Update README-role.md

Fix module documentation

.ansible-lint

@@ -0,0 +1,23 @@
+exclude_paths:
+  - roles
+  - .tox
+  - .venv
+
+parseable: true
+
+quiet: false
+
+skip_list:
+  - '201'  # Trailing whitespace
+  - '204'  # Lines should be no longer than 160 chars
+  - '206'  # Variables should have spaces before and after: {{ var_name }}'
+  - '208'  # File permissions not mentioned
+  - '301'  # Commands should not change things if nothing needs doing'
+  - '305'  # Use shell only when shell functionality is required'
+  - '306'  # Shells that use pipes should set the pipefail option'
+  - '502'  # All tasks should be named
+  - '505'  # Referenced missing file
+
+use_default_rules: true
+
+verbosity: 1

.copr/Makefile

@@ -0,0 +1,9 @@
+srpm:
+	# Setup development environment
+	echo "Installing base development environment"
+	dnf install -y dnf-plugins-core git-all
+	echo "Call SRPM build Script"
+	./utils/build-srpm.sh
+	if [[ "${outdir}" != "" ]]; then \
+		mv /builddir/build/SRPMS/* ${outdir}; \
+	fi

.github/workflows/lint.yml

@@ -0,0 +1,33 @@
+---
+name: Run Linters
+on:
+  - push
+  - pull_request
+jobs:
+  linters:
+    name: Run Linters
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - uses: actions/setup-python@v2
+        with:
+          python-version: "3.6"
+
+      - name: Run ansible-lint
+        uses: ansible/ansible-lint-action@master
+        with:
+          targets: |
+            tests/*.yml
+            tests/*/*.yml
+            tests/*/*/*.yml
+            playbooks/*.yml
+            playbooks/*/*.yml
+        env:
+          ANSIBLE_MODULE_UTILS: plugins/module_utils
+          ANSIBLE_LIBRARY: plugins/modules
+
+      - name: Run yaml-lint
+        uses: ibiqlik/action-yamllint@v1
+
+      - name: Run Python linters
+        uses: rjeffman/python-lint-action@master

.gitignore

@@ -1,2 +1,8 @@
 *.pyc
 *.retry
+
+# ignore virtual environments
+/.tox/
+/.venv/
+
+tests/logs/

.yamllint

@@ -0,0 +1,28 @@
+---
+ignore: |
+  /.tox/
+  /.venv/
+  /.github/
+
+extends: default
+
+rules:
+  braces:
+    max-spaces-inside: 1
+    level: error
+  brackets:
+    max-spaces-inside: 1
+    level: error
+  truthy:
+    allowed-values: ["yes", "no", "true", "false", "True", "False"]
+    level: error
+  # Disabled rules
+  document-start: disable
+  indentation: disable
+  line-length: disable
+  colons: disable
+  empty-lines: disable
+  comments: disable
+  comments-indentation: disable
+  trailing-spaces: disable
+  new-line-at-end-of-file: disable

README-config.md

@@ -0,0 +1,150 @@
+Config module
+===========
+
+Description
+-----------
+
+The config module allows the setting of global config parameters within IPA. If no parameters are specified it returns the list of all current parameters.
+
+The config module is as compatible as possible to the Ansible upstream `ipa_config` module, but adds many additional parameters
+
+
+Features
+--------
+* IPA server configuration management
+
+
+Supported FreeIPA Versions
+--------------------------
+
+FreeIPA versions 4.4.0 and up are supported by the ipaconfig module.
+
+Some variables are only supported on newer versions of FreeIPA. Check `Variables` section for details.
+
+Requirements
+------------
+
+**Controller**
+* Ansible version: 2.8+
+
+**Node**
+* Supported FreeIPA version (see above)
+
+
+Usage
+=====
+
+Example inventory file
+
+```ini
+[ipaserver]
+ipaserver.test.local
+```
+
+
+Example playbook to read config options:
+
+```yaml
+---
+- name: Playbook to handle global config options
+  hosts: ipaserver
+  become: true
+  tasks:
+    - name: return current values of the global configuration options
+      ipaconfig:
+        ipaadmin_password: password
+      register: result
+    - name: display default login shell
+      debug:
+        msg: '{{result.config.defaultlogin }}'
+
+    - name: ensure defaultloginshell and maxusernamelength are set as required
+      ipaconfig:
+        ipaadmin_password: password
+        defaultlogin: /bin/bash
+        maxusername: 64
+```
+
+```yaml
+---
+- name: Playbook to ensure some config options are set
+  hosts: ipaserver
+  become: true
+  tasks:
+    - name: set defaultlogin and maxusername
+      ipaconfig:
+        ipaadmin_password: password
+        defaultlogin: /bin/bash
+        maxusername: 64
+```
+
+
+Variables
+=========
+
+ipauser
+-------
+
+**General Variables:**
+
+Variable | Description | Required
+-------- | ----------- | --------
+`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
+`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
+`maxusername` \| `ipamaxusernamelength` |  Set the maximum username length (1 to 255) | no
+`maxhostname` \| `ipamaxhostnamelength` |  Set the maximum hostname length between 64-255. Only usable with IPA versions 4.8.0 and up. | no
+`homedirectory` \| `ipahomesrootdir` |  Set the default location of home directories | no
+`defaultshell` \| `ipadefaultloginshell` |  Set the default shell for new users | no
+`defaultgroup` \| `ipadefaultprimarygroup` |  Set the default group for new users | no
+`emaildomain`\| `ipadefaultemaildomain`  |  Set the default e-mail domain | false
+`searchtimelimit` \| `ipasearchtimelimit` |  Set maximum amount of time (seconds) for a search -1 to 2147483647 (-1 or 0 is unlimited) | no
+`searchrecordslimit` \| `ipasearchrecordslimit` |  Set maximum number of records to search -1 to 2147483647 (-1 or 0 is unlimited) | no
+`usersearch` \| `ipausersearchfields` |  Set list of fields to search when searching for users | no
+`groupsearch` \| `ipagroupsearchfields` |  Set list of fields to search in when searching for groups | no
+`enable_migration` \| `ipamigrationenabled` |  Enable migration mode (choices: True, False ) | no
+`groupobjectclasses` \| `ipagroupobjectclasses` |  Set default group objectclasses (list) | no
+`userobjectclasses` \| `ipauserobjectclasses` |  Set default user objectclasses (list) | no
+`pwdexpnotify` \| `ipapwdexpadvnotify` |  Set number of days's notice of impending password expiration (0 to 2147483647) | no
+`configstring` \| `ipaconfigstring` |  Set extra hashes to generate in password plug-in (choices:`AllowNThash`, `KDC:Disable Last Success`, `KDC:Disable Lockout`, `KDC:Disable Default Preauth for SPNs`). Use `""` to clear this variable. | no
+`selinuxusermaporder` \| `ipaselinuxusermaporder`| Set ordered list in increasing priority of SELinux users | no
+`selinuxusermapdefault`\| `ipaselinuxusermapdefault` |  Set default SELinux user when no match is found in SELinux map rule | no
+`pac_type` \| `ipakrbauthzdata` |  set default types of PAC supported for services (choices: `MS-PAC`, `PAD`, `nfs:NONE`). Use `""` to clear this variable. | no
+`user_auth_type` \| `ipauserauthtype` |  set default types of supported user authentication (choices: `password`, `radius`, `otp`, `disabled`). Use `""` to clear this variable. | no
+`domain_resolution_order` \| `ipadomainresolutionorder` | Set list of domains used for short name qualification | no
+`ca_renewal_master_server` \| `ipacarenewalmasterserver`| Renewal master for IPA certificate authority. | no
+
+
+Return Values
+=============
+
+Variable | Description | Returned When
+-------- | ----------- | -------------
+`config` | config dict <br />Fields: | No values to configure are specified
+&nbsp; | `maxusername` | &nbsp;
+&nbsp; | `maxhostname` | &nbsp;
+&nbsp; | `homedirectory` | &nbsp;
+&nbsp; | `defaultshell` | &nbsp;
+&nbsp; | `defaultgroup` | &nbsp;
+&nbsp; | `emaildomain` | &nbsp;
+&nbsp; | `searchtimelimit` | &nbsp;
+&nbsp; | `searchrecordslimit` | &nbsp;
+&nbsp; | `usersearch` | &nbsp;
+&nbsp; | `groupsearch` | &nbsp;
+&nbsp; | `enable_migration` | &nbsp;
+&nbsp; | `groupobjectclasses` | &nbsp;
+&nbsp; | `userobjectclasses` | &nbsp;
+&nbsp; | `pwdexpnotify` | &nbsp;
+&nbsp; | `configstring` | &nbsp;
+&nbsp; | `selinuxusermapdefault` | &nbsp;
+&nbsp; | `selinuxusermaporder` | &nbsp;
+&nbsp; | `pac_type` | &nbsp;
+&nbsp; | `user_auth_type` | &nbsp;
+&nbsp; | `domain_resolution_order` | &nbsp;
+&nbsp; | `ca_renewal_master_server` | &nbsp;
+
+All returned fields take the same form as their namesake input parameters
+
+Authors
+=======
+
+Chris Procter

README-delegation.md

@@ -0,0 +1,157 @@
+Delegation module
+=================
+
+Description
+-----------
+
+The delegation module allows to ensure presence, absence of delegations and delegation attributes.
+
+
+Features
+--------
+
+* Delegation management
+
+
+Supported FreeIPA Versions
+--------------------------
+
+FreeIPA versions 4.4.0 and up are supported by the ipadelegation module.
+
+
+Requirements
+------------
+
+**Controller**
+* Ansible version: 2.8+
+
+**Node**
+* Supported FreeIPA version (see above)
+
+
+Usage
+=====
+
+Example inventory file
+
+```ini
+[ipaserver]
+ipaserver.test.local
+```
+
+
+Example playbook to make sure delegation "basic manager attributes" is present:
+
+```yaml
+---
+- name: Playbook to manage IPA delegation.
+  hosts: ipaserver
+  become: yes
+
+  tasks:
+  - ipadelegation:
+      ipaadmin_password: SomeADMINpassword
+      name: "basic manager attributes"
+      permission: read
+      attribute:
+      - businesscategory
+      - employeetype
+      group: managers
+      membergroup: employees
+```
+
+
+Example playbook to make sure delegation "basic manager attributes" is absent:
+
+```yaml
+---
+- name: Playbook to manage IPA delegation.
+  hosts: ipaserver
+  become: yes
+
+  tasks:
+  - ipadelegation:
+      ipaadmin_password: SomeADMINpassword
+      name: "basic manager attributes"
+      state: absent
+```
+
+
+Example playbook to make sure "basic manager attributes" member attributes employeetype and employeenumber are present:
+
+```yaml
+---
+- name: Playbook to manage IPA delegation.
+  hosts: ipaserver
+  become: yes
+
+  tasks:
+  - ipadelegation:
+      ipaadmin_password: SomeADMINpassword
+      name: "basic manager attributes"
+      attribute:
+      - employeenumber
+      - employeetype
+      action: member
+```
+
+
+Example playbook to make sure "basic manager attributes" member attributes employeetype and employeenumber are absent:
+
+```yaml
+---
+- name: Playbook to manage IPA delegation.
+  hosts: ipaserver
+  become: yes
+
+  tasks:
+  - ipadelegation:
+      ipaadmin_password: SomeADMINpassword
+      name: "basic manager attributes"
+      attribute:
+      - employeenumber
+      - employeetype
+      action: member
+      state: absent
+```
+
+
+Example playbook to make sure delegation "basic manager attributes" is absent:
+
+```yaml
+---
+- name: Playbook to manage IPA delegation.
+  hosts: ipaserver
+  become: yes
+
+  tasks:
+  - ipadelegation:
+      ipaadmin_password: SomeADMINpassword
+      name: "basic manager attributes"
+      state: absent
+```
+
+
+Variables
+---------
+
+ipadelegation
+-------
+
+Variable | Description | Required
+-------- | ----------- | --------
+`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
+`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
+`name` \| `aciname` | The list of delegation name strings. | yes
+`permission` \| `permissions` |  The permission to grant `read`, `read,write`, `write`]. Default is `write`. | no
+`attribute` \| `attrs` | The attribute list to which the delegation applies. | no
+`membergroup` \| `memberof` | The user group to apply delegation to. | no
+`group` | User group ACI grants access to. | no
+`action` | Work on delegation or member level. It can be on of `member` or `delegation` and defaults to `delegation`. | no
+`state` | The state to ensure. It can be one of `present`, `absent`, default: `present`. | no
+
+
+Authors
+=======
+
+Thomas Woerner

