collection: Allow playbooks to be executed using collection

When available in a collection 'playbooks' directory, playbooks can be directly accessed as roles and modules: 'namespace.collection.playbook'. This allows, for example the deployment roles to be executed with the provided ansible-freeipa playbooks requiring minimal effort from the user part. In order to be accessible, though, the playbooks must not use dash ("-") on the file names, as they are replaced by underscorse ("_") during Ansible processing and then, the files are not found. By renaming the playbooks that, currently, do not set any variable as an usage example, replacing "-" by "_", we allow the FreeIPA collection playbooks to be executed without the user having to search for the correct file, like: $ ansible-playbook -i inventory freeipa.ansible_freeipa.install_server
Merge pull request #1340 from t-woerner/dns_over_tls_hotfix
2026-05-14 21:42:17 +00:00 · 2025-03-17 15:39:07 -03:00 · 2025-02-11 14:51:58 +05:30 · 2025-02-07 18:16:10 +01:00 · 2025-02-04 11:54:15 -03:00 · 2025-02-04 12:32:42 +01:00
352 changed files with 12739 additions and 3954 deletions
--- a/.ansible-lint
+++ b/.ansible-lint
@@ -7,7 +7,6 @@ exclude_paths:
  - .tox/
  - .venv/
  - .yamllint
  - molecule/
  - tests/azure/
  - meta/runtime.yml
  - requirements-docker.yml
--- a/.github/workflows/ansible-test.yml
+++ b/.github/workflows/ansible-test.yml
@@ -8,7 +8,7 @@ jobs:
    name: Verify ansible-test sanity
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v3.1.0
+      - uses: actions/checkout@v4.1.1
        with:
          fetch-depth: 0
      - name: Run ansible-test
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -8,10 +8,10 @@ jobs:
    name: Check Ansible Documentation with ansible-core 2.13.
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v3.1.0
+      - uses: actions/checkout@v4.1.1
        with:
-          fetch-depth: 0
+          fetch-depth: 1
-      - uses: actions/setup-python@v4.3.0
+      - uses: actions/setup-python@v5.1.0
        with:
          python-version: '3.x'
      - name: Install Ansible 2.13
@@ -25,10 +25,10 @@ jobs:
    name: Check Ansible Documentation with ansible-core 2.14.
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v3.1.0
+      - uses: actions/checkout@v4.1.1
        with:
-          fetch-depth: 0
+          fetch-depth: 1
-      - uses: actions/setup-python@v4.3.0
+      - uses: actions/setup-python@v5.1.0
        with:
          python-version: '3.x'
      - name: Install Ansible 2.14
@@ -42,10 +42,10 @@ jobs:
    name: Check Ansible Documentation with ansible-core 2.15.
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v3.1.0
+      - uses: actions/checkout@v4.1.1
        with:
-          fetch-depth: 0
+          fetch-depth: 1
-      - uses: actions/setup-python@v4.3.0
+      - uses: actions/setup-python@v5.1.0
        with:
          python-version: '3.x'
      - name: Install Ansible 2.15
@@ -59,10 +59,10 @@ jobs:
    name: Check Ansible Documentation with latest Ansible version.
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v3.1.0
+      - uses: actions/checkout@v4.1.1
        with:
-          fetch-depth: 0
+          fetch-depth: 1
-      - uses: actions/setup-python@v4.3.0
+      - uses: actions/setup-python@v5.1.0
        with:
          python-version: '3.x'
      - name: Install Ansible-latest
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -8,55 +8,40 @@ jobs:
    name: Verify ansible-lint
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v3.1.0
+      - uses: actions/checkout@v4.1.1
        with:
          fetch-depth: 0
-      - uses: actions/setup-python@v4.3.0
+      - uses: actions/setup-python@v5.1.0
        with:
          python-version: "3.x"
      - name: Run ansible-lint
        run: |
-          pip install "ansible-core >=2.15,<2.16" ansible-lint
+          pip install "ansible-core>=2.16,<2.17" 'ansible-lint==6.22'
          utils/build-galaxy-release.sh -ki
          cd .galaxy-build
-          ansible-lint
+          ansible-lint --profile production --exclude tests/integration/ --exclude tests/unit/ --parseable --nocolor
  yamllint:
    name: Verify yamllint
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v3.1.0
+      - uses: actions/checkout@v4.1.1
        with:
-          fetch-depth: 0
+          fetch-depth: 1
-      - uses: actions/setup-python@v4.3.0
+      - uses: actions/setup-python@v5.1.0
        with:
          python-version: "3.x"
      - name: Run yaml-lint
        uses: ibiqlik/action-yamllint@v3.1.1
  pydocstyle:
    name: Verify pydocstyle
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3.1.0
        with:
          fetch-depth: 0
      - uses: actions/setup-python@v4.3.0
        with:
          python-version: "3.x"
      - name: Run pydocstyle
        run: |
            pip install pydocstyle
            pydocstyle
  flake8:
    name: Verify flake8
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v3.1.0
+      - uses: actions/checkout@v4.1.1
        with:
-          fetch-depth: 0
+          fetch-depth: 1
-      - uses: actions/setup-python@v4.3.0
+      - uses: actions/setup-python@v5.1.0
        with:
          python-version: "3.x"
      - name: Run flake8
@@ -68,23 +53,25 @@ jobs:
    name: Verify pylint
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v3.1.0
+      - uses: actions/checkout@v4.1.1
        with:
-          fetch-depth: 0
+          fetch-depth: 1
-      - uses: actions/setup-python@v4.3.0
+      - uses: actions/setup-python@v5.1.0
        with:
          python-version: "3.x"
      - name: Run pylint
        run: |
-            pip install pylint==2.14.4 wrapt==1.14.0
+            pip install 'pylint>=3.0'
            pylint plugins roles --disable=import-error
  shellcheck:
    name: Shellcheck
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v3.1.0
+      - uses: actions/checkout@v4.1.1
        with:
-          fetch-depth: 0
+          fetch-depth: 1
      - name: Run ShellCheck
        uses: ludeeus/action-shellcheck@master
        env:
          SHELLCHECK_OPTS: -x
--- a/.github/workflows/readme.yml
+++ b/.github/workflows/readme.yml
@@ -8,9 +8,9 @@ jobs:
    name: Verify readme
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v3.1.0
+      - uses: actions/checkout@v4.1.1
        with:
-          fetch-depth: 0
+          fetch-depth: 1
      - name: Run readme test
        run: |
          error=0
--- a/.gitignore
+++ b/.gitignore
@@ -12,3 +12,4 @@ importer_result.json
 /.venv/
 tests/logs/
 TEST*.xml
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -1,30 +1,36 @@
 ---
 repos:
 - repo: https://github.com/ansible/ansible-lint.git
-  rev: v6.6.1
+  rev: v24.5.0
  hooks:
  - id: ansible-lint
    always_run: false
    pass_filenames: true
    files: \.(yaml|yml)$
    exclude: /env[^/]*.(yaml|yml)$
-    entry: |
+    entry: |-
-        env ANSIBLE_LIBRARY=./plugins/modules ANSIBLE_MODULE_UTILS=./plugins/module_utils ANSIBLE_DOC_FRAGMENT_PLUGINS=./plugins/doc_fragments ansible-lint
+        env
        ANSIBLE_LIBRARY=./plugins/modules
        ANSIBLE_MODULE_UTILS=./plugins/module_utils
        ANSIBLE_DOC_FRAGMENT_PLUGINS=./plugins/doc_fragments
        ansible-lint
          --offline
          --profile production
          --exclude tests/integration/
          --exclude tests/unit/
          --parseable
          --nocolor
 - repo: https://github.com/adrienverge/yamllint.git
-  rev: v1.28.0
+  rev: v1.35.1
  hooks:
  - id: yamllint
    files: \.(yaml|yml)$
 - repo: https://github.com/pycqa/flake8
-  rev: 5.0.3
+  rev: 7.0.0
  hooks:
  - id: flake8
 - repo: https://github.com/pycqa/pydocstyle
  rev: 6.0.0
  hooks:
  - id: pydocstyle
 - repo: https://github.com/pycqa/pylint
-  rev: v2.14.4
+  rev: v3.2.2
  hooks:
  - id: pylint
    args:
@@ -44,4 +50,7 @@ repos:
    name: ShellCheck
    language: system
    entry: shellcheck
-    files: \.sh$
+    args: ['-x']
    files: >
      \.sh$
      utils/sh*$
--- a/.yamllint
+++ b/.yamllint
@@ -20,4 +20,9 @@ rules:
    max: 160
  # Disabled rules
  indentation: disable
-  comments: disable
+  comments:
    min-spaces-from-content: 1
  comments-indentation: disable
  octal-values:
    forbid-implicit-octal: true
    forbid-explicit-octal: true
--- a/README-automember.md
+++ b/README-automember.md
@@ -22,7 +22,7 @@ Requirements
 ------------
 **Controller**
-* Ansible version: 2.8+
+* Ansible version: 2.14+
 **Node**
 * Supported FreeIPA version (see above)
--- a/README-automountkey.md
+++ b/README-automountkey.md
@@ -21,7 +21,7 @@ FreeIPA versions 4.4.0 and up are supported by the ipaautomountkey module.
 Requirements
 ------------
 **Controller**
-* Ansible version: 2.8+
+* Ansible version: 2.14+
 **Node**
 * Supported FreeIPA version (see above)
--- a/README-automountlocation.md
+++ b/README-automountlocation.md
@@ -21,7 +21,7 @@ FreeIPA versions 4.4.0 and up are supported by the ipaautomountlocation module.
 Requirements
 ------------
 **Controller**
-* Ansible version: 2.8+
+* Ansible version: 2.14+
 **Node**
 * Supported FreeIPA version (see above)
--- a/README-automountmap.md
+++ b/README-automountmap.md
@@ -21,7 +21,7 @@ FreeIPA versions 4.4.0 and up are supported by the ipaautomountmap module.
 Requirements
 ------------
 **Controller**
-* Ansible version: 2.8+
+* Ansible version: 2.14+
 **Node**
 * Supported FreeIPA version (see above)
--- a/README-cert.md
+++ b/README-cert.md
@@ -25,7 +25,7 @@ Requirements
 ------------
 **Controller**
-* Ansible version: 2.8+
+* Ansible version: 2.14+
 * Some tool to generate a certificate signing request (CSR) might be needed, like `openssl`.
 **Node**
@@ -77,6 +77,23 @@ Example playbook to revoke an existing certificate:
    ipacert:
      ipaadmin_password: SomeADMINpassword
      serial_number: 123456789
      reason: 5
      state: revoked
 ```
 When revoking a certificate a mnemonic can also be used to set the revocation reason:
 ```yaml
 ---
 - name: Revoke certificate
  hosts: ipaserver
  tasks:
  - name Revoke a certificate
    ipacert:
      ipaadmin_password: SomeADMINpassword
      serial_number: 123456789
      reason: cessationOfOperation
      state: revoked
 ```
--- a/README-config.md
+++ b/README-config.md
@@ -25,7 +25,7 @@ Requirements
 ------------
 **Controller**
-* Ansible version: 2.8+
+* Ansible version: 2.14+
 **Node**
 * Supported FreeIPA version (see above)
--- a/README-delegation.md
+++ b/README-delegation.md
@@ -23,7 +23,7 @@ Requirements
 ------------
 **Controller**
-* Ansible version: 2.8+
+* Ansible version: 2.14+
 **Node**
 * Supported FreeIPA version (see above)
--- a/README-dnsconfig.md
+++ b/README-dnsconfig.md
@@ -22,7 +22,7 @@ Requirements
 ------------
 **Controller**
-* Ansible version: 2.8+
+* Ansible version: 2.14+
 **Node**
 * Supported FreeIPA version (see above)
--- a/README-dnsforwardzone.md
+++ b/README-dnsforwardzone.md
@@ -21,7 +21,7 @@ FreeIPA versions 4.4.0 and up are supported by the ipadnsforwardzone module.
 Requirements
 ------------
 **Controller**
-* Ansible version: 2.8+
+* Ansible version: 2.14+
 **Node**
 * Supported FreeIPA version (see above)
--- a/README-dnsrecord.md
+++ b/README-dnsrecord.md
@@ -22,7 +22,7 @@ Requirements
 ------------
 **Controller**
-* Ansible version: 2.8+
+* Ansible version: 2.14+
 **Node**
 * Supported FreeIPA version (see above)
--- a/README-dnszone.md
+++ b/README-dnszone.md
@@ -23,7 +23,7 @@ Requirements
 ------------
 **Controller**
-* Ansible version: 2.8+
+* Ansible version: 2.14+
 **Node**
@@ -133,6 +133,22 @@ Example playbook to enable a zone:
      state: enabled
 ```
 Example playbook to allow per-zone privilege delegation:
 ```yaml
 ---
 - name: Playbook to enable per-zone privilege delegation
  hosts: ipaserver
  become: true
  tasks:
  - name: Enable privilege delegation.
    ipadnszone:
      ipaadmin_password: SomeADMINpassword
      name: testzone.local
      permission: true
 ```
 Example playbook to remove a zone:
 ```yaml
@@ -223,6 +239,7 @@ Variable | Description | Required
 `ttl`| Time to live for records at zone apex | no
 `default_ttl`| Time to live for records without explicit TTL definition | no
 `nsec3param_rec`| NSEC3PARAM record for zone in format: hash_algorithm flags iterations salt | no
 `permission` \| `managedby` | Set per-zone access delegation permission. | no
 `skip_overlap_check`| Force DNS zone creation even if it will overlap with an existing zone | no
 `skip_nameserver_check` | Force DNS zone creation even if nameserver is not resolvable | no
@@ -238,4 +255,6 @@ Variable | Description | Returned When
 Authors
 =======
-Sergio Oliveira Campos
+- Sergio Oliveira Campos
 - Thomas Woerner
 - Rafael Jeffman
--- a/README-group.md
+++ b/README-group.md
@@ -8,8 +8,12 @@ The group module allows to ensure presence and absence of groups and members of
 The group module is as compatible as possible to the Ansible upstream `ipa_group` module, but additionally offers to add users to a group and also to remove users from a group.
-## Note
+
-Ensuring presence (adding) of several groups with mixed types (`external`, `nonposix` and `posix`) requires a fix in FreeIPA. The module implements a workaround to automatically use `client` context if the fix is not present in the target node FreeIPA and if more than one group is provided to the task using the `groups` parameter. If `ipaapi_context` is forced to be `server`, the module will fail in this case.
+Notes
 -----
 * Ensuring presence (adding) of several groups with mixed types (`external`, `nonposix` and `posix`) requires a fix in FreeIPA. The module implements a workaround to automatically use `client` context if the fix is not present in the target node FreeIPA and if more than one group is provided to the task using the `groups` parameter. If `ipaapi_context` is forced to be `server`, the module will fail in this case.
 * Using `externalmember` or `idoverrideuser` is only supported with `ipaapi_context: server`. With 'client' context, module execution will fail.
