
 `cert_rec` \| `cert_record` | Raw CERT record. | no
 `cname_rec` \| `cname_record` | Raw CNAME record. | no
 `dlv_rec` \| `dlv_record` |  Raw DLV record. | no
 `dname_rec` \| `dname_record` | Raw DNAM record. | no
 `ds_rec` \| `ds_record` | Raw DS record. | no
 `kx_rec` \| `kx_record` |  Raw KX record. | no
 `loc_rec` \| `loc_record` | Raw LOC record. | no
 `mx_rec` \| `mx_record` | Raw MX record. | no
 `naptr_rec` \| `naptr_record` | Raw NAPTR record. | no
 `ns_rec` \| `ns_record` | Raw NS record. | no
 `ptr_rec` \| `ptr_record` | Raw PTR record. | no
 `srv_rec` \| `srv_record` | Raw SRV record. | no
 `sshfp_rec` \| `sshfp_record` | Raw SSHFP record. | no
 `tlsa_rec` \| `tlsa_record` | Raw TLSA record. | no
 `txt_rec` \| `txt_record` | Raw TXT record. | no
 `uri_rec` \| `uri_record` | Raw URI record. | no
 `ip_address` | IP adress for A or AAAA records. Set `record_type` to `A` or `AAAA`. | no
 `create_reverse` \| `reverse` | Create reverse records for `A` and `AAAA` record types. There is no equivalent to remove reverse records. (bool) | no
 `a_ip_address` | IP adress for A records. Set `record_type` to `A`. | no
 `a_create_reverse` | Create reverse records only for `A` records. There is no equivalent to remove reverse records. (bool) | no
 `aaaa_ip_address` | IP adress for AAAA records. Set `record_type` `AAAA`. | no
 `aaaa_create_reverse` | Create reverse records only for `AAAA` record types. There is no equivalent to remove reverse records. (bool) | no
 `a6_data` | A6 record. Set `record_type` to `A6`. | no
 `afsdb_subtype` | AFSDB Subtype. Set `record_type` to `AFSDB`. (int) | no
 `afsdb_hostname` | AFSDB Hostname. Set `record_type` to `AFSDB`. | no
 `cert_type` | CERT Certificate Type. Set `record_type` to `CERT`. (int) | no
 `cert_key_tag` | CERT Key Tag. Set `record_type` to `CERT`. (int) | no
 `cert_algorithm` | CERT Algorithm. Set `record_type` to `CERT`. (int) | no
 `cert_certificate_or_crl` | CERT Certificate or  Certificate Revocation List (CRL). Set `record_type` to `CERT`. | no
 `cname_hostname` | A hostname which this alias hostname points to. Set `record_type` to `CNAME`. | no
 `dlv_key_tag` | DS Key Tag. Set `record_type` to `DLV`. (int) | no
 `dlv_algorithm` | DLV Algorithm. Set `record_type` to `DLV`. (int) | no
 `dlv_digest_type` | DLV Digest Type. Set `record_type` to `DLV`. (int) | no
 `dlv_digest` | DLV Digest. Set `record_type` to `DLV`. | no
 `dname_target` | DNAME Target. Set `record_type` to `DNAME`. | no
 `ds_key_tag` | DS Key Tag. Set `record_type` to `DS`. (int) | no
 `ds_algorithm` | DS Algorithm. Set `record_type` to `DS`. (int) | no
 `ds_digest_type` | DS Digest Type. Set `record_type` to `DS`. (int) | no
 `ds_digest` | DS Digest. Set `record_type` to `DS`. | no
 `kx_preference` | Preference given to this exchanger. Lower values are more preferred. Set `record_type` to `KX`. (int) | no
 `kx_exchanger` | A host willing to act as a key exchanger.  Set `record_type` to `KX`. | no
 `loc_lat_deg` | LOC Degrees Latitude. Set `record_type` to `LOC`. (int) | no
 `loc_lat_min` | LOC Minutes Latitude. Set `record_type` to `LOC`. (int) | no
 `loc_lat_sec` | LOC Seconds Latitude. Set `record_type` to `LOC`. (float) | no
 `loc_lat_dir` | LOC Direction Latitude. Valid values are `N` or `S`. Set `record_type` to `LOC`. (int) | no
 `loc_lon_deg` | LOC Degrees Longitude. Set `record_type` to `LOC`. (int) | no
 `loc_lon_min` | LOC Minutes Longitude. Set `record_type` to `LOC`. (int) | no
 `loc_lon_sec` | LOC Seconds Longitude. Set `record_type` to `LOC`. (float) | no
 `loc_lon_dir` | LOC Direction Longitude. Valid values are `E` or `W`. Set `record_type` to `LOC`. (int) | no
 `loc_altitude` | LOC Altitude. Set `record_type` to `LOC`. (float) | no
 `loc_size` | LOC Size. Set `record_type` to `LOC`. (float) | no
 `loc_h_precision` | LOC Horizontal Precision. Set `record_type` to `LOC`. (float) | no
 `loc_v_precision` | LOC Vertical Precision. Set `record_type` to `LOC`. (float) | no
 `mx_preference` | Preference given to this exchanger. Lower values are more preferred. Set `record_type` to `MX`. (int) | no
 `mx_exchanger` | A host willing to act as a mail exchanger.  Set `record_type` to `LOC`. | no
 `naptr_order` | NAPTR Order. Set `record_type` to `NAPTR`. (int) | no
 `naptr_preference` | NAPTR Preference. Set `record_type` to `NAPTR`. (int) | no
 `naptr_flags` | NAPTR Flags. Set `record_type` to `NAPTR`. | no
 `naptr_service` | NAPTR Service. Set `record_type` to `NAPTR`. | no
 `naptr_regexp` | NAPTR Regular Expression. Set `record_type` to `NAPTR`. | no
 `naptr_replacement` | NAPTR Replacement. Set `record_type` to `NAPTR`. | no
 `ns_hostname` | NS Hostname. Set `record_type` to `NS`. | no
 `ptr_hostname` | The hostname this reverse record points to. . Set `record_type` to `PTR`. | no
 `srv_priority` | Lower number means higher priority. Clients will attempt to contact the server with the lowest-numbered priority they can reach. Set `record_type` to `SRV`. (int) | no
 `srv_weight` | Relative weight for entries with the same priority. Set `record_type` to `SRV`. (int) | no
 `srv_port` | SRV Port. Set `record_type` to `SRV`. (int) | no
 `srv_target` | The domain name of the target host or '.' if the service is decidedly not available at this domain. Set `record_type` to `SRV`. | no
 `sshfp_algorithm` | SSHFP Algorithm. Set `record_type` to `SSHFP`. (int) | no
 `sshfp_fp_type` | SSHFP Fingerprint Type. Set `record_type` to `SSHFP`. (int) | no
 `sshfp_fingerprint`| SSHFP Fingerprint. Set `record_type` to `SSHFP`. (int) | no
 `txt_data` | TXT Text Data. Set `record_type` to `TXT`. | no
 `tlsa_cert_usage` | TLSA Certificate Usage. Set `record_type` to `TLSA`. (int) | no
 `tlsa_selector` | TLSA Selector. Set `record_type` to `TLSA`. (int) | no
 `tlsa_matching_type` | TLSA Matching Type. Set `record_type` to `TLSA`. (int) | no
 `tlsa_cert_association_data` | TLSA Certificate Association Data. Set `record_type` to `TLSA`. | no
 `uri_target` | Target Uniform Resource Identifier according to RFC 3986. Set `record_type` to `URI`. | no
 `uri_priority` | Lower number means higher priority. Clients will attempt to contact the URI with the lowest-numbered priority they can reach. Set `record_type` to `URI`. (int) | no
 `uri_weight` | Relative weight for entries with the same priority. Set `record_type` to `URI`. (int) | no
 Authors
 =======
 Rafael Guterres Jeffman
--- a/README-dnszone.md
+++ b/README-dnszone.md
@@ -0,0 +1,247 @@
 DNSZone Module
 ==============
 Description
 -----------
 The dnszone module allows to configure zones in DNS server.
 Features
 --------
 * Add, remove, modify, enable or disable DNS zones.
 Supported FreeIPA Versions
 --------------------------
 FreeIPA versions 4.4.0 and up are supported by ipadnszone module.
 Requirements
 ------------
 **Controller**
 * Ansible version: 2.8+
 **Node**
 * Supported FreeIPA version (see above)
 Usage
 -----
 ```ini
 [ipaserver]
 ipaserver.test.local
 ```
 Example playbook to create a simple DNS zone:
 ```yaml
 ---
 - name: dnszone present
  hosts: ipaserver
  become: true
  tasks:
  - name: Ensure zone is present.
    ipadnszone:
      ipaadmin_password: SomeADMINpassword
      name: testzone.local
      state: present
 ```
 Example playbook to create a DNS zone with all currently supported variables:
 ```yaml
 ---
 - name: dnszone present
  hosts: ipaserver
  become: true
  tasks:
  - name: Ensure zone is present.
    ipadnszone:
      ipaadmin_password: SomeADMINpassword
      name: testzone.local
      allow_sync_ptr: true
      dynamic_update: true
      dnssec: true
      allow_transfer:
        - 1.1.1.1
        - 2.2.2.2
      allow_query:
        - 1.1.1.1
        - 2.2.2.2
      forwarders:
        - ip_address: 8.8.8.8
        - ip_address: 8.8.4.4
          port: 52
      serial: 1234
      refresh: 3600
      retry: 900
      expire: 1209600
      minimum: 3600
      ttl: 60
      default_ttl: 90
      name_server: ipaserver.test.local.
      admin_email: admin.admin@example.com
      nsec3param_rec: "1 7 100 0123456789abcdef"
      skip_overlap_check: true
      skip_nameserver_check: true
      state: present
 ```
 Example playbook to disable a zone:
 ```yaml
 ---
 - name: Playbook to disable DNS zone
  hosts: ipaserver
  become: true
  tasks:
  - name: Disable zone.
    ipadnszone:
      ipaadmin_password: SomeADMINpassword
      name: testzone.local
      state: disabled
 ```
 Example playbook to enable a zone:
 ```yaml
 ---
 - name: Playbook to enable DNS zone
  hosts: ipaserver
  become: true
  tasks:
  - name: Enable zone.
    ipadnszone:
      ipaadmin_password: SomeADMINpassword
      name: testzone.local
      state: enabled
 ```
 Example playbook to remove a zone:
 ```yaml
 ---
 - name: Playbook to remove DNS zone
  hosts: ipaserver
  become: true
  tasks:
  - name: Remove zone.
    ipadnszone:
      ipaadmin_password: SomeADMINpassword
      name: testzone.local
      state: absent
 ```
 Example playbook to create a zone for reverse DNS lookup, from an IP address:
 ```yaml
 ---
 - name: dnszone present
  hosts: ipaserver
  become: true
  tasks:
  - name: Ensure zone for reverse DNS lookup is present.
    ipadnszone:
      ipaadmin_password: SomeADMINpassword
      name_from_ip: 192.168.1.2
      state: present
 ```
 Note that, on the previous example the zone created with `name_from_ip` might be "1.168.192.in-addr.arpa.", "168.192.in-addr.arpa.", or "192.in-addr.arpa.", depending on the DNS response the system get while querying for zones, and for this reason, when creating a zone using `name_from_ip`, the inferred zone name is returned to the controller, in the attribute `dnszone.name`. Since the zone inferred might not be what a user expects, `name_from_ip` can only be used with `state: present`. To have more control over the zone name, the prefix length for the IP address can be provided.
 Example playbook to create a zone for reverse DNS lookup, from an IP address, given the prefix length and displaying the resulting zone name:
 ```yaml
 ---
 - name: dnszone present
  hosts: ipaserver
  become: true
  tasks:
  - name: Ensure zone for reverse DNS lookup is present.
    ipadnszone:
      ipaadmin_password: SomeADMINpassword
      name_from_ip: 192.168.1.2/24
      state: present
    register: result
  - name: Display inferred zone name.
    debug:
      msg: "Zone name: {{ result.dnszone.name }}"
 ```
 Variables
 =========
 ipadnszone
 ----------
 Variable | Description | Required
 -------- | ----------- | --------
 `ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
 `ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
 `name` \| `zone_name` | The zone name string or list of strings. | no
 `name_from_ip` | Derive zone name from reverse of IP (PTR). Can only be used with `state: present`. | no
 `forwarders` | The list of forwarders dicts. Each `forwarders` dict entry has:| no
 &nbsp; | `ip_address` - The IPv4 or IPv6 address of the DNS server. | yes
 &nbsp; | `port` - The custom port that should be used on this server. | no
 `forward_policy` | The global forwarding policy. It can be one of `only`, `first`, or `none`.  | no
 `allow_sync_ptr` | Allow synchronization of forward (A, AAAA) and reverse (PTR) records (bool). | no
 `state` | The state to ensure. It can be one of `present`, `enabled`, `disabled` or `absent`, default: `present`. | yes
 `name_server`| Authoritative nameserver domain name | no
 `admin_email`| Administrator e-mail address | no
 `update_policy`| BIND update policy | no
 `dynamic_update` \| `dynamicupdate` | Allow dynamic updates | no
 `dnssec`| Allow inline DNSSEC signing of records in the zone | no
 `allow_transfer`| List of IP addresses or networks which are allowed to transfer the zone | no
 `allow_query`| List of IP addresses or networks which are allowed to issue queries | no
 `serial`| SOA record serial number | no
 `refresh`| SOA record refresh time | no
 `retry`| SOA record retry time | no
 `expire`| SOA record expire time | no
 `minimum`| How long should negative responses be cached | no
 `ttl`| Time to live for records at zone apex | no
 `default_ttl`| Time to live for records without explicit TTL definition | no
 `nsec3param_rec`| NSEC3PARAM record for zone in format: hash_algorithm flags iterations salt | no
 `skip_overlap_check`| Force DNS zone creation even if it will overlap with an existing zone | no
 `skip_nameserver_check` | Force DNS zone creation even if nameserver is not resolvable | no
 Return Values
 =============
 ipadnszone
 ----------
 Variable | Description | Returned When
 -------- | ----------- | -------------
 `dnszone` | DNS Zone dict with zone name infered from `name_from_ip`. <br>Options: |  If `state` is `present`, `name_from_ip` is used, and a zone was created.
 &nbsp; | `name` - The name of the zone created, inferred from `name_from_ip`. | Always
 Authors
 =======
 Sergio Oliveira Campos
--- a/README-group.md
+++ b/README-group.md
@@ -4,9 +4,9 @@ Group module
 Description
 -----------
-The group module allows to add, remove, enable, disable, unlock und undelete groups.
+The group module allows to ensure presence and absence of groups and members of groups.
-The group module is as compatible as possible to the Ansible upstream `ipa_group` module, but addtionally offers to add users to a group and also to remove users from a group.
+The group module is as compatible as possible to the Ansible upstream `ipa_group` module, but additionally offers to add users to a group and also to remove users from a group.
 Features
@@ -19,6 +19,8 @@ Supported FreeIPA Versions
 FreeIPA versions 4.4.0 and up are supported by the ipagroup module.
 Some variables are only supported on newer versions of FreeIPA. Check `Variables` section for details.
 Requirements
 ------------
@@ -52,20 +54,20 @@ Example playbook to add groups:
  tasks:
  # Create group ops with gid 1234
  - ipagroup:
-      ipaadmin_password: MyPassword123
+      ipaadmin_password: SomeADMINpassword
      name: ops
      gidnumber: 1234
  # Create group sysops
  - ipagroup:
-      ipaadmin_password: MyPassword123
+      ipaadmin_password: SomeADMINpassword
      name: sysops
      user:
      - pinky
  # Create group appops
  - ipagroup:
-      ipaadmin_password: MyPassword123
+      ipaadmin_password: SomeADMINpassword
      name: appops
 ```
@@ -80,7 +82,7 @@ Example playbook to add users to a group:
  tasks:
  # Add user member brain to group sysops
  - ipagroup:
-      ipaadmin_password: MyPassword123
+      ipaadmin_password: SomeADMINpassword
      name: sysops
      action: member
      user:
@@ -100,13 +102,31 @@ Example playbook to add group members to a group:
  tasks:
  # Add group members sysops and appops to group sysops
  - ipagroup:
-      ipaadmin_password: MyPassword123
+      ipaadmin_password: SomeADMINpassword
      name: ops
      group:
      - sysops
      - appops
 ```
 Example playbook to add members from a trusted realm to an external group:
 ```yaml
 --
 - name: Playbook to handle groups.
  hosts: ipaserver
  became: true
  - name: Create an external group and add members from a trust to it.
    ipagroup:
      ipaadmin_password: SomeADMINpassword
      name: extgroup
      external: yes
      externalmember:
      - WINIPA\\Web Users
      - WINIPA\\Developers
 ```
 Example playbook to remove groups:
 ```yaml
@@ -118,7 +138,7 @@ Example playbook to remove groups:
  tasks:
  # Remove goups sysops, appops and ops
  - ipagroup:
-      ipaadmin_password: MyPassword123
+      ipaadmin_password: SomeADMINpassword
      name: sysops,appops,ops
      state: absent
 ```
@@ -137,14 +157,18 @@ Variable | Description | Required
 `name` \| `cn` | The list of group name strings. | no
 `description` | The group description string. | no
 `gid` \| `gidnumber` | The GID integer. | no
 `posix` | Create a non-POSIX group or change a non-POSIX to a posix group. (bool) | no
 `nonposix` | Create as a non-POSIX group. (bool) | no
-`external` | Allow adding external non-IPA members from trusted domains. (flag) | no
+`external` | Allow adding external non-IPA members from trusted domains. (bool) | no
 `nomembers` | Suppress processing of membership attributes. (bool) | no
 `user` | List of user name strings assigned to this group. | no
 `group` | List of group name strings assigned to this group. | no
-`service` | List of service name strings assigned to this group | no
+`service` | List of service name strings assigned to this group. Only usable with IPA versions 4.7 and up. | no
 `membermanager_user` | List of member manager users assigned to this group. Only usable with IPA versions 4.8.4 and up. | no
 `membermanager_group` | List of member manager groups assigned to this group. Only usable with IPA versions 4.8.4 and up. | no
 `externalmember` \| `ipaexternalmember`  \| `external_member`| List of members of a trusted domain in DOM\\name or name@domain form. | no
 `action` | Work on group or member level. It can be on of `member` or `group` and defaults to `group`. | no
-`state` | The state to ensure. It can be one of `present` or `absent`, defauilt: `present`. | yes
+`state` | The state to ensure. It can be one of `present` or `absent`, default: `present`. | yes
 Authors
--- a/README-hbacrule.md
+++ b/README-hbacrule.md
@@ -0,0 +1,158 @@
 HBACrule module
 ===============
 Description
 -----------
 The hbacrule (HBAC Rule) module allows to ensure presence and absence of HBAC Rules and host, hostgroups, HBAC Services, HBAC Service Groups, users, and user groups as members of HBAC Rule.
 Features
 --------
 * HBAC Rule management
 Supported FreeIPA Versions
 --------------------------
 FreeIPA versions 4.4.0 and up are supported by the ipahbacrule module.
