utils/build-galaxy-release.sh: Use ansible-galaxy instead of mazer

ansible-galaxy needs to be used to build the Ansible collection. mazer should
not be used any more.

README-host.md

@@ -269,14 +269,14 @@ Variable | Description | Required
 `certificate` \| `usercertificate` | List of base-64 encoded host certificates | no
 `managedby` \| `principalname` \| `krbprincipalname` | List of hosts that can manage this host | no
 `principal` \| `principalname` \| `krbprincipalname` | List of principal aliases for this host | no
-`allow_create_keytab_user` \| `ipaallowedtoperform_write_keys_user` | Users allowed to create a keytab of this host. <br>Options: | no
-`allow_create_keytab_group` \| `ipaallowedtoperform_write_keys_group` | Groups allowed to create a keytab of this host. <br>Options: | no
-`allow_create_keytab_host` \| `ipaallowedtoperform_write_keys_host` | Hosts allowed to create a keytab of this host. <br>Options: | no
-`allow_create_keytab_hostgroup` \| `ipaallowedtoperform_write_keys_hostgroup` | Host groups allowed to create a keytab of this host. <br>Options: | no
-`allow_retrieve_keytab_user` \| `ipaallowedtoperform_read_keys_user` | Users allowed to retieve a keytab of this host. <br>Options: | no
-`allow_retrieve_keytab_group` \| `ipaallowedtoperform_read_keys_group` | Groups allowed to retieve a keytab of this host. <br>Options: | no
-`allow_retrieve_keytab_host` \| `ipaallowedtoperform_read_keys_host` | Hosts allowed to retieve a keytab of this host. <br>Options: | no
-`allow_retrieve_keytab_hostgroup` \| `ipaallowedtoperform_read_keys_hostgroup` | Host groups allowed to retieve a keytab of this host. <br>Options: | no
+`allow_create_keytab_user` \| `ipaallowedtoperform_write_keys_user` | Users allowed to create a keytab of this host. | no
+`allow_create_keytab_group` \| `ipaallowedtoperform_write_keys_group` | Groups allowed to create a keytab of this host. | no
+`allow_create_keytab_host` \| `ipaallowedtoperform_write_keys_host` | Hosts allowed to create a keytab of this host. | no
+`allow_create_keytab_hostgroup` \| `ipaallowedtoperform_write_keys_hostgroup` | Host groups allowed to create a keytab of this host. | no
+`allow_retrieve_keytab_user` \| `ipaallowedtoperform_read_keys_user` | Users allowed to retieve a keytab of this host. | no
+`allow_retrieve_keytab_group` \| `ipaallowedtoperform_read_keys_group` | Groups allowed to retieve a keytab of this host. | no
+`allow_retrieve_keytab_host` \| `ipaallowedtoperform_read_keys_host` | Hosts allowed to retieve a keytab of this host. | no
+`allow_retrieve_keytab_hostgroup` \| `ipaallowedtoperform_read_keys_hostgroup` | Host groups allowed to retieve a keytab of this host. | no
 `mac_address` \| `macaddress` | List of hardware MAC addresses. | no
 `sshpubkey` \| `ipasshpubkey` | List of SSH public keys | no
 `userclass` \| `class` | Host category (semantics placed on this attribute are for local interpretation) | no

README.md

@@ -155,6 +155,7 @@ ipaserver_install_packages=no
 ipaserver_setup_firewalld=no
 ```
 The installation of packages and also the configuration of the firewall are by default enabled.
+Note that it is not enough to mask systemd firewalld service to skip the firewalld configuration. You need to set the variable to `no`.
 
 For more server settings, please have a look at the [server role documentation](roles/ipaserver/README.md).
 
@@ -230,6 +231,7 @@ ipareplica_setup_firewalld=no
 ```
 
 The installation of packages and also the configuration of the firewall are by default enabled.
+Note that it is not enough to mask systemd firewalld service to skip the firewalld configuration. You need to set the variable to `no`.
 
 For more replica settings, please have a look at the [replica role documentation](roles/ipareplica/README.md).
 

galaxy.yml

@@ -15,6 +15,8 @@ readme: "README.md"
 license: "GPL-3.0-or-later"
 license_file: "COPYING"
 
+dependencies:
+
 tags:
   - "identity"
   - "ipa"

plugins/module_utils/ansible_freeipa_module.py

@@ -151,6 +151,13 @@ def api_command(module, command, name, args):
     return api.Command[command](name, **args)
 