 Features
@@ -29,7 +33,7 @@ Requirements
 ------------
 **Controller**
-* Ansible version: 2.8+
+* Ansible version: 2.14+
 **Node**
 * Supported FreeIPA version (see above)
@@ -130,6 +134,45 @@ And ensure the presence of the groups with this example playbook:
      groups: "{{ groups }}"
 ```
 Example playbook to rename a group:
 ```yaml
 ---
 - name: Playbook to rename a single group
  hosts: ipaserver
  become: false
  gather_facts: false
  tasks:
  - name: Rename group appops to webops
    ipagroup:
      ipaadmin_password: SomeADMINpassword
      name: appops
      rename: webops
      state: renamed
 ```
 Several groups can also be renamed with a single task, as in the example playbook:
 ```yaml
 ---
 - name: Playbook to rename multiple groups
  hosts: ipaserver
  become: false
  gather_facts: false
  tasks:
  - name: Rename group1 to newgroup1 and group2 to newgroup2
    ipagroup:
      ipaadmin_password: SomeADMINpassword
      groups:
      - name: group1
        rename: newgroup1
      - name: group2
        rename: newgroup2
      state: renamed
 ```
 Example playbook to add users to a group:
 ```yaml
@@ -174,7 +217,7 @@ Example playbook to add members from a trusted realm to an external group:
 ---
 - name: Playbook to handle groups.
  hosts: ipaserver
-  
+
  tasks:
  - name: Create an external group and add members from a trust to it.
    ipagroup:
@@ -237,6 +280,7 @@ Example playbook to ensure groups are absent:
      state: absent
 ```
 Variables
 =========
@@ -260,13 +304,15 @@ Variable | Description | Required
 `service` | List of service name strings assigned to this group. Only usable with IPA versions 4.7 and up. | no
 `membermanager_user` | List of member manager users assigned to this group. Only usable with IPA versions 4.8.4 and up. | no
 `membermanager_group` | List of member manager groups assigned to this group. Only usable with IPA versions 4.8.4 and up. | no
-`externalmember` \| `ipaexternalmember`  \| `external_member`| List of members of a trusted domain in DOM\\name or name@domain form. | no
+`externalmember` \| `ipaexternalmember`  \| `external_member`| List of members of a trusted domain in DOM\\name or name@domain form. Requires "server" context. | no
-`idoverrideuser` | List of user ID overrides to manage. Only usable with IPA versions 4.8.7 and up.| no
+`idoverrideuser` | List of user ID overrides to manage. Only usable with IPA versions 4.8.7 and up. Requires "server" context. | no
 `rename` \| `new_name` | Rename the user object to the new name string. Only usable with `state: renamed`. | no
 `action` | Work on group or member level. It can be on of `member` or `group` and defaults to `group`. | no
-`state` | The state to ensure. It can be one of `present` or `absent`, default: `present`. | yes
+`state` | The state to ensure. It can be one of `present`, `absent` or `renamed`, default: `present`. | yes
 Authors
 =======
-Thomas Woerner
+- Thomas Woerner
 - Rafael Jeffman
--- a/README-hbacrule.md
+++ b/README-hbacrule.md
@@ -22,7 +22,7 @@ Requirements
 ------------
 **Controller**
-* Ansible version: 2.8+
+* Ansible version: 2.14+
 **Node**
 * Supported FreeIPA version (see above)
@@ -44,7 +44,7 @@ Example playbook to make sure HBAC Rule login exists:
 ```yaml
 ---
 - name: Playbook to handle hbacrules
-  hbacsvcs: ipaserver
+  hosts: ipaserver
  become: true
  tasks:
@@ -60,7 +60,7 @@ Example playbook to make sure HBAC Rule login exists with the only HBAC Service
 ```yaml
 ---
 - name: Playbook to handle hbacrules
-  hbacsvcs: ipaserver
+  hosts: ipaserver
  become: true
  tasks:
@@ -77,7 +77,7 @@ Example playbook to make sure HBAC Service sshd is present in HBAC Rule login:
 ```yaml
 ---
 - name: Playbook to handle hbacrules
-  hbacsvcs: ipaserver
+  hosts: ipaserver
  become: true
  tasks:
@@ -95,7 +95,7 @@ Example playbook to make sure HBAC Service sshd is absent in HBAC Rule login:
 ```yaml
 ---
 - name: Playbook to handle hbacrules
-  hbacsvcs: ipaserver
+  hosts: ipaserver
  become: true
  tasks:
@@ -114,7 +114,7 @@ Example playbook to make sure HBAC Rule login is absent:
 ```yaml
 ---
 - name: Playbook to handle hbacrules
-  hbacsvcs: ipaserver
+  hosts: ipaserver
  become: true
  tasks:
--- a/README-hbacsvc.md
+++ b/README-hbacsvc.md
@@ -22,7 +22,7 @@ Requirements
 ------------
 **Controller**
-* Ansible version: 2.8+
+* Ansible version: 2.14+
 **Node**
 * Supported FreeIPA version (see above)
--- a/README-hbacsvcgroup.md
+++ b/README-hbacsvcgroup.md
@@ -22,7 +22,7 @@ Requirements
 ------------
 **Controller**
-* Ansible version: 2.8+
+* Ansible version: 2.14+
 **Node**
 * Supported FreeIPA version (see above)
@@ -44,7 +44,7 @@ Example playbook to make sure HBAC Service Group login exists:
 ```yaml
 ---
 - name: Playbook to handle hbacsvcgroups
-  hbacsvcs: ipaserver
+  hosts: ipaserver
  become: true
  tasks:
@@ -60,7 +60,7 @@ Example playbook to make sure HBAC Service Group login exists with the only HBAC
 ```yaml
 ---
 - name: Playbook to handle hbacsvcgroups
-  hbacsvcs: ipaserver
+  hosts: ipaserver
  become: true
  tasks:
@@ -77,7 +77,7 @@ Example playbook to make sure HBAC Service sshd is present in HBAC Service Group
 ```yaml
 ---
 - name: Playbook to handle hbacsvcgroups
-  hbacsvcs: ipaserver
+  hosts: ipaserver
  become: true
  tasks:
@@ -95,7 +95,7 @@ Example playbook to make sure HBAC Service sshd is absent in HBAC Service Group
 ```yaml
 ---
 - name: Playbook to handle hbacsvcgroups
-  hbacsvcs: ipaserver
+  hosts: ipaserver
  become: true
  tasks:
@@ -114,7 +114,7 @@ Example playbook to make sure HBAC Service Group login is absent:
 ```yaml
 ---
 - name: Playbook to handle hbacsvcgroups
-  hbacsvcs: ipaserver
+  hosts: ipaserver
  become: true
  tasks:
--- a/README-host.md
+++ b/README-host.md
@@ -24,7 +24,7 @@ Requirements
 ------------
 **Controller**
-* Ansible version: 2.8+
+* Ansible version: 2.14+
 **Node**
 * Supported FreeIPA version (see above)
@@ -341,7 +341,7 @@ Variable | Description | Required
 `password` \| `user_password` \| `userpassword` | Password used in bulk enrollment for absent or not enrolled hosts. | no
 `random` \| `random_password` |  Initiate the generation of a random password to be used in bulk enrollment for absent or not enrolled hosts. | no
 `certificate` \| `usercertificate` | List of base-64 encoded host certificates | no
-`managedby` \| `principalname` \| `krbprincipalname` | List of hosts that can manage this host | no
+`managedby_host` | List of hosts that can manage this host | no
 `principal` \| `principalname` \| `krbprincipalname` | List of principal aliases for this host | no
 `allow_create_keytab_user` \| `ipaallowedtoperform_write_keys_user` | Users allowed to create a keytab of this host. | no
 `allow_create_keytab_group` \| `ipaallowedtoperform_write_keys_group` | Groups allowed to create a keytab of this host. | no
--- a/README-hostgroup.md
+++ b/README-hostgroup.md
@@ -26,7 +26,7 @@ Requirements
 ------------
 **Controller**
-* Ansible version: 2.8+
+* Ansible version: 2.14+
 **Node**
 * Supported FreeIPA version (see above)
--- a/README-idoverridegroup.md
+++ b/README-idoverridegroup.md
@@ -0,0 +1,233 @@
 Idoverridegroup module
 ============
 Description
 -----------
 The idoverridegroup module allows to ensure presence and absence of idoverridegroups and idoverridegroup members.
 Use Cases
 ---------
 With idoverridegroup it is possible to manage group attributes within ID views. These attributes are for example the group name or gid.
 Features
 --------
 * Idoverridegroup management
 Supported FreeIPA Versions
 --------------------------
 FreeIPA versions 4.4.0 and up are supported by the ipaidoverridegroup module.
 Requirements
 ------------
 **Controller**
 * Ansible version: 2.14+
 **Node**
 * Supported FreeIPA version (see above)
 Usage
 =====
 Example inventory file
 ```ini
 [ipaserver]
 ipaserver.test.local
 ```
 Example playbook to make sure test group test_group is present in idview test_idview
 ```yaml
 ---
 - name: Playbook to manage idoverridegroup
  hosts: ipaserver
  become: false
  tasks:
  - name: Ensure test group test_group is present in idview test_idview.
    ipaidoverridegroup:
      ipaadmin_password: SomeADMINpassword
      idview: test_idview
      anchor: test_group
 ```
 Example playbook to make sure test group test_group is present in idview test_idview with description
 ```yaml
 ---
 - name: Playbook to manage idoverridegroup
  hosts: ipaserver
  become: false
  tasks:
  - name: Ensure test group test_group is present in idview test_idview with description
    ipaidoverridegroup:
      ipaadmin_password: SomeADMINpassword
      idview: test_idview
      anchor: test_group
      description: "test_group description"
 ```
 Example playbook to make sure test group test_group is present in idview test_idview without description
 ```yaml
 ---
 - name: Playbook to manage idoverridegroup
  hosts: ipaserver
  become: false
  tasks:
  - name: Ensure test group test_group is present in idview test_idview without description
    ipaidoverridegroup:
      ipaadmin_password: SomeADMINpassword
      idview: test_idview
      anchor: test_group
      description: ""
 ```
 Example playbook to make sure test group test_group is present in idview test_idview with internal name test_123_group
 ```yaml
 ---
 - name: Playbook to manage idoverridegroup
  hosts: ipaserver
  become: false
  tasks:
  - name: Ensure test group test_group is present in idview test_idview with internal name test_123_group
    ipaidoverridegroup:
      ipaadmin_password: SomeADMINpassword
      idview: test_idview
      anchor: test_group
      name: test_123_group
 ```
 Example playbook to make sure test group test_group is present in idview test_idview without internal name
 ```yaml
 ---
 - name: Playbook to manage idoverridegroup
 - name: Ensure test group test_group is present in idview test_idview without internal name
  hosts: ipaserver
  become: false
  tasks:
  - ipaidoverridegroup:
      ipaadmin_password: SomeADMINpassword
      idview: test_idview
      anchor: test_group
      name: ""
 ```
 Example playbook to make sure test group test_group is present in idview test_idview with gid 20001
 ```yaml
 ---
 - name: Playbook to manage idoverridegroup
  hosts: ipaserver
  become: false
  tasks:
  - name: Ensure test group test_group is present in idview test_idview with gid 20001
    ipaidoverridegroup:
      ipaadmin_password: SomeADMINpassword
      idview: test_idview
      anchor: test_group
      gid: 20001
 ```
 Example playbook to make sure test group test_group is present in idview test_idview without gid
 ```yaml
 ---
 - name: Playbook to manage idoverridegroup
  hosts: ipaserver
  become: false
  tasks:
  - name: Ensure test group test_group is present in idview test_idview without gid
    ipaidoverridegroup:
      ipaadmin_password: SomeADMINpassword
      idview: test_idview
      anchor: test_group
      gid: ""
 ```
 Example playbook to make sure test group test_group is present in idview test_idview with enabling falling back to AD DC LDAP when resolving AD trusted objects. (For two-way trusts only.)
 ```yaml
 ---
 - name: Playbook to manage idoverridegroup
  hosts: ipaserver
  become: false
  tasks:
  - name: Ensure test group test_group is present in idview test_idview with fallback_to_ldap enabled
    ipaidoverridegroup:
      ipaadmin_password: SomeADMINpassword
      idview: test_idview
      anchor: test_group
      fallback_to_ldap: true
 ```
 Example playbook to make sure test group test_group is absent in idview test_idview
 ```yaml
 ---
 - name: Playbook to manage idoverridegroup
  hosts: ipaserver
  become: false
  tasks:
  - name: Ensure test group test_group is absent in idview test_idview
    ipaidoverridegroup:
      ipaadmin_password: SomeADMINpassword
      idview: test_idview
      anchor: test_group
      continue: true
      state: absent
 ```
 Variables
 ---------
 Variable | Description | Required
 -------- | ----------- | --------
 `ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
 `ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
 `ipaapi_context` | The context in which the module will execute. Executing in a server context is preferred. If not provided context will be determined by the execution environment. Valid values are `server` and `client`. | no
 `ipaapi_ldap_cache` | Use LDAP cache for IPA connection. The bool setting defaults to true. (bool) | no
 `idview` \| `idviewcn` | The doverridegroup idview string. | yes
 `anchor` \| `ipaanchoruuid` | The list of anchors to override. | yes
 `description` \| `desc` | Description | no
 `name` \| `group_name` \| `cn` | The group. | no
 `gid` \| `gidnumber` | Group ID Number (int or "") | no
 `fallback_to_ldap` | Allow falling back to AD DC LDAP when resolving AD trusted objects. For two-way trusts only. | no
 `delete_continue` \| `continue` | Continuous mode. Don't stop on errors. Valid only if `state` is `absent`. | no
 `state` | The state to ensure. It can be one of `present`, `absent`, default: `present`. | no
 Authors
 =======
 Thomas Woerner
--- a/README-idoverrideuser.md
+++ b/README-idoverrideuser.md
@@ -0,0 +1,503 @@
 Idoverrideuser module
 ============
 Description
 -----------
 The idoverrideuser module allows to ensure presence and absence of idoverrideusers and idoverrideuser members.
 Use Cases
 ---------
 With idoverrideuser it is possible to manage user attributes within ID views. These attributes are for example the login name, home directory, certificate for authentication or SSH keys.
 Features
 --------
 * Idoverrideuser management
 Supported FreeIPA Versions
 --------------------------
 FreeIPA versions 4.4.0 and up are supported by the ipaidoverrideuser module.
 Requirements
 ------------
 **Controller**
 * Ansible version: 2.14+
 **Node**
 * Supported FreeIPA version (see above)
 Usage
 =====
 Example inventory file
 ```ini
 [ipaserver]
 ipaserver.test.local
 ```
 Example playbook to make sure test user test_user is present in idview test_idview
 ```yaml
 ---
 - name: Playbook to manage idoverrideuser
  hosts: ipaserver
  become: false
  tasks:
  - name: Ensure test user test_user is present in idview test_idview.
    ipaidoverrideuser:
      ipaadmin_password: SomeADMINpassword
      idview: test_idview
      anchor: test_user
 ```
 Example playbook to make sure test user test_user is present in idview test_idview with description
 ```yaml
 ---
 - name: Playbook to manage idoverrideuser
  hosts: ipaserver
  become: false
  tasks:
  - name: Ensure test user test_user is present in idview test_idview with description
    ipaidoverrideuser:
      ipaadmin_password: SomeADMINpassword
      idview: test_idview
      anchor: test_user
      description: "test_user description"
 ```
 Example playbook to make sure test user test_user is present in idview test_idview without description
 ```yaml
 ---
 - name: Playbook to manage idoverrideuser
  hosts: ipaserver
  become: false
  tasks:
  - name: Ensure test user test_user is present in idview test_idview without description
    ipaidoverrideuser:
      ipaadmin_password: SomeADMINpassword
      idview: test_idview
      anchor: test_user
      description: ""
 ```
 Example playbook to make sure test user test_user is present in idview test_idview with internal name test_123_user
 ```yaml
 ---
 - name: Playbook to manage idoverrideuser
  hosts: ipaserver
  become: false
  tasks:
  - name: Ensure test user test_user is present in idview test_idview with internal name test_123_user
    ipaidoverrideuser:
      ipaadmin_password: SomeADMINpassword
      idview: test_idview
      anchor: test_user
      name: test_123_user
 ```
 Example playbook to make sure test user test_user is present in idview test_idview without internal name
 ```yaml
 ---
 - name: Playbook to manage idoverrideuser
  hosts: ipaserver
  become: false
  tasks:
  - name: Ensure test user test_user is present in idview test_idview without internal name
    ipaidoverrideuser:
      ipaadmin_password: SomeADMINpassword
      idview: test_idview
      anchor: test_user
      name: ""
 ```
 Example playbook to make sure test user test_user is present in idview test_idview with uid 20001
 ```yaml
 ---
 - name: Playbook to manage idoverrideuser
  hosts: ipaserver
  become: false
  tasks:
  - name: Ensure test user test_user is present in idview test_idview with uid 20001
    ipaidoverrideuser:
      ipaadmin_password: SomeADMINpassword
      idview: test_idview
      anchor: test_user
      uid: 20001
 ```
 Example playbook to make sure test user test_user is present in idview test_idview without uid
 ```yaml
 ---
 - name: Playbook to manage idoverrideuser
  hosts: ipaserver
  become: false
  tasks:
  - name: Ensure test user test_user is present in idview test_idview without uid
    ipaidoverrideuser:
      ipaadmin_password: SomeADMINpassword
      idview: test_idview
      anchor: test_user
      uid: ""
 ```
 Example playbook to make sure test user test_user is present in idview test_idview with gecos "Gecos Test"
 ```yaml
 ---
 - name: Playbook to manage idoverrideuser
  hosts: ipaserver
  become: false
  tasks:
  - name: Ensure test user test_user is present in idview test_idview with gecos "Gecos Test"
    ipaidoverrideuser:
      ipaadmin_password: SomeADMINpassword
      idview: test_idview
      anchor: test_user
      gecos: Gecos Test
 ```
 Example playbook to make sure test user test_user is present in idview test_idview without gecos
 ```yaml
 ---
 - name: Playbook to manage idoverrideuser
  hosts: ipaserver
  become: false
  tasks:
  - name: Ensure test user test_user is present in idview test_idview without gecos
    ipaidoverrideuser:
      ipaadmin_password: SomeADMINpassword
      idview: test_idview
      anchor: test_user
      gecos: ""
 ```
 Example playbook to make sure test user test_user is present in idview test_idview with gidnumber
 ```yaml
 ---
 - name: Playbook to manage idoverrideuser
  hosts: ipaserver
  become: false
  tasks:
  - name: Ensure test user test_user is present in idview test_idview with gidnumber
    ipaidoverrideuser:
      ipaadmin_password: SomeADMINpassword
      idview: test_idview
      anchor: test_user
      gidnumber: 20001
 ```
 Example playbook to make sure test user test_user is present in idview test_idview without gidnumber
 ```yaml
 ---
 - name: Playbook to manage idoverrideuser
  hosts: ipaserver
  become: false
  tasks:
  - name: Ensure test user test_user is present in idview test_idview without gidnumber
    ipaidoverrideuser:
      ipaadmin_password: SomeADMINpassword
      idview: test_idview
      anchor: test_user
      gidnumber: ""
 ```
 Example playbook to make sure test user test_user is present in idview test_idview with homedir /Users
 ```yaml
 ---
 - name: Playbook to manage idoverrideuser
  hosts: ipaserver
  become: false
  tasks:
  - name: Ensure test user test_user is present in idview test_idview with homedir /Users
    ipaidoverrideuser:
      ipaadmin_password: SomeADMINpassword
      idview: test_idview
      anchor: test_user
      homedir: /Users
 ```
 Example playbook to make sure test user test_user is present in idview test_idview without homedir
 ```yaml
 ---
 - name: Playbook to manage idoverrideuser
  hosts: ipaserver
  become: false
  tasks:
  - name: Ensure test user test_user is present in idview test_idview without homedir
    ipaidoverrideuser:
      ipaadmin_password: SomeADMINpassword
      idview: test_idview
      anchor: test_user
      homedir: ""
 ```
 Example playbook to make sure test user test_user is present in idview test_idview with shell
 ```yaml
 ---
 - name: Playbook to manage idoverrideuser
  hosts: ipaserver
  become: false
  tasks:
  - name: Ensure test user test_user is present in idview test_idview with shell
    ipaidoverrideuser:
      ipaadmin_password: SomeADMINpassword
      idview: test_idview
      anchor: test_user
      shell: /bin/someshell
 ```
 Example playbook to make sure test user test_user is present in idview test_idview without shell
 ```yaml
 ---
 - name: Playbook to manage idoverrideuser
  hosts: ipaserver
  become: false
  tasks:
  - name: Ensure test user test_user is present in idview test_idview without shell
    ipaidoverrideuser:
      ipaadmin_password: SomeADMINpassword
      idview: test_idview
      anchor: test_user
      shell: ""
 ```
 Example playbook to make sure test user test_user is present in idview test_idview with sshpubkey
 ```yaml
 ---
 - name: Playbook to manage idoverrideuser
  hosts: ipaserver
  become: false
  tasks:
  - name: Ensure test user test_user is present in idview test_idview with sshpubkey
    ipaidoverrideuser:
      ipaadmin_password: SomeADMINpassword
      idview: test_idview
      anchor: test_user
      sshpubkey:
      - ssh-rsa AAAAB3NzaC1yc2EAAADAQABAAABgQCqmVDpEX5gnSjKuv97Ay ...