README-dnsforwardzone.md

@@ -0,0 +1,115 @@
+Dnsforwardzone module
+=====================
+
+Description
+-----------
+
+The dnsforwardzone module allows the addition and removal of dns forwarders from the IPA DNS config.
+
+It is desgined to follow the IPA api as closely as possible while ensuring ease of use.
+
+
+Features
+--------
+* DNS zone management
+
+Supported FreeIPA Versions
+--------------------------
+
+FreeIPA versions 4.4.0 and up are supported by the ipadnsforwardzone module.
+
+Requirements
+------------
+**Controller**
+* Ansible version: 2.8+
+
+**Node**
+* Supported FreeIPA version (see above)
+
+
+Usage
+=====
+
+Example inventory file
+
+```ini
+[ipaserver]
+ipaserver.test.local
+```
+
+
+Example playbook to ensure presence of a forwardzone to ipa DNS:
+
+```yaml
+---
+- name: Playbook to handle add a forwarder
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  - name: ensure presence of forwardzone for DNS requests for example.com to 8.8.8.8
+    ipadnsforwardzone:
+      ipaadmin_password: SomeADMINpassword
+      state: present
+      name: example.com
+      forwarders:
+        - 8.8.8.8
+      forwardpolicy: first
+      skip_overlap_check: true
+
+  - name: ensure the forward zone is disabled
+    ipadnsforwardzone:
+      ipaadmin_password: SomeADMINpassword
+      name: example.com
+      state: disabled
+
+  - name: ensure presence of multiple upstream DNS servers for example.com
+    ipadnsforwardzone:
+      ipaadmin_password: SomeADMINpassword
+      state: present
+      name: example.com
+      forwarders:
+        - 8.8.8.8
+        - 4.4.4.4
+
+  - name: ensure presence of another forwarder to any existing ones for example.com
+    ipadnsforwardzone:
+      ipaadmin_password: SomeADMINpassword
+      state: present
+      name: example.com
+      forwarders:
+        - 1.1.1.1
+      action: member
+
+  - name: ensure the forwarder for example.com does not exists (delete it if needed)
+    ipadnsforwardzone:
+      ipaadmin_password: SomeADMINpassword
+      name: example.com
+      state: absent
+```
+
+Variables
+=========
+
+ipagroup
+-------
+
+Variable | Description | Required
+-------- | ----------- | --------
+`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
+`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
+`name` \| `cn` | Zone name (FQDN). | yes if `state` == `present`
+`forwarders` \| `idnsforwarders` |  Per-zone forwarders. A custom port can be specified for each forwarder. Options | no
+  | `ip_address`: The forwarder IP address. | yes
+  | `port`: The forwarder IP port. | no
+`forwardpolicy` \| `idnsforwardpolicy` | Per-zone conditional forwarding policy. Possible values are `only`, `first`, `none`. Set to "none" to disable forwarding to global forwarder for this zone. In that case, conditional zone forwarders are disregarded. | no
+`skip_overlap_check` | Force DNS zone creation even if it will overlap with an existing zone. Defaults to False. | no
+`permission` | Allow DNS Forward Zone to be managed. (bool) | no
+`action` | Work on group or member level. It can be on of `member` or `dnsforwardzone` and defaults to `dnsforwardzone`. | no
+`state` | The state to ensure. It can be one of `present`, `absent`, `enabled` or `disabled`, default: `present`. | yes
+
+
+Authors
+=======
+
+Chris Procter

README-dnsrecord.md

@@ -0,0 +1,357 @@
+DNSRecord module
+================
+
+Description
+-----------
+
+The dnsrecord module allows management of DNS records and is as compatible as possible with the Ansible upstream `ipa_dnsrecord` module, but provide some other features like multiple record management in one execution and support for more DNS record types.
+
+
+Features
+--------
+* DNS record management.
+
+
+Supported FreeIPA Versions
+--------------------------
+
+FreeIPA versions 4.4.0 and up are supported by the ipadnsrecord module.
+
+
+Requirements
+------------
+
+**Controller**
+* Ansible version: 2.8+
+
+**Node**
+* Supported FreeIPA version (see above)
+
+
+Usage
+=====
+
+Example inventory file
+
+```ini
+[ipaserver]
+ipaserver.example.com
+```
+
+Example playbook to ensure an AAAA record is present:
+
+```yaml
+---
+- ipadnsrecord:
+    ipaadmin_password: SomeADMINpassword
+    name: host01
+    zone_name: example.com
+    record_type: 'AAAA'
+    record_value: '::1'
+```
+
+Example playbook to ensure an AAAA record is present, with a TTL of 300:
+
+```yaml
+---
+- ipadnsrecord:
+    ipaadmin_password: SomeADMINpassword
+    name: host01
+    zone_name: example.com
+    record_type: 'AAAA'
+    record_value: '::1'
+    record_ttl: 300
+```
+
+Example playbook to ensure an AAAA record is present, with a reverse PTR record:
+```yaml
+---
+- ipadnsrecord:
+    ipaadmin_password: SomeADMINpassword
+    name: host02
+    zone_name: example.com
+    record_type: 'AAAA'
+    record_value: 'fd00::0002'
+    create_reverse: yes
+```
+
+Example playbook to ensure a LOC record is present, given its individual attributes:
+```yaml
+---
+- ipadnsrecord:
+    ipaadmin_password: SomeADMINpassword
+    zone_name: example.com
+    name: host03
+    loc_lat_deg: 52
+    loc_lat_min: 22
+    loc_lat_sec: 23.000
+    loc_lat_dir: N
+    loc_lon_deg: 4
+    loc_lon_min: 53
+    loc_lon_sec: 32.00
+    loc_lon_dir: E
+    loc_altitude: -2.00
+    loc_size: 1.00
+    loc_h_precision: 10000
+    loc_v_precision: 10
+```
+
+Example playbook to ensure multiple DNS records are present:
+
+```yaml
+---
+ipadnsrecord:
+  ipaadmin_password: SomeADMINpassword
+  records:
+    - name: host02
+      zone_name: example.com
+      record_type: A
+      record_value:
+        - "{{ ipv4_prefix }}.112"
+        - "{{ ipv4_prefix }}.122"
+    - name: host02
+      zone_name: example.com
+      record_type: AAAA
+      record_value: ::1
+```
+
+Example playbook to ensure multiple CNAME records are present:
+
+```yaml
+---
+- name: Ensure that 'host03' and 'host04' have CNAME records.
+  ipadnsrecord:
+    ipaadmin_password: SomeADMINpassword
+    zone_name: example.com
+    records:
+    - name: host03
+      cname_hostname: host03.example.com
+    - name: host04
+      cname_hostname: host04.example.com
+```
+
+Example playbook to ensure NS record is absent:
+
+```yaml
+---
+- ipadnsrecord:
+    ipaadmin_password: SomeADMINpassword
+    zone_name: example.com
+    name: host04
+    ns_hostname: host04
+    state: absent
+```
+
+Example playbook to ensure LOC record is present, with fields:
+
+```yaml
+---
+- ipadnsrecord:
+    ipaadmin_password: SomeADMINpassword
+    zone_name: example.com
+    name: host04
+    loc_lat_deg: 52
+    loc_lat_min: 22
+    loc_lat_sec: 23.000
+    loc_lat_dir: N
+    loc_lon_deg: 4
+    loc_lon_min: 53
+    loc_lon_sec: 32.000
+    loc_lon_dir: E
+    loc_altitude: -2.00
+    loc_size: 0.00
+    loc_h_precision: 10000
+    loc_v_precision: 10
+```
+
+Change value of an existing LOC record:
+
+```yaml
+---
+- ipadnsrecord:
+  ipaadmin_password: SomeADMINpassword
+  zone_name: example.com
+  name: host04
+  loc_size: 1.00
+  loc_rec: 52 22 23 N 4 53 32 E -2 0 10000 10
+```
+
+Example playbook to ensure multiple A records are present:
+
+```yaml
+- ipadnsrecord:
+    ipaadmin_password: SomeADMINpassword
+    zone_name: example.com
+    name: host04
+    a_rec:
+      - 192.168.122.221
+      - 192.168.122.222
+      - 192.168.122.223
+      - 192.168.122.224
+```
+
+Example playbook to ensure A and AAAA records are present, with reverse records (PTR):
+```yaml
+- ipadnsrecord:
+    ipaadmin_password: SomeADMINpassword
+    zone_name: example.com
+    name: host01
+    a_rec:
+      - 192.168.122.221
+      - 192.168.122.222
+    aaaa_rec:
+      - fd00:;0001
+      - fd00::0002
+    create_reverse: yes
+```
+
+Example playbook to ensure multiple A and AAAA records are present, but only A records have reverse records:
+```yaml
+- ipadnsrecord:
+    ipaadmin_password: SomeADMINpassword
+    zone_name: example.com
+    name: host01
+    a_ip_address: 192.168.122.221
+    aaaa_ip_address: fd00::0001
+    a_create_reverse: yes
+```
+
+Example playbook to ensure multiple DNS records are absent:
+
+```yaml
+---
+- ipadnsrecord:
+    ipaadmin_password: SomeADMINpassword
+    zone_name: example.com
+    records:
+    - name: host01
+      del_all: yes
+    - name: host02
+      del_all: yes
+    - name: host03
+      del_all: yes
+    - name: host04
+      del_all: yes
+    - name: _ftp._tcp
+      del_all: yes
+    - name: _sip._udp
+      del_all: yes
+    state: absent
+```
+
+Variables
+=========
+
+ipadnsrecord
+------------
+
+Variable | Description | Required
+-------- | ----------- | --------
+`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
+`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
+`zone_name` \| `dnszone` | The DNS zone name to which DNS record needs to be managed. You can use one global zone name for multiple records. | no
+  required: true
+`records` | The list of dns records dicts. Each `records` dict entry can contain **record variables**. | no
+  | **Record variables** | no
+**Record variables** | Used when defining a single record. | no
+`state` | The state to ensure. It can be one of `present` or `absent`, and defaults to `present`. | yes
+
+
+**Record Variables:**
+
+Variable | Description | Required
+-------- | ----------- | --------
+`zone_name` \| `dnszone` | The DNS zone name to which DNS record needs to be managed. You can use one global zone name for multiple records. When used on a `records` dict, overrides the global `zone_name`. | yes
+`name` \| `record_name` | The DNS record name to manage. | yes
+`record_type` | The type of DNS record. Supported values are  `A`, `AAAA`, `A6`, `AFSDB`, `CERT`, `CNAME`, `DLV`, `DNAME`, `DS`, `KX`, `LOC`, `MX`, `NAPTR`, `NS`, `PTR`, `SRV`, `SSHFP`, `TLSA`, `TXT`, `URI`, and defaults to `A`. | no
+`record_value` | Manage DNS record name with this values. | no
+`record_ttl` | Set the TTL for the record. (int) | no
+`del_all` | Delete all associated records. (bool) | no
+`a_rec` \| `a_record` | Raw A record. | no
+`aaaa_rec` \| `aaaa_record` |  Raw AAAA record. | no
+`a6_rec` \| `a6_record` | Raw A6 record data. | no
+`afsdb_rec` \| `afsdb_record` | Raw AFSDB record. | no
+`cert_rec` \| `cert_record` | Raw CERT record. | no
+`cname_rec` \| `cname_record` | Raw CNAME record. | no
+`dlv_rec` \| `dlv_record` |  Raw DLV record. | no
+`dname_rec` \| `dname_record` | Raw DNAM record. | no
+`ds_rec` \| `ds_record` | Raw DS record. | no
+`kx_rec` \| `kx_record` |  Raw KX record. | no
+`loc_rec` \| `loc_record` | Raw LOC record. | no
+`mx_rec` \| `mx_record` | Raw MX record. | no
+`naptr_rec` \| `naptr_record` | Raw NAPTR record. | no
+`ns_rec` \| `ns_record` | Raw NS record. | no
+`ptr_rec` \| `ptr_record` | Raw PTR record. | no
+`srv_rec` \| `srv_record` | Raw SRV record. | no
+`sshfp_rec` \| `sshfp_record` | Raw SSHFP record. | no
+`tlsa_rec` \| `tlsa_record` | Raw TLSA record. | no
+`txt_rec` \| `txt_record` | Raw TXT record. | no
+`uri_rec` \| `uri_record` | Raw URI record. | no
+`ip_address` | IP adress for A or AAAA records. Set `record_type` to `A` or `AAAA`. | no
+`create_reverse` \| `reverse` | Create reverse records for `A` and `AAAA` record types. There is no equivalent to remove reverse records. (bool) | no
+`a_ip_address` | IP adress for A records. Set `record_type` to `A`. | no
+`a_create_reverse` | Create reverse records only for `A` records. There is no equivalent to remove reverse records. (bool) | no
+`aaaa_ip_address` | IP adress for AAAA records. Set `record_type` `AAAA`. | no
+`aaaa_create_reverse` | Create reverse records only for `AAAA` record types. There is no equivalent to remove reverse records. (bool) | no
+`a6_data` | A6 record. Set `record_type` to `A6`. | no
+`afsdb_subtype` | AFSDB Subtype. Set `record_type` to `AFSDB`. (int) | no
+`afsdb_hostname` | AFSDB Hostname. Set `record_type` to `AFSDB`. | no
+`cert_type` | CERT Certificate Type. Set `record_type` to `CERT`. (int) | no
+`cert_key_tag` | CERT Key Tag. Set `record_type` to `CERT`. (int) | no
+`cert_algorithm` | CERT Algorithm. Set `record_type` to `CERT`. (int) | no
+`cert_certificate_or_crl` | CERT Certificate or  Certificate Revocation List (CRL). Set `record_type` to `CERT`. | no
+`cname_hostname` | A hostname which this alias hostname points to. Set `record_type` to `CNAME`. | no
+`dlv_key_tag` | DS Key Tag. Set `record_type` to `DLV`. (int) | no
+`dlv_algorithm` | DLV Algorithm. Set `record_type` to `DLV`. (int) | no
+`dlv_digest_type` | DLV Digest Type. Set `record_type` to `DLV`. (int) | no
+`dlv_digest` | DLV Digest. Set `record_type` to `DLV`. | no
+`dname_target` | DNAME Target. Set `record_type` to `DNAME`. | no
+`ds_key_tag` | DS Key Tag. Set `record_type` to `DS`. (int) | no
+`ds_algorithm` | DS Algorithm. Set `record_type` to `DS`. (int) | no
+`ds_digest_type` | DS Digest Type. Set `record_type` to `DS`. (int) | no
+`ds_digest` | DS Digest. Set `record_type` to `DS`. | no
+`kx_preference` | Preference given to this exchanger. Lower values are more preferred. Set `record_type` to `KX`. (int) | no
+`kx_exchanger` | A host willing to act as a key exchanger.  Set `record_type` to `KX`. | no
+`loc_lat_deg` | LOC Degrees Latitude. Set `record_type` to `LOC`. (int) | no
+`loc_lat_min` | LOC Minutes Latitude. Set `record_type` to `LOC`. (int) | no
+`loc_lat_sec` | LOC Seconds Latitude. Set `record_type` to `LOC`. (float) | no
+`loc_lat_dir` | LOC Direction Latitude. Valid values are `N` or `S`. Set `record_type` to `LOC`. (int) | no
+`loc_lon_deg` | LOC Degrees Longitude. Set `record_type` to `LOC`. (int) | no
+`loc_lon_min` | LOC Minutes Longitude. Set `record_type` to `LOC`. (int) | no
+`loc_lon_sec` | LOC Seconds Longitude. Set `record_type` to `LOC`. (float) | no
+`loc_lon_dir` | LOC Direction Longitude. Valid values are `E` or `W`. Set `record_type` to `LOC`. (int) | no
+`loc_altitude` | LOC Altitude. Set `record_type` to `LOC`. (float) | no
+`loc_size` | LOC Size. Set `record_type` to `LOC`. (float) | no
+`loc_h_precision` | LOC Horizontal Precision. Set `record_type` to `LOC`. (float) | no
+`loc_v_precision` | LOC Vertical Precision. Set `record_type` to `LOC`. (float) | no
+`mx_preference` | Preference given to this exchanger. Lower values are more preferred. Set `record_type` to `MX`. (int) | no
+`mx_exchanger` | A host willing to act as a mail exchanger.  Set `record_type` to `LOC`. | no
+`naptr_order` | NAPTR Order. Set `record_type` to `NAPTR`. (int) | no
+`naptr_preference` | NAPTR Preference. Set `record_type` to `NAPTR`. (int) | no
+`naptr_flags` | NAPTR Flags. Set `record_type` to `NAPTR`. | no
+`naptr_service` | NAPTR Service. Set `record_type` to `NAPTR`. | no
+`naptr_regexp` | NAPTR Regular Expression. Set `record_type` to `NAPTR`. | no
+`naptr_replacement` | NAPTR Replacement. Set `record_type` to `NAPTR`. | no
+`ns_hostname` | NS Hostname. Set `record_type` to `NS`. | no
+`ptr_hostname` | The hostname this reverse record points to. . Set `record_type` to `PTR`. | no
+`srv_priority` | Lower number means higher priority. Clients will attempt to contact the server with the lowest-numbered priority they can reach. Set `record_type` to `SRV`. (int) | no
+`srv_weight` | Relative weight for entries with the same priority. Set `record_type` to `SRV`. (int) | no
+`srv_port` | SRV Port. Set `record_type` to `SRV`. (int) | no
+`srv_target` | The domain name of the target host or '.' if the service is decidedly not available at this domain. Set `record_type` to `SRV`. | no
+`sshfp_algorithm` | SSHFP Algorithm. Set `record_type` to `SSHFP`. (int) | no
+`sshfp_fp_type` | SSHFP Fingerprint Type. Set `record_type` to `SSHFP`. (int) | no
+`sshfp_fingerprint`| SSHFP Fingerprint. Set `record_type` to `SSHFP`. (int) | no
+`txt_data` | TXT Text Data. Set `record_type` to `TXT`. | no
+`tlsa_cert_usage` | TLSA Certificate Usage. Set `record_type` to `TLSA`. (int) | no
+`tlsa_selector` | TLSA Selector. Set `record_type` to `TLSA`. (int) | no
+`tlsa_matching_type` | TLSA Matching Type. Set `record_type` to `TLSA`. (int) | no
+`tlsa_cert_association_data` | TLSA Certificate Association Data. Set `record_type` to `TLSA`. | no
+`uri_target` | Target Uniform Resource Identifier according to RFC 3986. Set `record_type` to `URI`. | no
+`uri_priority` | Lower number means higher priority. Clients will attempt to contact the URI with the lowest-numbered priority they can reach. Set `record_type` to `URI`. (int) | no
+`uri_weight` | Relative weight for entries with the same priority. Set `record_type` to `URI`. (int) | no
+
+
+Authors
+=======
+
+Rafael Guterres Jeffman

