Merge pull request #1033 from t-woerner/use_ipabackup_item_again

ipabackup: Use ipabackup_item again in copy_backup_to_server
2026-03-27 13:53:06 +00:00 · 2023-01-31 10:29:55 -03:00 · 2023-01-31 10:16:53 +01:00 · 2023-01-23 20:07:38 +01:00 · 2023-01-23 14:42:43 -03:00 · 2023-01-19 15:48:32 -03:00
366 changed files with 12383 additions and 7504 deletions
--- a/.ansible-lint
+++ b/.ansible-lint
@@ -10,10 +10,17 @@ exclude_paths:
  - molecule/
  - tests/azure/
  - meta/runtime.yml
+  - requirements-docker.yml
+  - requirements-podman.yml

 kinds:
  - playbook: '**/tests/**/test_*.yml'
  - playbook: '**/playbooks/**/*.yml'
+  - playbook: '**/tests/ca-less/install_*_without_ca.yml'
+  - playbook: '**/tests/ca-less/clean_up_certificates.yml'
+  - playbook: '**/tests/external-signed-ca-with-automatic-copy/install-server-with-external-ca-with-automatic-copy.yml'
+  - playbook: '**/tests/external-signed-ca-with-manual-copy/install-server-with-external-ca-with-manual-copy.yml'
+  - playbook: '**/tests/user/create_users_json.yml'
  - tasks: '**/tasks_*.yml'
  - tasks: '**/env_*.yml'

@@ -26,6 +33,8 @@ skip_list:
  - '305'  # Use shell only when shell functionality is required
  - '306'  # risky-shell-pipe
  - yaml   # yamllint should be executed separately.
+  - experimental   # Do not run any experimental tests
+  - name[template] # Allow Jinja templating inside task names

 use_default_rules: true

--- a/.github/workflows/ansible-test.yml
+++ b/.github/workflows/ansible-test.yml
@@ -8,7 +8,7 @@ jobs:
    name: Verify ansible-test sanity
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3.1.0
        with:
          fetch-depth: 0
      - name: Install virtualenv using pip
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -4,42 +4,14 @@ on:
  - push
  - pull_request
 jobs:
-  check_docs_29:
-    name: Check Ansible Documentation with Ansible 2.9.
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v2
-      - uses: actions/setup-python@v2
-        with:
-          python-version: '3.x'
-      - name: Install Ansible 2.9
-        run: |
-          python -m pip install "ansible < 2.10"
-      - name: Run ansible-doc-test
-        run: |
-          ANSIBLE_LIBRARY="." ANSIBLE_DOC_FRAGMENT_PLUGINS="." python utils/ansible-doc-test -v roles plugins
-
-  check_docs_2_11:
-    name: Check Ansible Documentation with ansible-core 2.11.
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v2
-      - uses: actions/setup-python@v2
-        with:
-          python-version: '3.x'
-      - name: Install Ansible 2.11
-        run: |
-          python -m pip install "ansible-core >=2.11,<2.12"
-      - name: Run ansible-doc-test
-        run: |
-          ANSIBLE_LIBRARY="." ANSIBLE_DOC_FRAGMENT_PLUGINS="." python utils/ansible-doc-test -v roles plugins
-
-  check_docs_2_12:
+  check_docs_oldest_supported:
    name: Check Ansible Documentation with ansible-core 2.12.
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v2
-      - uses: actions/setup-python@v2
+      - uses: actions/checkout@v3.1.0
+        with:
+          fetch-depth: 0
+      - uses: actions/setup-python@v4.3.0
        with:
          python-version: '3.x'
      - name: Install Ansible 2.12
@@ -47,15 +19,50 @@ jobs:
          python -m pip install "ansible-core >=2.12,<2.13"
      - name: Run ansible-doc-test
        run: |
-          python -m pip install "ansible-core >=2.12,<2.13"
          ANSIBLE_LIBRARY="." ANSIBLE_DOC_FRAGMENT_PLUGINS="." python utils/ansible-doc-test -v roles plugins

-  check_docs_latest:
+  check_docs_previous:
+    name: Check Ansible Documentation with ansible-core 2.13.
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3.1.0
+        with:
+          fetch-depth: 0
+      - uses: actions/setup-python@v4.3.0
+        with:
+          python-version: '3.x'
+      - name: Install Ansible 2.13
+        run: |
+          python -m pip install "ansible-core >=2.13,<2.14"
+      - name: Run ansible-doc-test
+        run: |
+          ANSIBLE_LIBRARY="." ANSIBLE_DOC_FRAGMENT_PLUGINS="." python utils/ansible-doc-test -v roles plugins
+
+  check_docs_current:
+    name: Check Ansible Documentation with ansible-core 2.14.
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3.1.0
+        with:
+          fetch-depth: 0
+      - uses: actions/setup-python@v4.3.0
+        with:
+          python-version: '3.x'
+      - name: Install Ansible 2.14
+        run: |
+          python -m pip install "ansible-core >=2.14,<2.15"
+      - name: Run ansible-doc-test
+        run: |
+          ANSIBLE_LIBRARY="." ANSIBLE_DOC_FRAGMENT_PLUGINS="." python utils/ansible-doc-test -v roles plugins
+
+  check_docs_ansible_latest:
    name: Check Ansible Documentation with latest Ansible version.
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v2
-      - uses: actions/setup-python@v2
+      - uses: actions/checkout@v3.1.0
+        with:
+          fetch-depth: 0
+      - uses: actions/setup-python@v4.3.0
        with:
          python-version: '3.x'
      - name: Install Ansible-latest
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -8,36 +8,40 @@ jobs:
    name: Verify ansible-lint
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v2
-      - uses: actions/setup-python@v2
+      - uses: actions/checkout@v3.1.0
+        with:
+          fetch-depth: 0
+      - uses: actions/setup-python@v4.3.0
        with:
          python-version: "3.x"
      - name: Run ansible-lint
        run: |
-          pip install ansible-core==2.11.6 ansible-lint
-          find playbooks roles tests -name '*.yml' ! -name "env_*" ! -name "tasks_*" -exec ansible-lint --force-color {} \+
-        env:
-          ANSIBLE_MODULE_UTILS: plugins/module_utils
-          ANSIBLE_LIBRARY: plugins/modules
-          ANSIBLE_DOC_FRAGMENT_PLUGINS: plugins/doc_fragments
+          pip install "ansible-core >=2.14,<2.15" ansible-lint
+          utils/build-galaxy-release.sh -ki
+          cd .galaxy-build
+          ansible-lint