 ```
 Example playbook to make sure test user test_user is present in idview test_idview without sshpubkey
 ```yaml
 ---
 - name: Playbook to manage idoverrideuser
  hosts: ipaserver
  become: false
  tasks:
  - name: Ensure test user test_user is present in idview test_idview without sshpubkey
    ipaidoverrideuser:
      ipaadmin_password: SomeADMINpassword
      idview: test_idview
      anchor: test_user
      sshpubkey: []
 ```
 Example playbook to make sure test user test_user is present in idview test_idview with 1 certificate
 ```yaml
 ---
 - name: Playbook to manage idoverrideuser
  hosts: ipaserver
  become: false
  tasks:
  - name: Ensure test user test_user is present in idview test_idview with 1 certificate
    ipaidoverrideuser:
      ipaadmin_password: SomeADMINpassword
      idview: test_idview
      anchor: test_user
      certificate:
      - "{{ lookup('file', 'cert1.b64', rstrip=False) }}"
 ```
 Example playbook to make sure test user test_user is present in idview test_idview with 3 certificate members
 ```yaml
 ---
 - name: Playbook to manage idoverrideuser
  hosts: ipaserver
  become: false
  tasks:
  - name: Ensure test user test_user is present in idview test_idview with 3 certificate members
    ipaidoverrideuser:
      ipaadmin_password: SomeADMINpassword
      idview: test_idview
      anchor: test_user
      certificate:
      - "{{ lookup('file', 'cert1.b64', rstrip=False) }}"
      - "{{ lookup('file', 'cert2.b64', rstrip=False) }}"
      - "{{ lookup('file', 'cert3.b64', rstrip=False) }}"
      action: member
 ```
 Example playbook to make sure test user test_user is present in idview test_idview without 2 certificate members
 ```yaml
 ---
 - name: Playbook to manage idoverrideuser
  hosts: ipaserver
  become: false
  tasks:
  - name: Ensure test user test_user is present in idview test_idview without 2 certificate members
    ipaidoverrideuser:
      ipaadmin_password: SomeADMINpassword
      idview: test_idview
      anchor: test_user
      certificate:
      - "{{ lookup('file', 'cert2.b64', rstrip=False) }}"
      - "{{ lookup('file', 'cert3.b64', rstrip=False) }}"
      action: member
      state: absent
 ```
 Example playbook to make sure test user test_user is present in idview test_idview without certificates
 ```yaml
 ---
 - name: Playbook to manage idoverrideuser
  hosts: ipaserver
  become: false
  tasks:
  - name: Ensure test user test_user is present in idview test_idview without certificates
    ipaidoverrideuser:
      ipaadmin_password: SomeADMINpassword
      idview: test_idview
      anchor: test_user
      certificate: []
 ```
 Example playbook to make sure test user test_user is present in idview test_idview with enabling falling back to AD DC LDAP when resolving AD trusted objects. (For two-way trusts only.)
 ```yaml
 ---
 - name: Playbook to manage idoverrideuser
  hosts: ipaserver
  become: false
  tasks:
  - name: Ensure test user test_user is present in idview test_idview with fallback_to_ldap enabled
    ipaidoverrideuser:
      ipaadmin_password: SomeADMINpassword
      idview: test_idview
      anchor: test_user
      fallback_to_ldap: true
 ```
 Example playbook to make sure test user test_user is absent in idview test_idview
 ```yaml
 ---
 - name: Playbook to manage idoverrideuser
  hosts: ipaserver
  become: false
  tasks:
  - name: Ensure test user test_user is absent in idview test_idview
    ipaidoverrideuser:
      ipaadmin_password: SomeADMINpassword
      idview: test_idview
      anchor: test_user
      continue: true
      state: absent
 ```
 Variables
 ---------
 Variable | Description | Required
 -------- | ----------- | --------
 `ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
 `ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
 `ipaapi_context` | The context in which the module will execute. Executing in a server context is preferred. If not provided context will be determined by the execution environment. Valid values are `server` and `client`. | no
 `ipaapi_ldap_cache` | Use LDAP cache for IPA connection. The bool setting defaults to true. (bool) | no
 `idview` \| `idviewcn` | The doverrideuser idview string. | yes
 `anchor` \| `ipaanchoruuid` | The list of anchors to override. | yes
 `description` \| `desc` | Description | no
 `name` \| `login` | The user (internally uid) | no
 `uid` \| `uidnumber` | User ID Number (int or "") | no
 `gecos` | GECOS | no
 `gidnumber` | Group ID Number (int or ""). | no
 `homedir` \| `homedirectory` | Home directory. | no
 `shell` \| `loginshell` | Login shell. | no
 `sshpubkey` \| `ipasshpubkey` | List of SSH public keys. | no
 `certificate` \| `usercertificate` | List of Base-64 encoded user certificates. This variable can also be used with `action: member`. | no
 `fallback_to_ldap` | Allow falling back to AD DC LDAP when resolving AD trusted objects. For two-way trusts only. | no
 `delete_continue` \| `continue` | Continuous mode. Don't stop on errors. Valid only if `state` is `absent`. | no
 `nomembers` \| `no_members` | Suppress processing of membership attributes. Valid only if `state` is `absent`. | no
 `action` | Work on idoverrideuser or member level. It can be on of `member` or `idoverrideuser` and defaults to `idoverrideuser`. | no
 `state` | The state to ensure. It can be one of `present`, `absent`, default: `present`. | no
 Authors
 =======
 Thomas Woerner
--- a/README-idp.md
+++ b/README-idp.md
@@ -0,0 +1,192 @@
 Idp module
 ============
 Description
 -----------
 The idp module allows to ensure presence and absence of idps.
 Features
 --------
 * Idp management
 Supported FreeIPA Versions
 --------------------------
 FreeIPA versions 4.4.0 and up are supported by the ipaidp module.
 Requirements
 ------------
 **Controller**
 * Ansible version: 2.14+
 **Node**
 * Supported FreeIPA version (see above)
 Usage
 =====
 Example inventory file
 ```ini
 [ipaserver]
 ipaserver.test.local
 ```
 Example playbook to make sure keycloak idp my-keycloak-idp is present:
 ```yaml
 ---
 - name: Playbook to manage IPA idp.
  hosts: ipaserver
  become: false
  tasks:
  - name: Ensure keycloak idp my-keycloak-idp is present
    ipaidp:
      ipaadmin_password: SomeADMINpassword
      name: my-keycloak-idp
      provider: keycloak
      organization: main
      base_url: keycloak.idm.example.com:8443/auth
      client_id: my-client-id
 ```
 Example playbook to make sure keycloak idp my-keycloak-idp is absent:
 ```yaml
 ---
 - name: Playbook to manage IPA idp.
  hosts: ipaserver
  become: false
  tasks:
  - name: Ensure keycloak idp my-keycloak-idp is absent
    ipaidp:
      ipaadmin_password: SomeADMINpassword
      name: my-keycloak-idp
      delete_continue: true
      state: absent
 ```
 Example playbook to make sure github idp my-github-idp is present:
 ```yaml
 ---
 - name: Playbook to manage IPA idp.
  hosts: ipaserver
  become: false
  tasks:
  - name: Ensure github idp my-github-idp is present
    ipaidp:
      ipaadmin_password: SomeADMINpassword
      name: my-github-idp
      provider: github
      client_id: my-github-client-id
 ```
 Example playbook to make sure google idp my-google-idp is present using provider defaults without specifying provider:
 ```yaml
 ---
 - name: Playbook to manage IPA idp.
  hosts: ipaserver
  become: false
  tasks:
  - name: Ensure google idp my-google-idp is present using provider defaults without specifying provider
    ipaidp:
      ipaadmin_password: SomeADMINpassword
      name: my-google-idp
      auth_uri: https://accounts.google.com/o/oauth2/auth
      dev_auth_uri: https://oauth2.googleapis.com/device/code
      token_uri: https://oauth2.googleapis.com/token
      keys_uri: https://www.googleapis.com/oauth2/v3/certs
      userinfo_uri: https://openidconnect.googleapis.com/v1/userinfo
      client_id: my-google-client-id
      scope: "openid email"
      idp_user_id: email
 ```
 Example playbook to make sure google idp my-google-idp is present using provider:
 ```yaml
 ---
 - name: Playbook to manage IPA idp.
  hosts: ipaserver
  become: false
  tasks:
  - name: Ensure google idp my-google-idp is present using provider
    ipaidp:
      ipaadmin_password: SomeADMINpassword
      name: my-google-idp
      provider: google
      client_id: my-google-client-id
 ```
 Example playbook to make sure idps my-keycloak-idp, my-github-idp and my-google-idp are absent:
 ```yaml
 ---
 - name: Playbook to manage IPA idp.
  hosts: ipaserver
  become: false
  tasks:
  - name: Ensure idps my-keycloak-idp, my-github-idp and my-google-idp are absent
    ipaidp:
      ipaadmin_password: SomeADMINpassword
      name:
      - my-keycloak-idp
      - my-github-idp
      - my-google-idp
      delete_continue: true
      state: absent
 ```
 Variables
 ---------
 Variable | Description | Required
 -------- | ----------- | --------
 `ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
 `ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
 `ipaapi_context` | The context in which the module will execute. Executing in a server context is preferred. If not provided context will be determined by the execution environment. Valid values are `server` and `client`. | no
 `ipaapi_ldap_cache` | Use LDAP cache for IPA connection. The bool setting defaults to true. (bool) | false
 `name` \| `cn` | The list of idp name strings. | yes
 auth_uri \| ipaidpauthendpoint | OAuth 2.0 authorization endpoint string. | no
 dev_auth_uri \| ipaidpdevauthendpoint | Device authorization endpoint string. | no
 token_uri \| ipaidptokenendpoint | Token endpoint string. | no
 userinfo_uri \| ipaidpuserinfoendpoint | User information endpoint string. | no
 keys_uri \| ipaidpkeysendpoint | JWKS endpoint string. | no
 issuer_url \| ipaidpissuerurl | The Identity Provider OIDC URL string. | no
 client_id \| ipaidpclientid | OAuth 2.0 client identifier string. | no
 secret \| ipaidpclientsecret | OAuth 2.0 client secret string. | no
 scope \| ipaidpscope | OAuth 2.0 scope string. Multiple scopes separated by space. | no
 idp_user_id \| ipaidpsub | Attribute string for user identity in OAuth 2.0 userinfo. | no
 provider \| ipaidpprovider | Pre-defined template string. This provides the provider defaults, which can be overridden with the other IdP options. Choices: ["google","github","microsoft","okta","keycloak"] | no
 organization \| ipaidporg | Organization ID string or Realm name for IdP provider templates. | no
 base_url \| ipaidpbaseurl | Base URL string for IdP provider templates. | no
 rename \| new_name | New name for the Identity Provider server object. Only with `state: renamed`. | no
 delete_continue \| continue | Continuous mode. Don't stop on errors. Valid only if `state` is `absent`. | no
 `state` | The state to ensure. It can be one of `present`, `absent`, `renamed`, default: `present`. | no
 Authors
 =======
 Thomas Woerner
--- a/README-idrange.md
+++ b/README-idrange.md
@@ -37,7 +37,7 @@ Requirements
 ------------
 **Controller**
-* Ansible version: 2.8+
+* Ansible version: 2.14+
 **Node**
 * Supported FreeIPA version (see above)
--- a/README-idview.md
+++ b/README-idview.md
@@ -0,0 +1,153 @@
 Idview module
 ============
 Description
 -----------
 The idview module allows to ensure presence and absence of idviews and idview host members.
 Use Cases
 ---------
 With ID views it is possible to override user or group attributes for users stored in the LDAP server. For example the login name, home directory, certificate for authentication or SSH keys. An ID view is client-side and specifies new values for user or group attributes and also the client host or hosts on which the values apply.
 The ID view and the applied hosts are managed with idview, the user attributes are managed with idoverrideuser and the group attributes with idoverridegroup.
 Features
 --------
 * Idview management
 Supported FreeIPA Versions
 --------------------------
 FreeIPA versions 4.4.0 and up are supported by the ipaidview module.
 Requirements
 ------------
 **Controller**
 * Ansible version: 2.14+
 **Node**
 * Supported FreeIPA version (see above)
 Usage
 =====
 Example inventory file
 ```ini
 [ipaserver]
 ipaserver.test.local
 ```
 Example playbook to make sure idview "test_idview" is present:
 ```yaml
 ---
 - name: Playbook to manage IPA idview.
  hosts: ipaserver
  become: false
  tasks:
  - ipaidview:
      ipaadmin_password: SomeADMINpassword
      name: test_idview
 ```
 Example playbook to make sure idview "test_idview" member host "testhost.example.com" is present:
 ```yaml
 ---
 - name: Playbook to manage IPA idview host member.
  hosts: ipaserver
  become: false
  tasks:
  - ipaidview:
      ipaadmin_password: SomeADMINpassword
      name: test_idview
      host: testhost.example.com
      action: member
 ```
 Example playbook to make sure idview "test_idview" member host "testhost.example.com" is absent:
 ```yaml
 ---
 - name: Playbook to manage IPA idview host member.
  hosts: ipaserver
  become: false
  tasks:
  - ipaidview:
      ipaadmin_password: SomeADMINpassword
      name: test_idview
      host: testhost.example.com
      action: member
      state: absent
 ```
 Example playbook to make sure idview "test_idview" is present with domain_resolution_order for "ad.example.com:ipa.example.com":
 ```yaml
 ---
 - name: Playbook to manage IPA idview host member.
  hosts: ipaserver
  become: false
  tasks:
  - ipaidview:
      ipaadmin_password: SomeADMINpassword
      name: test_idview
      domain_resolution_order: "ad.example.com:ipa.example.com"
 ```
 Example playbook to make sure idview "test_idview" is absent:
 ```yaml
 ---
 - name: Playbook to manage IPA idview.
  hosts: ipaserver
  become: false
  tasks:
  - ipaidview:
      ipaadmin_password: SomeADMINpassword
      name: test_idview
      state: absent
 ```
 Variables
 ---------
 Variable | Description | Required
 -------- | ----------- | --------
 `ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
 `ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
 `ipaapi_context` | The context in which the module will execute. Executing in a server context is preferred. If not provided context will be determined by the execution environment. Valid values are `server` and `client`. | no
 `ipaapi_ldap_cache` | Use LDAP cache for IPA connection. The bool setting defaults to true. (bool) | no
 `name` \| `cn` | The list of idview name strings. | yes
 `description` \| `desc` | The description string of the idview. | no
 `domain_resolution_order` \| `ipadomainresolutionorder` | Colon-separated list of domains used for short name qualification. | no
 `host` \| `hosts` | List of hosts to apply the ID View to. A host can only be applied to a single idview at any time. Applying a host that is already applied to a different idview will change the idview the host is applied to to the new one. | no
 `rename` \| `new_name` | Rename the ID view object to the new name string. Only usable with `state: renamed`. | no
 `delete_continue` \| `continue` | Continuous mode. Don't stop on errors. Valid only if `state` is `absent`. | no
 `action` | Work on idview or member level. It can be on of `member` or `idview` and defaults to `idview`. | no
 `state` | The state to ensure. It can be one of `present`, `absent` and `renamed`, default: `present`. | no
 Authors
 =======
 Thomas Woerner
--- a/README-inventory-plugin-freeipa.md
+++ b/README-inventory-plugin-freeipa.md
@@ -0,0 +1,106 @@
 Inventory plugin
 ================
 Description
 -----------
 The inventory plugin compiles a dynamic inventory from IPA domain. The servers can be filtered by their role(s).