README-dnszone.md

@@ -0,0 +1,247 @@
+DNSZone Module
+==============
+
+Description
+-----------
+
+The dnszone module allows to configure zones in DNS server.
+
+
+Features
+--------
+
+* Add, remove, modify, enable or disable DNS zones.
+
+
+Supported FreeIPA Versions
+--------------------------
+
+FreeIPA versions 4.4.0 and up are supported by ipadnszone module.
+
+
+Requirements
+------------
+
+**Controller**
+* Ansible version: 2.8+
+
+
+**Node**
+* Supported FreeIPA version (see above)
+
+
+Usage
+-----
+
+
+```ini
+[ipaserver]
+ipaserver.test.local
+```
+
+Example playbook to create a simple DNS zone:
+
+```yaml
+
+---
+- name: dnszone present
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  - name: Ensure zone is present.
+    ipadnszone:
+      ipaadmin_password: SomeADMINpassword
+      name: testzone.local
+      state: present
+
+```
+
+
+Example playbook to create a DNS zone with all currently supported variables:
+```yaml
+
+---
+- name: dnszone present
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  - name: Ensure zone is present.
+    ipadnszone:
+      ipaadmin_password: SomeADMINpassword
+      name: testzone.local
+      allow_sync_ptr: true
+      dynamic_update: true
+      dnssec: true
+      allow_transfer:
+        - 1.1.1.1
+        - 2.2.2.2
+      allow_query:
+        - 1.1.1.1
+        - 2.2.2.2
+      forwarders:
+        - ip_address: 8.8.8.8
+        - ip_address: 8.8.4.4
+          port: 52
+      serial: 1234
+      refresh: 3600
+      retry: 900
+      expire: 1209600
+      minimum: 3600
+      ttl: 60
+      default_ttl: 90
+      name_server: ipaserver.test.local.
+      admin_email: admin.admin@example.com
+      nsec3param_rec: "1 7 100 0123456789abcdef"
+      skip_overlap_check: true
+      skip_nameserver_check: true
+      state: present
+```
+
+
+Example playbook to disable a zone:
+
+```yaml
+
+---
+- name: Playbook to disable DNS zone
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  - name: Disable zone.
+    ipadnszone:
+      ipaadmin_password: SomeADMINpassword
+      name: testzone.local
+      state: disabled
+```
+
+
+Example playbook to enable a zone:
+```yaml
+
+---
+- name: Playbook to enable DNS zone
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  - name: Enable zone.
+    ipadnszone:
+      ipaadmin_password: SomeADMINpassword
+      name: testzone.local
+      state: enabled
+```
+
+
+Example playbook to remove a zone:
+```yaml
+
+---
+- name: Playbook to remove DNS zone
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  - name: Remove zone.
+    ipadnszone:
+      ipaadmin_password: SomeADMINpassword
+      name: testzone.local
+      state: absent
+
+```
+
+Example playbook to create a zone for reverse DNS lookup, from an IP address:
+
+```yaml
+
+---
+- name: dnszone present
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  - name: Ensure zone for reverse DNS lookup is present.
+    ipadnszone:
+      ipaadmin_password: SomeADMINpassword
+      name_from_ip: 192.168.1.2
+      state: present
+```
+
+Note that, on the previous example the zone created with `name_from_ip` might be "1.168.192.in-addr.arpa.", "168.192.in-addr.arpa.", or "192.in-addr.arpa.", depending on the DNS response the system get while querying for zones, and for this reason, when creating a zone using `name_from_ip`, the inferred zone name is returned to the controller, in the attribute `dnszone.name`. Since the zone inferred might not be what a user expects, `name_from_ip` can only be used with `state: present`. To have more control over the zone name, the prefix length for the IP address can be provided.
+
+Example playbook to create a zone for reverse DNS lookup, from an IP address, given the prefix length and displaying the resulting zone name:
+
+```yaml
+
+---
+- name: dnszone present
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  - name: Ensure zone for reverse DNS lookup is present.
+    ipadnszone:
+      ipaadmin_password: SomeADMINpassword
+      name_from_ip: 192.168.1.2/24
+      state: present
+    register: result
+  - name: Display inferred zone name.
+    debug:
+      msg: "Zone name: {{ result.dnszone.name }}"
+```
+
+
+Variables
+=========
+
+ipadnszone
+----------
+
+Variable | Description | Required
+-------- | ----------- | --------
+`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
+`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
+`name` \| `zone_name` | The zone name string or list of strings. | no
+`name_from_ip` | Derive zone name from reverse of IP (PTR). Can only be used with `state: present`. | no
+`forwarders` | The list of forwarders dicts. Each `forwarders` dict entry has:| no
+  | `ip_address` - The IPv4 or IPv6 address of the DNS server. | yes
+  | `port` - The custom port that should be used on this server. | no
+`forward_policy` | The global forwarding policy. It can be one of `only`, `first`, or `none`.  | no
+`allow_sync_ptr` | Allow synchronization of forward (A, AAAA) and reverse (PTR) records (bool). | no
+`state` | The state to ensure. It can be one of `present`, `enabled`, `disabled` or `absent`, default: `present`. | yes
+`name_server`| Authoritative nameserver domain name | no
+`admin_email`| Administrator e-mail address | no
+`update_policy`| BIND update policy | no
+`dynamic_update` \| `dynamicupdate` | Allow dynamic updates | no
+`dnssec`| Allow inline DNSSEC signing of records in the zone | no
+`allow_transfer`| List of IP addresses or networks which are allowed to transfer the zone | no
+`allow_query`| List of IP addresses or networks which are allowed to issue queries | no
+`serial`| SOA record serial number | no
+`refresh`| SOA record refresh time | no
+`retry`| SOA record retry time | no
+`expire`| SOA record expire time | no
+`minimum`| How long should negative responses be cached | no
+`ttl`| Time to live for records at zone apex | no
+`default_ttl`| Time to live for records without explicit TTL definition | no
+`nsec3param_rec`| NSEC3PARAM record for zone in format: hash_algorithm flags iterations salt | no
+`skip_overlap_check`| Force DNS zone creation even if it will overlap with an existing zone | no
+`skip_nameserver_check` | Force DNS zone creation even if nameserver is not resolvable | no
+
+
+Return Values
+=============
+
+ipadnszone
+----------
+
+Variable | Description | Returned When
+-------- | ----------- | -------------
+`dnszone` | DNS Zone dict with zone name infered from `name_from_ip`. <br>Options: |  If `state` is `present`, `name_from_ip` is used, and a zone was created.
+&nbsp; | `name` - The name of the zone created, inferred from `name_from_ip`. | Always
+
+Authors
+=======
+
+Sergio Oliveira Campos

README-group.md

@@ -19,6 +19,8 @@ Supported FreeIPA Versions
 
 FreeIPA versions 4.4.0 and up are supported by the ipagroup module.
 
+Some variables are only supported on newer versions of FreeIPA. Check `Variables` section for details.
+
 
 Requirements
 ------------
@@ -137,12 +139,15 @@ Variable | Description | Required
 `name` \| `cn` | The list of group name strings. | no
 `description` | The group description string. | no
 `gid` \| `gidnumber` | The GID integer. | no
+`posix` | Create a non-POSIX group or change a non-POSIX to a posix group. (bool) | no
 `nonposix` | Create as a non-POSIX group. (bool) | no
 `external` | Allow adding external non-IPA members from trusted domains. (bool) | no
 `nomembers` | Suppress processing of membership attributes. (bool) | no
 `user` | List of user name strings assigned to this group. | no
 `group` | List of group name strings assigned to this group. | no
 `service` | List of service name strings assigned to this group. Only usable with IPA versions 4.7 and up. | no
+`membermanager_user` | List of member manager users assigned to this group. Only usable with IPA versions 4.8.4 and up. | no
+`membermanager_group` | List of member manager groups assigned to this group. Only usable with IPA versions 4.8.4 and up. | no
 `action` | Work on group or member level. It can be on of `member` or `group` and defaults to `group`. | no
 `state` | The state to ensure. It can be one of `present` or `absent`, default: `present`. | yes
 

README-hbacrule.md

@@ -138,9 +138,9 @@ Variable | Description | Required
 `ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
 `name` \| `cn` | The list of hbacrule name strings. | yes
 `description` | The hbacrule description string. | no
-`usercategory` \| `usercat` | User category the rule applies to. Choices: ["all"] | no
-`hostcategory` \| `hostcat` | Host category the rule applies to. Choices: ["all"] | no
-`servicecategory` \| `servicecat` | HBAC service category the rule applies to. Choices: ["all"] | no
+`usercategory` \| `usercat` | User category the rule applies to. Choices: ["all", ""] | no
+`hostcategory` \| `hostcat` | Host category the rule applies to. Choices: ["all", ""] | no
+`servicecategory` \| `servicecat` | HBAC service category the rule applies to. Choices: ["all", ""] | no
 `nomembers` | Suppress processing of membership attributes. (bool) | no
 `host` | List of host name strings assigned to this hbacrule. | no
 `hostgroup` | List of host group name strings assigned to this hbacrule. | no

README-host.md

@@ -173,14 +173,14 @@ Example playbook to ensure host presence with a random password:
       name: host01.example.com
       random: yes
       force: yes
+      update_password: on_create
     register: ipahost
 
   - name: Print generated random password
     debug:
       var: ipahost.host.randompassword
 ```
-Please remember that the `force` tag will also force the generation of a new random password even if the host already exists and if `update_password` is limited to `on_create`.
-
+Please remember that a new random password will be generated for an existing but not enrolled host if `update_password` is not limited to `on_create`. For an already enrolled host the task will fail with `update_password` default setting `always`.
 
 Example playbook to ensure presence of several hosts with a random password:
 
@@ -198,9 +198,11 @@ Example playbook to ensure presence of several hosts with a random password:
       - name: host01.example.com
         random: yes
         force: yes
+        update_password: on_create
       - name: host02.example.com
         random: yes
         force: yes
+        update_password: on_create
     register: ipahost
 
   - name: Print generated random password for host01.example.com
@@ -211,7 +213,7 @@ Example playbook to ensure presence of several hosts with a random password:
     debug:
       var: ipahost.host["host02.example.com"].randompassword
 ```
-Please remember that the `force` tag will also force the generation of a new random password even if the host alreay exists and if `update_password` is limited to `on_create`.
+Please remember that a new random password will be generated for an existing but not enrolled host if `update_password` is not limited to `on_create`. For an already enrolled host the task will fail with `update_password` default setting `always`.
 