 Requirements
 ------------
 **Controller**
 * Ansible version: 2.8+
 **Node**
 * Supported FreeIPA version (see above)
 Usage
 =====
 Example inventory file
 ```ini
 [ipaserver]
 ipaserver.test.local
 ```
 Example playbook to make sure HBAC Rule login exists:
 ```yaml
 ---
 - name: Playbook to handle hbacrules
  hbacsvcs: ipaserver
  become: true
  tasks:
  # Ensure HBAC Rule login is present
  - ipahbacrule:
      ipaadmin_password: SomeADMINpassword
      name: login
 ```
 Example playbook to make sure HBAC Rule login exists with the only HBAC Service sshd:
 ```yaml
 ---
 - name: Playbook to handle hbacrules
  hbacsvcs: ipaserver
  become: true
  tasks:
  # Ensure HBAC Rule login is present with the only HBAC Service sshd
  - ipahbacrule:
      ipaadmin_password: SomeADMINpassword
      name: login
      hbacsvc:
      - sshd
 ```
 Example playbook to make sure HBAC Service sshd is present in HBAC Rule login:
 ```yaml
 ---
 - name: Playbook to handle hbacrules
  hbacsvcs: ipaserver
  become: true
  tasks:
  # Ensure HBAC Service sshd is present in HBAC Rule login
  - ipahbacrule:
      ipaadmin_password: SomeADMINpassword
      name: login
      hbacsvc:
      - sshd
      action: member
 ```
 Example playbook to make sure HBAC Service sshd is absent in HBAC Rule login:
 ```yaml
 ---
 - name: Playbook to handle hbacrules
  hbacsvcs: ipaserver
  become: true
  tasks:
  # Ensure HBAC Service sshd is present in HBAC Rule login
  - ipahbacrule:
      ipaadmin_password: SomeADMINpassword
      name: login
      hbacsvc:
      - sshd
      action: member
      state: absent
 ```
 Example playbook to make sure HBAC Rule login is absent:
 ```yaml
 ---
 - name: Playbook to handle hbacrules
  hbacsvcs: ipaserver
  become: true
  tasks:
  # Ensure HBAC Rule login is present
  - ipahbacrule:
      ipaadmin_password: SomeADMINpassword
      name: login
      state: absent
 ```
 Variables
 =========
 ipahbacrule
 ---------------
 Variable | Description | Required
 -------- | ----------- | --------
 `ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
 `ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
 `name` \| `cn` | The list of hbacrule name strings. | yes
 `description` | The hbacrule description string. | no
 `usercategory` \| `usercat` | User category the rule applies to. Choices: ["all", ""] | no
 `hostcategory` \| `hostcat` | Host category the rule applies to. Choices: ["all", ""] | no
 `servicecategory` \| `servicecat` | HBAC service category the rule applies to. Choices: ["all", ""] | no
 `nomembers` | Suppress processing of membership attributes. (bool) | no
 `host` | List of host name strings assigned to this hbacrule. | no
 `hostgroup` | List of host group name strings assigned to this hbacrule. | no
 `hbacsvc` | List of HBAC Service name strings assigned to this hbacrule. | no
 `hbacsvcgroup` | List of HBAC Service Group name strings assigned to this hbacrule. | no
 `user` | List of user name strings assigned to this hbacrule. | no
 `group` | List of user group name strings assigned to this hbacrule. | no
 `action` | Work on hbacrule or member level. It can be on of `member` or `hbacrule` and defaults to `hbacrule`. | no
 `state` | The state to ensure. It can be one of `present`, `absent`, `enabled` or `disabled`, default: `present`. | no
 Authors
 =======
 Thomas Woerner
--- a/README-hbacsvc.md
+++ b/README-hbacsvc.md
@@ -0,0 +1,109 @@
 HBACsvc module
 ==============
 Description
 -----------
 The hbacsvc (HBAC Service) module allows to ensure presence and absence of HBAC Services.
 Features
 --------
 * HBACsvc management
 Supported FreeIPA Versions
 --------------------------
 FreeIPA versions 4.4.0 and up are supported by the ipahbacsvc module.
 Requirements
 ------------
 **Controller**
 * Ansible version: 2.8+
 **Node**
 * Supported FreeIPA version (see above)
 Usage
 =====
 Example inventory file
 ```ini
 [ipaserver]
 ipaserver.test.local
 ```
 Example playbook to make sure HBAC Service for http is present
 ```yaml
 ---
 - name: Playbook to handle HBAC Services
  hosts: ipaserver
  become: true
  tasks:
  # Ensure HBAC Service for http is present
  - ipahbacsvc:
      ipaadmin_password: SomeADMINpassword
      name: http
      description: Web service
 ```
 Example playbook to make sure HBAC Service for tftp is present
 ```yaml
 ---
 - name: Playbook to handle HBAC Services
  hosts: ipaserver
  become: true
  tasks:
  # Ensure HBAC Service for tftp is present
  - ipahbacsvc:
      ipaadmin_password: SomeADMINpassword
      name: tftp
      description: TFTPWeb service
 ```
 Example playbook to make sure HBAC Services for http and tftp are absent
 ```yaml
 ---
 - name: Playbook to handle HBAC Services
  hosts: ipaserver
  become: true
  tasks:
  # Ensure HBAC Service for http and tftp are absent
  - ipahbacsvc:
      ipaadmin_password: SomeADMINpassword
      name: http,tftp
      state: absent
 ```
 Variables
 =========
 ipahbacsvc
 ----------
 Variable | Description | Required
 -------- | ----------- | --------
 `ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
 `ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
 `name` \| `cn` \| `service` | The list of hbacsvc name strings. | no
 `description` | The hbacsvc description string. | no
 `state` | The state to ensure. It can be one of `present` or `absent`, default: `present`. | no
 Authors
 =======
 Thomas Woerner
--- a/README-hbacsvcgroup.md
+++ b/README-hbacsvcgroup.md
@@ -0,0 +1,150 @@
 HBACsvcgroup module
 ===================
 Description
 -----------
 The hbacsvcgroup (HBAC Service Group) module allows to ensure presence and absence of HBAC Service Groups and members of the groups.
 Features
 --------
 * HBAC Service Group management
 Supported FreeIPA Versions
 --------------------------
 FreeIPA versions 4.4.0 and up are supported by the ipahbacsvcgroup module.
 Requirements
 ------------
 **Controller**
 * Ansible version: 2.8+
 **Node**
 * Supported FreeIPA version (see above)
 Usage
 =====
 Example inventory file
 ```ini
 [ipaserver]
 ipaserver.test.local
 ```
 Example playbook to make sure HBAC Service Group login exists:
 ```yaml
 ---
 - name: Playbook to handle hbacsvcgroups
  hbacsvcs: ipaserver
  become: true
  tasks:
  # Ensure HBAC Service Group login is present
  - ipahbacsvcgroup:
      ipaadmin_password: SomeADMINpassword
      name: login
 ```
 Example playbook to make sure HBAC Service Group login exists with the only HBAC Service sshd:
 ```yaml
 ---
 - name: Playbook to handle hbacsvcgroups
  hbacsvcs: ipaserver
  become: true
  tasks:
  # Ensure HBAC Service Group login is present with the only HBAC Service sshd
  - ipahbacsvcgroup:
      ipaadmin_password: SomeADMINpassword
      name: login
      hbacsvc:
      - sshd
 ```
 Example playbook to make sure HBAC Service sshd is present in HBAC Service Group login:
 ```yaml
 ---
 - name: Playbook to handle hbacsvcgroups
  hbacsvcs: ipaserver
  become: true
  tasks:
  # Ensure HBAC Service sshd is present in HBAC Service Group login
  - ipahbacsvcgroup:
      ipaadmin_password: SomeADMINpassword
      name: login
      hbacsvc:
      - sshd
      action: member
 ```
 Example playbook to make sure HBAC Service sshd is absent in HBAC Service Group login:
 ```yaml
 ---
 - name: Playbook to handle hbacsvcgroups
  hbacsvcs: ipaserver
  become: true
  tasks:
  # Ensure HBAC Service sshd is present in HBAC Service Group login
  - ipahbacsvcgroup:
      ipaadmin_password: SomeADMINpassword
      name: login
      hbacsvc:
      - sshd
      action: member
      state: absent
 ```
 Example playbook to make sure HBAC Service Group login is absent:
 ```yaml
 ---
 - name: Playbook to handle hbacsvcgroups
  hbacsvcs: ipaserver
  become: true
  tasks:
  # Ensure HBAC Service Group login is present
  - ipahbacsvcgroup:
      ipaadmin_password: SomeADMINpassword
      name: login
      state: absent
 ```
 Variables
 =========
 ipahbacsvcgroup
 ---------------
 Variable | Description | Required
 -------- | ----------- | --------
 `ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
 `ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
 `name` \| `cn` | The list of hbacsvcgroup name strings. | no
 `description` | The hbacsvcgroup description string. | no
 `nomembers` | Suppress processing of membership attributes. (bool) | no
 `hbacsvc` | List of hbacsvc name strings assigned to this hbacsvcgroup. | no
 `action` | Work on hbacsvcgroup or member level. It can be on of `member` or `hbacsvcgroup` and defaults to `hbacsvcgroup`. | no
 `state` | The state to ensure. It can be one of `present` or `absent`, default: `present`. | no
 Authors
 =======
 Thomas Woerner
--- a/README-host.md
+++ b/README-host.md
@@ -0,0 +1,386 @@
 Host module
 ===========
 Description
 -----------
 The host module allows to ensure presence, absence and disablement of hosts.
 The host module is as compatible as possible to the Ansible upstream `ipa_host` module, but additionally offers to disable hosts.
 Features
 --------
 * Host management
 Supported FreeIPA Versions
 --------------------------
 FreeIPA versions 4.4.0 and up are supported by the ipahost module.
 Requirements
 ------------
 **Controller**
 * Ansible version: 2.8+
 **Node**
 * Supported FreeIPA version (see above)
 Usage
 =====
 Example inventory file
 ```ini
 [ipaserver]
 ipaserver.test.local
 ```
 Example playbook to ensure host presence:
 ```yaml
 ---
 - name: Playbook to handle hosts
  hosts: ipaserver
  become: true
  tasks:
  # Ensure host is present
  - ipahost:
      ipaadmin_password: SomeADMINpassword
      name: host01.example.com
      description: Example host
      ip_address: 192.168.0.123
      locality: Lab
      ns_host_location: Lab
      ns_os_version: CentOS 7
      ns_hardware_platform: Lenovo T61
      mac_address:
      - "08:00:27:E3:B1:2D"
      - "52:54:00:BD:97:1E"
      state: present
 ```
 Compared to `ipa host-add` command no IP address conflict check is done as the ipahost module supports to have several IPv4 and IPv6 addresses for a host.
 Example playbook to ensure host presence with several IP addresses:
 ```yaml
 ---
 - name: Playbook to handle hosts
  hosts: ipaserver
  become: true
  tasks:
  # Ensure host is present
  - ipahost:
      ipaadmin_password: SomeADMINpassword
      name: host01.example.com
      description: Example host
      ip_address:
      - 192.168.0.123
      - 192.168.0.124
      - fe80::20c:29ff:fe02:a1b3
      - fe80::20c:29ff:fe02:a1b4
      locality: Lab
      ns_host_location: Lab
      ns_os_version: CentOS 7
      ns_hardware_platform: Lenovo T61
      mac_address:
      - "08:00:27:E3:B1:2D"
      - "52:54:00:BD:97:1E"
      state: present
 ```
 Example playbook to ensure IP addresses are present for a host:
 ```yaml
 ---
 - name: Playbook to handle hosts
  hosts: ipaserver
  become: true
  tasks:
  # Ensure host is present
  - ipahost:
      ipaadmin_password: SomeADMINpassword
      name: host01.example.com
      ip_address:
      - 192.168.0.124
      - fe80::20c:29ff:fe02:a1b4
      action: member
      state: present
 ```
 Example playbook to ensure IP addresses are absent for a host:
 ```yaml
 ---
 - name: Playbook to handle hosts
  hosts: ipaserver
  become: true
  tasks:
  # Ensure host is present
  - ipahost:
      ipaadmin_password: SomeADMINpassword
      name: host01.example.com
      ip_address:
      - 192.168.0.124
      - fe80::20c:29ff:fe02:a1b4
      action: member
      state: absent
 ```
 Example playbook to ensure host presence without DNS:
 ```yaml
 ---
 - name: Playbook to handle hosts
  hosts: ipaserver
  become: true
  tasks:
  # Ensure host is present without DNS
  - ipahost:
      ipaadmin_password: SomeADMINpassword
      name: host02.example.com
      description: Example host
      force: yes
 ```
 Example playbook to ensure host presence with a random password:
 ```yaml
 ---
 - name: Ensure host with random password
  hosts: ipaserver
  become: true
  tasks:
  - name: Host host01.example.com present with random password
    ipahost:
      ipaadmin_password: SomeADMINpassword
      name: host01.example.com
      random: yes
      force: yes
      update_password: on_create
    register: ipahost
  - name: Print generated random password
    debug:
      var: ipahost.host.randompassword
 ```
 Please remember that a new random password will be generated for an existing but not enrolled host if `update_password` is not limited to `on_create`. For an already enrolled host the task will fail with `update_password` default setting `always`.
 Example playbook to ensure presence of several hosts with a random password:
 ```yaml
 ---
 - name: Ensure hosts with random password
  hosts: ipaserver
  become: true
  tasks:
  - name: Hosts host01.example.com and host01.example.com present with random passwords
    ipahost:
      ipaadmin_password: SomeADMINpassword
      hosts:
      - name: host01.example.com
        random: yes
        force: yes
        update_password: on_create
      - name: host02.example.com
        random: yes
        force: yes
        update_password: on_create
    register: ipahost
  - name: Print generated random password for host01.example.com
    debug:
      var: ipahost.host["host01.example.com"].randompassword
  - name: Print generated random password for host02.example.com
    debug:
      var: ipahost.host["host02.example.com"].randompassword
 ```
 Please remember that a new random password will be generated for an existing but not enrolled host if `update_password` is not limited to `on_create`. For an already enrolled host the task will fail with `update_password` default setting `always`.
 Example playbook to ensure presence of host member principal:
 ```yaml
 ---
 - name: Host present with principal
  hosts: ipaserver
  become: true
  tasks:
  - name: Host host01.example.com present with principals host/testhost01.example.com and host/myhost01.example.com
    ipahost:
      ipaadmin_password: SomeADMINpassword
      name: host01.example.com
      principal:
      - host/testhost01.example.com
      - host/myhost01.example.com
      action: member
 ```
 Example playbook to ensure presence of host member certificate:
 ```yaml
 - name: Host present with certificate
  hosts: ipaserver
  become: true
  tasks:
  - name: Host host01.example.com present with certificate
    ipahost:
      ipaadmin_password: SomeADMINpassword
      name: host01.example.com
      certificate:
      - MIIC/zCCAeegAwIBAg...
      action: member
 ```
 Example playbook to ensure presence of member managedby_host for serveral hosts:
 ```yaml
 ---
 - name: Host present with managedby_host
  hosts: ipaserver
  become: true
  tasks:
    ipahost:
      ipaadmin_password: SomeADMINpassword
      hosts:
      - name: host01.exmaple.com
        managedby_host: server.exmaple.com
      - name: host02.exmaple.com
        managedby_host: server.exmaple.com
      action: member
 ```
 Example playbook to disable a host:
 ```yaml
 ---
 - name: Playbook to handle hosts
  hosts: ipaserver
  become: true
  tasks:
  # Ensure host is disabled
  - ipahost:
      ipaadmin_password: SomeADMINpassword
      name: host01.example.com
      update_dns: yes
      state: disabled
 ```
 `update_dns` controls if the DNS entries will be updated in this case. For `state` present it is controlling the update of the DNS SSHFP records, but not the the other DNS records.
 Example playbook to ensure a host is absent:
 ```yaml
 ---
 - name: Playbook to handle hosts
  hosts: ipaserver
  become: true
  tasks:
  # Ensure host is absent
  - ipahost:
      ipaadmin_password: password1
      name: host01.example.com
      state: absent
 ```
 Variables
 =========
 ipahost
 -------
 Variable | Description | Required
 -------- | ----------- | --------
 `ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
 `ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
 `name` \| `fqdn` | The list of host name strings. `name` with *host variables* or `hosts` containing *host variables* need to be used. | no
 **Host variables** | Only used with `name` variable in the first level. | no
 `hosts` | The list of host dicts. Each `hosts` dict entry can contain **host variables**.<br>There is one required option in the `hosts` dict:| no
 &nbsp; | `name` \| `fqdn` - The user name string of the entry. | yes
 &nbsp; | **Host variables** | no
 `update_password` |  Set password for a host in present state only on creation or always. It can be one of `always` or `on_create` and defaults to `always`. | no
 `action` | Work on host or member level. It can be on of `member` or `host` and defaults to `host`. | no
 `state` | The state to ensure. It can be one of `present`, `absent` or `disabled`, default: `present`. | yes
 **Host Variables:**
 Variable | Description | Required
 -------- | ----------- | --------
 `description` | The host description. | no
 `locality` | Host locality (e.g. "Baltimore, MD"). | no
 `location` \| `ns_host_location` | Host location (e.g. "Lab 2"). | no
 `platform` \| `ns_hardware_platform` | Host hardware platform (e.g. "Lenovo T61"). | no
 `os` \| `ns_os_version` | Host operating system and version (e.g. "Fedora 9"). | no
 `password` \| `user_password` \| `userpassword` | Password used in bulk enrollment for absent or not enrolled hosts. | no
 `random` \| `random_password` |  Initiate the generation of a random password to be used in bulk enrollment for absent or not enrolled hosts. | no
 `certificate` \| `usercertificate` | List of base-64 encoded host certificates | no
 `managedby` \| `principalname` \| `krbprincipalname` | List of hosts that can manage this host | no
 `principal` \| `principalname` \| `krbprincipalname` | List of principal aliases for this host | no
 `allow_create_keytab_user` \| `ipaallowedtoperform_write_keys_user` | Users allowed to create a keytab of this host. | no
 `allow_create_keytab_group` \| `ipaallowedtoperform_write_keys_group` | Groups allowed to create a keytab of this host. | no
 `allow_create_keytab_host` \| `ipaallowedtoperform_write_keys_host` | Hosts allowed to create a keytab of this host. | no
 `allow_create_keytab_hostgroup` \| `ipaallowedtoperform_write_keys_hostgroup` | Host groups allowed to create a keytab of this host. | no
 `allow_retrieve_keytab_user` \| `ipaallowedtoperform_read_keys_user` | Users allowed to retieve a keytab of this host. | no
 `allow_retrieve_keytab_group` \| `ipaallowedtoperform_read_keys_group` | Groups allowed to retieve a keytab of this host. | no
 `allow_retrieve_keytab_host` \| `ipaallowedtoperform_read_keys_host` | Hosts allowed to retieve a keytab of this host. | no
 `allow_retrieve_keytab_hostgroup` \| `ipaallowedtoperform_read_keys_hostgroup` | Host groups allowed to retieve a keytab of this host. | no
 `mac_address` \| `macaddress` | List of hardware MAC addresses. | no
 `sshpubkey` \| `ipasshpubkey` | List of SSH public keys | no
 `userclass` \| `class` | Host category (semantics placed on this attribute are for local interpretation) | no
 `auth_ind` \| `krbprincipalauthind` | Defines an allow list for Authentication Indicators. Use 'otp' to allow OTP-based 2FA authentications. Use 'radius' to allow RADIUS-based 2FA authentications. Use empty string to reset auth_ind to the initial value. Other values may be used for custom configurations. choices: ["radius", "otp", "pkinit", "hardened", ""] | no
 `requires_pre_auth` \| `ipakrbrequirespreauth` | Pre-authentication is required for the service (bool) | no
 `ok_as_delegate` \| `ipakrbokasdelegate` | Client credentials may be delegated to the service (bool) | no
 `ok_to_auth_as_delegate` \| `ipakrboktoauthasdelegate` | The service is allowed to authenticate on behalf of a client (bool) | no
 `force` | Force host name even if not in DNS. | no
 `reverse` | Reverse DNS detection. | no
 `ip_address` \| `ipaddress` | The host IP address list. It can contain IPv4 and IPv6 addresses. No conflict check for IP addresses is done. | no
 `update_dns` | For existing hosts: DNS SSHFP records are updated with `state` present and all DNS entries for a host removed with `state` absent. | no
 Return Values
 =============
 ipahost
 -------
 There are only return values if one or more random passwords have been generated.