 This plugin is using the Python requests binding, that is only available for Python 3.7 and up.
 Features
 --------
 * Dynamic inventory
 Supported FreeIPA Versions
 --------------------------
 FreeIPA versions 4.6.0 and up are supported by the inventory plugin.
 Requirements
 ------------
 **Controller**
 * Ansible version: 2.14+
 **Node**
 * Supported FreeIPA version (see above)
 Configuration
 =============
 The inventory plugin is automatically enabled from the Ansible collection or from the top directory of the git repo if the `plugins` folder is linked to `~/.ansible`.
 If `ansible.cfg` was modified to point to the roles and modules with `roles_path`, `library` and `module_utils` tag, then it is needed to set `inventory_plugins` also:
 ```
 inventory_plugins = /my/dir/ansible-freeipa/plugins/inventory
 ```
 Usage
 =====
 Example inventory file "freeipa.yml":
 ```yml
 ---
 plugin: freeipa
 server: server.ipa.local
 ipaadmin_password: SomeADMINpassword
 ```
 Example inventory file "freeipa.yml" with server TLS certificate verification using local copy of `/etc/ipa/ca.crt` from the server:
 ```yml
 ---
 plugin: freeipa
 server: server.ipa.local
 ipaadmin_password: SomeADMINpassword
 verify: ca.crt
 ```
 How to use the plugin
 ---------------------
 With the `ansible-inventory` command it is possible to show the generated inventorey:
 ```bash
 ansible-inventory -v -i freeipa.yml --graph
 ```
 Example inventory file "freeipa.yml" for use with `playbooks/config/retrieve-config.yml`:
 ```yml
 ---
 plugin: freeipa
 server: server.ipa.local
 ipaadmin_password: SomeADMINpassword
 inventory_group: ipaserver
 ```
 ```bash
 ansible-playbook -u root -i ipa.yml playbooks/config/retrieve-config.yml 
 ```
 Variables
 =========
 Variable | Description | Required
 -------- | ----------- | --------
 `ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
 `ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
 `server` | The FQDN of server to start the scan. (string) | yes
 `verify` | The server TLS certificate file for verification (/etc/ipa/ca.crt). Turned off if not set. (string) | yes
 `role` | The role(s) of the server. If several roles are given, only servers that have all the roles are returned. (list of strings) (choices: "IPA master", "CA server", "KRA server", "DNS server", "AD trust controller", "AD trust agent") | no
 `inventory_group` | The inventory group to create. The default group name is "ipaservers". | no
 Authors
 =======
 - Thomas Woerner
--- a/README-location.md
+++ b/README-location.md
@@ -22,7 +22,7 @@ Requirements
 ------------
 **Controller**
-* Ansible version: 2.8+
+* Ansible version: 2.14+
 **Node**
 * Supported FreeIPA version (see above)
--- a/README-netgroup.md
+++ b/README-netgroup.md
@@ -22,7 +22,7 @@ Requirements
 ------------
 **Controller**
-* Ansible version: 2.8+
+* Ansible version: 2.14+
 **Node**
 * Supported FreeIPA version (see above)
--- a/README-permission.md
+++ b/README-permission.md
@@ -22,7 +22,7 @@ Requirements
 ------------
 **Controller**
-* Ansible version: 2.8+
+* Ansible version: 2.14+
 **Node**
 * Supported FreeIPA version (see above)
--- a/README-privilege.md
+++ b/README-privilege.md
@@ -22,7 +22,7 @@ Requirements
 ------------
 **Controller**
-* Ansible version: 2.8+
+* Ansible version: 2.14+
 **Node**
 * Supported FreeIPA version (see above)
--- a/README-pwpolicy.md
+++ b/README-pwpolicy.md
@@ -22,7 +22,7 @@ Requirements
 ------------
 **Controller**
-* Ansible version: 2.8+
+* Ansible version: 2.14+
 **Node**
 * Supported FreeIPA version (see above)
--- a/README-role.md
+++ b/README-role.md
@@ -25,7 +25,7 @@ Requirements
 ------------
 **Controller**
-* Ansible version: 2.8+
+* Ansible version: 2.14+
 **Node**
 * Supported FreeIPA version (see above)
--- a/README-selfservice.md
+++ b/README-selfservice.md
@@ -23,7 +23,7 @@ Requirements
 ------------
 **Controller**
-* Ansible version: 2.8+
+* Ansible version: 2.14+
 **Node**
 * Supported FreeIPA version (see above)
--- a/README-server.md
+++ b/README-server.md
@@ -22,7 +22,7 @@ Requirements
 ------------
 **Controller**
-* Ansible version: 2.8+
+* Ansible version: 2.14+
 **Node**
 * Supported FreeIPA version (see above)
--- a/README-service.md
+++ b/README-service.md
@@ -25,7 +25,7 @@ Requirements
 ------------
 **Controller**
-* Ansible version: 2.8+
+* Ansible version: 2.14+
 **Node**
 * Supported FReeIPA version (see above)
@@ -282,6 +282,65 @@ Example playbook to allow users, groups, hosts or hostgroups to retrieve a keyta
 ```
 Example playbook to ensure presence of serveral services in a single task:
 ```yaml
 ---
 - name: Playbook to manage IPA service.
  hosts: ipaserver
  tasks:
  - name: Ensure services are present
    ipaservice:
      ipaadmin_password: SomeADMINpassword
      services:
      - name: HTTP/www.example.com
        principal:
        - host/host1.example.com
      - name: mysvc/www.example.com
        pac_type: NONE
        ok_as_delegate: yes
        ok_to_auth_as_delegate: yes
      - name: HTTP/www.example.com
        allow_create_keytab_user:
        - user01
        - user02
        allow_create_keytab_group:
        - group01
        - group02
        allow_create_keytab_host:
        - host1.example.com
        - host2.example.com
        allow_create_keytab_hostgroup:
        - hostgroup01
        - hostgroup02
      - name: mysvc/host2.example.com
        auth_ind: otp,radius
 ```
 Example playbook to ensure presence of serveral services in a single task with `member` `action`:
 ```yaml
 ---
 - name: Playbook to manage IPA service.
  hosts: ipaserver
  become: true
  gather_facts: false
  tasks:
    - name: Ensure service host members are present
      ipaservice:
        ipaadmin_password: SomeADMINpassword
        services:
        - name: HTTP/www1.example.com
          host: host1.example.com
        - name: HTTP/www2.example.com
          host: host2.example.com
        action: member
 ```
 Variables
 ---------
@@ -291,7 +350,15 @@ Variable | Description | Required
 `ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
 `ipaapi_context` | The context in which the module will execute. Executing in a server context is preferred. If not provided context will be determined by the execution environment. Valid values are `server` and `client`. | no
 `ipaapi_ldap_cache` | Use LDAP cache for IPA connection. The bool setting defaults to yes. (bool) | no
-`name` \| `service` | The list of service name strings. | yes
+`name` \| `service` | The list of service name strings. `name` with *service variables* or `services` containing *service variables* need to be used. | no
 `action` | Work on service or member level. It can be on of `member` or `service` and defaults to `service`. | no
 `state` | The state to ensure. It can be one of `present`, `absent`, or `disabled`, default: `present`. | no
 **Service Variables:**
 Variable | Description | Required
 -------- | ----------- | --------
 `certificate` \| `usercertificate` | Base-64 encoded service certificate. | no
 `pac_type` \| `ipakrbauthzdata` | Supported PAC type. It can be one of `MS-PAC`, `PAD`, or `NONE`. Use empty string to reset pac_type to the initial value. | no
 `auth_ind` \| `krbprincipalauthind` | Defines an allow list for Authentication Indicators. It can be any of `otp`, `radius`, `pkinit`, `hardened`, `idp` or `""`.  An additional check ensures that only types can be used that are supported by the IPA version. Use empty string to reset auth_ind to the initial value. | no
@@ -310,11 +377,9 @@ Variable | Description | Required
 `allow_retrieve_keytab_group` \| `ipaallowedtoperform_read_keys_group` | Groups allowed to retrieve a keytab of this host. | no
 `allow_retrieve_keytab_host` \| `ipaallowedtoperform_read_keys_host` | Hosts allowed to retrieve a keytab from of host. | no
 `allow_retrieve_keytab_hostgroup` \| `ipaallowedtoperform_read_keys_hostgroup` | Host groups allowed to retrieve a keytab of this host. | no
 `continue` | Continuous mode: don't stop on errors. Valid only if `state` is `absent`. Default: `no` (bool) | no
 `smb` | Service is an SMB service. If set, `cifs/` will be prefixed to the service name if needed. | no
 `netbiosname` | NETBIOS name for the SMB service. Only with `smb: yes`. | no
-`action` | Work on service or member level. It can be on of `member` or `service` and defaults to `service`. | no
+`continue` \| `delete_continue` | Continuous mode: don't stop on errors. Valid only if `state` is `absent`. Default: `no` (bool) | no
 `state` | The state to ensure. It can be one of `present`, `absent`, or `disabled`, default: `present`. | no
 Authors
--- a/README-servicedelegationrule.md
+++ b/README-servicedelegationrule.md
@@ -24,7 +24,7 @@ Requirements
 ------------
 **Controller**
-* Ansible version: 2.8+
+* Ansible version: 2.14+
 **Node**
 * Supported FreeIPA version (see above)
--- a/README-servicedelegationtarget.md
+++ b/README-servicedelegationtarget.md
@@ -24,7 +24,7 @@ Requirements
 ------------
 **Controller**
-* Ansible version: 2.8+
+* Ansible version: 2.14+
 **Node**
 * Supported FreeIPA version (see above)
--- a/README-sudocmd.md
+++ b/README-sudocmd.md
@@ -24,7 +24,7 @@ Requirements
 ------------
 **Controller**
-* Ansible version: 2.8+
+* Ansible version: 2.14+
 **Node**
 * Supported FreeIPA version (see above)
--- a/README-sudocmdgroup.md
+++ b/README-sudocmdgroup.md
@@ -24,7 +24,7 @@ Requirements
 ------------
 **Controller**
-* Ansible version: 2.8+
+* Ansible version: 2.14+
 **Node**
 * Supported FreeIPA version (see above)
--- a/README-sudorule.md
+++ b/README-sudorule.md
@@ -22,7 +22,7 @@ Requirements
 ------------
 **Controller**
-* Ansible version: 2.8+
+* Ansible version: 2.14+
 **Node**
 * Supported FreeIPA version (see above)
@@ -93,6 +93,26 @@ Example playbook to make sure sudocmds are not present in Sudo Rule:
      state: absent
 ```
 Example playbook to ensure a Group of RunAs User is present in sudo rule:
 ```yaml
 ---
 - name: Playbook to manage sudorule member
  hosts: ipaserver
  become: no
  gather_facts: no
  tasks:
  - name: Ensure sudorule 'runasuser' has 'ipasuers' group as runas users.
    ipasudorule:
      ipaadmin_password: SomeADMINpassword
      name: testrule1
      runasuser_group: ipausers
      action: member
 ```
 Example playbook to make sure Sudo Rule is absent:
 ```yaml
@@ -109,6 +129,49 @@ Example playbook to make sure Sudo Rule is absent:
      state: absent
 ```
 Example playbook to ensure multiple Sudo Rule are present using batch mode:
 ```yaml
 ---
 - name: Playbook to handle sudorules
  hosts: ipaserver
  become: true
 - name: Ensure multiple Sudo Rules are present using batch mode.
  ipasudorule:
    ipaadmin_password: SomeADMINpassword
    sudorules:
      - name: testrule1
        hostmask:
          - 192.168.122.1/24
      - name: testrule2
        hostcategory: all
 ```
 Example playbook to ensure multiple Sudo Rule members are present using batch mode:
 ```yaml
 ---
 - name: Playbook to handle sudorules
  hosts: ipaserver
  become: true
 - name: Ensure multiple Sudo Rules are present using batch mode.
  ipasudorule:
    ipaadmin_password: SomeADMINpassword
    action: member
    sudorules:
      - name: testrule1
        user:
          - user01
          - user02
        group:
          - group01
      - name: testrule2
        hostgroup:
          - hostgroup01
          - hostgroup02
 ```
 Variables
 =========
@@ -119,7 +182,9 @@ Variable | Description | Required
 `ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
 `ipaapi_context` | The context in which the module will execute. Executing in a server context is preferred. If not provided context will be determined by the execution environment. Valid values are `server` and `client`. | no
 `ipaapi_ldap_cache` | Use LDAP cache for IPA connection. The bool setting defaults to yes. (bool) | no
-`name` \| `cn` | The list of sudorule name strings. | yes
+`name` \| `cn` | The list of sudorule name strings. | no
 `sudorules` | The list of sudorule dicts. Each `sudorule` dict entry can contain sudorule variables.<br>There is one required option in the `sudorule` dict:| no
 &nbsp; | `name` - The sudorule name string of the entry. | yes
 `description` | The sudorule description string. | no
 `usercategory` \| `usercat` | User category the rule applies to. Choices: ["all", ""] | no
 `hostcategory` \| `hostcat` | Host category the rule applies to. Choices: ["all", ""] | no
--- a/README-topology.md
+++ b/README-topology.md
@@ -22,7 +22,7 @@ Requirements
 ------------
 **Controller**
-* Ansible version: 2.8+
+* Ansible version: 2.14+
 **Node**
 * Supported FreeIPA version (see above)
--- a/README-trust.md
+++ b/README-trust.md
@@ -21,7 +21,7 @@ Requirements
 **Controller**
-* Ansible version: 2.8+
+* Ansible version: 2.14+
 **Node**
--- a/README-user.md
+++ b/README-user.md
@@ -24,7 +24,7 @@ Requirements
 ------------
 **Controller**
-* Ansible version: 2.8+
+* Ansible version: 2.14+
 **Node**
 * Supported FreeIPA version (see above)
@@ -279,7 +279,6 @@ Example playbook to disable a user:
 This can also be done as an alternative with the `users` variable containing only names.
 Example playbook to enable users:
 ```yaml
@@ -298,6 +297,22 @@ Example playbook to enable users:
 This can also be done as an alternative with the `users` variable containing only names.