 
 Example playbook to ensure presence of host member principal:
@@ -337,8 +339,8 @@ Variable | Description | Required
 `location` \| `ns_host_location` | Host location (e.g. "Lab 2"). | no
 `platform` \| `ns_hardware_platform` | Host hardware platform (e.g. "Lenovo T61"). | no
 `os` \| `ns_os_version` | Host operating system and version (e.g. "Fedora 9"). | no
-`password` \| `user_password` \| `userpassword` | Password used in bulk enrollment. | no
-`random` \| `random_password` |  Initiate the generation of a random password to be used in bulk enrollment. | no
+`password` \| `user_password` \| `userpassword` | Password used in bulk enrollment for absent or not enrolled hosts. | no
+`random` \| `random_password` |  Initiate the generation of a random password to be used in bulk enrollment for absent or not enrolled hosts. | no
 `certificate` \| `usercertificate` | List of base-64 encoded host certificates | no
 `managedby` \| `principalname` \| `krbprincipalname` | List of hosts that can manage this host | no
 `principal` \| `principalname` \| `krbprincipalname` | List of principal aliases for this host | no
@@ -353,7 +355,7 @@ Variable | Description | Required
 `mac_address` \| `macaddress` | List of hardware MAC addresses. | no
 `sshpubkey` \| `ipasshpubkey` | List of SSH public keys | no
 `userclass` \| `class` | Host category (semantics placed on this attribute are for local interpretation) | no
-`auth_ind` \| `krbprincipalauthind` | Defines a whitelist for Authentication Indicators. Use 'otp' to allow OTP-based 2FA authentications. Use 'radius' to allow RADIUS-based 2FA authentications. Use empty string to reset auth_ind to the initial value. Other values may be used for custom configurations. choices: ["radius", "otp", "pkinit", "hardened", ""] | no
+`auth_ind` \| `krbprincipalauthind` | Defines an allow list for Authentication Indicators. Use 'otp' to allow OTP-based 2FA authentications. Use 'radius' to allow RADIUS-based 2FA authentications. Use empty string to reset auth_ind to the initial value. Other values may be used for custom configurations. choices: ["radius", "otp", "pkinit", "hardened", ""] | no
 `requires_pre_auth` \| `ipakrbrequirespreauth` | Pre-authentication is required for the service (bool) | no
 `ok_as_delegate` \| `ipakrbokasdelegate` | Client credentials may be delegated to the service (bool) | no
 `ok_to_auth_as_delegate` \| `ipakrboktoauthasdelegate` | The service is allowed to authenticate on behalf of a client (bool) | no

README-hostgroup.md

@@ -19,6 +19,8 @@ Supported FreeIPA Versions
 
 FreeIPA versions 4.4.0 and up are supported by the ipahostgroup module.
 
+Some variables are only supported on newer versions of FreeIPA. Check `Variables` section for details.
+
 
 Requirements
 ------------
@@ -105,6 +107,23 @@ Example playbook to make sure hosts and hostgroups are absent in databases hostg
       state: absent
 ```
 
+Example playbook to rename an existing playbook:
+
+```yaml
+---
+- name: Playbook to handle hostgroups
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  # Ensure host-group databases is absent
+  - ipahostgroup:
+      ipaadmin_password: SomeADMINpassword
+      name: databases
+      rename: datalake
+      state: renamed
+```
+
 Example playbook to make sure host-group databases is absent:
 
 ```yaml
@@ -121,7 +140,6 @@ Example playbook to make sure host-group databases is absent:
       state: absent
 ```
 
-
 Variables
 =========
 
@@ -137,8 +155,11 @@ Variable | Description | Required
 `nomembers` | Suppress processing of membership attributes. (bool) | no
 `host` | List of host name strings assigned to this hostgroup. | no
 `hostgroup` | List of hostgroup name strings assigned to this hostgroup. | no
+`membermanager_user` | List of member manager users assigned to this hostgroup. Only usable with IPA versions 4.8.4 and up. | no
+`membermanager_group` | List of member manager groups assigned to this hostgroup. Only usable with IPA versions 4.8.4 and up. | no
+`rename` \| `new_name` | Rename hostgroup to the provided name. Only usable with IPA versions 4.8.7 and up. | no
 `action` | Work on hostgroup or member level. It can be on of `member` or `hostgroup` and defaults to `hostgroup`. | no
-`state` | The state to ensure. It can be one of `present` or `absent`, default: `present`. | no
+`state` | The state to ensure. It can be one of `present`, `absent` or `renamed`, default: `present`. | no
 
 
 Authors

README-location.md

@@ -0,0 +1,92 @@
+Location module
+===============
+
+Description
+-----------
+
+The location module allows to ensure presence and absence of locations.
+
+Features
+--------
+
+* Location management
+
+
+Supported FreeIPA Versions
+--------------------------
+
+FreeIPA versions 4.4.0 and up are supported by the ipalocation module.
+
+
+Requirements
+------------
+
+**Controller**
+* Ansible version: 2.8+
+
+**Node**
+* Supported FreeIPA version (see above)
+
+
+Usage
+=====
+
+Example inventory file
+
+```ini
+[ipaserver]
+ipaserver.test.local
+```
+
+
+Example playbook to make sure location "my_location1" is present:
+
+```yaml
+---
+- name: Playbook to manage IPA location.
+  hosts: ipaserver
+  become: yes
+
+  tasks:
+  - ipalocation:
+      ipaadmin_password: SomeADMINpassword
+      name: my_location1
+      description: My Location 1
+```
+
+
+Example playbook to make sure location "my_location1" is absent:
+
+```yaml
+---
+- name: Playbook to manage IPA location.
+  hosts: ipaserver
+  become: yes
+
+  tasks:
+  - ipalocation:
+      ipaadmin_password: SomeADMINpassword
+      name: my_location1
+      state: absent
+```
+
+
+Variables
+---------
+
+ipalocation
+-------
+
+Variable | Description | Required
+-------- | ----------- | --------
+`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
+`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
+`name` \| `idnsname` | The list of location name strings. | yes
+`description` | The IPA location string | false
+`state` | The state to ensure. It can be one of `present`, `absent`, default: `present`. | no
+
+
+Authors
+=======
+
+Thomas Woerner

README-privilege.md

@@ -0,0 +1,147 @@
+Privilege module
+================
+
+Description
+-----------
+
+The privilege module allows to ensure presence and absence of privileges and privilege members.
+
+Features
+--------
+
+* Privilege management
+
+
+Supported FreeIPA Versions
+--------------------------
+
+FreeIPA versions 4.4.0 and up are supported by the ipaprivilege module.
+
+
+Requirements
+------------
+
+**Controller**
+* Ansible version: 2.8+
+
+**Node**
+* Supported FreeIPA version (see above)
+
+
+Usage
+=====
+
+Example inventory file
+
+```ini
+[ipaserver]
+ipaserver.test.local
+```
+
+
+Example playbook to make sure privilege "Broad Privilege" is present:
+
+```yaml
+---
+- name: Playbook to manage IPA privilege.
+  hosts: ipaserver
+  become: yes
+
+  tasks:
+  - ipaprivilege:
+      ipaadmin_password: SomeADMINpassword
+      name: Broad Privilege
+      description: Broad Privilege
+```
+
+Example playbook to make sure privilege "Broad Privilege" member permission has multiple values:
+
+```yaml
+---
+- name: Playbook to manage IPA privilege permission member.
+  hosts: ipaserver
+  become: yes
+
+  tasks:
+  - ipaprivilege:
+      ipaadmin_password: SomeADMINpassword
+      name: Broad Privilege
+      permission:
+      - "Write IPA Configuration"
+      - "System: Write DNS Configuration"
+      - "System: Update DNS Entries"
+      action: member
+```
+
+
+Example playbook to make sure privilege "Broad Privilege" member permission 'Write IPA Configuration' is absent:
+
+
+```yaml
+---
+- name: Playbook to manage IPA privilege permission member.
+  hosts: ipaserver
+  become: yes
+
+  tasks:
+  - ipaprivilege:
+      ipaadmin_password: SomeADMINpassword
+      name: Broad Privilege
+      permission:
+      - "Write IPA Configuration"
+      action: member
+      state: absent
+```
+
+Example playbook to rename privilege "Broad Privilege" to "DNS Special Privilege":
+
+```yaml
+---
+- name: Playbook to manage IPA privilege.
+  hosts: ipaserver
+  become: yes
+
+  tasks:
+  - ipaprivilege:
+      ipaadmin_password: SomeADMINpassword
+      name: Broad Privilege
+      rename: DNS Special Privilege
+      state: renamed
+```
+
+Example playbook to make sure privilege "DNS Special Privilege" is absent:
+
+```yaml
+---
+- name: Playbook to manage IPA privilege.
+  hosts: ipaserver
+  become: yes
+  - name: Ensure privilege Broad Privilege is absent
+      ipaadmin_password: SomeADMINpassword
+      name: DNS Special Privilege
+      state: absent
+```
+
+
+Variables
+---------
+
+ipaprivilege
+------------
+
+Variable | Description | Required
+-------- | ----------- | --------
+`ipaadmin_principal` | The admin principal is a string and defaults to `admin`. | no
+`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node. | no
+`name` \| `cn` | The list of privilege name strings. | yes
+`description` | Privilege description. | no
+`rename` \| `new_name` | Rename the privilege object. | no
+`permission` | Permissions to be added to the privilege. | no
+`action` | Work on privilege or member level. It can be one of `member` or `privilege` and defaults to `privilege`. | no
+`state` | The state to ensure. It can be one of `present`, `absent` or `renamed`, default: `present`. | no
+
+
+Authors
+=======
+
+Rafael Guterres Jeffman

README-role.md

@@ -0,0 +1,264 @@
+Role module
+===========
+
+Description
+-----------
+
+The role module allows to ensure presence, absence of roles and members of roles.
+
+The role module is as compatible as possible to the Ansible upstream `ipa_role` module, but additionally offers role member management.
+
+
+Features
+--------
+
+* Role management
+
+
+Supported FreeIPA Versions
+--------------------------
+
+FreeIPA versions 4.4.0 and up are supported by the iparole module.
+
+
+Requirements
+------------
+
+**Controller**
+* Ansible version: 2.8+
+
+**Node**
+* Supported FreeIPA version (see above)
+
+
+Usage
+=====
+
+Example inventory file
+
+```ini
+[ipaserver]
+ipaserver.test.local
+```
+
+
+Example playbook to make sure role is present with all members:
+
+```yaml
+---
+- name: Playbook to manage IPA role with members.
+  hosts: ipaserver
+  become: yes
+  gather_facts: no
+
+  tasks:
+  - iparole:
+      ipaadmin_password: SomeADMINpassword
+      name: somerole
+      user:
+      - pinky
+      group:
+      - group01
+      host:
+      - host01.example.com
+      hostgroup:
+      - hostgroup01
+      privilege:
+      - Group Administrators
+      - User Administrators
+      service:
+      - service01
+```
+
+Example playbook to rename a role:
+
+```yaml
+- iparole:
+    ipaadmin_password: SomeADMINpassword
+    name: somerole
+    rename: anotherrole
+```
+
+Example playbook to make sure role is absent:
+
+```yaml
+---
+- name: Playbook to manage IPA role.
+  hosts: ipaserver
+  become: yes
+  gather_facts: no
+
+  tasks:
+  - iparole:
+      ipaadmin_password: SomeADMINpassword
+      name: somerole
+      state: absent
+```
+
+Example playbook to ensure a user is a member of a role:
+
+```yaml
+---
+- name: Playbook to manage IPA role member.
+  hosts: ipaserver
+  become: yes
+  gather_facts: no
+
+  tasks:
+  - iparole:
+      ipaadmin_password: SomeADMINpassword
+      name: somerole
+      user:
+      - pinky
+      action: member
+```
+
+Example playbook to ensure a group is a member of a role:
+
+```yaml
+---
+- name: Playbook to manage IPA role member.
+  hosts: ipaserver
+  become: yes
+  gather_facts: no
+
+  tasks:
+  - iparole:
+      ipaadmin_password: SomeADMINpassword
+      name: somerole
+      host:
+      - host01.example.com
+      action: member
+```
+
+Example playbook to ensure a host is a member of a role:
+
+```yaml
+---
+- name: Playbook to manage IPA role member.
+  hosts: ipaserver
+  become: yes
+  gather_facts: no
+
+  tasks:
+  - iparole:
+      ipaadmin_password: SomeADMINpassword
+      name: somerole
+      host:
+      - host01.example.com
+      action: member
+```
+
+Example playbook to ensure a hostgroup is a member of a role:
+
+```yaml
+---
+- name: Playbook to manage IPA role member.
+  hosts: ipaserver
+  become: yes
+  gather_facts: no
+
+  tasks:
+  - iparole:
+      ipaadmin_password: SomeADMINpassword
+      name: somerole
+      hostgroup:
+      - hostgroup01
+      action: member
+```
+
+Example playbook to ensure a service is a member of a role:
+
+```yaml
+---
+- name: Playbook to manage IPA role member.
+  hosts: ipaserver
+  become: yes
+  gather_facts: no
+
+  tasks:
+  - iparole:
+      ipaadmin_password: SomeADMINpassword
+      name: somerole
+      service:
+      - service01
+      action: member
+```
+
+Example playbook to ensure a privilege is a member of a role:
+
+```yaml
+---
+- name: Playbook to manage IPA role member.
+  hosts: ipaserver
+  become: yes
+  gather_facts: no
+
+  tasks:
+  - iparole:
+      ipaadmin_password: SomeADMINpassword
+      name: somerole
+      privilege:
+      - Group Administrators
+      - User Administrators
+      action: member
+```
+
+Example playbook to ensure that different members are not associated with a role.
+
+```yaml
+---
+- name: Playbook to manage IPA role member.
+  hosts: ipaserver
+  become: yes
+  gather_facts: no
+
+  tasks:
+  - iparole:
+      ipaadmin_password: SomeADMINpassword
+      name: somerole
+      user:
+      - pinky
+      group:
+      - group01
+      host:
+      - host01.example.com
+      hostgroup:
+      - hostgroup01
+      privilege:
+      - Group Administrators
+      - User Administrators
+      service:
+      - service01
+      action: member
+      state: absent
+```
+
+
+Variables
+---------
+
+iparole
+-------
+
+Variable | Description | Required
+-------- | ----------- | --------
+`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
+`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
+`name` \| `cn` | The list of role name strings. | yes
+`description` | A description for the role. | no
+`rename` | Rename the role object. | no
+`privilege` | Privileges associated to this role. | no
+`user` | List of users to be assigned or not assigned to the role. | no
+`group` | List of groups to be assigned or not assigned to the role. | no
+`host` | List of hosts to be assigned or not assigned to the role. | no
+`hostgroup` | List of hostgroups to be assigned or not assigned to the role. | no
+`service` | List of services to be assigned or not assigned to the role. | no
+`action` | Work on role or member level. It can be on of `member` or `role` and defaults to `role`. | no
+`state` | The state to ensure. It can be one of `present`, `absent`, default: `present`. | no
+
+
+Authors
+=======
+
+Rafael Jeffman

README-selfservice.md

@@ -0,0 +1,151 @@
+Selfservice module
+=================
+
+Description
+-----------
+
+The selfservice module allows to ensure presence, absence of selfservices and selfservice attributes.
+
+
+Features
+--------
+
+* Selfservice management
+
+
+Supported FreeIPA Versions
+--------------------------
+
+FreeIPA versions 4.4.0 and up are supported by the ipaselfservice module.
+
+
+Requirements
+------------
+
+**Controller**
+* Ansible version: 2.8+
+
+**Node**
+* Supported FreeIPA version (see above)
+
+
+Usage
+=====
+
+Example inventory file
+
+```ini
+[ipaserver]
+ipaserver.test.local
+```
+
+
+Example playbook to make sure selfservice "Users can manage their own name details" is present:
+
+```yaml
+---
+- name: Playbook to manage IPA selfservice.
+  hosts: ipaserver
+  become: yes
+
+  tasks:
+  - ipaselfservice:
+      ipaadmin_password: SomeADMINpassword
+      name: "Users can manage their own name details"
+      permission: read
+      attribute:
+      - title
+      - initials
+```
+
+
+Example playbook to make sure selfservice "Users can manage their own name details" is absent:
+
+```yaml
+---
+- name: Playbook to manage IPA selfservice.
+  hosts: ipaserver
+  become: yes
+
+  tasks:
+  - ipaselfservice:
+      ipaadmin_password: SomeADMINpassword
+      name: "Users can manage their own name details"
+      state: absent
+```
+
+
+Example playbook to make sure "Users can manage their own name details" member attribute initials is present:
+
+```yaml
+---
+- name: Playbook to manage IPA selfservice.
+  hosts: ipaserver
+  become: yes
+
+  tasks:
+  - ipaselfservice:
+      ipaadmin_password: SomeADMINpassword
+      name: "Users can manage their own name details"
+      attribute:
+      - initials
+      action: member
+```
+
+
+Example playbook to make sure "Users can manage their own name details" member attribute initials is absent:
+
+```yaml
+---
+- name: Playbook to manage IPA selfservice.
+  hosts: ipaserver
+  become: yes
+
+  tasks:
+  - ipaselfservice:
+      ipaadmin_password: SomeADMINpassword
+      name: "Users can manage their own name details"
+      attribute:
+      - initials
+      action: member
+      state: absent
+```
+
+
+Example playbook to make sure selfservice "Users can manage their own name details" is absent:
+
+```yaml
+---
+- name: Playbook to manage IPA selfservice.
+  hosts: ipaserver
+  become: yes
+
+  tasks:
+  - ipaselfservice:
+      ipaadmin_password: SomeADMINpassword
+      name: "Users can manage their own name details"
+      state: absent
+```
+
+
+Variables
+---------
+
+ipaselfservice
+-------
+
+Variable | Description | Required
+-------- | ----------- | --------
+`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
+`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
+`name` \| `aciname` | The list of selfservice name strings. | yes
+`permission` \| `permissions` |  The permission to grant `read`, `read,write`, `write`]. Default is `write`. | no
+`attribute` \| `attrs` | The attribute list to which the selfservice applies. | no
+`action` | Work on selfservice or member level. It can be on of `member` or `selfservice` and defaults to `selfservice`. | no
+`state` | The state to ensure. It can be one of `present`, `absent`, default: `present`. | no
+
+
+Authors
+=======
+
+Thomas Woerner

README-service.md

@@ -18,7 +18,7 @@ Supported FreeIPA Versions
 
 FreeIPA versions 4.4.0 and up are supported by the ipaservice module.
 
-Option `skip_host_check` requires FreeIPA version 4.7.0 or later.
+Some variables are only supported on newer versions of FreeIPA. Check `Variables` section for details.
 
 
 Requirements
@@ -56,7 +56,7 @@ Example playbook to make sure service is present:
   - ipaservice:
       ipaadmin_password: SomeADMINpassword
       name: HTTP/www.example.com
-      certificate:
+      certificate: |
         - MIIC/zCCAeegAwIBAgIUMNHIbn+hhrOVew/2WbkteisV29QwDQYJKoZIhvcNAQELBQAw
         DzENMAsGA1UEAwwEdGVzdDAeFw0yMDAyMDQxNDQxMDhaFw0zMDAyMDExNDQxMDhaMA8xDT
         ALBgNVBAMMBHRlc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC+XVVGFYpH
@@ -77,7 +77,7 @@ Example playbook to make sure service is present:
       requires_pre_auth: false
       ok_as_delegate: false
       ok_to_auth_as_delegate: false
-      skip-host-check: true
+      skip_host_check: true
       force: true
 ```
 