 Variable | Description | Returned When
 -------- | ----------- | -------------
 `host` | Host dict with random password. (dict) <br>Options: | If random is yes and host did not exist or update_password is yes
 &nbsp; | `randompassword` - The generated random password | If only one host is handled by the module
 &nbsp; | `name` - The host name of the host that got a new random password. (dict) <br> Options: <br> &nbsp; `randompassword` - The generated random password | If several hosts are handled by the module
 Authors
 =======
 Thomas Woerner
--- a/README-hostgroup.md
+++ b/README-hostgroup.md
@@ -0,0 +1,168 @@
 Hostgroup module
 ================
 Description
 -----------
 The hostgroup module allows to ensure presence and absence of hostgroups and members of hostgroups.
 The hostgroup module is as compatible as possible to the Ansible upstream `ipa_hostgroup` module, but additionally offers to make sure that hosts are present or absent in a hostgroup.
 Features
 --------
 * Hostgroup management
 Supported FreeIPA Versions
 --------------------------
 FreeIPA versions 4.4.0 and up are supported by the ipahostgroup module.
 Some variables are only supported on newer versions of FreeIPA. Check `Variables` section for details.
 Requirements
 ------------
 **Controller**
 * Ansible version: 2.8+
 **Node**
 * Supported FreeIPA version (see above)
 Usage
 =====
 Example inventory file
 ```ini
 [ipaserver]
 ipaserver.test.local
 ```
 Example playbook to make sure hostgroup databases exists:
 ```yaml
 ---
 - name: Playbook to handle hostgroups
  hosts: ipaserver
  become: true
  tasks:
  # Ensure host-group databases is present
  - ipahostgroup:
      ipaadmin_password: SomeADMINpassword
      name: databases
      host:
      - db.example.com
      hostgroup:
      - mysql-server
      - oracle-server
 ```
 Example playbook to make sure that hosts and hostgroups are present in existing databases hostgroup:
 ```yaml
 ---
 - name: Playbook to handle hostgroups
  hosts: ipaserver
  become: true
  tasks:
  # Ensure hosts and hostgroups are present in existing databases hostgroup
  - ipahostgroup:
      ipaadmin_password: SomeADMINpassword
      name: databases
      host:
      - db.example.com
      hostgroup:
      - mysql-server
      - oracle-server
      action: member
 ```
 `action` controls if a the hostgroup or member will be handled. To add or remove members, set `action` to `member`.
 Example playbook to make sure hosts and hostgroups are absent in databases hostgroup:
 ```yaml
 ---
 - name: Playbook to handle hostgroups
  hosts: ipaserver
  become: true
  tasks:
  # Ensure hosts and hostgroups are absent in databases hostgroup
  - ipahostgroup:
      ipaadmin_password: SomeADMINpassword
      name: databases
      host:
      - db.example.com
      hostgroup:
      - mysql-server
      - oracle-server
      action: member
      state: absent
 ```
 Example playbook to rename an existing playbook:
 ```yaml
 ---
 - name: Playbook to handle hostgroups
  hosts: ipaserver
  become: true
  tasks:
  # Ensure host-group databases is absent
  - ipahostgroup:
      ipaadmin_password: SomeADMINpassword
      name: databases
      rename: datalake
      state: renamed
 ```
 Example playbook to make sure host-group databases is absent:
 ```yaml
 ---
 - name: Playbook to handle hostgroups
  hosts: ipaserver
  become: true
  tasks:
  # Ensure host-group databases is absent
  - ipahostgroup:
      ipaadmin_password: SomeADMINpassword
      name: databases
      state: absent
 ```
 Variables
 =========
 ipahostgroup
 -------
 Variable | Description | Required
 -------- | ----------- | --------
 `ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
 `ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
 `name` \| `cn` | The list of hostgroup name strings. | no
 `description` | The hostgroup description string. | no
 `nomembers` | Suppress processing of membership attributes. (bool) | no
 `host` | List of host name strings assigned to this hostgroup. | no
 `hostgroup` | List of hostgroup name strings assigned to this hostgroup. | no
 `membermanager_user` | List of member manager users assigned to this hostgroup. Only usable with IPA versions 4.8.4 and up. | no
 `membermanager_group` | List of member manager groups assigned to this hostgroup. Only usable with IPA versions 4.8.4 and up. | no
 `rename` \| `new_name` | Rename hostgroup to the provided name. Only usable with IPA versions 4.8.7 and up. | no
 `action` | Work on hostgroup or member level. It can be on of `member` or `hostgroup` and defaults to `hostgroup`. | no
 `state` | The state to ensure. It can be one of `present`, `absent` or `renamed`, default: `present`. | no
 Authors
 =======
 Thomas Woerner
--- a/README-location.md
+++ b/README-location.md
@@ -0,0 +1,92 @@
 Location module
 ===============
 Description
 -----------
 The location module allows to ensure presence and absence of locations.
 Features
 --------
 * Location management
 Supported FreeIPA Versions
 --------------------------
 FreeIPA versions 4.4.0 and up are supported by the ipalocation module.
 Requirements
 ------------
 **Controller**
 * Ansible version: 2.8+
 **Node**
 * Supported FreeIPA version (see above)
 Usage
 =====
 Example inventory file
 ```ini
 [ipaserver]
 ipaserver.test.local
 ```
 Example playbook to make sure location "my_location1" is present:
 ```yaml
 ---
 - name: Playbook to manage IPA location.
  hosts: ipaserver
  become: yes
  tasks:
  - ipalocation:
      ipaadmin_password: SomeADMINpassword
      name: my_location1
      description: My Location 1
 ```
 Example playbook to make sure location "my_location1" is absent:
 ```yaml
 ---
 - name: Playbook to manage IPA location.
  hosts: ipaserver
  become: yes
  tasks:
  - ipalocation:
      ipaadmin_password: SomeADMINpassword
      name: my_location1
      state: absent
 ```
 Variables
 ---------
 ipalocation
 -------
 Variable | Description | Required
 -------- | ----------- | --------
 `ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
 `ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
 `name` \| `idnsname` | The list of location name strings. | yes
 `description` | The IPA location string | false
 `state` | The state to ensure. It can be one of `present`, `absent`, default: `present`. | no
 Authors
 =======
 Thomas Woerner
--- a/README-permission.md
+++ b/README-permission.md
@@ -0,0 +1,188 @@
 Permission module
 ============
 Description
 -----------
 The permission module allows to ensure presence and absence of permissions and permission members.
 Features
 --------
 * Permission management
 Supported FreeIPA Versions
 --------------------------
 FreeIPA versions 4.4.0 and up are supported by the ipapermission module.
 Requirements
 ------------
 **Controller**
 * Ansible version: 2.8+
 **Node**
 * Supported FreeIPA version (see above)
 Usage
 =====
 Example inventory file
 ```ini
 [ipaserver]
 ipaserver.test.local
 ```
 Example playbook to make sure permission "MyPermission" is present:
 ```yaml
 ---
 - name: Playbook to handle IPA permissions
  hosts: ipaserver
  become: yes
  tasks:
  - name: Ensure permission MyPermission is present
    ipapermission:
      ipaadmin_password: SomeADMINpassword
      name: MyPermission
      object_type: host
      right: all
 ```
 Example playbook to ensure permission "MyPermission" is present with attr carlicense:
 ```yaml
 ---
 - name: Playbook to handle IPA permissions
  hosts: ipaserver
  become: yes
  tasks:
  - name: Ensure permission "MyPermission" is present with attr carlicense
    ipapermission:
      ipaadmin_password: SomeADMINpassword
      name: MyPermission
      object_type: host
      right: all
      attrs:
      - carlicense
 ```
 Example playbook to ensure attr gecos is present in permission "MyPermission":
 ```yaml
 ---
 - name: Playbook to handle IPA permissions
  hosts: ipaserver
  become: yes
  tasks:
  - name: Ensure attr gecos is present in permission "MyPermission"
    ipapermission:
      ipaadmin_password: SomeADMINpassword
      name: MyPermission
      attrs:
      - gecos
      action: member
 ```
 Example playbook to ensure attr gecos is absent in permission "MyPermission":
 ```yaml
 ---
 - name: Playbook to handle IPA permissions
  hosts: ipaserver
  become: yes
  tasks:
  - name: Ensure attr gecos is present in permission "MyPermission"
    ipapermission:
      ipaadmin_password: SomeADMINpassword
      name: MyPermission
      attrs:
      - gecos
      action: member
      state: absent
 ```
 Example playbook to make sure permission "MyPermission" is absent:
 ```yaml
 ---
 - name: Playbook to handle IPA permissions
  hosts: ipaserver
  become: yes
  tasks:
  - name: Ensure permission "MyPermission" is absent
    ipapermission:
      ipaadmin_password: SomeADMINpassword
      name: MyPermission
      state: absent
 ```
 Example playbook to make sure permission "MyPermission" is renamed to "MyNewPermission":
 ```yaml
 ---
 - name: Playbook to handle IPA permissions
  hosts: ipaserver
  become: yes
  tasks:
  - name: Ensure permission "MyPermission" is renamed to "MyNewPermission
    ipapermission:
      ipaadmin_password: SomeADMINpassword
      name: MyPermission
      rename: MyNewPermission
      state: renamed
 ```
 Variables
 ---------
 ipapermission
 -------
 Variable | Description | Required
 -------- | ----------- | --------
 `ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
 `ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
 `name` \| `cn` | The permission name string. | yes
 `right` \| `ipapermright` | Rights to grant. It can be a list of one or more of `read`, `search`, `compare`, `write`, `add`, `delete`, and `all` default: `all` | no
 `attrs` | All attributes to which the permission applies. | no
 `bindtype` \| `ipapermbindruletype` | Bind rule type. It can be one of `permission`, `all`, `self`, or `anonymous` defaults to `permission` for new permissions. Bind rule type `self` can only be used on IPA versions 4.8.7 or up.| no
 `subtree` \| `ipapermlocation` | Subtree to apply permissions to | no
 `filter` \| `extratargetfilter` | Extra target filter | no
 `rawfilter` \| `ipapermtargetfilter` | All target filters | no
 `target` \| `ipapermtarget` | Optional DN to apply the permission to | no
 `targetto` \| `ipapermtargetto` | Optional DN subtree where an entry can be moved to | no
 `targetfrom` \| `ipapermtargetfrom` | Optional DN subtree from where an entry can be moved | no
 `memberof` | Target members of a group (sets memberOf targetfilter) | no
 `targetgroup` | User group to apply permissions to (sets target) | no
 `object_type` | Type of IPA object (sets subtree and objectClass targetfilter) | no
 `no_members` | Suppress processing of membership | no
 `rename` | Rename the permission object | no
 `action` | Work on permission or member level. It can be on of `member` or `permission` and defaults to `permission`. | no
 `state` | The state to ensure. It can be one of `present`, `absent`, or `renamed` default: `present`. | no
 The `includedattrs` and `excludedattrs` variables are only usable for managed permisions and are not exposed by the module. Using `attrs` for managed permissions will result in the automatic generation of `includedattrs` and `excludedattrs` in the IPA server.
 Authors
 =======
 Seth Kress
--- a/README-privilege.md
+++ b/README-privilege.md
@@ -0,0 +1,147 @@
 Privilege module
 ================
 Description
 -----------
 The privilege module allows to ensure presence and absence of privileges and privilege members.
 Features
 --------
 * Privilege management
 Supported FreeIPA Versions
 --------------------------
 FreeIPA versions 4.4.0 and up are supported by the ipaprivilege module.
 Requirements
 ------------
 **Controller**
 * Ansible version: 2.8+
 **Node**
 * Supported FreeIPA version (see above)
 Usage
 =====
 Example inventory file
 ```ini
 [ipaserver]
 ipaserver.test.local
 ```
 Example playbook to make sure privilege "Broad Privilege" is present:
 ```yaml
 ---
 - name: Playbook to manage IPA privilege.
  hosts: ipaserver
  become: yes
  tasks:
  - ipaprivilege:
      ipaadmin_password: SomeADMINpassword
      name: Broad Privilege
      description: Broad Privilege
 ```
 Example playbook to make sure privilege "Broad Privilege" member permission has multiple values:
 ```yaml
 ---
 - name: Playbook to manage IPA privilege permission member.
  hosts: ipaserver
  become: yes
  tasks:
  - ipaprivilege:
      ipaadmin_password: SomeADMINpassword
      name: Broad Privilege
      permission:
      - "Write IPA Configuration"
      - "System: Write DNS Configuration"
      - "System: Update DNS Entries"
      action: member
 ```
 Example playbook to make sure privilege "Broad Privilege" member permission 'Write IPA Configuration' is absent:
 ```yaml
 ---
 - name: Playbook to manage IPA privilege permission member.
  hosts: ipaserver
  become: yes
  tasks:
  - ipaprivilege:
      ipaadmin_password: SomeADMINpassword
      name: Broad Privilege
      permission:
      - "Write IPA Configuration"
      action: member
      state: absent
 ```
 Example playbook to rename privilege "Broad Privilege" to "DNS Special Privilege":
 ```yaml
 ---
 - name: Playbook to manage IPA privilege.
  hosts: ipaserver
  become: yes
  tasks:
  - ipaprivilege:
      ipaadmin_password: SomeADMINpassword
      name: Broad Privilege
      rename: DNS Special Privilege
      state: renamed
 ```
 Example playbook to make sure privilege "DNS Special Privilege" is absent:
 ```yaml
 ---
 - name: Playbook to manage IPA privilege.
  hosts: ipaserver
  become: yes
  - name: Ensure privilege Broad Privilege is absent
      ipaadmin_password: SomeADMINpassword
      name: DNS Special Privilege
      state: absent
 ```
 Variables
 ---------
 ipaprivilege
 ------------
 Variable | Description | Required
 -------- | ----------- | --------
 `ipaadmin_principal` | The admin principal is a string and defaults to `admin`. | no
 `ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node. | no
 `name` \| `cn` | The list of privilege name strings. | yes
 `description` | Privilege description. | no
 `rename` \| `new_name` | Rename the privilege object. | no
 `permission` | Permissions to be added to the privilege. | no
 `action` | Work on privilege or member level. It can be one of `member` or `privilege` and defaults to `privilege`. | no
 `state` | The state to ensure. It can be one of `present`, `absent` or `renamed`, default: `present`. | no
 Authors
 =======
 Rafael Guterres Jeffman
--- a/README-pwpolicy.md
+++ b/README-pwpolicy.md
@@ -0,0 +1,117 @@
 Pwpolicy module
 ===============
 Description
 -----------
 The pwpolicy module allows to ensure presence and absence of pwpolicies.
 Features
 --------
 * Pwpolicy management
 Supported FreeIPA Versions
 --------------------------
 FreeIPA versions 4.4.0 and up are supported by the ipapwpolicy module.
 Requirements
 ------------
 **Controller**
 * Ansible version: 2.8+
 **Node**
 * Supported FreeIPA version (see above)
 Usage
 =====
 Example inventory file
 ```ini
 [ipaserver]
 ipaserver.test.local
 ```
 Example playbook to ensure presence of pwpolicies for exisiting group ops:
 ```yaml
  tasks:
  - name: Ensure presence of pwpolicies for group ops
    ipapwpolicy:
      ipaadmin_password: SomeADMINpassword
      name: ops
      minlife: 7
      maxlife: 49
      history: 5
      priority: 1
      lockouttime: 300
      minlength: 8
      maxfail: 3
 ```
 Example playbook to ensure absence of pwpolicies for group ops:
 ```yaml
 ---
 - name: Playbook to handle pwpolicies
  hosts: ipaserver
  become: true
  tasks:
  # Ensure absence of pwpolicies for group ops
  - ipapwpolicy:
      ipaadmin_password: SomeADMINpassword
      name: ops
      state: absent
 ```
 Example playbook to ensure maxlife is set to 49 in global policy:
 ```yaml
 ---
 - name: Playbook to handle pwpolicies
  hosts: ipaserver
  become: true
  tasks:
  # Ensure absence of pwpolicies for group ops
  - ipapwpolicy:
      ipaadmin_password: SomeADMINpassword
      maxlife: 49
 ```
 Variables
 =========
 ipapwpolicy
 -------
 Variable | Description | Required
 -------- | ----------- | --------
 `ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
 `ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
 `name` \| `cn` | The list of pwpolicy name strings. If name is not given, `global_policy` will be used automatically. | no
 `maxlife` \| `krbmaxpwdlife` | Maximum password lifetime in days. (int) | no
 `minlife` \| `krbminpwdlife` | Minimum password lifetime in hours. (int) | no
 `history` \| `krbpwdhistorylength` | Password history size. (int) | no
 `minclasses` \| `krbpwdmindiffchars` | Minimum number of character classes. (int) | no
 `minlength` \| `krbpwdminlength` | Minimum length of password. (int) | no
 `priority` \| `cospriority` | Priority of the policy, higher number means lower priority. (int) | no
 `maxfail` \| `krbpwdmaxfailure` | Consecutive failures before lockout. (int) | no
 `failinterval` \| `krbpwdfailurecountinterval` | Period after which failure count will be reset in seconds. (int) | no
 `lockouttime` \| `krbpwdlockoutduration` | Period for which lockout is enforced in seconds. (int) | no
 `state` | The state to ensure. It can be one of `present` or `absent`, default: `present`. | yes
 Authors
 =======
 Thomas Woerner
--- a/README-role.md
+++ b/README-role.md
@@ -0,0 +1,264 @@
 Role module
 ===========
 Description
 -----------
 The role module allows to ensure presence, absence of roles and members of roles.
 The role module is as compatible as possible to the Ansible upstream `ipa_role` module, but additionally offers role member management.
 Features
 --------
 * Role management
 Supported FreeIPA Versions
 --------------------------
 FreeIPA versions 4.4.0 and up are supported by the iparole module.