 Example playbook to rename users:
 ```yaml
 ---
 - name: Playbook to handle users
  hosts: ipaserver
  become: true
  tasks:
  # Rename user pinky to reddy
  - ipauser:
      ipaadmin_password: SomeADMINpassword
      name: pinky
      rename: reddy
      state: renamed
 ```
 Example playbook to unlock users:
@@ -401,7 +416,7 @@ Variable | Description | Required
 `update_password` | Set password for a user in present state only on creation or always. It can be one of `always` or `on_create` and defaults to `always`. | no
 `preserve` | Delete a user, keeping the entry available for future use. (bool)  | no
 `action` | Work on user or member level. It can be on of `member` or `user` and defaults to `user`. | no
-`state` | The state to ensure. It can be one of `present`, `absent`, `enabled`, `disabled`, `unlocked` or `undeleted`, default: `present`. Only `names` or `users` with only `name` set are allowed if state is not `present`. | yes
+`state` | The state to ensure. It can be one of `present`, `absent`, `enabled`, `disabled`, `renamed`, `unlocked` or `undeleted`, default: `present`. Only `names` or `users` with only `name` set are allowed if state is not `present`. | yes
@@ -458,10 +473,10 @@ Variable | Description | Required
 `smb_profile_path:` \| `ipantprofilepath` | SMB profile path, in UNC format. Requires FreeIPA version 4.8.0+. | no 
 `smb_home_dir` \| `ipanthomedirectory` | SMB Home Directory, in UNC format. Requires FreeIPA version 4.8.0+.  | no 
 `smb_home_drive` \| `ipanthomedirectorydrive` | SMB Home Directory Drive, a single upercase letter (A-Z) followed by a colon (:), for example "U:". Requires FreeIPA version 4.8.0+. | no 
 `rename` \| `new_name` | Rename the user object to the new name string. Only usable with `state: renamed`. | no
 `nomembers` | Suppress processing of membership attributes. (bool) | no
 Return Values
 =============
@@ -477,5 +492,5 @@ Variable | Description | Returned When
 Authors
 =======
-Thomas Woerner
+- Thomas Woerner
-Rafael Jeffman
+- Rafael Jeffman
--- a/README-vault.md
+++ b/README-vault.md
@@ -24,7 +24,7 @@ Requirements
 ------------
 **Controller**
-* Ansible version: 2.8+
+* Ansible version: 2.14+
 **Node**
 * Supported FreeIPA version (see above)
--- a/README.md
+++ b/README.md
@@ -13,6 +13,7 @@ Features
 * Repair mode for clients
 * Backup and restore, also to and from controller
 * Smartcard setup for servers and clients
 * Inventory plugin freeipa
 * Modules for automembership rule management
 * Modules for automount key management
 * Modules for automount location management
@@ -30,7 +31,11 @@ Features
 * Modules for hbacsvcgroup management
 * Modules for host management
 * Modules for hostgroup management
 * Modules for idoverridegroup management
 * Modules for idoverrideuser management
 * Modules for idp management
 * Modules for idrange management
 * Modules for idview management
 * Modules for location management
 * Modules for netgroup management
 * Modules for permission management
@@ -61,7 +66,7 @@ Supported Distributions
 -----------------------
 * RHEL/CentOS 7.4+
-* Fedora 26+
+* Fedora 40+
 * Ubuntu
 * Debian 10+ (ipaclient only, no server or replica!)
@@ -69,7 +74,7 @@ Requirements
 ------------
 **Controller**
-* Ansible version: 2.8+ (ansible-freeipa is an Ansible Collection)
+* Ansible version: 2.14+
 **Node**
 * Supported FreeIPA version (see above)
@@ -104,9 +109,10 @@ You can use the roles directly within the top directory of the git repo, but to
 You can either adapt ansible.cfg:
 ```
-roles_path   = /my/dir/ansible-freeipa/roles
+roles_path        = /my/dir/ansible-freeipa/roles
-library      = /my/dir/ansible-freeipa/plugins/modules
+library           = /my/dir/ansible-freeipa/plugins/modules
-module_utils = /my/dir/ansible-freeipa/plugins/module_utils
+module_utils      = /my/dir/ansible-freeipa/plugins/module_utils
 inventory_plugins = /my/dir/ansible-freeipa/plugins/inventory
 ```
 Or you can link the directories:
@@ -119,7 +125,7 @@ ansible-freeipa/plugins/module_utils to ~/.ansible/plugins/
 **RPM package**
-There are RPM packages available for Fedora 29+. These are installing the roles and modules into the global Ansible directories for `roles`, `plugins/modules` and `plugins/module_utils` in the `/usr/share/ansible` directory. Therefore is it possible to use the roles and modules without adapting the names like it is done in the example playbooks.
+There are RPM packages available for Fedora. These are installing the roles and modules into the global Ansible directories for `roles`, `plugins/modules` and `plugins/module_utils` in the `/usr/share/ansible` directory. Therefore is it possible to use the roles and modules without adapting the names like it is done in the example playbooks.
 **Ansible Galaxy**
@@ -129,18 +135,8 @@ This command will get the whole collection from galaxy:
 ansible-galaxy collection install freeipa.ansible_freeipa
 ```
 Installing collections using the ansible-galaxy command is only supported with ansible 2.9+.
 The mazer tool can be used for to install the collection for ansible 2.8:
 ```bash
 mazer install freeipa.ansible_freeipa
 ```
 Ansible galaxy does not support the use of dash ('-') in a name and is automatically replacing this with an underscore ('\_'). Therefore the name is `ansible_freeipa`. The ansible_freeipa collection will be placed in the directory `~/.ansible/collections/ansible_collections/freeipa/ansible_freeipa` where it will be automatically be found for this user.
 The needed adaptions of collection prefixes for `modules` and `module_utils` will be done with ansible-freeipa release `0.1.6` for galaxy.
 Ansible inventory file
 ----------------------
@@ -450,7 +446,11 @@ Modules in plugin/modules
 * [ipahbacsvcgroup](README-hbacsvcgroup.md)
 * [ipahost](README-host.md)
 * [ipahostgroup](README-hostgroup.md)
 * [idoverridegroup](README-idoverridegroup.md)
 * [idoverrideuser](README-idoverrideuser.md)
 * [idp](README-idp.md)
 * [idrange](README-idrange.md)
 * [idview](README-idview.md)
 * [ipalocation](README-location.md)
 * [ipanetgroup](README-netgroup.md)
 * [ipapermission](README-permission.md)
@@ -472,3 +472,8 @@ Modules in plugin/modules
 * [ipavault](README-vault.md)
 If you want to write a new module please read [writing a new module](plugins/modules/README.md).
 Inventory plugins in plugin/inventory
 =====================================
 * [freeipa](README-inventory-plugin-freeipa.md)
--- a/infra/azure/azure-pipelines.yml
+++ b/infra/azure/azure-pipelines.yml
@@ -0,0 +1,73 @@
 ---
 trigger:
 - master
 pool:
  vmImage: 'ubuntu-20.04'
 variables:
  ansible_version: "-core >=2.16,<2.17"
  ansible_latest: "-core"
  ansible_minimum: "-core <2.16"
  distros: "fedora-latest,c9s,c10s,fedora-rawhide"
 stages:
 - stage: fedora_latest_ansible_latest
  dependsOn: []
  jobs:
  - template: templates/group_tests.yml
    parameters:
      build_number: $(Build.BuildNumber)
      distro: fedora-latest
      ansible_version: ${{ variables.ansible_latest }}
      skip_git_test: true
 - stage: fedora_latest_ansible_2_15
  dependsOn: []
  jobs:
  - template: templates/group_tests.yml
    parameters:
      build_number: $(Build.BuildNumber)
      distro: fedora-latest
      ansible_version: ${{ variables.ansbile_minimum }}
      skip_git_test: true
 # Supported distros
 - ${{ each distro in split(variables.distros, ',') }}:
  - stage: ${{ replace(distro, '-', '_') }}_ansible_2_16
    dependsOn: []
    jobs:
    - template: templates/group_tests.yml
      parameters:
        build_number: $(Build.BuildNumber)
        distro: ${{ distro }}
        ansible_version: ${{ variables.ansible_version }}
        skip_git_test: true
        test_galaxy: false
 # Galaxy on Fedora
 - stage: galaxy_fedora_latest_ansible_2_16
  dependsOn: []
  jobs:
  - template: templates/group_tests.yml
    parameters:
      build_number: $(Build.BuildNumber)
      distro: fedora-latest
      ansible_version: ${{ variables.ansible_version }}
      skip_git_test: true
      test_galaxy: true
 # CentOS 8 Stream, latest supported Ansible version.
 - stage: c8s_ansible_2_16
  dependsOn: []
  jobs:
  - template: templates/group_tests.yml
    parameters:
      build_number: $(Build.BuildNumber)
      distro: c8s
      ansible_version: "-core <2.17"
      skip_git_test: true
--- a/infra/azure/build-containers.yml
+++ b/infra/azure/build-containers.yml
@@ -0,0 +1,35 @@
 ---
 schedules:
 - cron: "0 0 * * 0"
  displayName: Weekly Sunday midnight build
  branches:
    include:
    - master
  always: true
 trigger: none
 pool:
  vmImage: 'ubuntu-24.04'
 variables: { distros: "fedora-latest,fedora-rawhide,c9s,c10s" }
 stages:
 - ${{ each distro in split(variables.distros, ',') }}:
  - stage: build_${{ join('_', split(distro, '-')) }}
    dependsOn: []
    jobs:
    - template: templates/build_container.yml
      parameters:
        distro: ${{ distro }}
 # Special case for CentOS 8 Stream
 - stage: CentOS_8_Stream
  dependsOn: []
  jobs:
  - template: templates/build_container.yml
    parameters:
      distro: c8s
      # ansible-core 2.17+ cannot be used to deploy on CentOS 8 Stream.
      ansible_core_version: "<2.17"
--- a/infra/azure/nightly.yml
+++ b/infra/azure/nightly.yml
@@ -0,0 +1,79 @@
 ---
 schedules:
 - cron: "0 19 * * *"
  displayName: Nightly Builds
  branches:
    include:
    - master
  always: true
 trigger: none
 pool:
  vmImage: 'ubuntu-20.04'
 variables:
  # We need to have two sets, as c8s is not supported by all ansible versions
  recent_distros: "fedora-latest,fedora-rawhide,c10s,c9s"
  distros: "fedora-latest,fedora-rawhide,c10s,c9s,c8s"
  ansible_latest: "-core"
  ansible_minimum: "-core <2.16"
  ansible_version: "-core >=2.16,<2.17"
 stages:
 # Minimum ansible
 - ${{ each distro in split(variables.distros, ',') }}:
  - stage: ${{ replace(distro, '-', '_') }}_ansible_2_15
    dependsOn: []
    jobs:
    - template: templates/group_tests.yml
      parameters:
        build_number: $(Build.BuildNumber)
        distro: fedora-latest
        ansible_version: ${{ variables.ansible_minimum }}
        skip_git_test: true
        test_galaxy: false
 # Latest ansible
 - ${{ each distro in split(variables.recent_distros, ',') }}:
  - stage: ${{ replace(distro, '-', '_') }}_ansible_latest
    dependsOn: []
    jobs:
    - template: templates/group_tests.yml
      parameters:
        build_number: $(Build.BuildNumber)
        distro: ${{ distro }}
        ansible_version: ${{ variables.ansible_latest }}
        skip_git_test: true
        test_galaxy: false
 # Selected ansible-core version
 - ${{ each distro in split(variables.distros, ',') }}:
  - stage: ${{ replace(distro, '-', '_') }}_ansible_2_16
    dependsOn: []
    jobs:
    - template: templates/group_tests.yml
      parameters:
        build_number: $(Build.BuildNumber)
        distro: ${{ distro }}
        ansible_version: ${{ variables.ansible_version }}
        skip_git_test: true
        test_galaxy: false
 # Galaxy collection with selected ansible-core version
 - ${{ each distro in split(variables.distros, ',') }}:
  - stage: galaxy_${{ replace(distro, '-', '_') }}_asible_2_16
    dependsOn: []
    jobs:
    - template: templates/group_tests.yml
      parameters:
        build_number: $(Build.BuildNumber)
        distro: ${{ distro }}
        ansible_version: ${{ variables.ansible_version }}
        skip_git_test: true
        test_galaxy: true
--- a/infra/azure/pr-pipeline.yml
+++ b/infra/azure/pr-pipeline.yml
@@ -0,0 +1,39 @@
 ---
 trigger:
 - master
 pool:
  vmImage: 'ubuntu-20.04'
 variables:
  distros: "fedora-latest,c10s,c9s,c8s,fedora-rawhide"
  ansible_version: "-core >=2.15,<2.16"
 stages:
 # Test with repository in all distros
 - ${{ each distro in split(variables.distros, ',') }}:
  - stage: ${{ replace(distro, '-', '_') }}_ansible_2_16
    dependsOn: []
    jobs:
    - template: templates/run_tests.yml
      parameters:
        build_number: $(Build.BuildNumber)
        distro: ${{ distro }}
        ansible_version: ${{ variables.ansible_version }}
        skip_git_test: false
        test_galaxy: false
 # Galaxy on Fedora
 - stage: galaxy_fedora_latest_ansible_2_16
  dependsOn: []
  jobs:
  - template: templates/run_tests.yml
    parameters:
      build_number: $(Build.BuildNumber)
      distro: fedora-latest
      ansible_version: ${{ variables.ansible_version }}
      skip_git_test: false
      test_galaxy: true
--- a/infra/azure/scripts/get_test_modules.py
+++ b/infra/azure/scripts/get_test_modules.py
@@ -23,8 +23,6 @@ def get_plugins_from_playbook(playbook):
        for tasks in task_block:
            for task in tasks:
                original_task = task
                if "." in task:
                    task = task.split(".")[-1]
                if task == "block":
                    _result.update(get_tasks(tasks["block"]))
                elif task in ["include_tasks", "import_tasks"
@@ -62,8 +60,7 @@ def get_plugins_from_playbook(playbook):
            return []
        except yaml.parser.ParserError:  # If not a YAML/JSON file.
            return []
-        else:
+        return data if data else []
            return data if data else []
    data = load_playbook(playbook)
    task_blocks = [t.get("tasks", []) if "tasks" in t else [] for t in data]
@@ -128,8 +125,16 @@ def parse_playbooks(test_module):
                            "builtins.__import__", side_effect=import_mock
                        ):
                            # pylint: disable=no-value-for-parameter
-                            loader = SourceFileLoader(playbook, source)
+                            try:
-                            loader.exec_module(types.ModuleType(loader.name))
+                                loader = SourceFileLoader(playbook, source)
                                loader.exec_module(
                                    types.ModuleType(loader.name)
                                )
                            except Exception:  # pylint: disable=broad-except
                                # If import fails, we'll assume there's no
                                # plugin to be loaded. This is of little risk
                                # it is rare that a plugin includes another.
                                pass
                        # pylint: disable=no-member
                        candidates = [
                            f.split(".")[1:]
@@ -154,7 +159,7 @@ def map_test_module_sources(base):
    """Create a map of 'test-modules' to 'plugin-sources', from 'base'."""
    # Find root directory of playbook tests.
    script_dir = os.path.dirname(__file__)
-    test_root = os.path.realpath(os.path.join(script_dir, f"../{base}"))
+    test_root = os.path.realpath(os.path.join(script_dir, f"../../../{base}"))
    # create modules:source_files map
    _result = {}
    for test_module in [d for d in os.scandir(test_root) if d.is_dir()]:
@@ -165,7 +170,7 @@ def map_test_module_sources(base):
 def usage(err=0):
-    print("filter_plugins.py [-h|--help] [-p|--pytest] PY_SRC...")
+    print("get_test_modules.py [-h|--help] [-p|--pytest] PY_SRC...")
    print(
        """
 Print a comma-separated list of modules that should be tested if
--- a/infra/azure/scripts/set_test_modules
+++ b/infra/azure/scripts/set_test_modules
@@ -0,0 +1,67 @@
 #!/bin/bash -eu
 # This file shoud be source'd (. set_test_modules) rather than executed.
 #
 # Set SKIP_GIT_TEST="True" or use -a to prevent git modification comparison.
 #
 RED="\033[31;1m"
 RST="\033[0m"
 die() {
    echo -e "${RED}${*}${RST}" >&2
 }
 BASEDIR="$(readlink -f "$(dirname "${BASH_SOURCE[0]}")")"
 TOPDIR="$(readlink -f "${BASEDIR}/../../..")"
 [ -n "$(command -v python3)" ] && python="$(command -v python3)" || python="$(command -v python2)"
 pushd "${TOPDIR}" >/dev/null 2>&1 || die "Failed to change directory."
 SKIP_GIT_TEST=${SKIP_GIT_TEST:-"False"}
 while getopts ":a" opt
 do
    case "${opt}" in
        a) SKIP_GIT_TEST="True" ;;
        *) ;; # ignore other options
    esac
 done
 files_list=$(mktemp)
 enabled_modules="None"
 enabled_tests="None"
 if [ "${SKIP_GIT_TEST}" != "True" ]
 then
    remote="$(basename "$(mktemp -u remote_XXXXXX)")"
    git remote add "${remote}" https://github.com/freeipa/ansible-freeipa
    git fetch --prune --no-tags --quiet "${remote}"
    git diff "${remote}/master" --name-only > "${files_list}"
    git remote remove "${remote}"
    # shellcheck disable=SC2046
    enabled_modules="$(${python} "${BASEDIR}/get_test_modules.py" $(cat "${files_list}"))"
    [ -z "${enabled_modules}" ] && enabled_modules="None"
    # Get individual tests that should be executed
    mapfile -t tests < <(sed -n 's#.*/\(test_[^/]*\).yml#\1#p' "${files_list}" | tr -d " ")
    [ ${#tests[@]} -gt 0 ] && enabled_tests=$(IFS=, ; echo "${tests[*]}")
    [ -z "${enabled_tests}" ] && enabled_tests="None"
    [ -n "${enabled_tests}" ] && IPA_ENABLED_TESTS="${enabled_tests},${IPA_ENABLED_TESTS}"
    [ -n "${enabled_modules}" ] && IPA_ENABLED_MODULES="${enabled_modules},${IPA_ENABLED_MODULES}"
    rm -f "${files_list}"
 fi
 # Get all modules that should have tests executed
 export IPA_ENABLED_MODULES
 export IPA_ENABLED_TESTS
 echo "IPA_ENABLED_MODULES = [${IPA_ENABLED_MODULES}]"
 echo "IPA_ENABLED_TESTS = [${IPA_ENABLED_TESTS}]"
 popd >/dev/null 2>&1 || die "Failed to change back to original directory."