@@ -167,7 +167,7 @@ Example playbook to ensure service has a certificate:
   - ipaservice:
       ipaadmin_password: SomeADMINpassword
       name: HTTP/www.example.com
-      certificate:
+      certificate: |
         - MIIC/zCCAeegAwIBAgIUMNHIbn+hhrOVew/2WbkteisV29QwDQYJKoZIhvcNAQELBQAw
         DzENMAsGA1UEAwwEdGVzdDAeFw0yMDAyMDQxNDQxMDhaFw0zMDAyMDExNDQxMDhaMA8xDT
         ALBgNVBAMMBHRlc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC+XVVGFYpH
@@ -294,11 +294,11 @@ Variable | Description | Required
 `name` \| `service` | The list of service name strings. | yes
 `certificate` \| `usercertificate` | Base-64 encoded service certificate. | no
 `pac_type` \| `ipakrbauthzdata` | Supported PAC type. It can be one of `MS-PAC`, `PAD`, or `NONE`. | no
-`auth_ind` \| `krbprincipalauthind` | Defines a whitelist for Authentication Indicators. It can be any of `otp`, `radius`, `pkinit`, or `hardened`. | no
+`auth_ind` \| `krbprincipalauthind` | Defines an allow list for Authentication Indicators. It can be any of `otp`, `radius`, `pkinit`, or `hardened`. | no
 `requires_pre_auth` \| `ipakrbrequirespreauth` | Pre-authentication is required for the service. Default to true. (bool) | no
 `ok_as_delegate` \|  `ipakrbokasdelegate` | Client credentials may be delegated to the service. Default to false. (bool) | no
 `ok_to_auth_as_delegate` \|  `ipakrboktoauthasdelegate` | The service is allowed to authenticate on behalf of a client. Default to false. (bool) | no
-`skip_host_check` | Force service to be created even when host object does not exist to manage it. Default to false. (bool)| no
+`skip_host_check` | Force service to be created even when host object does not exist to manage it. Only usable with IPA versions 4.7.0 and up. Default to false. (bool)| no
 `force` | Force principal name even if host not in DNS. Default to false. (bool) | no
 `host` \| `managedby_host`| Hosts that can manage the service. | no
 `principal` \| `krbprincipalname` | List of principal aliases for the service. | no
@@ -310,6 +310,7 @@ Variable | Description | Required
 `allow_retrieve_keytab_group` \| `ipaallowedtoperform_read_keys_group` | Groups allowed to retrieve a keytab of this host. | no
 `allow_retrieve_keytab_host` \| `ipaallowedtoperform_read_keys_host` | Hosts allowed to retrieve a keytab from of host. | no
 `allow_retrieve_keytab_hostgroup` \| `ipaallowedtoperform_read_keys_hostgroup` | Host groups allowed to retrieve a keytab of this host. | no
+`continue` | Continuous mode: don't stop on errors. Valid only if `state` is `absent`. Default: `no` (bool) | no
 `action` | Work on service or member level. It can be on of `member` or `service` and defaults to `service`. | no
 `state` | The state to ensure. It can be one of `present`, `absent`, or `disabled`, default: `present`. | no
 

README-sudorule.md

@@ -122,11 +122,11 @@ Variable | Description | Required
 `ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
 `name` \| `cn` | The list of sudorule name strings. | yes
 `description` | The sudorule description string. | no
-`usercategory` | User category the rule applies to. Choices: ["all"] | no
-`hostcategory` | Host category the rule applies to. Choices: ["all"] | no
-`cmdcategory` | Command category the rule applies to. Choices: ["all"] | no
-`runasusercategory` | RunAs User category the rule applies to. Choices: ["all"] | no
-`runasgroupcategory` | RunAs Group category the rule applies to. Choices: ["all"] | no
+`usercategory` \| `usercat` | User category the rule applies to. Choices: ["all", ""] | no
+`hostcategory` \| `hostcat` | Host category the rule applies to. Choices: ["all", ""] | no
+`cmdcategory` \| `cmdcat` | Command category the rule applies to. Choices: ["all", ""] | no
+`runasusercategory` \| `rusasusercat` | RunAs User category the rule applies to. Choices: ["all", ""] | no
+`runasgroupcategory` \| `runasgroupcat` | RunAs Group category the rule applies to. Choices: ["all", ""] | no
 `nomembers` | Suppress processing of membership attributes. (bool) | no
 `host` | List of host name strings assigned to this sudorule. | no
 `hostgroup` | List of host group name strings assigned to this sudorule. | no

README-trust.md

@@ -0,0 +1,119 @@
+Trust module
+============
+
+Description
+-----------
+
+The trust module allows to ensure presence and absence of a domain trust.
+
+Features
+--------
+
+* Trust management
+
+Supported FreeIPA Versions
+--------------------------
+
+FreeIPA versions 4.4.0 and up are supported by the ipatrust module.
+
+Requirements
+------------
+
+**Controller**
+
+* Ansible version: 2.8+
+
+**Node**
+
+* Supported FreeIPA version (see above)
+* samba-4
+* ipa-server-trust-ad
+
+Usage
+=====
+
+Example inventory file
+
+```ini
+[ipaserver]
+ipaserver.test.local
+```
+
+Example playbook to ensure a one-way trust is present:
+Omitting the two_way option implies the default of one-way
+
+```yaml
+---
+- name: Playbook to ensure a one-way trust is present
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  - name: ensure the one-way trust present
+    ipatrust:
+      realm: ad.example.test
+      admin: Administrator
+      password: secret_password
+      state: present
+```
+
+Example playbook to ensure a two-way trust is present using a shared-secret:
+
+```yaml
+---
+- name: Playbook to ensure a two-way trust is present
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  - name: ensure the two-way trust is present
+    ipatrust:
+      realm: ad.example.test
+      trust_secret: my_share_Secret
+      two_way: True
+      state: present
+```
+
+Example playbook to ensure a trust is absent:
+
+```yaml
+---
+- name: Playbook to ensure a trust is absent
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  - name: ensure the trust is absent
+    ipatrust:
+      realm: ad.example.test
+      state: absent
+```
+
+This will only delete the ipa-side of the trust and it does NOT delete the id-range that matches the trust,
+
+Variables
+=========
+
+ipatrust
+-------
+
+Variable | Description | Required
+-------- | ----------- | --------
+`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
+`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
+`realm` | The realm name string. | yes
+`admin` | Active Directory domain administrator string. | no
+`password` | Active Directory domain administrator's password string. | no
+`server` | Domain controller for the Active Directory domain string. | no
+`trust_secret` | Shared secret for the trust string. | no
+`base_id` | First posix id for the trusted domain integer. | no
+`range_size` | Size of the ID range reserved for the trusted domain integer. | no
+`range_type` | Type of trusted domain ID range, It can be one of `ipa-ad-trust` or `ipa-ad-trust-posix`and defaults to `ipa-ad-trust`. | no
+`two_way` | Establish bi-directional trust. By default trust is inbound one-way only. (bool) | no
+`external` | Establish external trust to a domain in another forest. The trust is not transitive beyond the domain. (bool) | no
+`state` | The state to ensure. It can be one of `present` or `absent`, default: `present`. | yes
+
+Authors
+=======
+
+Rob Verduijn

README-user.md

@@ -417,10 +417,11 @@ Variable | Description | Required
 `employeetype` | Employee Type | no
 `preferredlanguage` | Preferred Language | no
 `certificate` | List of base-64 encoded user certificates. | no
-`certmapdata` | List of certificate mappings. Either `certificate` or `issuer` together with `subject` need to be specified. <br>Options: | no
-&nbsp; | `certificate` - Base-64 encoded user certificate | no
-&nbsp; | `issuer` - Issuer of the certificate | no
-&nbsp; | `subject` - Subject of the certificate | no
+`certmapdata` | List of certificate mappings. Either `data` or `certificate` or `issuer` together with `subject` need to be specified. Only usable with IPA versions 4.5 and up. <br>Options: | no
+&nbsp; | `certificate` - Base-64 encoded user certificate, not usable with other certmapdata options. | no
+&nbsp; | `issuer` - Issuer of the certificate, only usable together with `usbject` option. | no
+&nbsp; | `subject` - Subject of the certificate, only usable together with `issuer` option. | no
+&nbsp; | `data` - Certmap data, not usable with other certmapdata options. | no
 `noprivate` | Do not create user private group. (bool) | no
 `nomembers` | Suppress processing of membership attributes. (bool) | no
 