 Requirements
 ------------
 **Controller**
 * Ansible version: 2.8+
 **Node**
 * Supported FreeIPA version (see above)
 Usage
 =====
 Example inventory file
 ```ini
 [ipaserver]
 ipaserver.test.local
 ```
 Example playbook to make sure role is present with all members:
 ```yaml
 ---
 - name: Playbook to manage IPA role with members.
  hosts: ipaserver
  become: yes
  gather_facts: no
  tasks:
  - iparole:
      ipaadmin_password: SomeADMINpassword
      name: somerole
      user:
      - pinky
      group:
      - group01
      host:
      - host01.example.com
      hostgroup:
      - hostgroup01
      privilege:
      - Group Administrators
      - User Administrators
      service:
      - service01
 ```
 Example playbook to rename a role:
 ```yaml
 - iparole:
    ipaadmin_password: SomeADMINpassword
    name: somerole
    rename: anotherrole
 ```
 Example playbook to make sure role is absent:
 ```yaml
 ---
 - name: Playbook to manage IPA role.
  hosts: ipaserver
  become: yes
  gather_facts: no
  tasks:
  - iparole:
      ipaadmin_password: SomeADMINpassword
      name: somerole
      state: absent
 ```
 Example playbook to ensure a user is a member of a role:
 ```yaml
 ---
 - name: Playbook to manage IPA role member.
  hosts: ipaserver
  become: yes
  gather_facts: no
  tasks:
  - iparole:
      ipaadmin_password: SomeADMINpassword
      name: somerole
      user:
      - pinky
      action: member
 ```
 Example playbook to ensure a group is a member of a role:
 ```yaml
 ---
 - name: Playbook to manage IPA role member.
  hosts: ipaserver
  become: yes
  gather_facts: no
  tasks:
  - iparole:
      ipaadmin_password: SomeADMINpassword
      name: somerole
      host:
      - host01.example.com
      action: member
 ```
 Example playbook to ensure a host is a member of a role:
 ```yaml
 ---
 - name: Playbook to manage IPA role member.
  hosts: ipaserver
  become: yes
  gather_facts: no
  tasks:
  - iparole:
      ipaadmin_password: SomeADMINpassword
      name: somerole
      host:
      - host01.example.com
      action: member
 ```
 Example playbook to ensure a hostgroup is a member of a role:
 ```yaml
 ---
 - name: Playbook to manage IPA role member.
  hosts: ipaserver
  become: yes
  gather_facts: no
  tasks:
  - iparole:
      ipaadmin_password: SomeADMINpassword
      name: somerole
      hostgroup:
      - hostgroup01
      action: member
 ```
 Example playbook to ensure a service is a member of a role:
 ```yaml
 ---
 - name: Playbook to manage IPA role member.
  hosts: ipaserver
  become: yes
  gather_facts: no
  tasks:
  - iparole:
      ipaadmin_password: SomeADMINpassword
      name: somerole
      service:
      - service01
      action: member
 ```
 Example playbook to ensure a privilege is a member of a role:
 ```yaml
 ---
 - name: Playbook to manage IPA role member.
  hosts: ipaserver
  become: yes
  gather_facts: no
  tasks:
  - iparole:
      ipaadmin_password: SomeADMINpassword
      name: somerole
      privilege:
      - Group Administrators
      - User Administrators
      action: member
 ```
 Example playbook to ensure that different members are not associated with a role.
 ```yaml
 ---
 - name: Playbook to manage IPA role member.
  hosts: ipaserver
  become: yes
  gather_facts: no
  tasks:
  - iparole:
      ipaadmin_password: SomeADMINpassword
      name: somerole
      user:
      - pinky
      group:
      - group01
      host:
      - host01.example.com
      hostgroup:
      - hostgroup01
      privilege:
      - Group Administrators
      - User Administrators
      service:
      - service01
      action: member
      state: absent
 ```
 Variables
 ---------
 iparole
 -------
 Variable | Description | Required
 -------- | ----------- | --------
 `ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
 `ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
 `name` \| `cn` | The list of role name strings. | yes
 `description` | A description for the role. | no
 `rename` | Rename the role object. | no
 `privilege` | Privileges associated to this role. | no
 `user` | List of users to be assigned or not assigned to the role. | no
 `group` | List of groups to be assigned or not assigned to the role. | no
 `host` | List of hosts to be assigned or not assigned to the role. | no
 `hostgroup` | List of hostgroups to be assigned or not assigned to the role. | no
 `service` | List of services to be assigned or not assigned to the role. | no
 `action` | Work on role or member level. It can be on of `member` or `role` and defaults to `role`. | no
 `state` | The state to ensure. It can be one of `present`, `absent`, default: `present`. | no
 Authors
 =======
 Rafael Jeffman
--- a/README-selfservice.md
+++ b/README-selfservice.md
@@ -0,0 +1,151 @@
 Selfservice module
 =================
 Description
 -----------
 The selfservice module allows to ensure presence, absence of selfservices and selfservice attributes.
 Features
 --------
 * Selfservice management
 Supported FreeIPA Versions
 --------------------------
 FreeIPA versions 4.4.0 and up are supported by the ipaselfservice module.
 Requirements
 ------------
 **Controller**
 * Ansible version: 2.8+
 **Node**
 * Supported FreeIPA version (see above)
 Usage
 =====
 Example inventory file
 ```ini
 [ipaserver]
 ipaserver.test.local
 ```
 Example playbook to make sure selfservice "Users can manage their own name details" is present:
 ```yaml
 ---
 - name: Playbook to manage IPA selfservice.
  hosts: ipaserver
  become: yes
  tasks:
  - ipaselfservice:
      ipaadmin_password: SomeADMINpassword
      name: "Users can manage their own name details"
      permission: read
      attribute:
      - title
      - initials
 ```
 Example playbook to make sure selfservice "Users can manage their own name details" is absent:
 ```yaml
 ---
 - name: Playbook to manage IPA selfservice.
  hosts: ipaserver
  become: yes
  tasks:
  - ipaselfservice:
      ipaadmin_password: SomeADMINpassword
      name: "Users can manage their own name details"
      state: absent
 ```
 Example playbook to make sure "Users can manage their own name details" member attribute initials is present:
 ```yaml
 ---
 - name: Playbook to manage IPA selfservice.
  hosts: ipaserver
  become: yes
  tasks:
  - ipaselfservice:
      ipaadmin_password: SomeADMINpassword
      name: "Users can manage their own name details"
      attribute:
      - initials
      action: member
 ```
 Example playbook to make sure "Users can manage their own name details" member attribute initials is absent:
 ```yaml
 ---
 - name: Playbook to manage IPA selfservice.
  hosts: ipaserver
  become: yes
  tasks:
  - ipaselfservice:
      ipaadmin_password: SomeADMINpassword
      name: "Users can manage their own name details"
      attribute:
      - initials
      action: member
      state: absent
 ```
 Example playbook to make sure selfservice "Users can manage their own name details" is absent:
 ```yaml
 ---
 - name: Playbook to manage IPA selfservice.
  hosts: ipaserver
  become: yes
  tasks:
  - ipaselfservice:
      ipaadmin_password: SomeADMINpassword
      name: "Users can manage their own name details"
      state: absent
 ```
 Variables
 ---------
 ipaselfservice
 -------
 Variable | Description | Required
 -------- | ----------- | --------
 `ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
 `ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
 `name` \| `aciname` | The list of selfservice name strings. | yes
 `permission` \| `permissions` |  The permission to grant `read`, `read,write`, `write`]. Default is `write`. | no
 `attribute` \| `attrs` | The attribute list to which the selfservice applies. | no
 `action` | Work on selfservice or member level. It can be on of `member` or `selfservice` and defaults to `selfservice`. | no
 `state` | The state to ensure. It can be one of `present`, `absent`, default: `present`. | no
 Authors
 =======
 Thomas Woerner
--- a/README-service.md
+++ b/README-service.md
@@ -0,0 +1,321 @@
 Service module
 ==============
 Description
 -----------
 The service module allows to ensure presence and absence of services.
 Features
 --------
 * Service management
 Supported FreeIPA Versions
 --------------------------
 FreeIPA versions 4.4.0 and up are supported by the ipaservice module.
 Some variables are only supported on newer versions of FreeIPA. Check `Variables` section for details.
 Requirements
 ------------
 **Controller**
 * Ansible version: 2.8+
 **Node**
 * Supported FReeIPA version (see above)
 Usage
 =====
 Example inventory file
 ```ini
 [ipaserver]
 ipaserver.test.local
 ```
 Example playbook to make sure service is present:
 ```yaml
 ---
 - name: Playbook to manage IPA service.
  hosts: ipaserver
  become: true
  gather_facts: false
  tasks:
  # Ensure service is present
  - ipaservice:
      ipaadmin_password: SomeADMINpassword
      name: HTTP/www.example.com
      certificate: |
        - MIIC/zCCAeegAwIBAgIUMNHIbn+hhrOVew/2WbkteisV29QwDQYJKoZIhvcNAQELBQAw
        DzENMAsGA1UEAwwEdGVzdDAeFw0yMDAyMDQxNDQxMDhaFw0zMDAyMDExNDQxMDhaMA8xDT
        ALBgNVBAMMBHRlc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC+XVVGFYpH
        VkcDfVnNInE1Y/pFciegdzqTjMwUWlRL4Zt3u96GhaMLRbtk+OfEkzLUAhWBOwEraELJzM
        LJOMvjYF3C+TiGO7dStFLikZmccuSsSIXjnzIPwBXa8KvgRVRyGLoVvGbLJvmjfMXp0nIT
        oTx/i74KF9S++WEes9H5ErJ99CDhLKFgq0amnvsgparYXhypHaRLnikn0vQINt55YoEd1s
        4KrvEcD2VdZkIMPbLRu2zFvMprF3cjQQG4LT9ggfEXNIPZ1nQWAnAsu7OJEkNF+E4Mkmpc
        xj9aGUVt5bsq1D+Tzj3GsidSX0nSNcZ2JltXRnL/5v63g5cZyE+nAgMBAAGjUzBRMB0GA1
        UdDgQWBBRV0j7JYukuH/r/t9+QeNlRLXDlEDAfBgNVHSMEGDAWgBRV0j7JYukuH/r/t9+Q
        eNlRLXDlEDAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQCgVy1+1kNwHs
        5y1Zp0WjMWGCJC6/zw7FDG4OW5r2GJiCXZYdJ0UonY9ZtoVLJPrp2/DAv1m5DtnDhBYqic
        uPgLzEkOS1KdTi20Otm/J4yxLLrZC5W4x0XOeSVPXOJuQWfwQ5pPvKkn6WxYUYkGwIt1OH
        2nSMngkbami3CbSmKZOCpgQIiSlQeDJ8oGjWFMLDymYSHoVOIXHwNoooyEiaio3693l6no
        obyGv49zyCVLVR1DC7i6RJ186ql0av+D4vPoiF5mX7+sKC2E8xEj9uKQ5GTWRh59VnRBVC
        /SiMJ/H78tJnBAvoBwXxSEvj8Z3Kjm/BQqZfv4IBsA5yqV7MVq
      pac_type: PAD
      auth_ind: otp
      requires_pre_auth: false
      ok_as_delegate: false
      ok_to_auth_as_delegate: false
      skip_host_check: true
      force: true
 ```
 Example playbook to make sure service is absent:
 ```yaml
 ---
 - name: Playbook to manage IPA service.
  hosts: ipaserver
  become: true
  gather_facts: false
  tasks:
  # Ensure service is present
  - ipaservice:
      ipaadmin_password: SomeADMINpassword
      name: HTTP/www.example.com
      state: absent
 ```
 Example playbook to make sure service is disabled:
 ```yaml
 ---
 - name: Playbook to manage IPA service.
  hosts: ipaserver
  become: true
  gather_facts: false
  tasks:
  # Ensure service is present
  - ipaservice:
      ipaadmin_password: SomeADMINpassword
      name: HTTP/www.example.com
      state: disabled
 ```
 Example playbook to add a service even if the host object does not exist, but only if it does have a DNS entry:
 ```yaml
 ---
 - name: Playbook to manage IPA service.
  hosts: ipaserver
  become: true
  gather_facts: false
  tasks:
  # Ensure service is present
  - ipaservice:
      ipaadmin_password: SomeADMINpassword
      name: HTTP/www.example.com
      skip_host_check: true
      force: false
 ```
 Example playbook to add a service if it does have a DNS entry, but host object exits:
 ```yaml
 ---
 - name: Playbook to manage IPA service.
  hosts: ipaserver
  become: true
  gather_facts: false
  tasks:
  # Ensure service is present
  - ipaservice:
      ipaadmin_password: SomeADMINpassword
      name: HTTP/www.example.com
      skip_host_check: false
      force: true
 ```
 Example playbook to ensure service has a certificate:
 ```yaml
 ---
 - name: Playbook to manage IPA service.
  hosts: ipaserver
  become: true
  gather_facts: false
  tasks:
  # Ensure service member certificate is present.
  - ipaservice:
      ipaadmin_password: SomeADMINpassword
      name: HTTP/www.example.com
      certificate: |
        - MIIC/zCCAeegAwIBAgIUMNHIbn+hhrOVew/2WbkteisV29QwDQYJKoZIhvcNAQELBQAw
        DzENMAsGA1UEAwwEdGVzdDAeFw0yMDAyMDQxNDQxMDhaFw0zMDAyMDExNDQxMDhaMA8xDT
        ALBgNVBAMMBHRlc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC+XVVGFYpH
        VkcDfVnNInE1Y/pFciegdzqTjMwUWlRL4Zt3u96GhaMLRbtk+OfEkzLUAhWBOwEraELJzM
        LJOMvjYF3C+TiGO7dStFLikZmccuSsSIXjnzIPwBXa8KvgRVRyGLoVvGbLJvmjfMXp0nIT
        oTx/i74KF9S++WEes9H5ErJ99CDhLKFgq0amnvsgparYXhypHaRLnikn0vQINt55YoEd1s
        4KrvEcD2VdZkIMPbLRu2zFvMprF3cjQQG4LT9ggfEXNIPZ1nQWAnAsu7OJEkNF+E4Mkmpc
        xj9aGUVt5bsq1D+Tzj3GsidSX0nSNcZ2JltXRnL/5v63g5cZyE+nAgMBAAGjUzBRMB0GA1
        UdDgQWBBRV0j7JYukuH/r/t9+QeNlRLXDlEDAfBgNVHSMEGDAWgBRV0j7JYukuH/r/t9+Q
        eNlRLXDlEDAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQCgVy1+1kNwHs
        5y1Zp0WjMWGCJC6/zw7FDG4OW5r2GJiCXZYdJ0UonY9ZtoVLJPrp2/DAv1m5DtnDhBYqic
        uPgLzEkOS1KdTi20Otm/J4yxLLrZC5W4x0XOeSVPXOJuQWfwQ5pPvKkn6WxYUYkGwIt1OH
        2nSMngkbami3CbSmKZOCpgQIiSlQeDJ8oGjWFMLDymYSHoVOIXHwNoooyEiaio3693l6no
        obyGv49zyCVLVR1DC7i6RJ186ql0av+D4vPoiF5mX7+sKC2E8xEj9uKQ5GTWRh59VnRBVC
        /SiMJ/H78tJnBAvoBwXxSEvj8Z3Kjm/BQqZfv4IBsA5yqV7MVq
      action: member
      state: present
 ```
 Example playbook to add a principal to the service:
 ```yaml
 ---
 - name: Playbook to manage IPA service.
  hosts: ipaserver
  become: true
  gather_facts: false
  tasks:
    # Principal host/principal.example.com present in service.
    - ipaservice:
        ipaadmin_password: SomeADMINpassword
        name: HTTP/www.example.com
        principal: host/principal.example.com
        action: member
 ```
 Example playbook to enable a host to manage service:
 ```yaml
 ---
 - name: Playbook to manage IPA service.
  hosts: ipaserver
  become: true
  gather_facts: false
  tasks:
    # Ensure host can manage service, again.
    - ipaservice:
        ipaadmin_password: SomeADMINpassword
        name: HTTP/www.example.com
        host: host1.example.com
        action: member
 ```
 Example playbook to allow users, groups, hosts or hostgroups to create a keytab of this service:
 ```yaml
 ---
 - name: Playbook to manage IPA service.
  hosts: ipaserver
  become: true
  gather_facts: false
  tasks:
    # Allow users, groups, hosts or host groups to create a keytab of this service.
    - ipaservice:
        ipaadmin_password: SomeADMINpassword
        name: HTTP/www.example.com
        allow_create_keytab_user:
        - user01
        - user02
        allow_create_keytab_group:
        - group01
        - group02
        allow_create_keytab_host:
        - host1.example.com
        - host2.example.com
        allow_create_keytab_hostgroup:
        - hostgroup01
        - hostgroup02
        action: member
 ```
 Example playbook to allow users, groups, hosts or hostgroups to retrieve a keytab of this service:
 ```yaml
 ---
 - name: Playbook to manage IPA service.
  hosts: ipaserver
  become: true
  gather_facts: false
  tasks:
    # Allow users, groups, hosts or host groups to retrieve a keytab of this service.
    - ipaservice:
        ipaadmin_password: SomeADMINpassword
        name: HTTP/www.example.com
        allow_retrieve_keytab_user:
        - user01
        - user02
        allow_retrieve_keytab_group:
        - group01
        - group02
        allow_retrieve_keytab_host:
        - "{{ host1_fqdn }}"
        - "{{ host2_fqdn }}"
        allow_retrieve_keytab_hostgroup:
        - hostgroup01
        - hostgroup02
        action: member
 ```
 Variables
 ---------
 ipaservice
 Variable | Description | Required
 -------- | ----------- | --------
 `ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
 `ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
 `name` \| `service` | The list of service name strings. | yes
 `certificate` \| `usercertificate` | Base-64 encoded service certificate. | no
 `pac_type` \| `ipakrbauthzdata` | Supported PAC type. It can be one of `MS-PAC`, `PAD`, or `NONE`. | no
 `auth_ind` \| `krbprincipalauthind` | Defines an allow list for Authentication Indicators. It can be any of `otp`, `radius`, `pkinit`, or `hardened`. | no
 `requires_pre_auth` \| `ipakrbrequirespreauth` | Pre-authentication is required for the service. Default to true. (bool) | no
 `ok_as_delegate` \|  `ipakrbokasdelegate` | Client credentials may be delegated to the service. Default to false. (bool) | no
 `ok_to_auth_as_delegate` \|  `ipakrboktoauthasdelegate` | The service is allowed to authenticate on behalf of a client. Default to false. (bool) | no
 `skip_host_check` | Force service to be created even when host object does not exist to manage it. Only usable with IPA versions 4.7.0 and up. Default to false. (bool)| no
 `force` | Force principal name even if host not in DNS. Default to false. (bool) | no
 `host` \| `managedby_host`| Hosts that can manage the service. | no
 `principal` \| `krbprincipalname` | List of principal aliases for the service. | no
 `allow_create_keytab_user` \| `ipaallowedtoperform_write_keys_user` | Users allowed to create a keytab of this host. | no
 `allow_create_keytab_group` \| `ipaallowedtoperform_write_keys_group`| Groups allowed to create a keytab of this host. | no
 `allow_create_keytab_host` \| `ipaallowedtoperform_write_keys_host`| Hosts allowed to create a keytab of this host. | no
 `allow_create_keytab_hostgroup` \| `ipaallowedtoperform_write_keys_group`| Host groups allowed to create a keytab of this host. | no
 `allow_retrieve_keytab_user` \| `ipaallowedtoperform_read_keys_user` | Users allowed to retrieve a keytab of this host. | no
 `allow_retrieve_keytab_group` \| `ipaallowedtoperform_read_keys_group` | Groups allowed to retrieve a keytab of this host. | no
 `allow_retrieve_keytab_host` \| `ipaallowedtoperform_read_keys_host` | Hosts allowed to retrieve a keytab from of host. | no
 `allow_retrieve_keytab_hostgroup` \| `ipaallowedtoperform_read_keys_hostgroup` | Host groups allowed to retrieve a keytab of this host. | no
 `continue` | Continuous mode: don't stop on errors. Valid only if `state` is `absent`. Default: `no` (bool) | no
 `action` | Work on service or member level. It can be on of `member` or `service` and defaults to `service`. | no
 `state` | The state to ensure. It can be one of `present`, `absent`, or `disabled`, default: `present`. | no
 Authors
 =======
 Rafael Jeffman
--- a/README-sudocmd.md
+++ b/README-sudocmd.md
@@ -0,0 +1,95 @@
 Sudocmd module
 ================
 Description
 -----------
 The sudocmd module allows to ensure presence and absence of sudo command.