 
+def api_command_no_name(module, command, args):
+    """
+    Call ipa.Command without a name.
+    """
+    return api.Command[command](**args)
+
+
 def api_check_param(command, name):
     """
     Return if param exists in command param list

plugins/modules/ipauser.py

@@ -460,7 +460,8 @@ from ansible.module_utils.basic import AnsibleModule
 from ansible.module_utils._text import to_text
 from ansible.module_utils.ansible_freeipa_module import temp_kinit, \
     temp_kdestroy, valid_creds, api_connect, api_command, date_format, \
-    compare_args_ipa, module_params_get, api_check_param, api_get_realm
+    compare_args_ipa, module_params_get, api_check_param, api_get_realm, \
+    api_command_no_name
 import six
 
 
@@ -646,6 +647,14 @@ def check_parameters(module, state, action,
                     module.fail_json(msg="certmapdata: subject is missing")
 
 
+def extend_emails(email, default_email_domain):
+    if email is not None:
+        return [ "%s@%s" % (_email, default_email_domain)
+                 if "@" not in _email else _email
+                 for _email in email]
+    return email
+
+
 def gen_certmapdata_args(certmapdata):
     certificate = certmapdata.get("certificate")
     issuer = certmapdata.get("issuer")
@@ -883,6 +892,17 @@ def main():
 
         server_realm = api_get_realm()
 
+        # Default email domain
+
+        result = api_command_no_name(ansible_module, "config_show", {})
+        default_email_domain = result["result"]["ipadefaultemaildomain"][0]
+
+        # Extend email addresses
+
+        email = extend_emails(email, default_email_domain)
+
+        # commands
+
         commands = []
 
         for user in names:
@@ -949,6 +969,10 @@ def main():
                     certmapdata, noprivate, nomembers, preserve,
                     update_password)
 
+                # Extend email addresses
+
+                email = extend_emails(email, default_email_domain)
+
             elif isinstance(user, str) or isinstance(user, unicode):
                 name = user
             else:

roles/ipaclient/README.md

@@ -195,6 +195,7 @@ Special Variables
 Variable | Description | Required
 -------- | ----------- | --------
 `ipaclient_use_otp` | The bool value defines if a one-time password will be generated to join a new or existing host. `ipaclient_use_otp` defaults to `no`. The enforcement on an existing host is not done if there is a working krb5.keytab on the host. If the generation of an otp is enforced for an existing host entry, then the host gets disabled and the containing keytab gets removed. | no
+`ipaclient_otp` | The string value sets an already generated one-time password for the host. The role will use it and not try to generate a new one. Do not enable `ipaclient_use_otp` additionally. | no
 `ipaclient_allow_repair` | The bool value defines if an already joined or partly set-up client can be repaired. `ipaclient_allow_repair` defaults to `no`. Contrary to `ipaclient_force_join=yes` the host entry will not be changed on the server. | no
 `ipaclient_install_packages` | The bool value defines if the needed packages are installed on the node. `ipaclient_install_packages` defaults to `yes`. | no
 `ipaclient_on_master` | The bool value is only used in the server and replica installation process to install the client part. It should not be set otherwise. `ipaclient_on_master` defaults to `no`. | no

roles/ipareplica/tasks/install.yml

@@ -20,6 +20,19 @@
       state: present
     when: ipareplica_setup_adtrust | bool
 
+  - name: Install - Ensure that firewall packages installed
+    package:
+      name: "{{ ipareplica_packages_firewalld }}"
+      state: present
+    when: ipareplica_setup_firewalld | bool
+
+  - name: Firewalld service - Ensure that firewalld is running
+    systemd:
+      name: firewalld
+      enabled: yes
+      state: started
+    when: ipareplica_setup_firewalld | bool
+
   when: ipareplica_install_packages | bool
 
 #- name: Install - Include Python2/3 import test

roles/ipareplica/vars/CentOS-7.yml

@@ -2,4 +2,5 @@
 # vars/RedHat-7.yml
 ipareplica_packages: [ "ipa-server", "libselinux-python" ]
 ipareplica_packages_dns: [ "ipa-server-dns" ]
-ipareplica_packages_adtrust: [ "ipa-server-trust-ad" ]
+ipareplica_packages_adtrust: [ "ipa-server-trust-ad" ]
+ipareplica_packages_firewalld: [ "firewalld" ]

roles/ipareplica/vars/Fedora-25.yml

@@ -2,4 +2,5 @@
 # vars/Fedora-25.yml
 ipareplica_packages: [ "ipa-server", "libselinux-python" ]
 ipareplica_packages_dns: [ "ipa-server-dns" ]
-ipareplica_packages_adtrust: [ "ipa-server-trust-ad" ]
+ipareplica_packages_adtrust: [ "ipa-server-trust-ad" ]
+ipareplica_packages_firewalld: [ "firewalld" ]