@@ -436,7 +437,7 @@ There are only return values if one or more random passwords have been generated
 
 Variable | Description | Returned When
 -------- | ----------- | -------------
-`host` | Host dict with random password. (dict) <br>Options: | If random is yes and user did not exist or update_password is yes
+`user` | User dict with random password. (dict) <br>Options: | If random is yes and user did not exist or update_password is yes
 &nbsp; | `randompassword` - The generated random password | If only one user is handled by the module
 &nbsp; | `name` - The user name of the user that got a new random password. (dict) <br> Options: <br> &nbsp; `randompassword` - The generated random password | If several users are handled by the module
 

README-vault.md

@@ -41,7 +41,7 @@ Example inventory file
 ipaserver.test.local
 ```
 
-Example playbook to make sure vault is present:
+Example playbook to make sure vault is present (by default, vault type is `symmetric`):
 
 ```yaml
 ---
@@ -53,8 +53,7 @@ Example playbook to make sure vault is present:
   - ipavault:
       ipaadmin_password: SomeADMINpassword
       name: symvault
-      username: admin
-      vault_password: MyVaultPassword123
+      password: SomeVAULTpassword
       description: A standard private vault.
 ```
 
@@ -124,13 +123,30 @@ Example playbook to make sure vault data is present in a symmetric vault:
       ipaadmin_password: SomeADMINpassword
       name: symvault
       username: admin
-      vault_password: MyVaultPassword123
-      vault_data: >
+      password: SomeVAULTpassword
+      data: >
         Data archived.
         More data archived.
       action: member
 ```
 
+Example playbook to retrieve vault data from a symmetric vault:
+
+```yaml
+---
+- name: Playbook to handle vaults
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  - ipavault:
+      ipaadmin_password: SomeADMINpassword
+      name: symvault
+      username: admin
+      password: SomeVAULTpassword
+      state: retrieved
+```
+
 Example playbook to make sure vault data is absent in a symmetric vault:
 
 ```yaml
@@ -144,11 +160,27 @@ Example playbook to make sure vault data is absent in a symmetric vault:
       ipaadmin_password: SomeADMINpassword
       name: symvault
       username: admin
-      vault_password: MyVaultPassword123
+      password: SomeVAULTpassword
       action: member
       state: absent
 ```
 
+Example playbook to change the password of a symmetric:
+
+```yaml
+---
+- name: Playbook to handle vaults
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  - ipavault:
+      ipaadmin_password: SomeADMINpassword
+      name: symvault
+      old_password: SomeVAULTpassword
+      new_password: SomeNEWpassword
+```
+
 Example playbook to make sure vault is absent:
 
 ```yaml
@@ -163,6 +195,9 @@ Example playbook to make sure vault is absent:
       name: symvault
       username: admin
       state: absent
+    register: result
+  - debug:
+      msg: "{{ result.vault.data }}"
 ```
 
 Variables
@@ -178,17 +213,41 @@ Variable | Description | Required
 `name` \| `cn` | The list of vault name strings. | yes
 `description` | The vault description string. | no
 `nomembers` | Suppress processing of membership attributes. (bool) | no
-`vault_public_key` \| `ipavaultpublickey` | Vault public key. | no
-`vault_salt` \| `ipavaultsalt` | Vault salt. | no
+`password` \| `vault_password` \| `ipavaultpassword` \| `old_password`| Vault password. | no
+`password_file` \| `vault_password_file` \| `old_password_file`| File containing Base64 encoded Vault password. | no
+`new_password` | Vault new password. | no
+`new_password_file` | File containing Base64 encoded new Vault password. | no
+`public_key ` \| `vault_public_key` \| `old_password_file` | Base64 encoded vault public key. | no
+`public_key_file` \| `vault_public_key_file` | Path to file with public key. | no
+`private_key `\| `vault_private_key` | Base64 encoded vault private key. Used only to retrieve data. | no
+`private_key_file` \| `vault_private_key_file` | Path to file with private key. Used only to retrieve data. | no
+`salt` \| `vault_salt` \| `ipavaultsalt` | Vault salt. | no
 `vault_type` \| `ipavaulttype` | Vault types are based on security level. It can be one of `standard`, `symmetric` or `asymmetric`, default: `symmetric` | no
+`user` \| `username` | Any user can own one or more user vaults. | no
 `service` | Any service can own one or more service vaults. | no
-`user` | Any user can own one or more user vaults. | no
 `shared` | Vault is shared. Default to false. (bool) | no
 `users` | Users that are members of the vault. | no
 `groups` | Groups that are member of the vault. | no
-`vault_data` \| `ipavaultdata` | Data to be stored in the vault. | no
+`services` | Services that are member of the vault. | no
+`data` \|`vault_data` \| `ipavaultdata` | Data to be stored in the vault. | no
+`in` \| `datafile_in` | Path to file with data to be stored in the vault. | no
+`out` \| `datafile_out` | Path to file to store data retrieved from the vault. | no
 `action` | Work on vault or member level. It can be on of `member` or `vault` and defaults to `vault`. | no
-`state` | The state to ensure. It can be one of `present` or `absent`, default: `present`. | no
+`state` | The state to ensure. It can be one of `present`, `absent` or `retrieved`, default: `present`. | no
+
+
+Return Values
+=============
+
+ipavault
+--------
+
+There is only a return value if `state` is `retrieved`.
+
+Variable | Description | Returned When
+-------- | ----------- | -------------
+`vault` | Vault dict with archived data. (dict) <br>Options: | If `state` is `retrieved` and `out` is not defined.
+&nbsp; | `data` - The vault data. | Always
 
 
 Notes

README.md

@@ -11,6 +11,9 @@ Features
 * Cluster deployments: Server, replicas and clients in one playbook
 * One-time-password (OTP) support for client installation
 * Repair mode for clients
+* Modules for dns forwarder management
+* Modules for dns record management
+* Modules for dns zone management
 * Modules for group management
 * Modules for hbacrule management
 * Modules for hbacsvc management
@@ -18,11 +21,13 @@ Features
 * Modules for host management
 * Modules for hostgroup management
 * Modules for pwpolicy management
+* Modules for role management
 * Modules for service management
 * Modules for sudocmd management
 * Modules for sudocmdgroup management
 * Modules for sudorule management
 * Modules for topology management
+* Modules fot trust management
 * Modules for user management
 * Modules for vault management
 
@@ -408,6 +413,9 @@ Modules in plugin/modules
 =========================
 
 * [ipadnsconfig](README-dnsconfig.md)
+* [ipadnsforwardzone](README-dnsforwardzone.md)
+* [ipadnsrecord](README-dnsrecord.md)
+* [ipadnszone](README-dnszone.md)
 * [ipagroup](README-group.md)
 * [ipahbacrule](README-hbacrule.md)
 * [ipahbacsvc](README-hbacsvc.md)
@@ -415,11 +423,15 @@ Modules in plugin/modules
 * [ipahost](README-host.md)
 * [ipahostgroup](README-hostgroup.md)
 * [ipapwpolicy](README-pwpolicy.md)
+* [iparole](README-role.md)
 * [ipaservice](README-service.md)
 * [ipasudocmd](README-sudocmd.md)
 * [ipasudocmdgroup](README-sudocmdgroup.md)
 * [ipasudorule](README-sudorule.md)
 * [ipatopologysegment](README-topology.md)
 * [ipatopologysuffix](README-topology.md)
+* [ipatrust](README-trust.md)
 * [ipauser](README-user.md)
 * [ipavault](README-vault.md)
+
+If you want to write a new module please read [writing a new module](plugins/modules/README.md).

galaxy.yml

@@ -13,11 +13,11 @@ issues: "https://github.com/freeipa/ansible-freeipa/issues"
 
 readme: "README.md"
 license: "GPL-3.0-or-later"
-license_file: "COPYING"
 
 dependencies:
 
 tags:
+  - "system"
   - "identity"
   - "ipa"
   - "freeipa"

molecule/centos-7-build/molecule.yml

@@ -0,0 +1,18 @@
+---
+driver:
+  name: docker
+platforms:
+  - name: centos-7-build
+    image: centos/systemd
+    pre_build_image: true
+    hostname: ipaserver.test.local
+    dns_servers:
+      - 8.8.8.8
+    volumes:
+      - /sys/fs/cgroup:/sys/fs/cgroup:ro
+    command: /usr/sbin/init
+    privileged: true
+provisioner:
+  name: ansible
+  playbooks:
+    prepare: ../resources/playbooks/prepare-build.yml

molecule/centos-7/molecule.yml

@@ -0,0 +1,18 @@
+---
+driver:
+  name: docker
+platforms:
+  - name: centos-7
+    image: quay.io/ansible-freeipa/upstream-tests:centos-7
+    pre_build_image: true
+    hostname: ipaserver.test.local
+    dns_servers:
+      - 127.0.0.1
+    volumes:
+      - /sys/fs/cgroup:/sys/fs/cgroup:ro
+    command: /usr/sbin/init
+    privileged: true
+provisioner:
+  name: ansible
+  playbooks:
+    prepare: ../resources/playbooks/prepare.yml

molecule/centos-8-build/molecule.yml

@@ -0,0 +1,18 @@
+---
+driver:
+  name: docker
+platforms:
+  - name: centos-8-build
+    image: centos:8
+    pre_build_image: true
+    hostname: ipaserver.test.local
+    dns_servers:
+      - 8.8.8.8
+    volumes:
+      - /sys/fs/cgroup:/sys/fs/cgroup:ro
+    command: /usr/sbin/init
+    privileged: true
+provisioner:
+  name: ansible
+  playbooks:
+    prepare: ../resources/playbooks/prepare-build.yml

molecule/centos-8/molecule.yml

@@ -0,0 +1,18 @@
+---
+driver:
+  name: docker
+platforms:
+  - name: centos-8
+    image: quay.io/ansible-freeipa/upstream-tests:centos-8
+    pre_build_image: true
+    hostname: ipaserver.test.local
+    dns_servers:
+      - 127.0.0.1
+    volumes:
+      - /sys/fs/cgroup:/sys/fs/cgroup:ro
+    command: /usr/sbin/init
+    privileged: true
+provisioner:
+  name: ansible
+  playbooks:
+    prepare: ../resources/playbooks/prepare.yml

molecule/default

@@ -0,0 +1 @@
+centos-8

molecule/fedora-latest-build/Dockerfile

@@ -0,0 +1,30 @@
+FROM fedora:latest
+ENV container=docker
+
+RUN rm -fv /var/cache/dnf/metadata_lock.pid; \
+dnf makecache; \
+dnf --assumeyes install \
+    /usr/bin/python3 \
+    /usr/bin/python3-config \
+    /usr/bin/dnf-3 \
+    sudo \
+    bash \
+    systemd \
+    procps-ng \
+    iproute && \
+dnf clean all; \
+(cd /lib/systemd/system/sysinit.target.wants/; for i in *; do [ $i == systemd-tmpfiles-setup.service ] || rm -f $i; done); \
+rm -f /lib/systemd/system/multi-user.target.wants/*;\
+rm -f /etc/systemd/system/*.wants/*;\
+rm -f /lib/systemd/system/local-fs.target.wants/*; \
+rm -f /lib/systemd/system/sockets.target.wants/*udev*; \
+rm -f /lib/systemd/system/sockets.target.wants/*initctl*; \
+rm -f /lib/systemd/system/basic.target.wants/*;\
+rm -f /lib/systemd/system/anaconda.target.wants/*; \
+rm -rf /var/cache/dnf/;
+
+STOPSIGNAL RTMIN+3
+
+VOLUME ["/sys/fs/cgroup"]
+
+CMD ["/usr/sbin/init"]

molecule/fedora-latest-build/molecule.yml

@@ -0,0 +1,18 @@
+---
+driver:
+  name: docker
+platforms:
+  - name: fedora-latest-build
+    image: fedora-latest
+    dockerfile: Dockerfile
+    hostname: ipaserver.test.local
+    dns_servers:
+      - 8.8.8.8
+    volumes:
+      - /sys/fs/cgroup:/sys/fs/cgroup:ro
+    command: /usr/sbin/init
+    privileged: true
+provisioner:
+  name: ansible
+  playbooks:
+    prepare: ../resources/playbooks/prepare-build.yml

molecule/fedora-latest/molecule.yml

@@ -0,0 +1,18 @@
+---
+driver:
+  name: docker
+platforms:
+  - name: fedora-latest
+    image: quay.io/ansible-freeipa/upstream-tests:fedora-latest
+    pre_build_image: true
+    hostname: ipaserver.test.local
+    dns_servers:
+      - 127.0.0.1
+    volumes:
+      - /sys/fs/cgroup:/sys/fs/cgroup:ro
+    command: /usr/sbin/init
+    privileged: true
+provisioner:
+  name: ansible
+  playbooks:
+    prepare: ../resources/playbooks/prepare.yml

molecule/resources/playbooks/library

@@ -0,0 +1 @@
+../../../plugins/modules/

molecule/resources/playbooks/module_utils

@@ -0,0 +1 @@
+../../../plugins/module_utils/

molecule/resources/playbooks/prepare-build.yml

@@ -0,0 +1,27 @@
+---
+- name: Converge
+  hosts: all
+  tasks:
+  - include_tasks: prepare-common.yml
+
+  - name: Ensure sudo package is installed
+    package:
+      name: sudo
+
+  - name: Ensure nss package is updated
+    package:
+      name: nss
+      state: latest  # noqa 403
+
+  - include_role:
+      name: ipaserver
+    vars:
+      ipaserver_setup_dns: yes
+      ipaserver_setup_kra: yes
+      ipaserver_auto_forwarders: yes
+      ipaserver_no_dnssec_validation: yes
+      ipaserver_auto_reverse: yes
+      ipaadmin_password: SomeADMINpassword
+      ipadm_password: SomeDMpassword
+      ipaserver_domain: test.local
+      ipaserver_realm: TEST.LOCAL