 The sudocmd module is as compatible as possible to the Ansible upstream `ipa_sudocmd` module.
 Features
 --------
 * Sudo command management
 Supported FreeIPA Versions
 --------------------------
 FreeIPA versions 4.4.0 and up are supported by the ipa_sudocmd module.
 Requirements
 ------------
 **Controller**
 * Ansible version: 2.8+
 **Node**
 * Supported FreeIPA version (see above)
 Usage
 =====
 Example inventory file
 ```ini
 [ipaserver]
 ipaserver.test.local
 ```
 Example playbook to make sure sudocmd exists:
 ```yaml
 ---
 - name: Playbook to handle sudocmd
  hosts: ipaserver
  become: true
  tasks:
  # Ensure sudocmd is present
  - ipasudocmd:
      ipaadmin_password: SomeADMINpassword
      name: /usr/bin/su
      state: present
 ```
 Example playbook to make sure sudocmd is absent:
 ```yaml
 ---
 - name: Playbook to handle sudocmd
  hosts: ipaserver
  become: true
  tasks:
  # Ensure sudocmd are absent
  - ipahostgroup:
      ipaadmin_password: SomeADMINpassword
      name: /usr/bin/su
      state: absent
 ```
 Variables
 =========
 ipasudocmd
 -------
 Variable | Description | Required
 -------- | ----------- | --------
 `ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
 `ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
 `name` \| `sudocmd` | The sudo command strings. | yes
 `description` | The command description string. | no
 `nomembers` | Suppress processing of membership attributes. (bool) | no
 `state` | The state to ensure. It can be one of `present` or `absent`, default: `present`. | no
 Authors
 =======
 Rafael Guterres Jeffman
--- a/README-sudocmdgroup.md
+++ b/README-sudocmdgroup.md
@@ -0,0 +1,137 @@
 Sudocmdgroup module
 ===================
 Description
 -----------
 The sudocmdgroup module allows to ensure presence and absence of sudocmdgroups and members of sudocmdgroups.
 The sudocmdgroup module is as compatible as possible to the Ansible upstream `ipa_sudocmdgroup` module, but additionally offers to make sure that sudocmds are present or absent in a sudocmdgroup.
 Features
 --------
 * Sudocmdgroup management
 Supported FreeIPA Versions
 --------------------------
 FreeIPA versions 4.4.0 and up are supported by the ipasudocmdgroup module.
 Requirements
 ------------
 **Controller**
 * Ansible version: 2.8+
 **Node**
 * Supported FreeIPA version (see above)
 Usage
 =====
 Example inventory file
 ```ini
 [ipaserver]
 ipaserver.test.local
 ```
 Example playbook to make sure sudocmdgroup is present:
 ```yaml
 ---
 - name: Playbook to handle sudocmdgroups
  hosts: ipaserver
  become: true
  tasks:
  # Ensure sudocmdgroup is present
  - ipasudocmdgroup:
      ipaadmin_password: SomeADMINpassword
      name: group01
      description: Group of important commands
 ```
 Example playbook to make sure that a sudo command and sudocmdgroups are present in existing sudocmdgroup:
 ```yaml
 ---
 - name: Playbook to handle sudocmdgroups
  hosts: ipaserver
  become: true
  tasks:
  # Ensure sudo commands are present in existing sudocmdgroup
  - ipasudocmdgroup:
      ipaadmin_password: SomeADMINpassword
      name: group01
      sudocmd:
      - /usr/bin/su
      - /usr/bin/less
      action: member
 ```
 `action` controls if the sudocmdgroup or member will be handled. To add or remove members, set `action` to `member`.
 Example playbook to make sure that a sudo command and sudocmdgroups are absent in sudocmdgroup:
 ```yaml
 ---
 - name: Playbook to handle sudocmdgroups
  hosts: ipaserver
  become: true
  tasks:
  # Ensure sudocmds are absent in existing sudocmdgroup
  - ipasudocmdgroup:
      ipaadmin_password: SomeADMINpassword
      name: group01
      sudocmd:
      - /usr/bin/su
      - /usr/bin/less
      action: member
      state: absent
 ```
 Example playbook to make sure sudocmdgroup is absent:
 ```yaml
 ---
 - name: Playbook to handle sudocmdgroups
  hosts: ipaserver
  become: true
  tasks:
  # Ensure sudocmdgroup is absent
  - ipasudocmdgroup:
      ipaadmin_password: SomeADMINpassword
      name: group01
      state: absent
 ```
 Variables
 =========
 ipasudocmdgroup
 -------
 Variable | Description | Required
 -------- | ----------- | --------
 `ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
 `ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
 `name` \| `cn` | The list of sudocmdgroup name strings. | no
 `description` | The sudocmdgroup description string. | no
 `nomembers` | Suppress processing of membership attributes. (bool) | no
 `sudocmd` | List of sudocmdgroup name strings assigned to this sudocmdgroup. | no
 `action` | Work on sudocmdgroup or member level. It can be on of `member` or `sudocmdgroup` and defaults to `sudocmdgroup`. | no
 `state` | The state to ensure. It can be one of `present` or `absent`, default: `present`. | no
 Authors
 =======
 Rafael Guterres Jeffman
--- a/README-sudorule.md
+++ b/README-sudorule.md
@@ -0,0 +1,150 @@
 Sudorule module
 ===============
 Description
 -----------
 The sudorule (Sudo Rule) module allows to ensure presence and absence of Sudo Rules and host, hostgroups, users, and user groups as members of Sudo Rule.
 Features
 --------
 * Sudo Rule management
 Supported FreeIPA Versions
 --------------------------
 FreeIPA versions 4.4.0 and up are supported by the ipasudorule module.
 Requirements
 ------------
 **Controller**
 * Ansible version: 2.8+
 **Node**
 * Supported FreeIPA version (see above)
 Usage
 =====
 Example inventory file
 ```ini
 [ipaserver]
 ipaserver.test.local
 ```
 Example playbook to make sure Sudo Rule is present:
 ```yaml
 ---
 - name: Playbook to handle sudorules
  hosts: ipaserver
  become: true
  tasks:
  # Ensure Sudo Rule is present
  - ipasudorule:
      ipaadmin_password: SomeADMINpassword
      name: testrule1
 ```
 Example playbook to make sure sudocmds are present in Sudo Rule:
 ```yaml
 ---
 - name: Playbook to handle sudorules
  hosts: ipaserver
  become: true
  tasks:
  # Ensure Sudo Rule is present
  - ipasudorule:
      ipaadmin_password: SomeADMINpassword
      name: testrule1
      allow_sudocmd:
      - /sbin/ifconfig
      action: member
 ```
 Example playbook to make sure sudocmds are not present in Sudo Rule:
 ```yaml
 ---
 - name: Playbook to handle sudorules
  hosts: ipaserver
  become: true
  tasks:
  # Ensure Sudo Rule is present
  - ipasudorule:
      ipaadmin_password: SomeADMINpassword
      name: testrule1
      allow_sudocmd:
      - /sbin/ifconfig
      action: member
      state: absent
 ```
 Example playbook to make sure Sudo Rule is absent:
 ```yaml
 ---
 - name: Playbook to handle sudorules
  hosts: ipaserver
  become: true
  tasks:
  # Ensure Sudo Rule is present
  - ipasudorule:
      ipaadmin_password: SomeADMINpassword
      name: testrule1
      state: absent
 ```
 Variables
 =========
 ipasudorule
 ---------------
 Variable | Description | Required
 -------- | ----------- | --------
 `ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
 `ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
 `name` \| `cn` | The list of sudorule name strings. | yes
 `description` | The sudorule description string. | no
 `usercategory` \| `usercat` | User category the rule applies to. Choices: ["all", ""] | no
 `hostcategory` \| `hostcat` | Host category the rule applies to. Choices: ["all", ""] | no
 `cmdcategory` \| `cmdcat` | Command category the rule applies to. Choices: ["all", ""] | no
 `runasusercategory` \| `rusasusercat` | RunAs User category the rule applies to. Choices: ["all", ""] | no
 `runasgroupcategory` \| `runasgroupcat` | RunAs Group category the rule applies to. Choices: ["all", ""] | no
 `nomembers` | Suppress processing of membership attributes. (bool) | no
 `host` | List of host name strings assigned to this sudorule. | no
 `hostgroup` | List of host group name strings assigned to this sudorule. | no
 `user` | List of user name strings assigned to this sudorule. | no
 `group` | List of user group name strings assigned to this sudorule. | no
 `allow_sudocmd` | List of sudocmd name strings assigned to the allow group of this sudorule. | no
 `deny_sudocmd` | List of sudocmd name strings assigned to the deny group of this sudorule. | no
 `allow_sudocmdgroup` | List of sudocmd groups name strings assigned to the allow group of this sudorule. | no
 `deny_sudocmdgroup` | List of sudocmd groups name strings assigned to the deny group of this sudorule. | no
 `sudooption` \| `option` | List of options to the sudorule | no
 `order` | Integer to order the sudorule | no
 `runasuser` | List of users for Sudo to execute as. | no
 `runasgroup` | List of groups for Sudo to execute as. | no
 `action` | Work on sudorule or member level. It can be on of `member` or `sudorule` and defaults to `sudorule`. | no
 `state` | The state to ensure. It can be one of `present`, `absent`, `enabled` or `disabled`, default: `present`. | no
 Authors
 =======
 Rafael Jeffman
--- a/README-topology.md
+++ b/README-topology.md
@@ -4,7 +4,7 @@ Topology modules
 Description
 -----------
-These modules allow to manage the topology. That means that topology segments can be added, removed and reinitialized. Also it is possible to verify topology suffixes.
+These modules allow to manage the topology. That means that it can made sure that topology segments are present, absent or reinitialized. Also it is possible to verify topology suffixes.
 Features
@@ -39,7 +39,7 @@ ipaserver.test.local
 ```
-Example playbook to add a topology segment wiht default name (cn):
+Example playbook to add a topology segment with default name (cn):
 ```yaml
 ---
@@ -50,13 +50,13 @@ Example playbook to add a topology segment wiht default name (cn):
  tasks:
  - name: Add topology segment
    ipatopologysegment:
-      ipaadmin_password: MyPassword123
+      ipaadmin_password: SomeADMINpassword
      suffix: domain
      left: ipareplica1.test.local
      right: ipareplica2.test.local
      state: present
 ```
-The name (cn) can also be set if it should not be the default `{left}-to-{rkight}`.
+The name (cn) can also be set if it should not be the default `{left}-to-{right}`.
 Example playbook to delete a topology segment:
@@ -70,7 +70,7 @@ Example playbook to delete a topology segment:
  tasks:
  - name: Delete topology segment
    ipatopologysegment:
-      ipaadmin_password: MyPassword123
+      ipaadmin_password: SomeADMINpassword
      suffix: domain
      left: ipareplica1.test.local
      right: ipareplica2.test.local
@@ -90,7 +90,7 @@ Example playbook to reinitialize a topology segment:
  tasks:
  - name: Reinitialize topology segment
    ipatopologysegment:
-      ipaadmin_password: MyPassword123
+      ipaadmin_password: SomeADMINpassword
      suffix: domain
      left: ipareplica1.test.local
      right: ipareplica2.test.local
@@ -111,7 +111,7 @@ Example playbook to verify a topology suffix:
  tasks:
  - name: Verify topology suffix
    ipatopologysuffix:
-      ipaadmin_password: MyPassword123
+      ipaadmin_password: SomeADMINpassword
      suffix: domain
      state: verified
 ```
--- a/README-trust.md
+++ b/README-trust.md
@@ -0,0 +1,119 @@
 Trust module
 ============
 Description
 -----------
 The trust module allows to ensure presence and absence of a domain trust.
 Features
 --------
 * Trust management
 Supported FreeIPA Versions
 --------------------------
 FreeIPA versions 4.4.0 and up are supported by the ipatrust module.
 Requirements
 ------------
 **Controller**
 * Ansible version: 2.8+
 **Node**
 * Supported FreeIPA version (see above)
 * samba-4
 * ipa-server-trust-ad
 Usage
 =====
 Example inventory file
 ```ini
 [ipaserver]
 ipaserver.test.local
 ```
 Example playbook to ensure a one-way trust is present:
 Omitting the two_way option implies the default of one-way
 ```yaml
 ---
 - name: Playbook to ensure a one-way trust is present
  hosts: ipaserver
  become: true
  tasks:
  - name: ensure the one-way trust present
    ipatrust:
      realm: ad.example.test
      admin: Administrator
      password: secret_password
      state: present
 ```
 Example playbook to ensure a two-way trust is present using a shared-secret:
 ```yaml
 ---
 - name: Playbook to ensure a two-way trust is present
  hosts: ipaserver
  become: true
  tasks:
  - name: ensure the two-way trust is present
    ipatrust:
      realm: ad.example.test
      trust_secret: my_share_Secret
      two_way: True
      state: present
 ```
 Example playbook to ensure a trust is absent:
 ```yaml
 ---
 - name: Playbook to ensure a trust is absent
  hosts: ipaserver
  become: true
  tasks:
  - name: ensure the trust is absent
    ipatrust:
      realm: ad.example.test
      state: absent
 ```
 This will only delete the ipa-side of the trust and it does NOT delete the id-range that matches the trust,
 Variables
 =========
 ipatrust
 -------
 Variable | Description | Required
 -------- | ----------- | --------
 `ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
 `ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
 `realm` | The realm name string. | yes
 `admin` | Active Directory domain administrator string. | no
 `password` | Active Directory domain administrator's password string. | no
 `server` | Domain controller for the Active Directory domain string. | no
 `trust_secret` | Shared secret for the trust string. | no
 `base_id` | First posix id for the trusted domain integer. | no
 `range_size` | Size of the ID range reserved for the trusted domain integer. | no
 `range_type` | Type of trusted domain ID range, It can be one of `ipa-ad-trust` or `ipa-ad-trust-posix`and defaults to `ipa-ad-trust`. | no
 `two_way` | Establish bi-directional trust. By default trust is inbound one-way only. (bool) | no
 `external` | Establish external trust to a domain in another forest. The trust is not transitive beyond the domain. (bool) | no
 `state` | The state to ensure. It can be one of `present` or `absent`, default: `present`. | yes
 Authors
 =======
 Rob Verduijn
--- a/README-user.md
+++ b/README-user.md
@@ -4,9 +4,9 @@ User module
 Description
 -----------
-The user module allows to add, remove, enable, disable, unlock und undelete users.
+The user module allows to ensure presence, absence, disablement, unlocking and undeletion of users.
-The user module is as compatible as possible to the Ansible upstream `ipa_user` module, but addtionally offers to preserve delete, enable, disable, unlock and undelete users.
+The user module is as compatible as possible to the Ansible upstream `ipa_user` module, but additionally offers to preserve delete, enable, disable, unlock and undelete users.
 Features
@@ -41,7 +41,7 @@ ipaserver.test.local
 ```
-Example playbook to add users:
+Example playbook to ensure a user is present:
 ```yaml
 ---
@@ -50,9 +50,9 @@ Example playbook to add users:
  become: true
  tasks:
-  # Create user pinky
+  # Ensure user pinky is present
  - ipauser:
-      ipaadmin_password: MyPassword123
+      ipaadmin_password: SomeADMINpassword
      name: pinky
      first: pinky
      last: Acme
@@ -64,9 +64,9 @@ Example playbook to add users:
      password: "no-brain"
      update_password: on_create
-  # Create user brain
+  # Ensure user brain is present
  - ipauser:
-      ipaadmin_password: MyPassword123
+      ipaadmin_password: SomeADMINpassword
      name: brain
      first: brain
      last: Acme
@@ -74,6 +74,133 @@ Example playbook to add users:
 `update_password` controls if a password for a user will be set in present state only on creation or every time (always).
 These two `ipauser` module calls can be combined into one with the `users` variable:
 ```yaml
 ---
 - name: Playbook to handle users
  hosts: ipaserver
  become: true
  tasks:
  # Ensure users pinky and brain are present
  - ipauser:
      ipaadmin_password: SomeADMINpassword
      users:
      - name: pinky
        first: pinky
        last: Acme
        uid: 10001
        gid: 100
        phone: "+555123457"
        email: pinky@acme.com
        passwordexpiration: "2023-01-19 23:59:59"
        password: "no-brain"
      - name: brain
        first: brain
        last: Acme
      update_password: on_create
 ```
 You can also alternatively use a json file containing the users, here `users_present.json`:
 ```json
 {
  "users": [
    {
      "name": "user1",
      "first": "First 1",
      "last": "Last 1"
    },
    {
      "name": "user2",
      "first": "First 2",
      "last": "Last 2"
    },
    ...
  ]
 }
 ```
 And ensure the presence of the users with this example playbook:
 ```yaml
 ---
 - name: Tests
  hosts: ipaserver
  become: true
  gather_facts: false
  tasks:
  - name: Include users_present.json
    include_vars:
      file: users_present.json
  - name: Users present
    ipauser:
      ipaadmin_password: SomeADMINpassword
      users: "{{ users }}"
 ```
 Ensure user pinky is present with a generated random password and print the random password:
 ```yaml
 ---
 - name: Playbook to handle users
  hosts: ipaserver
  become: true
  tasks:
  # Ensure user pinky is present with a random password
  - ipauser:
      ipaadmin_password: SomeADMINpassword
      name: brain
      first: brain
      last: Acme
      random: yes
    register: ipauser
  - name: Print generated random password
    debug:
      var: ipauser.user.randompassword
 ```
 Ensure users pinky and brain are present with a generated random password and print the random passwords:
 ```yaml
 ---
 - name: Playbook to handle users
  hosts: ipaserver
  become: true
  tasks:
  # Ensure users pinky and brain are present with random password
  - ipauser:
      ipaadmin_password: SomeADMINpassword
      users:
      - name: pinky
        first: pinky
        last: Acme
        uid: 10001
        gid: 100
        phone: "+555123457"
        email: pinky@acme.com
        passwordexpiration: "2023-01-19 23:59:59"
        password: "no-brain"
      - name: brain
        first: brain
        last: Acme
    register: ipauser
  - name: Print generated random password of pinky
    debug:
      var: ipauser.user.pinky.randompassword
  - name: Print generated random password of brain
    debug:
      var: ipauser.user.brain.randompassword
 ```
 Example playbook to delete a user, but preserve it:
 ```yaml
@@ -85,12 +212,34 @@ Example playbook to delete a user, but preserve it:
  tasks:
  # Remove but preserve user pinky
  - ipauser:
-      ipaadmin_password: MyPassword123
+      ipaadmin_password: SomeADMINpassword
      name: pinky
      preserve: yes
      state: absent
 ```
 This can also be done with the `users` variable containing only names, this can be combined into one module call:
 Example playbook to delete a user, but preserve it using the `users` variable:
 ```yaml
 ---
 - name: Playbook to handle users
  hosts: ipaserver
  become: true
  tasks:
  # Remove but preserve user pinky
  - ipauser:
      ipaadmin_password: SomeADMINpassword
      users:
      - name: pinky
      preserve: yes
      state: absent
 ```
 This can also be done as an alternative with the `users` variable containing only names.
 Example playbook to undelete a preserved user.
@@ -103,11 +252,13 @@ Example playbook to undelete a preserved user.
  tasks:
  # Undelete preserved user pinky
  - ipauser:
-      ipaadmin_password: MyPassword123
+      ipaadmin_password: SomeADMINpassword
      name: pinky
      state: undeleted
 ```
 This can also be done as an alternative with the `users` variable containing only names.