--- a/infra/azure/templates/build_container.yml
+++ b/infra/azure/templates/build_container.yml
@@ -0,0 +1,45 @@
 ---
 parameters:
  - name: distro
    type: string
  - name: python_version
    type: string
    default: 3.x
  - name: ansible_core_version
    default: ""
 jobs:
 - job: BuildTestImage_${{ join('_', split(parameters.distro, '-')) }}
  displayName: Build ${{ parameters.distro }} test container
  steps:
  - task: UsePythonVersion@0
    inputs:
      versionSpec: '${{ parameters.python_version }}'
  - script: python -m pip install --upgrade pip "ansible-core${{ parameters.ansible_core_version }}"
    retryCountOnTaskFailure: 5
    displayName: Install tools
  - script: ansible-galaxy collection install containers.podman
    displayName: Install Ansible Galaxy collections
  - script: infra/image/build.sh -s ${{ parameters.distro }}
    displayName: Build ${{ parameters.distro }} base image
    env:
      ANSIBLE_ROLES_PATH: "${PWD}/roles"
      ANSIBLE_LIBRARY: "${PWD}/plugins/modules"
      ANSIBLE_MODULE_UTILS: "${PWD}/plugins/module_utils"
  - script: podman login -u="$QUAY_ROBOT_USERNAME" -p="$QUAY_ROBOT_TOKEN" quay.io
    displayName: Registry login
    env:
      # Secrets needs to be mapped as env vars to work properly
      QUAY_ROBOT_TOKEN: $(QUAY_ROBOT_TOKEN)
  - script: |
      podman push quay.io/ansible-freeipa/upstream-tests:${{parameters.distro}}-base quay.io/ansible-freeipa/upstream-tests:${{ parameters.distro }}-base
    displayName: Push base image
  - script: |
      podman push quay.io/ansible-freeipa/upstream-tests:${{ parameters.distro }}-server quay.io/ansible-freeipa/upstream-tests:${{ parameters.distro }}-server
    displayName: Push server image
--- a/infra/azure/templates/group_tests.yml
+++ b/infra/azure/templates/group_tests.yml
@@ -0,0 +1,30 @@
 ---
 parameters:
  - name: distro
    type: string
    default: fedora-latest
  - name: build_number
    type: string
  - name: ansible_version
    type: string
    default: ""
  - name: skip_git_test
    type: boolean
    default: false
  - name: test_galaxy
    type: boolean
    default: false
 jobs:
 - ${{ each group in split('1,2,3', ',') }}:
  - template: run_tests.yml
    parameters:
      group_number: ${{ group }}
      number_of_groups: 3
      build_number: ${{ parameters.build_number }}
      distro: ${{ parameters.distro }}
      ansible_version: ${{ parameters.ansible_version }}
      python_version: '< 3.12'
      skip_git_test: ${{ parameters.skip_git_test }}
      test_galaxy: ${{ parameters.test_galaxy }}
--- a/infra/azure/templates/prepare_environment.yaml
+++ b/infra/azure/templates/prepare_environment.yaml
@@ -0,0 +1,30 @@
 ---
 parameters:
  - name: distro
    type: string
    default: fedora-latest
  - name: ansible_version
    type: string
    default: ""
  - name: python_version
    type: string
    default: 3.x
  - name: build_number
    type: string
 steps:
  - task: UsePythonVersion@0
    inputs:
      versionSpec: '${{ parameters.python_version }}'
  - script: |
      pip install "ansible${{ parameters.ansible_version }}" -r requirements-tests.txt
    retryCountOnTaskFailure: 5
    displayName: Install test dependencies
  - script: ansible-galaxy collection install -r requirements-podman.yml
    retryCountOnTaskFailure: 5
    displayName: Install Ansible collections
  - script: infra/image/start.sh ${{ parameters.distro }}-server
    displayName: Setup target container for ${{ parameters.distro }}
--- a/infra/azure/templates/run_tests.yml
+++ b/infra/azure/templates/run_tests.yml
@@ -0,0 +1,98 @@
 ---
 parameters:
  - name: group_number
    type: number
    default: 1
  - name: number_of_groups
    type: number
    default: 1
  - name: distro
    type: string
    default: fedora-latest
  - name: ansible_version
    type: string
    default: ""
  - name: python_version
    type: string
    default: 3.x
  - name: build_number
    type: string
  - name: skip_git_test
    type: boolean
    default: true
  - name: test_type
    type: string
    default: "playbook"
  - name: test_galaxy
    type: boolean
    default: false
 jobs:
 - job: Test_Group${{ parameters.group_number }}
  displayName: Run playbook tests ${{ parameters.distro }} (${{ parameters.group_number }}/${{ parameters.number_of_groups }})
  timeoutInMinutes: 360
  variables:
  - template: variables.yaml
  - template: variables_${{ parameters.distro }}.yaml
  steps:
  - template: prepare_environment.yaml
    parameters:
      build_number: ${{ parameters.build_number }}
      distro: ${{ parameters.distro }}
      ansible_version: ${{ parameters.ansible_version }}
      python_version: ${{ parameters.python_version }}
  - bash: echo "##vso[task.setvariable variable=TOPDIR]${PWD}"
    displayName: Set repo rootdir
  - script: |
      . "${TOPDIR}/infra/azure/scripts/set_test_modules"
      python3 utils/check_test_configuration.py ${{ parameters.distro }}
    displayName: Check test configuration
    env:
       SKIP_GIT_TEST: ${{ parameters.skip_git_test }}
  - script: |
      git fetch --unshallow
      utils/build-galaxy-release.sh -i
    retryCountOnTaskFailure: 5
    displayName: Build Galaxy release
    condition: ${{ parameters.test_galaxy }}
  - script: |
      echo "PWD: ${PWD}"
      echo "TOPDIR: ${TOPDIR}"
      echo "ROLES: ${ANSIBLE_ROLES_PATH}"
      echo "LIBRARY: ${ANSIBLE_LIBRARY}"
      echo "MODULE_UTILS: ${ANSIBLE_MODULE_UTILS}"
      . "${TOPDIR}/infra/azure/scripts/set_test_modules"
      [ "${{ parameters.test_galaxy }}" == "True"  ] && cd ~/.ansible/collections/ansible_collections/freeipa/ansible_freeipa
      pytest \
          -m "${{ parameters.test_type }}" \
          --verbose \
          --color=yes \
          --splits=${{ parameters.number_of_groups }} \
          --group=${{ parameters.group_number }} \
          --randomly-seed=$(date "+%Y%m%d") \
          --suppress-no-test-exit-code \
          --junit-xml=TEST-results-pr-check.xml
    displayName: Run playbook tests
    env:
      SKIP_GIT_TEST: ${{ parameters.skip_git_test }}
      ${{ if not(parameters.test_galaxy)  }}:
        ANSIBLE_ROLES_PATH: "${PWD}/roles"
        ANSIBLE_LIBRARY: "${PWD}/plugins"
        ANSIBLE_MODULE_UTILS: "${PWD}/plugins/module_utils"
      IPA_SERVER_HOST: ansible-freeipa-tests
      RUN_TESTS_IN_DOCKER: podman
      IPA_DISABLED_MODULES: ${{ variables.ipa_disabled_modules }}
      IPA_DISABLED_TESTS: ${{ variables.ipa_disabled_tests }}
      IPA_ENABLED_MODULES: ${{ variables.ipa_enabled_modules }}
      IPA_ENABLED_TESTS: ${{ variables.ipa_enabled_tests }}
      IPA_VERBOSITY: "-vvv"
  - task: PublishTestResults@2
    inputs:
      mergeTestResults: true
      testRunTitle: PlaybookTests-Build${{ parameters.build_number }}
    condition: succeededOrFailed()
--- a/infra/azure/templates/variables.yaml
+++ b/infra/azure/templates/variables.yaml
@@ -15,8 +15,9 @@
 #
 ---
 variables:
-  empty: true
+  # empty: true
  # ipa_enabled_modules: >-
  # ipa_enabled_tests: >-
-  # ipa_disabled_modules: >-
+  ipa_disabled_modules: >-
    config
  # ipa_disabled_tests: >-
--- a/infra/azure/templates/variables_c10s.yaml
+++ b/infra/azure/templates/variables_c10s.yaml
--- a/infra/azure/templates/variables_c8s.yaml
+++ b/infra/azure/templates/variables_c8s.yaml
--- a/infra/azure/templates/variables_c9s.yaml
+++ b/infra/azure/templates/variables_c9s.yaml
@@ -0,0 +1,21 @@
 #
 # Variables must be defined as comma separated lists.
 # For easier management of items to enable/disable,
 # use one test/module on each line, followed by a comma.
 #
 # Example:
 #
 # ipa_disabled_modules: >-
 #   dnsconfig,
 #   group,
 #   hostgroup
 #
 # If no variables are set, set "empty: true" as at least
 # one item is needed in the set.
 ---
 variables:
  empty: true
 #   ipa_enabled_modules: >-
 #   ipa_enabled_tests: >-
 #   ipa_disabled_modules: >-
 #   ipa_disabled_tests: >-
--- a/infra/azure/templates/variables_centos-7.yaml
+++ b/infra/azure/templates/variables_centos-7.yaml
--- a/infra/azure/templates/variables_fedora-latest.yaml
+++ b/infra/azure/templates/variables_fedora-latest.yaml
--- a/infra/azure/templates/variables_fedora-rawhide.yaml
+++ b/infra/azure/templates/variables_fedora-rawhide.yaml
--- a/infra/image/build-inventory
+++ b/infra/image/build-inventory
@@ -0,0 +1,15 @@
 [ipaserver]
 ansible-freeipa-image-builder ansible_connection=podman
 [ipaserver:vars]
 ipaadmin_password=SomeADMINpassword
 ipadm_password=SomeDMpassword
 ipaserver_domain=test.local
 ipaserver_realm=TEST.LOCAL
 ipaserver_setup_dns=true
 ipaserver_auto_forwarders=true
 ipaserver_no_dnssec_validation=true
 ipaserver_auto_reverse=true
 ipaserver_setup_kra=true
 ipaserver_setup_firewalld=false
 ipaclient_no_ntp=true
--- a/infra/image/build.sh
+++ b/infra/image/build.sh
@@ -0,0 +1,137 @@
 #!/bin/bash -eu
 BASEDIR="$(readlink -f "$(dirname "$0")")"
 TOPDIR="$(readlink -f "${BASEDIR}/../..")"
 # shellcheck disable=SC1091
 . "${BASEDIR}/shcontainer"
 # shellcheck disable=SC1091
 . "${TOPDIR}/utils/shfun"
 valid_distro() {
    find "${BASEDIR}/dockerfile" -type f -printf "%f\n" | tr "\n" " "
 }
 usage() {
    local prog="${0##*/}"
    cat << EOF
 usage: ${prog} [-h] [-n HOSTNAME] [-s] distro
    ${prog} build a container image to test ansible-freeipa.
 EOF
 }
 help() {
    cat << EOF
 positional arguments:
    distro    The base distro to build the test container.
              Availble distros: $(valid_distro)
 optional arguments:
    -n HOSTNAME   Container hostname
    -p            Give extended privileges to the container
    -s            Deploy IPA server
 EOF
 }
 name="ansible-freeipa-image-builder"
 hostname="ipaserver.test.local"
 cpus="2"
 memory="3g"
 quayname="quay.io/ansible-freeipa/upstream-tests"
 deploy_server="N"
 deploy_capabilities="SYS_ADMIN,SYSLOG"
 capabilities=""
 while getopts ":hn:s" option
 do
    case "${option}" in
        h) help && exit 0 ;;
        n) hostname="${OPTARG}" ;;
        s) deploy_server="Y" ;;
        *) die -u "Invalid option: ${option}" ;;
    esac
 done
 shift $((OPTIND - 1))
 distro=${1:-}
 [ -n "${distro}" ] || die "Distro needs to be given.\nUse one of: $(valid_distro)"
 [ -f "${BASEDIR}/dockerfile/${distro}" ] \
  || die "${distro} is not a valid distro target.\nUse one of: $(valid_distro)"
 container_check
 if [ "${deploy_server}" == "Y" ]
 then
    capabilities="${deploy_capabilities}"
    [ -n "$(command -v "ansible-playbook")" ] || die "ansible-playbook is required to install FreeIPA."