molecule/resources/playbooks/prepare-common.yml

@@ -0,0 +1,33 @@
+# IPA depends on IPv6 and without it dirsrv service won't start.
+- name: Ensure IPv6 is ENABLED
+  sysctl:
+    name: "{{ item.name }}"
+    value: "{{ item.value }}"
+    sysctl_set: yes
+    state: present
+    reload: yes
+  with_items :
+    - name: net.ipv6.conf.all.disable_ipv6
+      value: 0
+    - name: net.ipv6.conf.lo.disable_ipv6
+      value: 0
+    - name: net.ipv6.conf.eth0.disable_ipv6
+      value: 1
+
+# Set fs.protected_regular to 0
+#   This is needed in some IPA versions in order to get KRA enabled.
+#   See https://pagure.io/freeipa/issue/7906 for more information.
+- name: stat protected_regular
+  stat:
+    path: /proc/sys/fs/protected_regular
+  register: result
+
+- name: Ensure fs.protected_regular is disabled
+  sysctl:
+    name: fs.protected_regular
+    value: 0
+    sysctl_set: yes
+    state: present
+    reload: yes
+  when: result.stat.exists
+

molecule/resources/playbooks/prepare.yml

@@ -0,0 +1,26 @@
+---
+- name: Converge
+  hosts: all
+  tasks:
+  - include_tasks: prepare-common.yml
+
+  # In some distros DS won't start up after reboot
+  #   This is due to a problem in 389-ds. See tickets:
+  #   * https://pagure.io/389-ds-base/issue/47429
+  #   * https://pagure.io/389-ds-base/issue/51039
+  #
+  # To avoid this problem we create the directories before starting IPA.
+  - name: Ensure lock dirs for DS exists
+    file:
+      state: directory
+      owner: dirsrv
+      group: dirsrv
+      path: "{{ item }}"
+    loop:
+      - /var/lock/dirsrv/
+      - /var/lock/dirsrv/slapd-TEST-LOCAL/
+
+  - name: Ensure IPA server is up an running
+    service:
+      name: ipa
+      state: started

molecule/resources/playbooks/roles

@@ -0,0 +1 @@
+../../../roles/

playbooks/config/retrieve-config.yml

@@ -0,0 +1,14 @@
+---
+- name: Playbook to handle global DNS configuration
+  hosts: ipaserver
+  become: no
+  gather_facts: no
+
+  tasks:
+  - name: Query IPA global configuration
+    ipaconfig:
+      ipaadmin_password: SomeADMINpassword
+    register: serverconfig
+
+  - debug:
+      msg: "{{ serverconfig }}"

playbooks/config/set-ca-renewal-master-server.yml

@@ -0,0 +1,11 @@
+---
+- name: Playbook to handle global DNS configuration
+  hosts: ipaserver
+  become: no
+  gather_facts: no
+
+  tasks:
+  - name: set ca_renewal_master_server
+    ipaconfig:
+      ipaadmin_password: SomeADMINpassword
+      ca_renewal_master_server: carenewal.example.com

playbooks/delegation/delegation-absent.yml

@@ -0,0 +1,11 @@
+---
+- name: Delegation absent
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  - name: Ensure delegation "basic manager attributes" is absent
+    ipadelegation:
+      ipaadmin_password: SomeADMINpassword
+      name: "basic manager attributes"
+      state: absent

playbooks/delegation/delegation-member-absent.yml

@@ -0,0 +1,15 @@
+---
+- name: Delegation member absent
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  - name: Ensure delegation "basic manager attributes" member attributes employeenumber and employeetype are absent
+    ipadelegation:
+      ipaadmin_password: SomeADMINpassword
+      name: "basic manager attributes"
+      attribute:
+      - employeenumber
+      - employeetype
+      action: member
+      state: absent

playbooks/delegation/delegation-member-present.yml

@@ -0,0 +1,13 @@
+---
+- name: Delegation member present
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  - name: Ensure delegation "basic manager attributes" member attribute departmentnumber is present
+    ipadelegation:
+      ipaadmin_password: SomeADMINpassword
+      name: "basic manager attributes"
+      attribute:
+      - departmentnumber
+      action: member

playbooks/delegation/delegation-present.yml

@@ -0,0 +1,15 @@
+---
+- name: Delegation present
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  - name: Ensure delegation "basic manager attributes" is present
+    ipadelegation:
+      ipaadmin_password: SomeADMINpassword
+      name: "basic manager attributes"
+      permission: read
+      attribute:
+      - businesscategory
+      group: managers
+      membergroup: employees

playbooks/dnsforwardzone/ensure-dnsforwardzone-is-absent.yml

@@ -0,0 +1,11 @@
+---
+- name: Playbook to manage DNS forward zone
+  hosts: ipaserver
+  become: true
+  gather_facts: false
+
+  tasks:
+  # Ensure DNS zone is present
+  - ipadnsforwardzone:
+      ipaadmin_password: SomeADMINpassword
+      state: absent

playbooks/dnsforwardzone/ensure-dnsforwardzone-is-present.yml

@@ -0,0 +1,16 @@
+---
+- name: Playbook to manage DNS forward zone
+  hosts: ipaserver
+  become: true
+  gather_facts: false
+
+  tasks:
+  # Ensure DNS zone is present
+  - ipadnsforwardzone:
+      ipaadmin_password: SomeADMINpassword
+      name: example.com
+      forwarders:
+        - ip_address: 8.8.8.8
+      forwardpolicy: first
+      skip_overlap_check: true
+      permission: yes

playbooks/dnsforwardzone/ensure-dnsforwardzone-with-forwarder-port.yml

@@ -0,0 +1,14 @@
+---
+- name: Playbook to manage DNS forward zone
+  hosts: ipaserver
+  become: true
+  gather_facts: false
+
+  tasks:
+  # Ensure DNS zone is present
+  - ipadnsforwardzone:
+      ipaadmin_password: SomeADMINpassword
+      name: example.com
+      forwarders:
+        - ip_address: 192.168.100.123
+          port: 8063

playbooks/dnsrecord/ensure-A-and-AAAA-records-are-absent.yml

@@ -0,0 +1,18 @@
+---
+- name: Test PTR Record is present.
+  hosts: ipaserver
+  become: true
+  gather_facts: false
+
+  tasks:
+  # Ensure a PTR record is present
+  - name: Ensure that 'host04' has A and AAAA records.
+    ipadnsrecord:
+      ipaadmin_password: SomeADMINpassword
+      zone_name: ipatest.local
+      records:
+      - name: host04
+        a_ip_address: 192.168.122.104
+      - name: host04
+        aaaa_ip_address: ::1
+      state: absent

playbooks/dnsrecord/ensure-A-and-AAAA-records-are-present.yml

@@ -0,0 +1,17 @@
+---
+- name: Test PTR Record is present.
+  hosts: ipaserver
+  become: true
+  gather_facts: false
+
+  tasks:
+  # Ensure a PTR record is present
+  - name: Ensure that 'host04' has A and AAAA records.
+    ipadnsrecord:
+      ipaadmin_password: SomeADMINpassword
+      zone_name: ipatest.local
+      records:
+      - name: host04
+        a_ip_address: 192.168.122.104
+      - name: host04
+        aaaa_ip_address: ::1

playbooks/dnsrecord/ensure-CNAME-record-is-absent.yml

@@ -0,0 +1,13 @@
+---
+- name: Test CNAME Record is present.
+  hosts: ipaserver
+  become: true
+  gather_facts: false
+
+  tasks:
+  # Ensure that 'host04' has CNAME, with cname_hostname
+  - ipadnsrecord:
+      zone_name: example.com
+      name: host04
+      cname_hostname: host04.example.com
+      state: absent

playbooks/dnsrecord/ensure-CNAME-record-is-present.yml

@@ -0,0 +1,12 @@
+---
+- name: Test CNAME Record is present.
+  hosts: ipaserver
+  become: true
+  gather_facts: false
+
+  tasks:
+  # Ensure that 'host04' has CNAME, with cname_hostname
+  - ipadnsrecord:
+      zone_name: example.com
+      name: host04
+      cname_hostname: host04.example.com

playbooks/dnsrecord/ensure-MX-record-is-present.yml

@@ -0,0 +1,15 @@
+---
+- name: Ensure MX Record is present.
+  hosts: ipaserver
+  become: true
+  gather_facts: false
+
+  tasks:
+  # Ensure an MX record is absent
+  - ipadnsrecord:
+      ipaadmin_password: SomeADMINpassword
+      name: '@'
+      record_type: 'MX'
+      record_value: '1 mailserver.example.com'
+      zone_name: example.com
+      state: present

playbooks/dnsrecord/ensure-PTR-record-is-present.yml

@@ -0,0 +1,15 @@
+---
+- name: Test PTR Record is present.
+  hosts: ipaserver
+  become: true
+  gather_facts: false
+
+  tasks:
+  # Ensure a PTR record is present
+  - ipadnsrecord:
+      ipaadmin_password: SomeADMINpassword
+      name: 5
+      record_type: 'PTR'
+      record_value: 'internal.ipa.example.com'
+      zone_name: 2.168.192.in-addr.arpa
+      state: present

playbooks/dnsrecord/ensure-SRV-record-is-present.yml

@@ -0,0 +1,15 @@
+---
+- name: Test SRV Record is present.
+  hosts: ipaserver
+  become: true
+  gather_facts: false
+
+  tasks:
+  # Ensure a SRV record is present
+  - ipadnsrecord:
+      ipaadmin_password: SomeADMINpassword
+      name: _kerberos._udp.example.com
+      record_type: 'SRV'
+      record_value: '10 50 88 ipa.example.com'
+      zone_name: example.com
+      state: present

playbooks/dnsrecord/ensure-SSHFP-record-is-present.yml

@@ -0,0 +1,16 @@
+---
+- name: Test SSHFP Record is present.
+  hosts: ipaserver
+  become: true
+  gather_facts: false
+
+  tasks:
+  # Ensure a SSHFP record is present
+  # SSHFP fingerprint generated with `ssh-keygen -r host04.testzone.local`
+  - ipadnsrecord:
+      ipaadmin_password: SomeADMINpassword
+      zone_name: example.com
+      name: host04
+      sshfp_algorithm: 1
+      sshfp_fp_type: 1
+      sshfp_fingerprint: d21802c61733e055b8d16296cbce300efb8a167a

playbooks/dnsrecord/ensure-TLSA-record-is-present.yml

@@ -0,0 +1,16 @@
+---
+- name: Test SSHFP Record is present.
+  hosts: ipaserver
+  become: true
+  gather_facts: false
+
+  tasks:
+  # Ensure a SSHFP record is present
+  - ipadnsrecord:
+      ipaadmin_password: SomeADMINpassword
+      zone_name: example.com
+      name: host04
+      tlsa_cert_usage: 3
+      tlsa_selector: 1
+      tlsa_matching_type: 1
+      tlsa_cert_association_data: 9c0ad776dbeae8d9d55b0ad42899d30235c114d5f918fd69746e4279e47bdaa2

playbooks/dnsrecord/ensure-TXT-record-is-present.yml

@@ -0,0 +1,15 @@
+---
+- name: Test TXT Record is present.
+  hosts: ipaserver
+  become: true
+  gather_facts: false
+
+  tasks:
+  # Ensure a TXT record is absent
+  - ipadnsrecord:
+      ipaadmin_password: SomeADMINpassword
+      name: _kerberos
+      record_type: 'TXT'
+      record_value: 'EXAMPLE.COM'
+      zone_name: example.com
+      state: present

playbooks/dnsrecord/ensure-URI-record-is-present.yml

@@ -0,0 +1,17 @@
+---
+- name: Test URI Record is present.
+  hosts: ipaserver
+  become: true
+  gather_facts: false
+
+  tasks:
+  # Ensure a URI record is absent
+  - ipadnsrecord:
+      ipaadmin_password: SomeADMINpassword
+      name: _ftp._tcp
+      record_type: 'URI'
+      uri_priority: 10
+      uri_weight: 1
+      uri_target: ftp://ftp.example.com/public
+      zone_name: example.com
+      state: present

playbooks/dnsrecord/ensure-dnsrecord-is-absent.yml

@@ -0,0 +1,15 @@
+---
+- name: Test DNS Record is absent.
+  hosts: ipaserver
+  become: true
+  gather_facts: false
+
+  tasks:
+  # Ensure that dns record is absent
+  - ipadnsrecord:
+      ipaadmin_password: SomeADMINpassword
+      name: host01
+      zone_name: example.com
+      record_type: 'AAAA'
+      record_value: '::1'
+      state: absent

playbooks/dnsrecord/ensure-dnsrecord-is-present.yml

@@ -0,0 +1,15 @@
+---
+- name: Test DNS Record is present.
+  hosts: ipaserver
+  become: true
+  gather_facts: false
+
+  tasks:
+  # Ensure that dns record is present
+  - ipadnsrecord:
+      ipaadmin_password: SomeADMINpassword
+      name: host01
+      zone_name: example.com
+      record_type: 'AAAA'
+      record_value: '::1'
+      state: present

playbooks/dnsrecord/ensure-dnsrecord-with-reverse-is-present.yml

@@ -0,0 +1,15 @@
+---
+- name: Test DNS Record is present.
+  hosts: ipaserver
+  become: true
+  gather_facts: false
+
+  tasks:
+  # Ensure that dns record is present
+  - ipadnsrecord:
+      ipaadmin_password: SomeADMINpassword
+      name: host01
+      zone_name: example.com
+      ip_address: 192.160.123.45
+      create_reverse: yes
+      state: present

playbooks/dnsrecord/ensure-multiple-A-records-are-present.yml

@@ -0,0 +1,17 @@
+---
+- name: Playbook to manage DNS records.
+  hosts: ipaserver
+  become: yes
+  gather_facts: no
+
+  tasks:
+  - name: Ensure that 'host04' has multiple A records.
+    ipadnsrecord:
+      ipaadmin_password: SomeADMINpassword
+      zone_name: ipatest.local
+      name: host01
+      a_rec:
+        - 192.168.122.221
+        - 192.168.122.222
+        - 192.168.122.223
+        - 192.168.122.224