roles/ipareplica/vars/Fedora-26.yml

@@ -2,4 +2,5 @@
 # vars/Fedora-26.yml
 ipareplica_packages: [ "ipa-server", "libselinux-python" ]
 ipareplica_packages_dns: [ "ipa-server-dns" ]
-ipareplica_packages_adtrust: [ "ipa-server-trust-ad" ]
+ipareplica_packages_adtrust: [ "ipa-server-trust-ad" ]
+ipareplica_packages_firewalld: [ "firewalld" ]

roles/ipareplica/vars/Fedora-27.yml

@@ -2,4 +2,5 @@
 # vars/Fedora.yml
 ipareplica_packages: [ "ipa-server", "libselinux-python" ]
 ipareplica_packages_dns: [ "ipa-server-dns" ]
-ipareplica_packages_adtrust: [ "ipa-server-trust-ad" ]
+ipareplica_packages_adtrust: [ "ipa-server-trust-ad" ]
+ipareplica_packages_firewalld: [ "firewalld" ]

roles/ipareplica/vars/Fedora.yml

@@ -2,4 +2,5 @@
 # vars/Fedora.yml
 ipareplica_packages: [ "freeipa-server", "python3-libselinux" ]
 ipareplica_packages_dns: [ "freeipa-server-dns" ]
-ipareplica_packages_adtrust: [ "freeipa-server-trust-ad" ]
+ipareplica_packages_adtrust: [ "freeipa-server-trust-ad" ]
+ipareplica_packages_firewalld: [ "firewalld" ]

roles/ipareplica/vars/RedHat-7.3.yml

@@ -2,4 +2,5 @@
 # vars/RedHat-7.3.yml
 ipareplica_packages: [ "ipa-server", "libselinux-python" ]
 ipareplica_packages_dns: [ "ipa-server-dns" ]
-ipareplica_packages_adtrust: [ "ipa-server-trust-ad" ]
+ipareplica_packages_adtrust: [ "ipa-server-trust-ad" ]
+ipareplica_packages_firewalld: [ "firewalld" ]

roles/ipareplica/vars/RedHat-7.yml

@@ -2,4 +2,5 @@
 # vars/RedHat-7.yml
 ipareplica_packages: [ "ipa-server", "libselinux-python" ]
 ipareplica_packages_dns: [ "ipa-server-dns" ]
-ipareplica_packages_adtrust: [ "ipa-server-trust-ad" ]
+ipareplica_packages_adtrust: [ "ipa-server-trust-ad" ]
+ipareplica_packages_firewalld: [ "firewalld" ]

roles/ipareplica/vars/RedHat-8.yml

@@ -3,3 +3,4 @@
 ipareplica_packages: [ "@idm:DL1/server" ]
 ipareplica_packages_dns: [ "@idm:DL1/dns" ]
 ipareplica_packages_adtrust: [ "@idm:DL1/adtrust" ]
+ipareplica_packages_firewalld: [ "firewalld" ]

roles/ipareplica/vars/Ubuntu.yml

@@ -2,3 +2,4 @@
 ipareplica_packages: [ "freeipa-server" ]
 ipareplica_packages_dns: [ "freeipa-server-dns" ]
 ipareplica_packages_adtrust: [ "freeipa-server-trust-ad" ]
+ipareplica_packages_firewalld: [ "firewalld" ]

roles/ipareplica/vars/default.yml

@@ -3,3 +3,4 @@
 ipareplica_packages: [ "freeipa-server", "python3-libselinux" ]
 ipareplica_packages_dns: [ "freeipa-server-dns" ]
 ipareplica_packages_adtrust: [ "freeipa-server-trust-ad" ]
+ipareplica_packages_firewalld: [ "firewalld" ]

roles/ipaserver/library/ipaserver_test.py

@@ -719,12 +719,7 @@ def main():
                 msg="File %s does not exist." % options.dirsrv_config_file)
 
     # domain_name
-    if options.setup_dns and not options.allow_zone_overlap and \
-       options.domain_name is not None:
-        try:
-            check_zone_overlap(options.domain_name, False)
-        except ValueError as e:
-            ansible_module.fail_json(msg=str(e))
+    # Validation is done later on in ipaserver_prepare dns.install_check
 
     # dm_password
     with redirect_stdout(ansible_log):

roles/ipaserver/tasks/install.yml

@@ -19,6 +19,19 @@
       state: present
     when: ipaserver_setup_adtrust | bool
 
+  - name: Install - Ensure that firewall packages installed
+    package:
+      name: "{{ ipaserver_packages_firewalld }}"
+      state: present
+    when: ipaserver_setup_firewalld | bool
+
+  - name: Firewalld service - Ensure that firewalld is running
+    systemd:
+      name: firewalld
+      enabled: yes
+      state: started
+    when: ipaserver_setup_firewalld | bool
+
   when: ipaserver_install_packages | bool
 