    deploy_playbook="${TOPDIR}/playbooks/install-server.yml"
    [ -f "${deploy_playbook}" ] || die "Can't find playbook '${deploy_playbook}'"
    inventory_file="${BASEDIR}/build-inventory"
    [ -f "${inventory_file}" ] || die "Can't find inventory '${inventory_file}'"
 fi
 container_state=$(container_get_state "${name}")
 tag="${distro}-base"
 server_tag="${distro}-server"
 container_remove_image_if_exists "${tag}"
 [ "${deploy_server}" == "Y" ] && \
    container_remove_image_if_exists "${server_tag}"
 container_build "${tag}" "${BASEDIR}/dockerfile/${distro}" "${BASEDIR}"
 container_create "${name}" "${tag}" \
    "hostname=${hostname}" \
    "memory=${memory}" \
    "cpus=${cpus}" \
    "${capabilities:+capabilities=$capabilities}"
 container_commit "${name}" "${quayname}:${tag}"
 if [ "${deploy_server}" == "Y" ]
 then
    deployed=false
    # Set path to ansible-freeipa roles
    [ -z "${ANSIBLE_ROLES_PATH:-""}" ] && export ANSIBLE_ROLES_PATH="${TOPDIR}/roles"
    # Install collection containers.podman if not available
    if [ -z "$(ansible-galaxy collection list containers.podman)" ]
    then
        tmpdir="$(mktemp -d)"
        export ANSIBLE_COLLECTIONS_PATH="${tmpdir}"
        ansible-galaxy collection install -p "${tmpdir}" containers.podman
    fi
    [ "${container_state}" != "running" ] && container_start "${name}"
    container_wait_for_journald "${name}"
    log info "= Deploying IPA ="
    if ansible-playbook -u root -i "${inventory_file}" "${deploy_playbook}"
    then
        deployed=true
    fi
    echo
    if $deployed; then
        log info "= Enabling services ="
        container_exec "${name}" systemctl enable fixnet
        container_exec "${name}" systemctl enable fixipaip
        echo
    fi
    container_stop "${name}"
    $deployed || die "Deployment failed"
    container_commit "${name}" "${quayname}:${server_tag}"
 fi
 log info "= DONE: Image created. ="
--- a/infra/image/dockerfile/c10s
+++ b/infra/image/dockerfile/c10s
@@ -0,0 +1,39 @@
 FROM quay.io/centos/centos:stream10
 ENV container=podman
 RUN rm -fv /var/cache/dnf/metadata_lock.pid; \
 dnf makecache; \
 dnf --assumeyes install \
    /usr/bin/dnf-3 \
    sudo \
    bash \
    systemd \
    procps-ng \
    iproute \
    hostname; \
 rm -rf /var/cache/dnf/;
 RUN (cd /lib/systemd/system/; \
    if [ -e dbus-broker.service ] && [ ! -e dbus.service ]; then \
       ln -s dbus-broker.service dbus.service; \
    fi \
 )
 COPY system-service/container-ipa.target /lib/systemd/system/
 RUN systemctl set-default container-ipa.target
 RUN (cd /etc/systemd/system/; \
    rm -rf multi-user.target.wants \
 	&& mkdir container-ipa.target.wants \
 	&& ln -s container-ipa.target.wants multi-user.target.wants \
 )
 COPY system-service/fixnet.sh /root/
 COPY system-service/fixipaip.sh /root/
 COPY system-service/fixnet.service /etc/systemd/system/
 COPY system-service/fixipaip.service /etc/systemd/system/
 RUN chmod +x /root/fixnet.sh /root/fixipaip.sh
 STOPSIGNAL RTMIN+3
 VOLUME ["/sys/fs/cgroup"]
 CMD ["/usr/sbin/init"]
--- a/infra/image/dockerfile/c8s
+++ b/infra/image/dockerfile/c8s
@@ -0,0 +1,43 @@
 FROM quay.io/centos/centos:stream8
 ENV container=podman
 RUN rm -fv /var/cache/dnf/metadata_lock.pid; \
 sed -i s/mirror.centos.org/vault.centos.org/g /etc/yum.repos.d/*.repo; \
 sed -i s/^#.*baseurl=http/baseurl=http/g /etc/yum.repos.d/*.repo; \
 sed -i s/^mirrorlist=http/#mirrorlist=http/g /etc/yum.repos.d/*.repo; \
 dnf makecache; \
 dnf --assumeyes install \
    /usr/bin/dnf-3 \
    sudo \
    bash \
    systemd \
    procps-ng \
    iproute; \
 dnf clean all; \
 rm -rf /var/cache/dnf/;
 RUN (cd /lib/systemd/system/; \
    if [ -e dbus-broker.service ] && [ ! -e dbus.service ]; then \
       ln -s dbus-broker.service dbus.service; \
    fi \
 )
 COPY system-service/container-ipa.target /lib/systemd/system/
 RUN systemctl set-default container-ipa.target
 RUN (cd /etc/systemd/system/; \
    rm -rf multi-user.target.wants \
 	&& mkdir container-ipa.target.wants \
 	&& ln -s container-ipa.target.wants multi-user.target.wants \
 )
 COPY system-service/fixnet.sh /root/
 COPY system-service/fixipaip.sh /root/
 COPY system-service/fixnet.service /etc/systemd/system/
 COPY system-service/fixipaip.service /etc/systemd/system/
 RUN chmod +x /root/fixnet.sh /root/fixipaip.sh
 STOPSIGNAL RTMIN+3
 VOLUME ["/sys/fs/cgroup"]
 CMD ["/usr/sbin/init"]
--- a/infra/image/dockerfile/c9s
+++ b/infra/image/dockerfile/c9s
@@ -0,0 +1,38 @@
 FROM quay.io/centos/centos:stream9
 ENV container=podman
 RUN rm -fv /var/cache/dnf/metadata_lock.pid; \
 dnf makecache; \
 dnf --assumeyes install \
    /usr/bin/dnf-3 \
    sudo \
    bash \
    systemd \
    procps-ng \
    iproute; \
 rm -rf /var/cache/dnf/;
 RUN (cd /lib/systemd/system/; \
    if [ -e dbus-broker.service ] && [ ! -e dbus.service ]; then \
       ln -s dbus-broker.service dbus.service; \
    fi \
 )
 COPY system-service/container-ipa.target /lib/systemd/system/
 RUN systemctl set-default container-ipa.target
 RUN (cd /etc/systemd/system/; \
    rm -rf multi-user.target.wants \
 	&& mkdir container-ipa.target.wants \
 	&& ln -s container-ipa.target.wants multi-user.target.wants \
 )
 COPY system-service/fixnet.sh /root/
 COPY system-service/fixipaip.sh /root/
 COPY system-service/fixnet.service /etc/systemd/system/
 COPY system-service/fixipaip.service /etc/systemd/system/
 RUN chmod +x /root/fixnet.sh /root/fixipaip.sh
 STOPSIGNAL RTMIN+3
 VOLUME ["/sys/fs/cgroup"]
 CMD ["/usr/sbin/init"]
--- a/infra/image/dockerfile/fedora-latest
+++ b/infra/image/dockerfile/fedora-latest
@@ -0,0 +1,41 @@
 FROM fedora:latest
 ENV container=podman
 RUN rm -fv /var/cache/dnf/metadata_lock.pid; \
 dnf makecache; \
 dnf --assumeyes install \
    /usr/bin/python3 \
    /usr/bin/python3-config \
    python3-libdnf5 \
    sudo \
    bash \
    systemd \
    procps-ng \
    iproute; \
 dnf clean all; \
 rm -rf /var/cache/dnf/;
 RUN (cd /lib/systemd/system/; \
    if [ -e dbus-broker.service ] && [ ! -e dbus.service ]; then \
       ln -s dbus-broker.service dbus.service; \
    fi \
 )
 COPY system-service/container-ipa.target /lib/systemd/system/
 RUN systemctl set-default container-ipa.target
 RUN (cd /etc/systemd/system/; \
    rm -rf multi-user.target.wants \
 	&& mkdir container-ipa.target.wants \
 	&& ln -s container-ipa.target.wants multi-user.target.wants \
 )
 COPY system-service/fixnet.sh /root/
 COPY system-service/fixipaip.sh /root/
 COPY system-service/fixnet.service /etc/systemd/system/
 COPY system-service/fixipaip.service /etc/systemd/system/
 RUN chmod +x /root/fixnet.sh /root/fixipaip.sh
 STOPSIGNAL RTMIN+3
 VOLUME ["/sys/fs/cgroup"]
 CMD ["/usr/sbin/init"]
--- a/infra/image/dockerfile/fedora-rawhide
+++ b/infra/image/dockerfile/fedora-rawhide
@@ -0,0 +1,41 @@
 FROM fedora:rawhide
 ENV container=podman
 RUN rm -fv /var/cache/dnf/metadata_lock.pid; \
 dnf makecache; \
 dnf --assumeyes install \
    /usr/bin/python3 \
    /usr/bin/python3-config \
    python3-libdnf5 \
    sudo \
    bash \
    systemd \
    procps-ng \
    iproute; \
 dnf clean all; \
 rm -rf /var/cache/dnf/;
 RUN (cd /lib/systemd/system/; \
    if [ -e dbus-broker.service ] && [ ! -e dbus.service ]; then \
       ln -s dbus-broker.service dbus.service; \
    fi \
 )
 COPY system-service/container-ipa.target /lib/systemd/system/
 RUN systemctl set-default container-ipa.target
 RUN (cd /etc/systemd/system/; \
    rm -rf multi-user.target.wants \
 	&& mkdir container-ipa.target.wants \
 	&& ln -s container-ipa.target.wants multi-user.target.wants \
 )
 COPY system-service/fixnet.sh /root/
 COPY system-service/fixipaip.sh /root/
 COPY system-service/fixnet.service /etc/systemd/system/
 COPY system-service/fixipaip.service /etc/systemd/system/
 RUN chmod +x /root/fixnet.sh /root/fixipaip.sh
 STOPSIGNAL RTMIN+3
 VOLUME ["/sys/fs/cgroup"]
 CMD ["/usr/sbin/init"]
--- a/infra/image/inventory
+++ b/infra/image/inventory
@@ -0,0 +1,6 @@
 [ipaserver]
 ansible-freeipa-tests ansible_connection=podman
 [ipaserver:vars]
 ipaadmin_password=SomeADMINpassword
 ipadm_password=SomeDMpassword
--- a/infra/image/shcontainer
+++ b/infra/image/shcontainer
@@ -0,0 +1,197 @@
 #!/bin/bash -eu
 # This file is meant to be source'd by other scripts
 SCRIPTDIR="$(dirname -- "$(readlink -f "${BASH_SOURCE[0]}")")"
 TOPDIR="$(readlink -f "${SCRIPTDIR}/../..")"
 . "${TOPDIR}/utils/shfun"
 container_create() {
    local name=${1}
    local image=${2}
    shift 2
    declare -a extra_opts=()
    for opt in "$@"
    do
        [ -z "${opt}" ] && continue
        case "${opt}" in
            hostname=*) extra_opts+=("--${opt}") ;;
            cpus=*) extra_opts+=("--${opt}") ;;
            memory=*) extra_opts+=("--${opt}") ;;
            capabilities=*) extra_opts+=("--cap-add=${opt##*=}") ;;
            *) log error "container_create: Invalid option: ${opt}" ;;
        esac
    done
    # ensure default values are set
    [[ " ${extra_opts[*]} " =~ " --cpus=" ]] || extra_opts+=("--cpus=2")
    [[ " ${extra_opts[*]} " =~ " --hostname=" ]] \
        || extra_opts+=("--hostname=ipaserver.test.local")
    log info "= Creating ${name} ="
    podman create \
           --security-opt label=disable \
           --network bridge:interface_name=eth0 \
           --systemd true \
           --name "${name}" \
           --memory-swap -1 \
           --no-hosts \
           --replace \
           "${extra_opts[@]}" \
           "${image}"
    echo
 }
 container_start() {
    local name="${1}"
    log info "= Starting ${name} ="
    podman start "${name}"
    echo
 }
 container_stop() {
    local name="${1}"
    log info "= Stopping ${name} ="
    podman stop "${name}"
    echo
 }
 container_wait_for_journald() {
    local name=${1}
    log info "= Waiting till systemd-journald is running ="
    max=20
    wait=2
    count=0
    while ! podman exec "${name}" ps -x | grep -q "systemd-journald"
    do
        if [ $count -ge $max ]; then
            die "Timeout: systemd-journald is not starting up"
        fi
        count=$((count+1))
        log info "Waiting ${wait} seconds .."
        sleep ${wait}
    done
    log info "done"
    echo
 }
 container_wait_up() {
    local name="${1}"
    log info "= Waiting till all services are started ="
    max=20
    wait=15
    count=0
    while podman exec "${name}" systemctl list-jobs | \
        grep -qvi "no jobs running"
    do
        if [ $count -ge $max ]; then
            die "Timeout: Services are not starting up"
        fi
        count=$((count+1))
        log info "Waiting ${wait} seconds .."
        sleep ${wait}
    done
    log info "done"
    echo
 }
 container_build() {
    local tag="${1}"
    local file="${2}"
    local dir="${3}"
    log info "= Building ${tag} ="
    podman build -t "${tag}" -f "${file}" "${dir}"
    echo
 }
 container_commit() {
    local name="${1}"
    local image="${2}"
    log info "= Committing \"${image}\" ="
    podman commit "${name}" "${image}"
    echo
 }
 container_exec() {
    local name="${1}"
    shift 1
    # "@Q" is only needed for the log output, the exec command is properly
    # working without also for args containing spaces.
    log info "= Executing \"${*@Q}\" ="
    podman exec -t "${name}" "${@}"
    echo
 }
 container_remove_image_if_exists()
 {
    # In older (as in Ubuntu 22.04) podman versions,
    # 'podman image rm --force' fails if the image
    # does not exist.
    local tag_to_remove="${1}"
    if podman image exists "${tag_to_remove}"
    then
        log info "= Cleanup ${tag_to_remove} ="
        podman image rm "${tag_to_remove}" --force
        echo
    fi
 }
 container_get_state()
 {
    local name="${1}"
    state=$(podman ps -q --all --format "{{.State}}" --filter "name=${name}")
    echo "${state}"
 }
 container_pull() {
    local source="${1}"
    image=$(podman pull "${source}")
    echo "${image}"
 }
 container_image_list() {
    local source="${1}"
    # Append "$" for an exact match if the source does not end with ":" to
    # search for the repo only.
    if [[ ${source} != *: ]]; then
        source="${source}$"
    fi
    image=$(podman image list --format "{{ .Repository }}:{{ .Tag }}" | \
                grep "^${source}")
    echo "${image}"
 }
 container_check() {
    [ -n "$(command -v "podman")" ] || die "podman is required."
 }
 container_copy() {
    local name="${1}"
    local source="${2}"
    local destination="${3}"
    log info "= Copying ${source} to ${name}:${destination} ="
    podman cp "${source}" "${name}:${destination}"
    echo
 }
 container_fetch() {
    local name="${1}"
    local source="${2}"
    local destination="${3}"
    log info "= Copying ${name}:${source} to ${destination} ="
    podman cp "${name}:${source}" "${destination}"
    echo
 }
--- a/infra/image/start.sh
+++ b/infra/image/start.sh
@@ -0,0 +1,95 @@
 #!/bin/bash -eu
 BASEDIR="$(readlink -f "$(dirname "$0")")"
 TOPDIR="$(readlink -f "${BASEDIR}/../..")"
 # shellcheck disable=SC1091
 . "${BASEDIR}/shcontainer"
 # shellcheck disable=SC1091
 . "${TOPDIR}/utils/shfun"
 usage() {
    local prog="${0##*/}"
    cat << EOF
 usage: ${prog} [-h] [-l] [-n HOSTNAME ] image
    ${prog} start a prebuilt ansible-freeipa test container image.
 EOF
 }
 help() {
    cat << EOF
 positional arguments:
    image    The image to start, leave empty to get list of images
 optional arguments:
    -h            Show this message
    -l            Try to use local image first, if not found download.
    -n HOSTNAME   Set container hostname
 NOTE:
    - The hostname must be the same as the hostname of the container
      when FreeIPA was deployed. Use only if you built the image and
      defined its hostname.
 EOF
 }
 list_images() {
    local quay_api="https://quay.io/api/v1/repository/ansible-freeipa/upstream-tests/tag"
    log info "Available images on quay:"
    curl --silent -L "${quay_api}" | jq '.tags[]|.name' | tr -d '"'| sort | uniq | sed "s/.*/    &/"
    echo
    log info "Local images (use -l):"
    local_image=$(container_image_list "${repo}:")
    echo "${local_image}" | sed -e "s/.*://" | sed "s/.*/    &/"
    echo
 }
 repo="quay.io/ansible-freeipa/upstream-tests"
 name="ansible-freeipa-tests"
 hostname="ipaserver.test.local"
 try_local_first="N"
 while getopts ":hln:" option
 do
    case "${option}" in
        h) help && exit 0 ;;
        l) try_local_first="Y" ;;
        n) hostname="${OPTARG}" ;;
        *) die -u "Invalid option: ${option}" ;;
    esac
 done
 shift $((OPTIND - 1))
 image=${1:-}
 container_check
 if [ -z "${image}" ]; then
    list_images
    exit 0
 fi
 local_image=
 if [ "${try_local_first}" == "Y" ]; then
    log info "= Trying to use local image first ="
    local_image=$(container_image_list "${repo}:${image}")
    [ -n "${local_image}" ] && log info "Found ${local_image}"
    echo
 fi
 if [ -z "${local_image}" ]; then
    log info "= Downloading from quay ="
    local_image=$(container_pull "${repo}:${image}")
    echo
 fi
 [ -z "${local_image}" ] && die "Image '${image}' is not valid"
 container_create "${name}" "${local_image}" "hostname=${hostname}"
 container_start "${name}"
 container_wait_for_journald "${name}"
 container_wait_up "${name}"
 log info "Container ${name} is ready to be used."
--- a/infra/image/system-service/container-ipa.target
+++ b/infra/image/system-service/container-ipa.target
@@ -0,0 +1,6 @@
 [Unit]
 Description=Minimal target for containerized FreeIPA server
 DefaultDependencies=false
 AllowIsolate=yes
 Requires=systemd-tmpfiles-setup.service systemd-journald.service dbus.service
 After=systemd-tmpfiles-setup.service systemd-journald.service dbus.service
--- a/infra/image/system-service/fixipaip.service
+++ b/infra/image/system-service/fixipaip.service
@@ -0,0 +1,12 @@
 [Unit]
 Description=Fix IPA server IP in IPA Server
 After=ipa.service
 [Service]
 Type=oneshot
 ExecStart=/root/fixipaip.sh
 StandardOutput=journal
 StandardError=journal
 [Install]
 WantedBy=default.target
--- a/infra/image/system-service/fixipaip.sh
+++ b/infra/image/system-service/fixipaip.sh
@@ -0,0 +1,85 @@
 #!/bin/bash -eu
 function valid_fqdn()
 {
    local name="${1}"
    [[ "${name}" =~ [[:space:]] ]] && return 1
    [[ "${name}" =~ \. ]] || return 1
    [[ "${name}" =~ \.\. ]] && return 1
    for i in ${name//./ }; do
        [[ "${i}" =~ ^[a-z0-9_/]+$ ]] || return 1
    done
    [[ "${name}" == "localhost.localdomain" ]] && return 1
    return 0
 }
 function valid_ipv4()
 {
    local ip="${1}"
    local rematch="^([0-9]{1,3}\.){3}[0-9]{1,3}$"
    [[ "${ip}" =~ ${rematch} ]] || return 1
    for i in ${ip//./ }; do
        [[ ${i} -le 255 ]] || return 1
    done
    return 0
 }
 HOSTNAME=$(hostname)
 IP=$(hostname -I | cut -d " " -f 1)
 export KRB5CCNAME=ansible_freeipa_cache
 if [ -z "${HOSTNAME}" ] || ! valid_fqdn "${HOSTNAME}" ; then
    echo "ERROR: Got invalid hostname: '${HOSTNAME}'"
    exit 1
 fi
 if [ -z "${IP}" ] || ! valid_ipv4 "${IP}" ; then
    echo "ERROR: Got invalid IPv4 address: '${IP}'"
    exit 1
 fi
 PTR=$(echo "${IP}" | awk -F"." '{print $4}')
 if [ -z "${PTR}" ] || [ -n "${PTR//[0-9]}" ]; then
    echo "ERROR: Failed to get PTR from IPv4 address: '${PTR}'"
    exit 1
 fi
 FORWARDER=$(grep -s -m 1 ^nameserver /etc/resolv.conf.fixnet | cut -d" " -f 2)
 if [ -z "${FORWARDER}" ] || [ "${FORWARDER}" == "127.0.0.1" ]; then
    FORWARDER="8.8.8.8"
 fi
 echo "Fix IPA:"
 echo "  HOSTNAME: '${HOSTNAME}'"
 echo "  IP: '${IP}'"
 echo "  PTR: '${PTR}'"
 echo "  FORWARDER: '${FORWARDER}'"
 ZONES=$(ipa -e in_server=true dnszone-find --name-from-ip="${HOSTNAME}." \
            --raw --pkey-only | grep "idnsname:" | awk -F": " '{print $2}')
 for zone in ${ZONES}; do
    echo
    if [[ "${zone}" == *".in-addr.arpa."* ]]; then
        echo "Fixing reverse zone ${zone}:"
        OLD_PTR=$(ipa -e in_server=true dnsrecord-find "${zone}" \
                      --ptr-rec="${HOSTNAME}." --raw | grep "idnsname:" | \
                      awk -F": " '{print $2}')
        if [ -z "${OLD_PTR}" ] || [ -n "${OLD_PTR//[0-9]}" ]; then
            echo "ERROR: Failed to get old PTR from '${zone}': '${OLD_PTR}'"
        else
            ipa -e in_server=true dnsrecord-mod "${zone}" "${OLD_PTR}" \
                --ptr-rec="${HOSTNAME}." --rename="${PTR}" || true
        fi
    else
        echo "Fixing forward zone ${zone}:"
        ipa -e in_server=true dnsrecord-mod test.local "${HOSTNAME%%.*}" \
            --a-rec="$IP" || true
        ipa -e in_server=true dnsrecord-mod test.local ipa-ca \
            --a-rec="$IP" || true
    fi
 done
 ipa -e in_server=true dnsserver-mod "${HOSTNAME}" \
    --forwarder="${FORWARDER}" || true
 exit 0
--- a/infra/image/system-service/fixnet.service
+++ b/infra/image/system-service/fixnet.service
@@ -0,0 +1,14 @@
 [Unit]
 Description=Fix server IP in IPA Server
 Wants=network.target
 After=network.target
 Before=ipa.service
 [Service]
 Type=oneshot
 ExecStart=/root/fixnet.sh
 StandardOutput=journal
 StandardError=journal
 [Install]
 WantedBy=ipa.service
--- a/infra/image/system-service/fixnet.sh
+++ b/infra/image/system-service/fixnet.sh
@@ -0,0 +1,66 @@
 #!/bin/bash -eu
 function valid_fqdn()
 {
    local name="${1}"
    [[ "${name}" =~ [[:space:]] ]] && return 1
    [[ "${name}" =~ \. ]] || return 1
    [[ "${name}" =~ \.\. ]] && return 1
    for i in ${name//./ }; do
        [[ "${i}" =~ ^[a-z0-9_/]+$ ]] || return 1
    done
    [[ "${name}" == "localhost.localdomain" ]] && return 1
    return 0
 }
 function valid_ipv4()
 {
    local ip="${1}"
    local rematch="^([0-9]{1,3}\.){3}[0-9]{1,3}$"
    [[ "${ip}" =~ ${rematch} ]] || return 1
    for i in ${ip//./ }; do
        [[ ${i} -le 255 ]] || return 1
    done
    return 0
 }
 HOSTNAME=$(hostname)
 IP=$(hostname -I | cut -d " " -f 1)
 if [ -z "${HOSTNAME}" ] || ! valid_fqdn "${HOSTNAME}" ; then
    echo "ERROR: Failed to retrieve hostname."