 Example playbook to disable a user:
@@ -120,11 +271,13 @@ Example playbook to disable a user:
  tasks:
  # Disable user pinky
  - ipauser:
-      ipaadmin_password: MyPassword123
+      ipaadmin_password: SomeADMINpassword
      name: pinky
      state: disabled
 ```
 This can also be done as an alternative with the `users` variable containing only names.
 Example playbook to enable users:
@@ -137,11 +290,13 @@ Example playbook to enable users:
  tasks:
  # Enable user pinky and brain
  - ipauser:
-      ipaadmin_password: MyPassword123
+      ipaadmin_password: SomeADMINpassword
      name: pinky,brain
      state: enabled
 ```
 This can also be done as an alternative with the `users` variable containing only names.
 Example playbook to unlock users:
@@ -154,13 +309,13 @@ Example playbook to unlock users:
  tasks:
  # Unlock user pinky and brain
  - ipauser:
-      ipaadmin_password: MyPassword123
+      ipaadmin_password: SomeADMINpassword
      name: pinky,brain
      state: unlocked
 ```
-Example playbook to delete users:
+Example playbook to ensure users are absent:
 ```yaml
 ---
@@ -169,13 +324,34 @@ Example playbook to delete users:
  become: true
  tasks:
-  # Remove user pinky and brain
+  # Ensure users pinky and brain are absent
  - ipauser:
-      ipaadmin_password: MyPassword123
+      ipaadmin_password: SomeADMINpassword
      name: pinky,brain
      state: absent
 ```
 This can also be done as an alternative with the `users` variable containing only names.
 Example playbook to ensure users are absent:
 ```yaml
 ---
 - name: Playbook to handle users
  hosts: ipaserver
  become: true
  tasks:
  # Ensure users pinky and brain are absent
  - ipauser:
      ipaadmin_password: SomeADMINpassword
      users:
      - name: pinky
      - name: brain
      state: absent
 ```
 Variables
 =========
@@ -183,29 +359,87 @@ Variables
 ipauser
 -------
 **General Variables:**
 Variable | Description | Required
 -------- | ----------- | --------
 `ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
 `ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
-`name` | The list of user name strings. | no
+`name` | The list of user name strings. `name` with *user variables* or `users` containing *user variables* need to be used. | no
 **User variables** | Only used with `name` variable in the first level. | no
 `users` | The list of user dicts. Each `users` dict entry can contain **user variables**.<br>There is one required option in the `users` dict:| no
 &nbsp; | `name` - The user name string of the entry. | yes
 &nbsp; | **User variables** | no
 `preserve` | Delete a user, keeping the entry available for future use. (bool) | no
 `update_password` | Set password for a user in present state only on creation or always. It can be one of `always` or `on_create` and defaults to `always`. | no
 `preserve` | Delete a user, keeping the entry available for future use. (bool)  | no
 `action` | Work on user or member level. It can be on of `member` or `user` and defaults to `user`. | no
 `state` | The state to ensure. It can be one of `present`, `absent`, `enabled`, `disabled`, `unlocked` or `undeleted`, default: `present`. Only `names` or `users` with only `name` set are allowed if state is not `present`. | yes
 **User Variables:**
 Variable | Description | Required
 -------- | ----------- | --------
 `first` \| `givenname` | The first name string. | no
-`last` | The last name | no
+`last` \| `sn` | The last name string. | no
 `fullname` \| `cn` | The full name string. | no
 `displayname` | The display name string. | no
 `homedir` | The home directory string. | no
 `shell` \| `loginshell` | The login shell string. | no
 `email` | List of email address strings. | no
-`principalname` \| `krbprincipalname` | The kerberos principal sptring. | no
+`principal` \| `principalnam` \| `krbprincipalname` | The kerberos principal sptring. | no
-`passwordexpiration` \| `krbpasswordexpiration` | The kerberos password expiration date. Possible formats: `YYYYMMddHHmmssZ`, `YYYY-MM-ddTHH:mm:ssZ`, `YYYY-MM-ddTHH:mmZ`, `YYYY-MM-ddZ`, `YYYY-MM-dd HH:mm:ssZ` or `YYYY-MM-dd HH:mmZ`. The trailing 'Z' can be skipped. | no
+`principalexpiration` \| `krbprincipalexpiration` | The kerberos principal expiration date. Possible formats: `YYYYMMddHHmmssZ`, `YYYY-MM-ddTHH:mm:ssZ`, `YYYY-MM-ddTHH:mmZ`, `YYYY-MM-ddZ`, `YYYY-MM-dd HH:mm:ssZ` or `YYYY-MM-dd HH:mmZ`. The trailing 'Z' can be skipped. | no
 `passwordexpiration` \| `krbpasswordexpiration` | The kerberos password expiration date. Possible formats: `YYYYMMddHHmmssZ`, `YYYY-MM-ddTHH:mm:ssZ`, `YYYY-MM-ddTHH:mmZ`, `YYYY-MM-ddZ`, `YYYY-MM-dd HH:mm:ssZ` or `YYYY-MM-dd HH:mmZ`. The trailing 'Z' can be skipped. Only usable with IPA versions 4.7 and up. | no
 `password` | The user password string. | no
 `random` | Generate a random user password | no
 `uid` \| `uidnumber` | The UID integer. | no
 `gid` \| `gidnumber` | The GID integer. | no
 `city` | City | no
 `userstate` \| `st` | State/Province | no
 `postalcode` \| `zip` | Postalcode/ZIP | no
 `phone` \| `telephonenumber` | List of telephone number strings, | no
 `mobile` | List of mobile telephone number strings. | no
 `pager` | List of pager number strings. | no
 `fax` \| `facsimiletelephonenumber` | List of fax number strings. | no
 `orgunit` | The Organisation unit. | no
 `title` | The job title string. | no
-~~`sshpubkey` \| `ipasshpubkey`~~ | ~~List of SSH public keys.~~ | ~~no~~
+`manager` | List of manager user names. | no
-`update_password` | Set password for a user in present state only on creation or always. It can be one of `always` or `on_create` and defaults to `always`. | no
+`carlicense` | List of car licenses. | no
-`preserve` | Delete a user, keeping the entry available for future use. (bool)  | no
+`sshpubkey` \| `ipasshpubkey` | List of SSH public keys. | no
-`state` | The state to ensure. It can be one of `present`, `absent`, `enabled`, `disabled`, `unlocked` or `undeleted`, default: `present`. | yes
+`userauthtype` | List of supported user authentication types. Choices: `password`, `radius`, `otp` and ``. Use empty string to reset userauthtype to the initial value. | no
 `userclass` | User category. (semantics placed on this attribute are for local interpretation). | no
 `radius` | RADIUS proxy configuration  | no
 `radiususer` | RADIUS proxy username | no
 `departmentnumber` | Department Number | no
 `employeenumber` | Employee Number | no
 `employeetype` | Employee Type | no
 `preferredlanguage` | Preferred Language | no
 `certificate` | List of base-64 encoded user certificates. | no
 `certmapdata` | List of certificate mappings. Either `data` or `certificate` or `issuer` together with `subject` need to be specified. Only usable with IPA versions 4.5 and up. <br>Options: | no
 &nbsp; | `certificate` - Base-64 encoded user certificate, not usable with other certmapdata options. | no
 &nbsp; | `issuer` - Issuer of the certificate, only usable together with `usbject` option. | no
 &nbsp; | `subject` - Subject of the certificate, only usable together with `issuer` option. | no
 &nbsp; | `data` - Certmap data, not usable with other certmapdata options. | no
 `noprivate` | Do not create user private group. (bool) | no
 `nomembers` | Suppress processing of membership attributes. (bool) | no
 Return Values
 =============
 ipauser
 -------
 There are only return values if one or more random passwords have been generated.
 Variable | Description | Returned When
 -------- | ----------- | -------------
 `user` | User dict with random password. (dict) <br>Options: | If random is yes and user did not exist or update_password is yes
 &nbsp; | `randompassword` - The generated random password | If only one user is handled by the module
 &nbsp; | `name` - The user name of the user that got a new random password. (dict) <br> Options: <br> &nbsp; `randompassword` - The generated random password | If several users are handled by the module
 Authors
--- a/README-vault.md
+++ b/README-vault.md
@@ -0,0 +1,269 @@
 Vault module
 ===================
 Description
 -----------
 The vault module allows to ensure presence and absence of vault and members of vaults.
 The vault module is as compatible as possible to the Ansible upstream `ipa_vault` module, and additionally offers to make sure that vault members, groups and owners are present or absent in a vault, and allow the archival of data in vaults.
 Features
 --------
 * Vault management
 Supported FreeIPA Versions
 --------------------------
 FreeIPA versions 4.4.0 and up are supported by the ipavault module.
 Requirements
 ------------
 **Controller**
 * Ansible version: 2.8+
 **Node**
 * Supported FreeIPA version (see above)
 * KRA service must be enabled
 Usage
 =====
 Example inventory file
 ```ini
 [ipaserver]
 ipaserver.test.local
 ```
 Example playbook to make sure vault is present (by default, vault type is `symmetric`):
 ```yaml
 ---
 - name: Playbook to handle vaults
  hosts: ipaserver
  become: true
  tasks:
  - ipavault:
      ipaadmin_password: SomeADMINpassword
      name: symvault
      password: SomeVAULTpassword
      description: A standard private vault.
 ```
 Example playbook to make sure that a vault and its members are present:
 ```yaml
 ---
 - name: Playbook to handle vaults
  hosts: ipaserver
  become: true
  tasks:
  - ipavault:
      ipaadmin_password: SomeADMINpassword
      name: symvault
      username: admin
      users: user01
 ```
 `action` controls if the vault, data, member or owner will be handled. To add or remove members or vault data, set `action` to `member`.
 Example playbook to make sure that a vault member is present in vault:
 ```yaml
 ---
 - name: Playbook to handle vaults
  hosts: ipaserver
  become: true
  tasks:
  - ipavault:
      ipaadmin_password: SomeADMINpassword
      name: symvault
      username: admin
      users: user01
      action: member
 ```
 Example playbook to make sure that a vault owner is absent in vault:
 ```yaml
 ---
 - name: Playbook to handle vaults
  hosts: ipaserver
  become: true
  tasks:
  - ipavault:
      ipaadmin_password: SomeADMINpassword
      name: symvault
      username: admin
      owner: user01
      action: member
      state: absent
 ```
 Example playbook to make sure vault data is present in a symmetric vault:
 ```yaml
 ---
 - name: Playbook to handle vaults
  hosts: ipaserver
  become: true
  tasks:
  - ipavault:
      ipaadmin_password: SomeADMINpassword
      name: symvault
      username: admin
      password: SomeVAULTpassword
      data: >
        Data archived.
        More data archived.
      action: member
 ```
 When retrieving data from a vault, it is recommended that `no_log: yes` is used, so that sensitive data stored in a vault is not logged by Ansible. The data is returned in a dict `vault`, in the field `data` (e.g. `result.vault.data`). An example playbook to retrieve data from a symmetric vault:
 ```yaml
 ---
 - name: Playbook to handle vaults
  hosts: ipaserver
  become: true
  tasks:
  - name: Retrieve data from vault and register it in 'ipavault'
    ipavault:
      ipaadmin_password: SomeADMINpassword
      name: symvault
      username: admin
      password: SomeVAULTpassword
      state: retrieved
    no_log: yes
    register: ipavault
  - name: Print retrieved data from vault
    debug:
      var: ipavault.vault.data
 ```
 Example playbook to make sure vault data is absent in a symmetric vault:
 ```yaml
 ---
 - name: Playbook to handle vaults
  hosts: ipaserver
  become: true
  tasks:
  - ipavault:
      ipaadmin_password: SomeADMINpassword
      name: symvault
      username: admin
      password: SomeVAULTpassword
      action: member
      state: absent
 ```
 Example playbook to change the password of a symmetric:
 ```yaml
 ---
 - name: Playbook to handle vaults
  hosts: ipaserver
  become: true
  tasks:
  - ipavault:
      ipaadmin_password: SomeADMINpassword
      name: symvault
      old_password: SomeVAULTpassword
      new_password: SomeNEWpassword
 ```
 Example playbook to make sure vault is absent:
 ```yaml
 ---
 - name: Playbook to handle vaults
  hosts: ipaserver
  become: true
  tasks:
  - ipavault:
      ipaadmin_password: SomeADMINpassword
      name: symvault
      username: admin
      state: absent
    register: result
  - debug:
      msg: "{{ result.vault.data }}"
 ```
 Variables
 =========
 ipavault
 -------
 Variable | Description | Required
 -------- | ----------- | --------
 `ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
 `ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
 `name` \| `cn` | The list of vault name strings. | yes
 `description` | The vault description string. | no
 `nomembers` | Suppress processing of membership attributes. (bool) | no
 `password` \| `vault_password` \| `ipavaultpassword` \| `old_password`| Vault password. | no
 `password_file` \| `vault_password_file` \| `old_password_file`| File containing Base64 encoded Vault password. | no
 `new_password` | Vault new password. | no
 `new_password_file` | File containing Base64 encoded new Vault password. | no
 `public_key ` \| `vault_public_key` \| `old_password_file` | Base64 encoded vault public key. | no
 `public_key_file` \| `vault_public_key_file` | Path to file with public key. | no
 `private_key `\| `vault_private_key` | Base64 encoded vault private key. Used only to retrieve data. | no
 `private_key_file` \| `vault_private_key_file` | Path to file with private key. Used only to retrieve data. | no
 `salt` \| `vault_salt` \| `ipavaultsalt` | Vault salt. | no
 `vault_type` \| `ipavaulttype` | Vault types are based on security level. It can be one of `standard`, `symmetric` or `asymmetric`, default: `symmetric` | no
 `user` \| `username` | Any user can own one or more user vaults. | no
 `service` | Any service can own one or more service vaults. | no
 `shared` | Vault is shared. Default to false. (bool) | no
 `users` | Users that are members of the vault. | no
 `groups` | Groups that are member of the vault. | no
 `services` | Services that are member of the vault. | no
 `data` \|`vault_data` \| `ipavaultdata` | Data to be stored in the vault. | no
 `in` \| `datafile_in` | Path to file with data to be stored in the vault. | no
 `out` \| `datafile_out` | Path to file to store data retrieved from the vault. | no
 `action` | Work on vault or member level. It can be on of `member` or `vault` and defaults to `vault`. | no
 `state` | The state to ensure. It can be one of `present`, `absent` or `retrieved`, default: `present`. | no
 Return Values
 =============
 ipavault
 --------
 There is only a return value if `state` is `retrieved`.
 Variable | Description | Returned When
 -------- | ----------- | -------------
 `vault` | Vault dict with archived data. (dict) <br>Options: | If `state` is `retrieved` and `out` is not defined.
 &nbsp; | `data` - The vault data. | Always
 Notes
 =====
 ipavault uses a client context to execute, and it might affect execution time.
 Authors
 =======
 Rafael Jeffman
--- a/README.md
+++ b/README.md
@@ -1,7 +1,7 @@
 FreeIPA Ansible collection
 ==========================
-This repository contains [Ansible](https://www.ansible.com/) roles and playbooks to install and uninstall [FreeIPA](https://www.freeipa.org/) `servers`, `replicas` and `clients`. Also modules for group, topology and user management.
+This repository contains [Ansible](https://www.ansible.com/) roles and playbooks to install and uninstall [FreeIPA](https://www.freeipa.org/) `servers`, `replicas` and `clients`. Also modules for group, host, topology and user management.
 **Note**: The ansible playbooks and roles require a configured ansible environment where the ansible nodes are reachable and are properly set up to have an IP address and a working package manager.
@@ -11,14 +11,38 @@ Features
 * Cluster deployments: Server, replicas and clients in one playbook
 * One-time-password (OTP) support for client installation
 * Repair mode for clients
 * Backup and restore, also to and from controller
 * Modules for config management
 * Modules for delegation management
 * Modules for dns config management
 * Modules for dns forwarder management
 * Modules for dns record management
 * Modules for dns zone management
 * Modules for group management
 * Modules for hbacrule management
 * Modules for hbacsvc management
 * Modules for hbacsvcgroup management
 * Modules for host management
 * Modules for hostgroup management
 * Modules for location management
 * Modules for permission management
 * Modules for privilege management
 * Modules for pwpolicy management
 * Modules for role management
 * Modules for self service management
 * Modules for service management
 * Modules for sudocmd management
 * Modules for sudocmdgroup management
 * Modules for sudorule management
 * Modules for topology management
 * Modules fot trust management
 * Modules for user management
 * Modules for vault management
 Supported FreeIPA Versions
 --------------------------
-FreeIPA versions 4.6 and up are supported by all roles. 
+FreeIPA versions 4.6 and up are supported by all roles.
 The client role supports versions 4.4 and up, the server role is working with versions 4.5 and up, the replica role is currently only working with versions 4.6 and up.
@@ -28,6 +52,7 @@ Supported Distributions
 * RHEL/CentOS 7.4+
 * Fedora 26+
 * Ubuntu
 * Debian 10+ (ipaclient only, no server or replica!)
 Requirements
 ------------
@@ -59,17 +84,18 @@ How to use ansible-freeipa
 **GIT repo**
-The simplest method for now is to clone this repository on the contoller from github directly and to start the deployment from the ansible-freeipa directory:
+The simplest method for now is to clone this repository on the controller from github directly and to start the deployment from the ansible-freeipa directory:
 ```bash
 git clone https://github.com/freeipa/ansible-freeipa.git
 cd ansible-freeipa
 ```
-You can use the roles directly within the top directory of the git repo, but to be able to use the management modules in the plugins subdirectory, you have to either adapt `anisble.cfg` or create links for the modules or directories.
+You can use the roles directly within the top directory of the git repo, but to be able to use the management modules in the plugins subdirectory, you have to either adapt `ansible.cfg` or create links for the roles, modules or directories.
 You can either adapt ansible.cfg:
 ```
 roles_path   = /my/dir/ansible-freeipa/roles
 library      = /my/dir/ansible-freeipa/plugins/modules
 module_utils = /my/dir/ansible-freeipa/plugins/module_utils
 ```
@@ -77,18 +103,27 @@ module_utils = /my/dir/ansible-freeipa/plugins/module_utils
 Or you can link the directories:
 ```
 ansible-freeipa/roles to ~/.ansible/
 ansible-freeipa/plugins/modules to ~/.ansible/plugins/
 ansible-freeipa/plugins/module_utils to ~/.ansible/plugins/
 ```
 **RPM package**
-There are RPM packages available for Fedora 29+. These are installing the roles and modules into the global Ansible directories for `roles`, `plugins/modules` and `plugings/module_utils` in the `/usr/share/ansible` directory. Therefore is it possible to use the roles and modules without adapting the names like it is done in the example playbooks.
+There are RPM packages available for Fedora 29+. These are installing the roles and modules into the global Ansible directories for `roles`, `plugins/modules` and `plugins/module_utils` in the `/usr/share/ansible` directory. Therefore is it possible to use the roles and modules without adapting the names like it is done in the example playbooks.
 **Ansible galaxy**
 This command will get the whole collection from galaxy:
 ```bash
 ansible-galaxy collection install freeipa.ansible_freeipa
 ```
 Installing collections using the ansible-galaxy command is only supported with ansible 2.9+.
 The mazer tool can be used for to install the collection for ansible 2.8:
 ```bash
 mazer install freeipa.ansible_freeipa
 ```
@@ -119,7 +154,7 @@ ipaserver_domain=test.local
 ipaserver_realm=TEST.LOCAL
 ```
-The admin principle is ```admin``` by default. Please set ```ipaadmin_principal``` if you need to change it.