 #- name: Install - Include Python2/3 import test

roles/ipaserver/vars/CentOS-7.yml

@@ -2,4 +2,5 @@
 # vars/rhel.yml
 ipaserver_packages: [ "ipa-server", "libselinux-python" ]
 ipaserver_packages_dns: [ "ipa-server-dns" ]
-ipaserver_packages_adtrust: [ "ipa-server-trust-ad" ]
+ipaserver_packages_adtrust: [ "ipa-server-trust-ad" ]
+ipaserver_packages_firewalld: [ "firewalld" ]

roles/ipaserver/vars/Fedora-25.yml

@@ -1,3 +1,4 @@
 ipaserver_packages: [ "ipa-server", "libselinux-python" ]
 ipaserver_packages_dns: [ "ipa-server-dns" ]
-ipaserver_packages_adtrust: [ "ipa-server-trust-ad" ]
+ipaserver_packages_adtrust: [ "ipa-server-trust-ad" ]
+ipaserver_packages_firewalld: [ "firewalld" ]

roles/ipaserver/vars/Fedora-26.yml

@@ -1,3 +1,4 @@
 ipaserver_packages: [ "ipa-server", "libselinux-python" ]
 ipaserver_packages_dns: [ "ipa-server-dns" ]
-ipaserver_packages_adtrust: [ "ipa-server-trust-ad" ]
+ipaserver_packages_adtrust: [ "ipa-server-trust-ad" ]
+ipaserver_packages_firewalld: [ "firewalld" ]

roles/ipaserver/vars/Fedora-27.yml

@@ -1,3 +1,4 @@
 ipaserver_packages: [ "ipa-server", "libselinux-python" ]
 ipaserver_packages_dns: [ "ipa-server-dns" ]
 ipaserver_packages_adtrust: [ "ipa-server-trust-ad" ]
+ipaserver_packages_firewalld: [ "firewalld" ]

roles/ipaserver/vars/Fedora.yml

@@ -1,3 +1,4 @@
 ipaserver_packages: [ "freeipa-server", "python3-libselinux" ]
 ipaserver_packages_dns: [ "freeipa-server-dns" ]
-ipaserver_packages_adtrust: [ "freeipa-server-trust-ad" ]
+ipaserver_packages_adtrust: [ "freeipa-server-trust-ad" ]
+ipaserver_packages_firewalld: [ "firewalld" ]

roles/ipaserver/vars/RedHat-7.3.yml

@@ -2,4 +2,5 @@
 # vars/rhel.yml
 ipaserver_packages: [ "ipa-server", "libselinux-python" ]
 ipaserver_packages_dns: [ "ipa-server-dns" ]
-ipaserver_packages_adtrust: [ "ipa-server-trust-ad" ]
+ipaserver_packages_adtrust: [ "ipa-server-trust-ad" ]
+ipaserver_packages_firewalld: [ "firewalld" ]

roles/ipaserver/vars/RedHat-7.yml

@@ -2,4 +2,5 @@
 # vars/rhel.yml
 ipaserver_packages: [ "ipa-server", "libselinux-python" ]
 ipaserver_packages_dns: [ "ipa-server-dns" ]
-ipaserver_packages_adtrust: [ "ipa-server-trust-ad" ]
+ipaserver_packages_adtrust: [ "ipa-server-trust-ad" ]
+ipaserver_packages_firewalld: [ "firewalld" ]

roles/ipaserver/vars/RedHat-8.yml

@@ -3,3 +3,4 @@
 ipaserver_packages: [ "@idm:DL1/server" ]
 ipaserver_packages_dns: [ "@idm:DL1/dns" ]
 ipaserver_packages_adtrust: [ "@idm:DL1/adtrust" ]
+ipaserver_packages_firewalld: [ "firewalld" ]

roles/ipaserver/vars/Ubuntu.yml

@@ -2,3 +2,4 @@
 ipaserver_packages: [ "freeipa-server" ]
 ipaserver_packages_dns: [ "freeipa-server-dns" ]
 ipaserver_packages_adtrust: [ "freeipa-server-trust-ad" ]
+ipaserver_packages_firewalld: [ "firewalld" ]

roles/ipaserver/vars/default.yml

@@ -3,3 +3,4 @@
 ipaserver_packages: [ "ipa-server", "python3-libselinux" ]
 ipaserver_packages_dns: [ "ipa-server-dns" ]
 ipaserver_packages_adtrust: [ "freeipa-server-trust-ad" ]
+ipaserver_packages_firewalld: [ "firewalld" ]

utils/build-galaxy-release.sh

@@ -35,7 +35,7 @@ done
 
 #git diff
 
-mazer build
+ansible-galaxy collection build
 
 rm plugins/module_utils/ansible_ipa_*
 rm plugins/modules/ipaserver_*