    exit 1
 fi
 if [ -z "${IP}" ] || ! valid_ipv4 "${IP}" ; then
    echo "ERROR: Got invalid IPv4 address: '${IP}'"
    exit 1
 fi
 echo "Fix NET:"
 echo "  HOSTNAME: '${HOSTNAME}'"
 echo "  IP: '${IP}'"
 echo
 if grep -qE "^[^(#\s*)][0-9\.]+\s$HOSTNAME(\s|$)" /etc/hosts
 then
    sed -i.bak -e "s/.*${HOSTNAME}/${IP}\t${HOSTNAME}/" /etc/hosts
 else
    echo -e "$IP\t${HOSTNAME} ${HOSTNAME%%.*}" >> /etc/hosts
 fi
 cp -a /etc/resolv.conf /etc/resolv.conf.fixnet
 cat > /etc/resolv.conf <<EOF
 search ${HOSTNAME#*.}
 nameserver 127.0.0.1
 EOF
 echo "/etc/hosts:"
 cat "/etc/hosts"
 echo
 echo "/etc/resolv.conf:"
 cat "/etc/resolv.conf"
 exit 0
--- a/meta/runtime.yml
+++ b/meta/runtime.yml
@@ -1,2 +1,2 @@
 ---
-requires_ansible: ">=2.9"
+requires_ansible: ">=2.14.0"
--- a/molecule/c8s-build/Dockerfile
+++ b/molecule/c8s-build/Dockerfile
@@ -1,30 +0,0 @@
 FROM quay.io/centos/centos:stream8
 ENV container=docker
 RUN rm -fv /var/cache/dnf/metadata_lock.pid; \
 dnf makecache; \
 dnf --assumeyes install \
    /usr/bin/python3 \
    /usr/bin/python3-config \
    /usr/bin/dnf-3 \
    sudo \
    bash \
    systemd \
    procps-ng \
    iproute && \
 dnf clean all; \
 (cd /lib/systemd/system/sysinit.target.wants/; for i in *; do [ $i == systemd-tmpfiles-setup.service ] || rm -f $i; done); \
 rm -f /lib/systemd/system/multi-user.target.wants/*;\
 rm -f /etc/systemd/system/*.wants/*;\
 rm -f /lib/systemd/system/local-fs.target.wants/*; \
 rm -f /lib/systemd/system/sockets.target.wants/*udev*; \
 rm -f /lib/systemd/system/sockets.target.wants/*initctl*; \
 rm -f /lib/systemd/system/basic.target.wants/*;\
 rm -f /lib/systemd/system/anaconda.target.wants/*; \
 rm -rf /var/cache/dnf/;
 STOPSIGNAL RTMIN+3
 VOLUME ["/sys/fs/cgroup"]
 CMD ["/usr/sbin/init"]
--- a/molecule/c8s-build/molecule.yml
+++ b/molecule/c8s-build/molecule.yml
@@ -1,19 +0,0 @@
 ---
 driver:
  name: docker
 platforms:
  - name: c8s-build
    image: "quay.io/centos/centos:stream8"
    dockerfile: Dockerfile
    hostname: ipaserver.test.local
    dns_servers:
      - 8.8.8.8
    volumes:
      - /sys/fs/cgroup:/sys/fs/cgroup:ro
    command: /usr/sbin/init
    privileged: true
 provisioner:
  name: ansible
  playbooks:
    prepare: ../resources/playbooks/prepare-build.yml
 prerun: false
--- a/molecule/c8s/molecule.yml
+++ b/molecule/c8s/molecule.yml
@@ -1,19 +0,0 @@
 ---
 driver:
  name: docker
 platforms:
  - name: c8s
    image: quay.io/ansible-freeipa/upstream-tests:c8s
    pre_build_image: true
    hostname: ipaserver.test.local
    dns_servers:
      - 127.0.0.1
    volumes:
      - /sys/fs/cgroup:/sys/fs/cgroup:ro
    command: /usr/sbin/init
    privileged: true
 provisioner:
  name: ansible
  playbooks:
    prepare: ../resources/playbooks/prepare.yml
 prerun: false
--- a/molecule/c9s-build/Dockerfile
+++ b/molecule/c9s-build/Dockerfile
@@ -1,29 +0,0 @@
 FROM quay.io/centos/centos:stream9
 ENV container=docker
 RUN rm -fv /var/cache/dnf/metadata_lock.pid; \
 dnf makecache; \
 dnf --assumeyes install \
    /usr/bin/python3 \
    /usr/bin/dnf-3 \
    sudo \
    bash \
    systemd \
    procps-ng \
    iproute && \
 dnf clean all; \
 (cd /lib/systemd/system/sysinit.target.wants/; for i in *; do [ $i == systemd-tmpfiles-setup.service ] || rm -f $i; done); \
 rm -f /lib/systemd/system/multi-user.target.wants/*;\
 rm -f /etc/systemd/system/*.wants/*;\
 rm -f /lib/systemd/system/local-fs.target.wants/*; \
 rm -f /lib/systemd/system/sockets.target.wants/*udev*; \
 rm -f /lib/systemd/system/sockets.target.wants/*initctl*; \
 rm -f /lib/systemd/system/basic.target.wants/*;\
 rm -f /lib/systemd/system/anaconda.target.wants/*; \
 rm -rf /var/cache/dnf/;
 STOPSIGNAL RTMIN+3
 VOLUME ["/sys/fs/cgroup"]
 CMD ["/usr/sbin/init"]
--- a/molecule/c9s-build/molecule.yml
+++ b/molecule/c9s-build/molecule.yml
@@ -1,19 +0,0 @@
 ---
 driver:
  name: docker
 platforms:
  - name: c9s-build
    image: "quay.io/centos/centos:stream9"
    dockerfile: Dockerfile
    hostname: ipaserver.test.local
    dns_servers:
      - 8.8.8.8
    volumes:
      - /sys/fs/cgroup:/sys/fs/cgroup:ro
    command: /usr/sbin/init
    privileged: true
 provisioner:
  name: ansible
  playbooks:
    prepare: ../resources/playbooks/prepare-build.yml
 prerun: false
--- a/molecule/c9s/molecule.yml
+++ b/molecule/c9s/molecule.yml
@@ -1,19 +0,0 @@
 ---
 driver:
  name: docker
 platforms:
  - name: c9s
    image: quay.io/ansible-freeipa/upstream-tests:c9s
    pre_build_image: true
    hostname: ipaserver.test.local
    dns_servers:
      - 127.0.0.1
    volumes:
      - /sys/fs/cgroup:/sys/fs/cgroup:ro
    command: /usr/sbin/init
    privileged: true
 provisioner:
  name: ansible
  playbooks:
    prepare: ../resources/playbooks/prepare.yml
 prerun: false
--- a/molecule/centos-7-build/molecule.yml
+++ b/molecule/centos-7-build/molecule.yml
@@ -1,19 +0,0 @@
 ---
 driver:
  name: docker
 platforms:
  - name: centos-7-build
    image: centos/systemd
    pre_build_image: true
    hostname: ipaserver.test.local
    dns_servers:
      - 8.8.8.8
    volumes:
      - /sys/fs/cgroup:/sys/fs/cgroup:ro
    command: /usr/sbin/init
    privileged: true
 provisioner:
  name: ansible
  playbooks:
    prepare: ../resources/playbooks/prepare-build.yml
 prerun: false
--- a/molecule/centos-7/molecule.yml
+++ b/molecule/centos-7/molecule.yml
@@ -1,19 +0,0 @@
 ---
 driver:
  name: docker
 platforms:
  - name: centos-7
    image: quay.io/ansible-freeipa/upstream-tests:centos-7
    pre_build_image: true
    hostname: ipaserver.test.local
    dns_servers:
      - 127.0.0.1
    volumes:
      - /sys/fs/cgroup:/sys/fs/cgroup:ro
    command: /usr/sbin/init
    privileged: true
 provisioner:
  name: ansible
  playbooks:
    prepare: ../resources/playbooks/prepare.yml
 prerun: false
--- a/molecule/default
+++ b/molecule/default
@@ -1 +0,0 @@
 fedora-latest
--- a/molecule/fedora-latest-build/Dockerfile
+++ b/molecule/fedora-latest-build/Dockerfile
@@ -1,30 +0,0 @@
 FROM fedora:latest
 ENV container=docker
 RUN rm -fv /var/cache/dnf/metadata_lock.pid; \
 dnf makecache; \
 dnf --assumeyes install \
    /usr/bin/python3 \
    /usr/bin/python3-config \
    /usr/bin/dnf-3 \
    sudo \
    bash \
    systemd \
    procps-ng \
    iproute && \
 dnf clean all; \
 (cd /lib/systemd/system/sysinit.target.wants/; for i in *; do [ $i == systemd-tmpfiles-setup.service ] || rm -f $i; done); \
 rm -f /lib/systemd/system/multi-user.target.wants/*;\
 rm -f /etc/systemd/system/*.wants/*;\
 rm -f /lib/systemd/system/local-fs.target.wants/*; \
 rm -f /lib/systemd/system/sockets.target.wants/*udev*; \
 rm -f /lib/systemd/system/sockets.target.wants/*initctl*; \
 rm -f /lib/systemd/system/basic.target.wants/*;\
 rm -f /lib/systemd/system/anaconda.target.wants/*; \
 rm -rf /var/cache/dnf/;
 STOPSIGNAL RTMIN+3
 VOLUME ["/sys/fs/cgroup"]
 CMD ["/usr/sbin/init"]
--- a/molecule/fedora-latest-build/molecule.yml
+++ b/molecule/fedora-latest-build/molecule.yml
@@ -1,19 +0,0 @@
 ---
 driver:
  name: docker
 platforms:
  - name: fedora-latest-build
    image: "fedora:latest"
    dockerfile: Dockerfile
    hostname: ipaserver.test.local
    dns_servers:
      - 8.8.8.8
    volumes:
      - /sys/fs/cgroup:/sys/fs/cgroup:ro
    command: /usr/sbin/init
    privileged: true
 provisioner:
  name: ansible
  playbooks:
    prepare: ../resources/playbooks/prepare-build.yml
 prerun: false
--- a/molecule/fedora-latest/molecule.yml
+++ b/molecule/fedora-latest/molecule.yml
@@ -1,19 +0,0 @@
 ---
 driver:
  name: docker
 platforms:
  - name: fedora-latest
    image: quay.io/ansible-freeipa/upstream-tests:fedora-latest
    pre_build_image: true
    hostname: ipaserver.test.local
    dns_servers:
      - 127.0.0.1
    volumes:
      - /sys/fs/cgroup:/sys/fs/cgroup:ro
    command: /usr/sbin/init
    privileged: true
 provisioner:
  name: ansible
  playbooks:
    prepare: ../resources/playbooks/prepare.yml
 prerun: false
--- a/molecule/fedora-rawhide-build/Dockerfile
+++ b/molecule/fedora-rawhide-build/Dockerfile
@@ -1,30 +0,0 @@
 FROM fedora:rawhide
 ENV container=docker
 RUN rm -fv /var/cache/dnf/metadata_lock.pid; \
 dnf makecache; \
 dnf --assumeyes install \
    /usr/bin/python3 \
    /usr/bin/python3-config \
    /usr/bin/dnf-3 \
    sudo \
    bash \
    systemd \
    procps-ng \
    iproute && \
 dnf clean all; \
 (cd /lib/systemd/system/sysinit.target.wants/; for i in *; do [ $i == systemd-tmpfiles-setup.service ] || rm -f $i; done); \
 rm -f /lib/systemd/system/multi-user.target.wants/*;\
 rm -f /etc/systemd/system/*.wants/*;\
 rm -f /lib/systemd/system/local-fs.target.wants/*; \
 rm -f /lib/systemd/system/sockets.target.wants/*udev*; \
 rm -f /lib/systemd/system/sockets.target.wants/*initctl*; \
 rm -f /lib/systemd/system/basic.target.wants/*;\
 rm -f /lib/systemd/system/anaconda.target.wants/*; \
 rm -rf /var/cache/dnf/;
 STOPSIGNAL RTMIN+3
 VOLUME ["/sys/fs/cgroup"]
 CMD ["/usr/sbin/init"]
--- a/molecule/fedora-rawhide-build/molecule.yml
+++ b/molecule/fedora-rawhide-build/molecule.yml
@@ -1,19 +0,0 @@
 ---
 driver:
  name: docker
 platforms:
  - name: fedora-rawhide-build
    image: "fedora:rawhide"
    dockerfile: Dockerfile
    hostname: ipaserver.test.local
    dns_servers:
      - 8.8.8.8
    volumes:
      - /sys/fs/cgroup:/sys/fs/cgroup:ro
    command: /usr/sbin/init
    privileged: true
 provisioner:
  name: ansible
  playbooks:
    prepare: ../resources/playbooks/prepare-build.yml
 prerun: false
--- a/molecule/fedora-rawhide/molecule.yml
+++ b/molecule/fedora-rawhide/molecule.yml
@@ -1,19 +0,0 @@
 ---
 driver:
  name: docker
 platforms:
  - name: fedora-rawhide
    image: quay.io/ansible-freeipa/upstream-tests:fedora-rawhide
    pre_build_image: true
    hostname: ipaserver.test.local
    dns_servers:
      - 127.0.0.1
    volumes:
      - /sys/fs/cgroup:/sys/fs/cgroup:ro
    command: /usr/sbin/init
    privileged: true
 provisioner:
  name: ansible
  playbooks:
    prepare: ../resources/playbooks/prepare.yml
 prerun: false
--- a/molecule/resources/playbooks/library
+++ b/molecule/resources/playbooks/library
@@ -1 +0,0 @@
 ../../../plugins/modules/
--- a/molecule/resources/playbooks/module_utils
+++ b/molecule/resources/playbooks/module_utils
@@ -1 +0,0 @@
 ../../../plugins/module_utils/
--- a/Show More
+++ b/Show More
`@@ -1,2 +1,2 @@`
	`---`	`---`
	`requires_ansible: ">=2.9"`	`requires_ansible: ">=2.14.0"`