playbooks/dnsrecord/ensure-presence-multiple-records.yml

@@ -0,0 +1,21 @@
+---
+- name: Test multiple DNS Records are present.
+  hosts: ipaserver
+  become: true
+  gather_facts: false
+
+  tasks:
+  # Ensure that multiple dns records are present
+  - ipadnsrecord:
+      ipaadmin_password: SomeADMINpassword
+      records:
+        - name: host01
+          zone_name: example.com
+          record_type: A
+          record_value:
+            - 192.168.122.112
+            - 192.168.122.122
+        - name: host01
+          zone_name: testzone.local
+          record_type: AAAA
+          record_value: ::1

playbooks/dnszone/disable-zone-forwarders.yml

@@ -0,0 +1,11 @@
+---
+- name: Playbook to disable DNS zone forwarders
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  - name: Disable zone forwarders.
+    ipadnszone:
+      ipaadmin_password: SomeADMINpassword
+      name: testzone.local
+      forward_policy: none

playbooks/dnszone/dnszone-absent.yml

@@ -0,0 +1,11 @@
+---
+- name: Playbook to ensure DNS zone is absent
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  - name: Remove zone.
+    ipadnszone:
+      ipaadmin_password: SomeADMINpassword
+      name: testzone.local
+      state: absent

playbooks/dnszone/dnszone-all-params.yml

@@ -0,0 +1,35 @@
+- name: dnszone present
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  - name: Ensure zone is present.
+    ipadnszone:
+      ipaadmin_password: SomeADMINpassword
+      name: testzone.local
+      allow_sync_ptr: true
+      dynamic_update: true
+      dnssec: true
+      allow_transfer:
+        - 1.1.1.1
+        - 2.2.2.2
+      allow_query:
+        - 1.1.1.1
+        - 2.2.2.2
+      forwarders:
+        - ip_address: 8.8.8.8
+        - ip_address: 8.8.4.4
+          port: 52
+      #serial: 1234
+      refresh: 3600
+      retry: 900
+      expire: 1209600
+      minimum: 3600
+      ttl: 60
+      default_ttl: 90
+      name_server: ipaserver.test.local.
+      admin_email: admin.admin@example.com
+      nsec3param_rec: "1 7 100 0123456789abcdef"
+      skip_overlap_check: true
+      skip_nameserver_check: true
+      state: present

playbooks/dnszone/dnszone-disable.yml

@@ -0,0 +1,11 @@
+---
+- name: Playbook to disable DNS zone
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  - name: Disable zone.
+    ipadnszone:
+      ipaadmin_password: SomeADMINpassword
+      name: testzone.local
+      state: disabled

playbooks/dnszone/dnszone-enable.yml

@@ -0,0 +1,11 @@
+---
+- name: Playbook to enable DNS zone
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  - name: Enable zone.
+    ipadnszone:
+      ipaadmin_password: SomeADMINpassword
+      name: testzone.local
+      state: enabled

playbooks/dnszone/dnszone-present.yml

@@ -0,0 +1,10 @@
+- name: dnszone present
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  - name: Ensure zone is present.
+    ipadnszone:
+      ipaadmin_password: SomeADMINpassword
+      name: testzone.local
+      state: present

playbooks/dnszone/dnszone-reverse-from-ip.yml

@@ -0,0 +1,15 @@
+---
+- name: Playbook to ensure DNS zone exist
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  - name: Ensure zone exist, finding zone name from IP address.
+    ipadnszone:
+      ipaadmin_password: SomeADMINpassword
+      name_from_ip: 10.1.2.3/24
+    register: result
+
+  - name: Zone name inferred from `name_from_ip`
+    debug:
+      msg: "Zone created: {{ result.dnszone.name }}"

playbooks/host/host-member-managedby_host-absent.yml

@@ -4,7 +4,7 @@
   become: true
 
   tasks:
-    ipahost:
+  - ipahost:
       ipaadmin_password: SomeADMINpassword
       name: host01.exmaple.com
       managedby_host: server.exmaple.com

playbooks/host/host-member-managedby_host-present.yml

@@ -4,7 +4,7 @@
   become: true
 
   tasks:
-    ipahost:
+  - ipahost:
       ipaadmin_password: SomeADMINpassword
       name: host01.exmaple.com
       managedby_host: server.exmaple.com

playbooks/host/host-present-with-managedby_host.yml

@@ -4,7 +4,7 @@
   become: true
 
   tasks:
-    ipahost:
+  - ipahost:
       ipaadmin_password: SomeADMINpassword
       name: host01.exmaple.com
       managedby_host: server.exmaple.com

playbooks/host/hosts-member-managedby_host-absent.yml

@@ -4,6 +4,7 @@
   become: true
 
   tasks:
+  - name: Ensure hosts manadegby_host is absent.
     ipahost:
       ipaadmin_password: SomeADMINpassword
       hosts:

playbooks/host/hosts-member-managedby_host-present.yml

@@ -4,6 +4,7 @@
   become: true
 
   tasks:
+  - name: Ensure hosts manadegby_host is absent.
     ipahost:
       ipaadmin_password: SomeADMINpassword
       hosts:

playbooks/host/hosts-present-with-managedby_host.yml

@@ -4,7 +4,7 @@
   become: true
 
   tasks:
-    ipahost:
+  - ipahost:
       ipaadmin_password: SomeADMINpassword
       hosts:
       - name: host01.exmaple.com

playbooks/host/hosts-present-with-randompasswords.yml

@@ -23,4 +23,3 @@
   - name: Print generated random password for host02.example.com
     debug:
       var: ipahost.host["host02.example.com"].randompassword
-

playbooks/hostgroup/rename-hostgroup.yml

@@ -0,0 +1,12 @@
+---
+- name: Playbook to handle hostgroups
+  hosts: ipaserver
+  become: yes
+
+  tasks:
+  - name : Rename host-group from `databases` to `datalake`
+    ipahostgroup:
+      ipaadmin_password: SomeADMINpassword
+      name: databases
+      rename: datalake
+      state: renamed

playbooks/location/location-absent.yml

@@ -0,0 +1,11 @@
+---
+- name: Location absent test
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  - name: Ensure location my_location1 is absent
+    ipalocation:
+      ipaadmin_password: SomeADMINpassword
+      name: my_location1
+      state: absent

playbooks/location/location-present.yml

@@ -0,0 +1,10 @@
+---
+- name: Location present test
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  - name: Ensure location my_location1 is present
+    ipalocation:
+      ipaadmin_password: SomeADMINpassword
+      name: my_location1

playbooks/privilege/privilege-absent.yml

@@ -0,0 +1,10 @@
+---
+- name: Privilege absent example
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  - name: Ensure privilege "Broad Privilege" is absent
+    ipaprivilege:
+      name: Broad Privilege
+      state: absent

playbooks/privilege/privilege-member-absent.yml

@@ -0,0 +1,14 @@
+---
+- name: Privilege absent example
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  - name: Ensure privilege "Broad Privilege" permission is absent
+    ipaprivilege:
+      ipaadmin_password: SomeADMINpassword
+      name: Broad Privilege
+      permission:
+      - "System: Write IPA Configuration"
+      action: member
+      state: absent

playbooks/privilege/privilege-member-present.yml

@@ -0,0 +1,15 @@
+---
+- name: Privilege member present example
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  - name: Ensure privilege "Broad Privilege" permissions are present
+    ipaprivilege:
+      ipaadmin_password: SomeADMINpassword
+      name: Broad Privilege
+      permission:
+      - "System: Write IPA Configuration"
+      - "System: Write DNS Configuration"
+      - "System: Update DNS Entries"
+      action: member

playbooks/privilege/privilege-present.yml

@@ -0,0 +1,11 @@
+---
+- name: Privilege present example
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  - name: Ensure privilege Broad Privilege is present
+    ipaprivilege:
+      ipaadmin_password: SomeADMINpassword
+      name: Broad Privilege
+      description: Broad Privilege

playbooks/role/role-is-absent.yml

@@ -0,0 +1,11 @@
+---
+- name: Playbook to manage IPA role.
+  hosts: ipaserver
+  become: yes
+  gather_facts: no
+
+  tasks:
+  - iparole:
+      ipaadmin_password: SomeADMINpassword
+      name: somerole
+      state: absent

playbooks/role/role-is-present.yml

@@ -0,0 +1,11 @@
+---
+- name: Playbook to manage IPA role.
+  hosts: ipaserver
+  become: yes
+  gather_facts: no
+
+  tasks:
+  - iparole:
+      ipaadmin_password: SomeADMINpassword
+      name: somerole
+      description: A role in IPA.

playbooks/role/role-member-group-absent.yml

@@ -0,0 +1,14 @@
+---
+- name: Playbook to manage IPA role member.
+  hosts: ipaserver
+  become: yes
+  gather_facts: no
+
+  tasks:
+  - iparole:
+      ipaadmin_password: SomeADMINpassword
+      name: somerole
+      group:
+      - group01
+      action: member
+      state: absent

playbooks/role/role-member-group-present.yml

@@ -0,0 +1,13 @@
+---
+- name: Playbook to manage IPA role member.
+  hosts: ipaserver
+  become: yes
+  gather_facts: no
+
+  tasks:
+  - iparole:
+      ipaadmin_password: SomeADMINpassword
+      name: somerole
+      group:
+      - group01
+      action: member

playbooks/role/role-member-host-absent.yml

@@ -0,0 +1,14 @@
+---
+- name: Playbook to manage IPA role member.
+  hosts: ipaserver
+  become: yes
+  gather_facts: no
+
+  tasks:
+  - iparole:
+      ipaadmin_password: SomeADMINpassword
+      name: somerole
+      host:
+      - host01.example.com
+      action: member
+      state: absent

playbooks/role/role-member-host-present.yml

@@ -0,0 +1,13 @@
+---
+- name: Playbook to manage IPA role member.
+  hosts: ipaserver
+  become: yes
+  gather_facts: no
+
+  tasks:
+  - iparole:
+      ipaadmin_password: SomeADMINpassword
+      name: somerole
+      host:
+      - host01.example.com
+      action: member

playbooks/role/role-member-hostgroup-absent.yml

@@ -0,0 +1,14 @@
+---
+- name: Playbook to manage IPA role member.
+  hosts: ipaserver
+  become: yes
+  gather_facts: no
+
+  tasks:
+  - iparole:
+      ipaadmin_password: SomeADMINpassword
+      name: somerole
+      hostgroup:
+      - hostgroup01
+      action: member
+      state: absent

playbooks/role/role-member-hostgroup-present.yml

@@ -0,0 +1,13 @@
+---
+- name: Playbook to manage IPA role member.
+  hosts: ipaserver
+  become: yes
+  gather_facts: no
+
+  tasks:
+  - iparole:
+      ipaadmin_password: SomeADMINpassword
+      name: somerole
+      hostgroup:
+      - hostgroup01
+      action: member

playbooks/role/role-member-privilege-absent.yml

@@ -0,0 +1,15 @@
+---
+- name: Playbook to manage IPA role member.
+  hosts: ipaserver
+  become: yes
+  gather_facts: no
+
+  tasks:
+  - iparole:
+      ipaadmin_password: SomeADMINpassword
+      name: somerole
+      privilege:
+      - Group Administrators
+      - User Administrators
+      action: member
+      state: absent

playbooks/role/role-member-privilege-present.yml

@@ -0,0 +1,14 @@
+---
+- name: Playbook to manage IPA role member.
+  hosts: ipaserver
+  become: yes
+  gather_facts: no
+
+  tasks:
+  - iparole:
+      ipaadmin_password: SomeADMINpassword
+      name: somerole
+      privilege:
+      - Group Administrators
+      - User Administrators
+      action: member

playbooks/role/role-member-service-absent.yml

@@ -0,0 +1,14 @@
+---
+- name: Playbook to manage IPA role member.
+  hosts: ipaserver
+  become: yes
+  gather_facts: no
+
+  tasks:
+  - iparole:
+      ipaadmin_password: SomeADMINpassword
+      name: testrole
+      service:
+      - http/www.example.com
+      action: member
+      state: absent

playbooks/role/role-member-service-present.yml

@@ -0,0 +1,13 @@
+---
+- name: Playbook to manage IPA role member.
+  hosts: ipaserver
+  become: yes
+  gather_facts: no
+
+  tasks:
+  - iparole:
+      ipaadmin_password: SomeADMINpassword
+      name: somerole
+      service:
+      - service01
+      action: member

playbooks/role/role-member-user-absent.yml

@@ -0,0 +1,14 @@
+---
+- name: Playbook to manage IPA role member.
+  hosts: ipaserver
+  become: yes
+  gather_facts: no
+
+  tasks:
+  - iparole:
+      ipaadmin_password: SomeADMINpassword
+      name: somerole
+      user:
+      - pinky
+      action: member
+      state: absent

playbooks/role/role-member-user-present.yml

@@ -0,0 +1,13 @@
+---
+- name: Playbook to manage IPA role member.
+  hosts: ipaserver
+  become: yes
+  gather_facts: no
+
+  tasks:
+  - iparole:
+      ipaadmin_password: SomeADMINpassword
+      name: somerole
+      user:
+      - pinky
+      action: member

playbooks/role/role-members-absent.yml

@@ -0,0 +1,25 @@
+---
+- name: Playbook to manage IPA role member.
+  hosts: ipaserver
+  become: yes
+  gather_facts: no
+
+  tasks:
+  - iparole:
+      ipaadmin_password: SomeADMINpassword
+      name: somerole
+      user:
+      - pinky
+      group:
+      - group01
+      host:
+      - host01.example.com
+      hostgroup:
+      - hostgroup01
+      privilege:
+      - Group Administrators
+      - User Administrators
+      service:
+      - service01
+      action: member
+      state: absent