+The admin principal is ```admin``` by default. Please set ```ipaadmin_principal``` if you need to change it.
 You can also add more setting here, like for example to enable the DNS server or to set auto-forwarders:
 ```yaml
@@ -135,6 +170,7 @@ ipaserver_install_packages=no
 ipaserver_setup_firewalld=no
 ```
 The installation of packages and also the configuration of the firewall are by default enabled.
 Note that it is not enough to mask systemd firewalld service to skip the firewalld configuration. You need to set the variable to `no`.
 For more server settings, please have a look at the [server role documentation](roles/ipaserver/README.md).
@@ -210,6 +246,7 @@ ipareplica_setup_firewalld=no
 ```
 The installation of packages and also the configuration of the firewall are by default enabled.
 Note that it is not enough to mask systemd firewalld service to skip the firewalld configuration. You need to set the variable to `no`.
 For more replica settings, please have a look at the [replica role documentation](roles/ipareplica/README.md).
@@ -343,7 +380,7 @@ If Ansible vault is used for passwords, then it is needed to adapt the playbooks
    state: present
 ```
-It is also needed to provide the vault passowrd file on the ansible-playbook command line:
+It is also needed to provide the vault password file on the ansible-playbook command line:
 ```bash
 ansible-playbook -v -i inventory/hosts --vault-password-file .vaul_pass.txt install-server.yml
 ```
@@ -379,11 +416,37 @@ Roles
 * [Server](roles/ipaserver/README.md)
 * [Replica](roles/ipareplica/README.md)
 * [Client](roles/ipaclient/README.md)
 * [Backup](roles/ipabackup/README.md)
 Modules in plugin/modules
 =========================
 * [ipaconfig](README-config.md)
 * [ipadelegation](README-delegation.md)
 * [ipadnsconfig](README-dnsconfig.md)
 * [ipadnsforwardzone](README-dnsforwardzone.md)
 * [ipadnsrecord](README-dnsrecord.md)
 * [ipadnszone](README-dnszone.md)
 * [ipagroup](README-group.md)
 * [ipahbacrule](README-hbacrule.md)
 * [ipahbacsvc](README-hbacsvc.md)
 * [ipahbacsvcgroup](README-hbacsvc.md)
 * [ipahost](README-host.md)
 * [ipahostgroup](README-hostgroup.md)
 * [ipalocation](README-ipalocation.md)
 * [ipapermission](README-ipapermission.md)
 * [ipaprivilege](README-ipaprivilege.md)
 * [ipapwpolicy](README-pwpolicy.md)
 * [iparole](README-role.md)
 * [ipaselfservice](README-ipaselfservice.md)
 * [ipaservice](README-service.md)
 * [ipasudocmd](README-sudocmd.md)
 * [ipasudocmdgroup](README-sudocmdgroup.md)
 * [ipasudorule](README-sudorule.md)
 * [ipatopologysegment](README-topology.md)
 * [ipatopologysuffix](README-topology.md)
 * [ipatrust](README-trust.md)
 * [ipauser](README-user.md)
 * [ipavault](README-vault.md)
 If you want to write a new module please read [writing a new module](plugins/modules/README.md).
--- a/galaxy.yml
+++ b/galaxy.yml
@@ -1,7 +1,7 @@
 namespace: "freeipa"
 name: "ansible_freeipa"
 version: "A.B.C"
-description: ""
+description: "Ansible roles and modules for FreeIPA"
 authors:
  - "Thomas Woerner <twoerner@redhat.com>"
@@ -11,13 +11,13 @@ documentation: "https://github.com/freeipa/ansible-freeipa/blob/master/README.md
 homepage: "https://github.com/freeipa/ansible-freeipa"
 issues: "https://github.com/freeipa/ansible-freeipa/issues"
 dependencies: {}
 readme: "README.md"
 license: "GPL-3.0-or-later"
-license_file: "COPYING"
+
 dependencies:
 tags:
  - "system"
  - "identity"
  - "ipa"
  - "freeipa"
--- a/molecule/centos-7-build/molecule.yml
+++ b/molecule/centos-7-build/molecule.yml
@@ -0,0 +1,18 @@
 ---
 driver:
  name: docker
 platforms:
  - name: centos-7-build
    image: centos/systemd
    pre_build_image: true
    hostname: ipaserver.test.local
    dns_servers:
      - 8.8.8.8
    volumes:
      - /sys/fs/cgroup:/sys/fs/cgroup:ro
    command: /usr/sbin/init
    privileged: true
 provisioner:
  name: ansible
  playbooks:
    prepare: ../resources/playbooks/prepare-build.yml
--- a/molecule/centos-7/molecule.yml
+++ b/molecule/centos-7/molecule.yml
@@ -0,0 +1,18 @@
 ---
 driver:
  name: docker
 platforms:
  - name: centos-7
    image: quay.io/ansible-freeipa/upstream-tests:centos-7
    pre_build_image: true
    hostname: ipaserver.test.local
    dns_servers:
      - 127.0.0.1
    volumes:
      - /sys/fs/cgroup:/sys/fs/cgroup:ro
    command: /usr/sbin/init
    privileged: true
 provisioner:
  name: ansible
  playbooks:
    prepare: ../resources/playbooks/prepare.yml
--- a/molecule/centos-8-build/molecule.yml
+++ b/molecule/centos-8-build/molecule.yml
@@ -0,0 +1,18 @@
 ---
 driver:
  name: docker
 platforms:
  - name: centos-8-build
    image: centos:8
    pre_build_image: true
    hostname: ipaserver.test.local
    dns_servers:
      - 8.8.8.8
    volumes:
      - /sys/fs/cgroup:/sys/fs/cgroup:ro
    command: /usr/sbin/init
    privileged: true
 provisioner:
  name: ansible
  playbooks:
    prepare: ../resources/playbooks/prepare-build.yml
--- a/molecule/centos-8/molecule.yml
+++ b/molecule/centos-8/molecule.yml
@@ -0,0 +1,18 @@
 ---
 driver:
  name: docker
 platforms:
  - name: centos-8
    image: quay.io/ansible-freeipa/upstream-tests:centos-8
    pre_build_image: true
    hostname: ipaserver.test.local
    dns_servers:
      - 127.0.0.1
    volumes:
      - /sys/fs/cgroup:/sys/fs/cgroup:ro
    command: /usr/sbin/init
    privileged: true
 provisioner:
  name: ansible
  playbooks:
    prepare: ../resources/playbooks/prepare.yml
--- a/molecule/default
+++ b/molecule/default
@@ -0,0 +1 @@
 centos-8
--- a/molecule/fedora-latest-build/Dockerfile
+++ b/molecule/fedora-latest-build/Dockerfile
@@ -0,0 +1,30 @@
 FROM fedora:latest
 ENV container=docker
 RUN rm -fv /var/cache/dnf/metadata_lock.pid; \
 dnf makecache; \
 dnf --assumeyes install \
    /usr/bin/python3 \
    /usr/bin/python3-config \
    /usr/bin/dnf-3 \
    sudo \
    bash \
    systemd \
    procps-ng \
    iproute && \
 dnf clean all; \
 (cd /lib/systemd/system/sysinit.target.wants/; for i in *; do [ $i == systemd-tmpfiles-setup.service ] || rm -f $i; done); \
 rm -f /lib/systemd/system/multi-user.target.wants/*;\
 rm -f /etc/systemd/system/*.wants/*;\
 rm -f /lib/systemd/system/local-fs.target.wants/*; \
 rm -f /lib/systemd/system/sockets.target.wants/*udev*; \
 rm -f /lib/systemd/system/sockets.target.wants/*initctl*; \
 rm -f /lib/systemd/system/basic.target.wants/*;\
 rm -f /lib/systemd/system/anaconda.target.wants/*; \
 rm -rf /var/cache/dnf/;
 STOPSIGNAL RTMIN+3
 VOLUME ["/sys/fs/cgroup"]
 CMD ["/usr/sbin/init"]
--- a/molecule/fedora-latest-build/molecule.yml
+++ b/molecule/fedora-latest-build/molecule.yml
@@ -0,0 +1,18 @@
 ---
 driver:
  name: docker
 platforms:
  - name: fedora-latest-build
    image: fedora-latest
    dockerfile: Dockerfile
    hostname: ipaserver.test.local
    dns_servers:
      - 8.8.8.8
    volumes:
      - /sys/fs/cgroup:/sys/fs/cgroup:ro
    command: /usr/sbin/init
    privileged: true
 provisioner:
  name: ansible
  playbooks:
    prepare: ../resources/playbooks/prepare-build.yml
--- a/molecule/fedora-latest/molecule.yml
+++ b/molecule/fedora-latest/molecule.yml
@@ -0,0 +1,18 @@
 ---
 driver:
  name: docker
 platforms:
  - name: fedora-latest
    image: quay.io/ansible-freeipa/upstream-tests:fedora-latest
    pre_build_image: true
    hostname: ipaserver.test.local
    dns_servers:
      - 127.0.0.1
    volumes:
      - /sys/fs/cgroup:/sys/fs/cgroup:ro
    command: /usr/sbin/init
    privileged: true
 provisioner:
  name: ansible
  playbooks:
    prepare: ../resources/playbooks/prepare.yml
--- a/molecule/resources/playbooks/library
+++ b/molecule/resources/playbooks/library
@@ -0,0 +1 @@
 ../../../plugins/modules/
--- a/molecule/resources/playbooks/module_utils
+++ b/molecule/resources/playbooks/module_utils
@@ -0,0 +1 @@
 ../../../plugins/module_utils/
--- a/molecule/resources/playbooks/prepare-build.yml
+++ b/molecule/resources/playbooks/prepare-build.yml
@@ -0,0 +1,27 @@
 ---
 - name: Converge
  hosts: all
  tasks:
  - include_tasks: prepare-common.yml
  - name: Ensure sudo package is installed
    package:
      name: sudo
  - name: Ensure nss package is updated
    package:
      name: nss
      state: latest  # noqa 403
  - include_role:
      name: ipaserver
    vars:
      ipaserver_setup_dns: yes
      ipaserver_setup_kra: yes
      ipaserver_auto_forwarders: yes
      ipaserver_no_dnssec_validation: yes
      ipaserver_auto_reverse: yes
      ipaadmin_password: SomeADMINpassword
      ipadm_password: SomeDMpassword
      ipaserver_domain: test.local
      ipaserver_realm: TEST.LOCAL
--- a/molecule/resources/playbooks/prepare-common.yml
+++ b/molecule/resources/playbooks/prepare-common.yml
@@ -0,0 +1,33 @@
 # IPA depends on IPv6 and without it dirsrv service won't start.
 - name: Ensure IPv6 is ENABLED
  sysctl:
    name: "{{ item.name }}"
    value: "{{ item.value }}"
    sysctl_set: yes
    state: present
    reload: yes
  with_items :
    - name: net.ipv6.conf.all.disable_ipv6
      value: 0
    - name: net.ipv6.conf.lo.disable_ipv6
      value: 0
    - name: net.ipv6.conf.eth0.disable_ipv6
      value: 1
 # Set fs.protected_regular to 0
 #   This is needed in some IPA versions in order to get KRA enabled.
 #   See https://pagure.io/freeipa/issue/7906 for more information.
 - name: stat protected_regular
  stat:
    path: /proc/sys/fs/protected_regular
  register: result
 - name: Ensure fs.protected_regular is disabled
  sysctl:
    name: fs.protected_regular
    value: 0
    sysctl_set: yes
    state: present
    reload: yes
  when: result.stat.exists
--- a/molecule/resources/playbooks/prepare.yml
+++ b/molecule/resources/playbooks/prepare.yml
@@ -0,0 +1,26 @@
 ---
 - name: Converge
  hosts: all
  tasks:
  - include_tasks: prepare-common.yml
  # In some distros DS won't start up after reboot
  #   This is due to a problem in 389-ds. See tickets:
  #   * https://pagure.io/389-ds-base/issue/47429
  #   * https://pagure.io/389-ds-base/issue/51039
  #
  # To avoid this problem we create the directories before starting IPA.
  - name: Ensure lock dirs for DS exists
    file:
      state: directory
      owner: dirsrv
      group: dirsrv
      path: "{{ item }}"
    loop:
      - /var/lock/dirsrv/
      - /var/lock/dirsrv/slapd-TEST-LOCAL/
  - name: Ensure IPA server is up an running
    service:
      name: ipa
      state: started
--- a/molecule/resources/playbooks/roles
+++ b/molecule/resources/playbooks/roles
@@ -0,0 +1 @@
 ../../../roles/
--- a/playbooks/backup-server-to-controller.yml
+++ b/playbooks/backup-server-to-controller.yml
@@ -0,0 +1,12 @@
 ---
 - name: Playbook to backup IPA server to controller
  hosts: ipaserver
  become: true
  vars:
    ipabackup_to_controller: yes
    # ipabackup_keep_on_server: yes
  roles:
  - role: ipabackup
    state: present
--- a/playbooks/backup-server.yml
+++ b/playbooks/backup-server.yml
@@ -0,0 +1,8 @@
 ---
 - name: Playbook to backup IPA server
  hosts: ipaserver
  become: true
  roles:
  - role: ipabackup
    state: present
--- a/playbooks/config/retrieve-config.yml
+++ b/playbooks/config/retrieve-config.yml
@@ -0,0 +1,14 @@
 ---
 - name: Playbook to handle global DNS configuration
  hosts: ipaserver
  become: no
  gather_facts: no
  tasks:
  - name: Query IPA global configuration
    ipaconfig:
      ipaadmin_password: SomeADMINpassword
    register: serverconfig
  - debug:
      msg: "{{ serverconfig }}"
--- a/playbooks/config/set-ca-renewal-master-server.yml
+++ b/playbooks/config/set-ca-renewal-master-server.yml
@@ -0,0 +1,11 @@
 ---
 - name: Playbook to handle global DNS configuration
  hosts: ipaserver
  become: no
  gather_facts: no
  tasks:
  - name: set ca_renewal_master_server
    ipaconfig:
      ipaadmin_password: SomeADMINpassword
      ca_renewal_master_server: carenewal.example.com
--- a/playbooks/copy-all-backups-from-server.yml
+++ b/playbooks/copy-all-backups-from-server.yml
@@ -0,0 +1,12 @@
 ---
 - name: Playbook to copy all backups from IPA server
  hosts: ipaserver
  become: true
  vars:
    ipabackup_name: all
    ipabackup_to_controller: yes
  roles:
  - role: ipabackup
    state: copied
--- a/playbooks/copy-backup-from-controller.yml
+++ b/playbooks/copy-backup-from-controller.yml
@@ -0,0 +1,12 @@
 ---
 - name: Playbook to copy a backup from controller to the IPA server
  hosts: ipaserver
  become: true
  vars:
    ipabackup_name: ipaserver.test.local_ipa-full-2020-10-22-11-11-44
    ipabackup_from_controller: yes
  roles:
  - role: ipabackup
    state: copied
--- a/playbooks/copy-backup-from-server.yml
+++ b/playbooks/copy-backup-from-server.yml
@@ -0,0 +1,12 @@
 ---
 - name: Playbook to copy backup from IPA server
  hosts: ipaserver
  become: true
  vars:
    ipabackup_name: ipa-full-2020-10-22-11-11-44
    ipabackup_to_controller: yes
  roles:
  - role: ipabackup
    state: copied
--- a/playbooks/delegation/delegation-absent.yml
+++ b/playbooks/delegation/delegation-absent.yml
@@ -0,0 +1,11 @@
 ---
 - name: Delegation absent
  hosts: ipaserver
  become: true
  tasks:
  - name: Ensure delegation "basic manager attributes" is absent
    ipadelegation:
      ipaadmin_password: SomeADMINpassword
      name: "basic manager attributes"
      state: absent
--- a/playbooks/delegation/delegation-member-absent.yml
+++ b/playbooks/delegation/delegation-member-absent.yml
@@ -0,0 +1,15 @@
 ---
 - name: Delegation member absent
  hosts: ipaserver
  become: true
  tasks:
  - name: Ensure delegation "basic manager attributes" member attributes employeenumber and employeetype are absent
    ipadelegation:
      ipaadmin_password: SomeADMINpassword
      name: "basic manager attributes"
      attribute:
      - employeenumber
      - employeetype
      action: member
      state: absent
--- a/playbooks/delegation/delegation-member-present.yml
+++ b/playbooks/delegation/delegation-member-present.yml
@@ -0,0 +1,13 @@
 ---
 - name: Delegation member present
  hosts: ipaserver
  become: true
  tasks:
  - name: Ensure delegation "basic manager attributes" member attribute departmentnumber is present
    ipadelegation:
      ipaadmin_password: SomeADMINpassword
      name: "basic manager attributes"
      attribute:
      - departmentnumber
      action: member
--- a/playbooks/delegation/delegation-present.yml
+++ b/playbooks/delegation/delegation-present.yml
@@ -0,0 +1,15 @@
 ---
 - name: Delegation present
  hosts: ipaserver
  become: true
  tasks:
  - name: Ensure delegation "basic manager attributes" is present
    ipadelegation:
      ipaadmin_password: SomeADMINpassword
      name: "basic manager attributes"
      permission: read
      attribute:
      - businesscategory
      group: managers
      membergroup: employees
--- a/playbooks/dnsconfig/disable-global-forwarders.yml
+++ b/playbooks/dnsconfig/disable-global-forwarders.yml
@@ -0,0 +1,9 @@
 ---
 - name: Playbook to disable global DNS forwarders
  hosts: ipaserver
  become: true
  tasks:
  - name: Disable global forwarders.
    ipadnsconfig:
      forward_policy: none
--- a/playbooks/dnsconfig/disallow-reverse-sync.yml
+++ b/playbooks/dnsconfig/disallow-reverse-sync.yml
@@ -0,0 +1,9 @@
 ---
 - name: Playbook to disallow reverse record synchronization.
  hosts: ipaserver
  become: true
  tasks:
  - name: Disallow reverse record synchronization.
    ipadnsconfig:
      allow_sync_ptr: no
--- a/playbooks/dnsconfig/forwarders-absent.yml
+++ b/playbooks/dnsconfig/forwarders-absent.yml
@@ -0,0 +1,13 @@
 ---
 - name: Playbook to handle global DNS configuration
  hosts: ipaserver
  become: true
  tasks:
  - name: Set dnsconfig.
    ipadnsconfig:
      forwarders:
        - ip_address: 8.8.4.4
        - ip_address: 2001:4860:4860::8888
          port: 53
      state: absent
--- a/playbooks/dnsconfig/set-configuration.yml
+++ b/playbooks/dnsconfig/set-configuration.yml
@@ -0,0 +1,14 @@
 ---
 - name: Playbook to handle global DNS configuration
  hosts: ipaserver
  become: true
  tasks:
  - name: Set dnsconfig.
    ipadnsconfig:
      forwarders:
        - ip_address: 8.8.4.4
        - ip_address: 2001:4860:4860::8888
          port: 53
      forward_policy: only
      allow_sync_ptr: yes
--- a/playbooks/dnsforwardzone/ensure-dnsforwardzone-is-absent.yml
+++ b/playbooks/dnsforwardzone/ensure-dnsforwardzone-is-absent.yml
@@ -0,0 +1,11 @@
 ---
 - name: Playbook to manage DNS forward zone
  hosts: ipaserver
  become: true
  gather_facts: false
  tasks:
  # Ensure DNS zone is present
  - ipadnsforwardzone:
      ipaadmin_password: SomeADMINpassword
      state: absent
--- a/playbooks/dnsforwardzone/ensure-dnsforwardzone-is-present.yml
+++ b/playbooks/dnsforwardzone/ensure-dnsforwardzone-is-present.yml
@@ -0,0 +1,16 @@
 ---
 - name: Playbook to manage DNS forward zone
  hosts: ipaserver
  become: true
  gather_facts: false
  tasks:
  # Ensure DNS zone is present
  - ipadnsforwardzone:
      ipaadmin_password: SomeADMINpassword
      name: example.com
      forwarders:
        - ip_address: 8.8.8.8
      forwardpolicy: first
      skip_overlap_check: true
      permission: yes
--- a/playbooks/dnsforwardzone/ensure-dnsforwardzone-with-forwarder-port.yml
+++ b/playbooks/dnsforwardzone/ensure-dnsforwardzone-with-forwarder-port.yml
@@ -0,0 +1,14 @@
 ---
 - name: Playbook to manage DNS forward zone
  hosts: ipaserver
  become: true
  gather_facts: false
  tasks:
  # Ensure DNS zone is present
  - ipadnsforwardzone:
      ipaadmin_password: SomeADMINpassword
      name: example.com
      forwarders:
        - ip_address: 192.168.100.123
          port: 8063
--- a/playbooks/dnsrecord/ensure-A-and-AAAA-records-are-absent.yml
+++ b/playbooks/dnsrecord/ensure-A-and-AAAA-records-are-absent.yml
@@ -0,0 +1,18 @@
 ---
 - name: Test PTR Record is present.
  hosts: ipaserver
  become: true
  gather_facts: false
  tasks:
  # Ensure a PTR record is present
  - name: Ensure that 'host04' has A and AAAA records.
    ipadnsrecord:
      ipaadmin_password: SomeADMINpassword
      zone_name: ipatest.local
      records:
      - name: host04
        a_ip_address: 192.168.122.104
      - name: host04
        aaaa_ip_address: ::1
      state: absent
--- a/playbooks/dnsrecord/ensure-A-and-AAAA-records-are-present.yml
+++ b/playbooks/dnsrecord/ensure-A-and-AAAA-records-are-present.yml
@@ -0,0 +1,17 @@
 ---
 - name: Test PTR Record is present.
  hosts: ipaserver
  become: true
  gather_facts: false
  tasks:
  # Ensure a PTR record is present
  - name: Ensure that 'host04' has A and AAAA records.
    ipadnsrecord:
      ipaadmin_password: SomeADMINpassword
      zone_name: ipatest.local
      records:
      - name: host04
        a_ip_address: 192.168.122.104
      - name: host04
        aaaa_ip_address: ::1
--- a/playbooks/dnsrecord/ensure-CNAME-record-is-absent.yml
+++ b/playbooks/dnsrecord/ensure-CNAME-record-is-absent.yml
@@ -0,0 +1,13 @@
 ---
 - name: Test CNAME Record is present.
  hosts: ipaserver
  become: true
  gather_facts: false
  tasks:
  # Ensure that 'host04' has CNAME, with cname_hostname
  - ipadnsrecord:
      zone_name: example.com
      name: host04
      cname_hostname: host04.example.com
      state: absent
--- a/playbooks/dnsrecord/ensure-CNAME-record-is-present.yml
+++ b/playbooks/dnsrecord/ensure-CNAME-record-is-present.yml
@@ -0,0 +1,12 @@
 ---
 - name: Test CNAME Record is present.
  hosts: ipaserver
  become: true
  gather_facts: false
  tasks:
  # Ensure that 'host04' has CNAME, with cname_hostname
  - ipadnsrecord:
      zone_name: example.com
      name: host04
      cname_hostname: host04.example.com
--- a/playbooks/dnsrecord/ensure-MX-record-is-present.yml
+++ b/playbooks/dnsrecord/ensure-MX-record-is-present.yml
@@ -0,0 +1,15 @@
 ---
 - name: Ensure MX Record is present.
  hosts: ipaserver
  become: true
  gather_facts: false
  tasks:
  # Ensure an MX record is absent
  - ipadnsrecord:
      ipaadmin_password: SomeADMINpassword
      name: '@'
      record_type: 'MX'
      record_value: '1 mailserver.example.com'
      zone_name: example.com
      state: present
--- a/playbooks/dnsrecord/ensure-PTR-record-is-present.yml
+++ b/playbooks/dnsrecord/ensure-PTR-record-is-present.yml
@@ -0,0 +1,15 @@
 ---
 - name: Test PTR Record is present.
  hosts: ipaserver
  become: true
  gather_facts: false
  tasks:
  # Ensure a PTR record is present
  - ipadnsrecord:
      ipaadmin_password: SomeADMINpassword
      name: 5
      record_type: 'PTR'
      record_value: 'internal.ipa.example.com'
      zone_name: 2.168.192.in-addr.arpa
      state: present
--- a/playbooks/dnsrecord/ensure-SRV-record-is-present.yml
+++ b/playbooks/dnsrecord/ensure-SRV-record-is-present.yml
@@ -0,0 +1,15 @@
 ---
 - name: Test SRV Record is present.
  hosts: ipaserver
  become: true
  gather_facts: false
  tasks:
  # Ensure a SRV record is present
  - ipadnsrecord:
      ipaadmin_password: SomeADMINpassword
      name: _kerberos._udp.example.com
      record_type: 'SRV'
      record_value: '10 50 88 ipa.example.com'
      zone_name: example.com
      state: present
--- a/playbooks/dnsrecord/ensure-SSHFP-record-is-present.yml
+++ b/playbooks/dnsrecord/ensure-SSHFP-record-is-present.yml
@@ -0,0 +1,16 @@
 ---
 - name: Test SSHFP Record is present.
  hosts: ipaserver
  become: true
  gather_facts: false
  tasks:
  # Ensure a SSHFP record is present
  # SSHFP fingerprint generated with `ssh-keygen -r host04.testzone.local`
  - ipadnsrecord:
      ipaadmin_password: SomeADMINpassword
      zone_name: example.com
      name: host04
      sshfp_algorithm: 1
      sshfp_fp_type: 1
      sshfp_fingerprint: d21802c61733e055b8d16296cbce300efb8a167a
--- a/playbooks/dnsrecord/ensure-TLSA-record-is-present.yml
+++ b/playbooks/dnsrecord/ensure-TLSA-record-is-present.yml
@@ -0,0 +1,16 @@
 ---
 - name: Test SSHFP Record is present.
  hosts: ipaserver
  become: true
  gather_facts: false
  tasks:
  # Ensure a SSHFP record is present
  - ipadnsrecord:
      ipaadmin_password: SomeADMINpassword
      zone_name: example.com
      name: host04
      tlsa_cert_usage: 3
      tlsa_selector: 1
      tlsa_matching_type: 1
      tlsa_cert_association_data: 9c0ad776dbeae8d9d55b0ad42899d30235c114d5f918fd69746e4279e47bdaa2
--- a/playbooks/dnsrecord/ensure-TXT-record-is-present.yml
+++ b/playbooks/dnsrecord/ensure-TXT-record-is-present.yml
@@ -0,0 +1,15 @@
 ---
 - name: Test TXT Record is present.
  hosts: ipaserver
  become: true
  gather_facts: false
  tasks:
  # Ensure a TXT record is absent
  - ipadnsrecord:
      ipaadmin_password: SomeADMINpassword
      name: _kerberos
      record_type: 'TXT'
      record_value: 'EXAMPLE.COM'
      zone_name: example.com
      state: present
--- a/playbooks/dnsrecord/ensure-URI-record-is-present.yml
+++ b/playbooks/dnsrecord/ensure-URI-record-is-present.yml
@@ -0,0 +1,17 @@
 ---
 - name: Test URI Record is present.
  hosts: ipaserver
  become: true
  gather_facts: false
  tasks:
  # Ensure a URI record is absent
  - ipadnsrecord:
      ipaadmin_password: SomeADMINpassword
      name: _ftp._tcp
      record_type: 'URI'
      uri_priority: 10
      uri_weight: 1
      uri_target: ftp://ftp.example.com/public
      zone_name: example.com
      state: present
--- a/playbooks/dnsrecord/ensure-dnsrecord-is-absent.yml
+++ b/playbooks/dnsrecord/ensure-dnsrecord-is-absent.yml
@@ -0,0 +1,15 @@
 ---
 - name: Test DNS Record is absent.
  hosts: ipaserver
  become: true
  gather_facts: false
  tasks:
  # Ensure that dns record is absent
  - ipadnsrecord:
      ipaadmin_password: SomeADMINpassword
      name: host01
      zone_name: example.com
      record_type: 'AAAA'
      record_value: '::1'
      state: absent
--- a/playbooks/dnsrecord/ensure-dnsrecord-is-present.yml
+++ b/playbooks/dnsrecord/ensure-dnsrecord-is-present.yml
@@ -0,0 +1,15 @@
 ---
 - name: Test DNS Record is present.
  hosts: ipaserver
  become: true
  gather_facts: false
  tasks:
  # Ensure that dns record is present
  - ipadnsrecord:
      ipaadmin_password: SomeADMINpassword
      name: host01
      zone_name: example.com
      record_type: 'AAAA'
      record_value: '::1'
      state: present
--- a/playbooks/dnsrecord/ensure-dnsrecord-with-reverse-is-present.yml
+++ b/playbooks/dnsrecord/ensure-dnsrecord-with-reverse-is-present.yml
@@ -0,0 +1,15 @@
 ---
 - name: Test DNS Record is present.
  hosts: ipaserver
  become: true
  gather_facts: false
  tasks:
  # Ensure that dns record is present
  - ipadnsrecord:
      ipaadmin_password: SomeADMINpassword
      name: host01
      zone_name: example.com
      ip_address: 192.160.123.45
      create_reverse: yes
      state: present
--- a/playbooks/dnsrecord/ensure-multiple-A-records-are-present.yml
+++ b/playbooks/dnsrecord/ensure-multiple-A-records-are-present.yml
@@ -0,0 +1,17 @@
 ---
 - name: Playbook to manage DNS records.
  hosts: ipaserver
  become: yes
  gather_facts: no
  tasks:
  - name: Ensure that 'host04' has multiple A records.
    ipadnsrecord:
      ipaadmin_password: SomeADMINpassword
      zone_name: ipatest.local
      name: host01
      a_rec:
        - 192.168.122.221
        - 192.168.122.222
        - 192.168.122.223
        - 192.168.122.224
--- a/playbooks/dnsrecord/ensure-presence-multiple-records.yml
+++ b/playbooks/dnsrecord/ensure-presence-multiple-records.yml
@@ -0,0 +1,21 @@
 ---
 - name: Test multiple DNS Records are present.
  hosts: ipaserver
  become: true
  gather_facts: false
  tasks:
  # Ensure that multiple dns records are present
  - ipadnsrecord:
      ipaadmin_password: SomeADMINpassword
      records:
        - name: host01
          zone_name: example.com
          record_type: A
          record_value:
            - 192.168.122.112
            - 192.168.122.122
        - name: host01
          zone_name: testzone.local
          record_type: AAAA
          record_value: ::1
--- a/playbooks/dnszone/disable-zone-forwarders.yml
+++ b/playbooks/dnszone/disable-zone-forwarders.yml
@@ -0,0 +1,11 @@
 ---
 - name: Playbook to disable DNS zone forwarders
  hosts: ipaserver
  become: true
  tasks:
  - name: Disable zone forwarders.
    ipadnszone:
      ipaadmin_password: SomeADMINpassword
      name: testzone.local
      forward_policy: none
--- a/playbooks/dnszone/dnszone-absent.yml
+++ b/playbooks/dnszone/dnszone-absent.yml
@@ -0,0 +1,11 @@
 ---
 - name: Playbook to ensure DNS zone is absent
  hosts: ipaserver
  become: true
  tasks:
  - name: Remove zone.
    ipadnszone:
      ipaadmin_password: SomeADMINpassword
      name: testzone.local
      state: absent
--- a/playbooks/dnszone/dnszone-all-params.yml
+++ b/playbooks/dnszone/dnszone-all-params.yml
@@ -0,0 +1,35 @@
 - name: dnszone present
  hosts: ipaserver
  become: true
  tasks:
  - name: Ensure zone is present.
    ipadnszone:
      ipaadmin_password: SomeADMINpassword
      name: testzone.local
      allow_sync_ptr: true
      dynamic_update: true
      dnssec: true
      allow_transfer:
        - 1.1.1.1
        - 2.2.2.2
      allow_query:
        - 1.1.1.1
        - 2.2.2.2
      forwarders:
        - ip_address: 8.8.8.8
        - ip_address: 8.8.4.4
          port: 52
      #serial: 1234
      refresh: 3600
      retry: 900
      expire: 1209600
      minimum: 3600
      ttl: 60
      default_ttl: 90
      name_server: ipaserver.test.local.
      admin_email: admin.admin@example.com
      nsec3param_rec: "1 7 100 0123456789abcdef"
      skip_overlap_check: true
      skip_nameserver_check: true
      state: present
--- a/playbooks/dnszone/dnszone-disable.yml
+++ b/playbooks/dnszone/dnszone-disable.yml
@@ -0,0 +1,11 @@
 ---
 - name: Playbook to disable DNS zone
  hosts: ipaserver
  become: true
  tasks:
  - name: Disable zone.
    ipadnszone:
      ipaadmin_password: SomeADMINpassword
      name: testzone.local
      state: disabled
--- a/playbooks/dnszone/dnszone-enable.yml
+++ b/playbooks/dnszone/dnszone-enable.yml
@@ -0,0 +1,11 @@
 ---
 - name: Playbook to enable DNS zone
  hosts: ipaserver
  become: true
  tasks:
  - name: Enable zone.
    ipadnszone:
      ipaadmin_password: SomeADMINpassword
      name: testzone.local
      state: enabled
--- a/playbooks/dnszone/dnszone-present.yml
+++ b/playbooks/dnszone/dnszone-present.yml
@@ -0,0 +1,10 @@
 - name: dnszone present
  hosts: ipaserver
  become: true
  tasks:
  - name: Ensure zone is present.
    ipadnszone:
      ipaadmin_password: SomeADMINpassword
      name: testzone.local
      state: present
--- a/playbooks/dnszone/dnszone-reverse-from-ip.yml
+++ b/playbooks/dnszone/dnszone-reverse-from-ip.yml
@@ -0,0 +1,15 @@
 ---
 - name: Playbook to ensure DNS zone exist
  hosts: ipaserver
  become: true
  tasks:
  - name: Ensure zone exist, finding zone name from IP address.
    ipadnszone:
      ipaadmin_password: SomeADMINpassword
      name_from_ip: 10.1.2.3/24
    register: result
  - name: Zone name inferred from `name_from_ip`
    debug:
      msg: "Zone created: {{ result.dnszone.name }}"
--- a/playbooks/hbacrule/ensure-hbarule-allhosts-absent.yml
+++ b/playbooks/hbacrule/ensure-hbarule-allhosts-absent.yml
@@ -0,0 +1,12 @@
 ---
 - name: Tests
  hosts: ipaserver
  become: true
  gather_facts: false
  tasks:
  - name: Ensure HBAC Rule allhosts is absent
    ipahbacrule:
      ipaadmin_password: SomeADMINpassword
      name: allhosts
      state: absent
--- a/playbooks/hbacrule/ensure-hbarule-allhosts-disabled.yml
+++ b/playbooks/hbacrule/ensure-hbarule-allhosts-disabled.yml
@@ -0,0 +1,12 @@
 ---
 - name: Tests
  hosts: ipaserver
  become: true
  gather_facts: false
  tasks:
  - name: Ensure HBAC Rule allhosts is disabled
    ipahbacrule:
      ipaadmin_password: SomeADMINpassword
      name: allhosts
      state: disabled
--- a/playbooks/hbacrule/ensure-hbarule-allhosts-enabled.yml
+++ b/playbooks/hbacrule/ensure-hbarule-allhosts-enabled.yml
@@ -0,0 +1,12 @@
 ---
 - name: Tests
  hosts: ipaserver
  become: true
  gather_facts: false
  tasks:
  - name: Ensure HBAC Rule allhosts is enabled
    ipahbacrule:
      ipaadmin_password: SomeADMINpassword
      name: allhosts
      state: enabled
--- a/playbooks/hbacrule/ensure-hbarule-allhosts-present.yml
+++ b/playbooks/hbacrule/ensure-hbarule-allhosts-present.yml
@@ -0,0 +1,12 @@
 ---
 - name: Tests
  hosts: ipaserver
  become: true
  gather_facts: false
  tasks:
  - name: Ensure HBAC Rule allhosts is present
    ipahbacrule:
      ipaadmin_password: SomeADMINpassword
      name: allhosts
      usercategory: all
--- a/playbooks/hbacrule/ensure-hbarule-allhosts-server-member-absent.yml
+++ b/playbooks/hbacrule/ensure-hbarule-allhosts-server-member-absent.yml
@@ -0,0 +1,14 @@
 ---
 - name: Tests
  hosts: ipaserver
  become: true
  gather_facts: false
  tasks:
  - name: Ensure host server is absent in HBAC Rule allhosts
    ipahbacrule:
      ipaadmin_password: SomeADMINpassword
      name: allhosts
      host: server
      action: member
      state: absent
--- a/playbooks/hbacrule/ensure-hbarule-allhosts-server-member-present.yml
+++ b/playbooks/hbacrule/ensure-hbarule-allhosts-server-member-present.yml
@@ -0,0 +1,13 @@
 ---
 - name: Tests
  hosts: ipaserver
  become: true
  gather_facts: false
  tasks:
  - name: Ensure host server is present in HBAC Rule allhosts
    ipahbacrule:
      ipaadmin_password: SomeADMINpassword
      name: allhosts
      host: server
      action: member
--- a/playbooks/hbacsvc/ensure-hbacsvc-absent.yml
+++ b/playbooks/hbacsvc/ensure-hbacsvc-absent.yml
@@ -0,0 +1,12 @@
 ---
 - name: Tests
  hosts: ipaserver
  become: true
  gather_facts: false
  tasks:
  - name: Ensure HBAC Services for http and tftp are absent
    ipahbacsvc:
      ipaadmin_password: SomeADMINpassword
      name: http,tftp
      state: absent
--- a/playbooks/hbacsvc/ensure-hbacsvc-present.yml
+++ b/playbooks/hbacsvc/ensure-hbacsvc-present.yml
@@ -0,0 +1,18 @@
 ---
 - name: Tests
  hosts: ipaserver
  become: true
  gather_facts: false
  tasks:
  - name: Ensure HBAC Service for http is present
    ipahbacsvc:
      ipaadmin_password: SomeADMINpassword
      name: http
      description: Web service
  - name: Ensure HBAC Service for tftp is present
    ipahbacsvc:
      ipaadmin_password: SomeADMINpassword
      name: tftp
      description: TFTP service
--- a/playbooks/hbacsvcgroup/ensure-hbacsvcgroup-absent.yml
+++ b/playbooks/hbacsvcgroup/ensure-hbacsvcgroup-absent.yml
@@ -0,0 +1,14 @@
 ---
 - name: Tests
  hosts: ipaserver
  become: true
  gather_facts: false
  tasks:
  - name: Ensure HBAC Service Group login is absent
    ipahbacsvcgroup:
      ipaadmin_password: SomeADMINpassword
      name: login
      hbacsvc:
      - sshd
      state: absent
--- a/Show More
+++ b/Show More