  yamllint:
    name: Verify yamllint
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v2
-      - uses: actions/setup-python@v2
+      - uses: actions/checkout@v3.1.0
+        with:
+          fetch-depth: 0
+      - uses: actions/setup-python@v4.3.0
        with:
          python-version: "3.x"
      - name: Run yaml-lint
-        uses: ibiqlik/action-yamllint@v1
+        uses: ibiqlik/action-yamllint@v3.1.1

  pydocstyle:
    name: Verify pydocstyle
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v2
-      - uses: actions/setup-python@v2
+      - uses: actions/checkout@v3.1.0
+        with:
+          fetch-depth: 0
+      - uses: actions/setup-python@v4.3.0
        with:
          python-version: "3.x"
      - name: Run pydocstyle
@@ -49,32 +53,38 @@ jobs:
    name: Verify flake8
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v2
-      - uses: actions/setup-python@v2
+      - uses: actions/checkout@v3.1.0
+        with:
+          fetch-depth: 0
+      - uses: actions/setup-python@v4.3.0
        with:
          python-version: "3.x"
      - name: Run flake8
        run: |
-            pip install flake8
+            pip install flake8 flake8-bugbear
            flake8

  pylint:
    name: Verify pylint
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v2
-      - uses: actions/setup-python@v2
+      - uses: actions/checkout@v3.1.0
+        with:
+          fetch-depth: 0
+      - uses: actions/setup-python@v4.3.0
        with:
          python-version: "3.x"
      - name: Run pylint
        run: |
-            pip install pylint==2.12.2
+            pip install pylint==2.14.4 wrapt==1.14.0
            pylint plugins roles --disable=import-error

  shellcheck:
    name: Shellcheck
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3.1.0
+        with:
+          fetch-depth: 0
      - name: Run ShellCheck
-        uses: ludeeus/action-shellcheck@1.1.0
+        uses: ludeeus/action-shellcheck@master
--- a/.github/workflows/readme.yml
+++ b/.github/workflows/readme.yml
@@ -8,7 +8,9 @@ jobs:
    name: Verify readme
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3.1.0
+        with:
+          fetch-depth: 0
      - name: Run readme test
        run: |
          error=0
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -1,7 +1,7 @@
 ---
 repos:
 - repo: https://github.com/ansible/ansible-lint.git
-  rev: v5.3.2
+  rev: v6.6.1
  hooks:
  - id: ansible-lint
    always_run: false
@@ -11,20 +11,20 @@ repos:
    entry: |
        env ANSIBLE_LIBRARY=./plugins/modules ANSIBLE_MODULE_UTILS=./plugins/module_utils ANSIBLE_DOC_FRAGMENT_PLUGINS=./plugins/doc_fragments ansible-lint
 - repo: https://github.com/adrienverge/yamllint.git
-  rev: v1.26.1
+  rev: v1.28.0
  hooks:
  - id: yamllint
    files: \.(yaml|yml)$
- repo: https://gitlab.com/pycqa/flake8
-  rev: 3.9.2
+- repo: https://github.com/pycqa/flake8
+  rev: 5.0.3
  hooks:
  - id: flake8
- repo: https://gitlab.com/pycqa/pydocstyle
-  rev: 6.1.1
+- repo: https://github.com/pycqa/pydocstyle
+  rev: 6.0.0
  hooks:
  - id: pydocstyle
 - repo: https://github.com/pycqa/pylint
-  rev: v2.12.2
+  rev: v2.14.4
  hooks:
  - id: pylint
    args:
--- a/README-config.md
+++ b/README-config.md
@@ -65,6 +65,9 @@ Example playbook to read config options:
        maxusername: 64
 ```

+
+Example playbook to set global configuration options:
+
 ```yaml
 ---
 - name: Playbook to ensure some config options are set
@@ -79,6 +82,40 @@ Example playbook to read config options:
 ```


+Example playbook to enable SID and generate users and groups SIDs:
+
+```yaml
+---
+- name: Playbook to ensure SIDs are enabled and users and groups have SIDs
+  hosts: ipaserver
+  become: no
+  gather_facts: no
+
+  tasks:
+    - name: Enable SID and generate users and groups SIDS
+      ipaconfig:
+        ipaadmin_password: SomeADMINpassword
+        enable_sid: yes
+        add_sids: yes
+```
+
+Example playbook to change IPA domain NetBIOS name:
+
+```yaml
+---
+- name: Playbook to change IPA domain netbios name
+  hosts: ipaserver
+  become: no
+  gather_facts: no
+
+  tasks:
+    - name: Set IPA domain netbios name
+      ipaconfig:
+        ipaadmin_password: SomeADMINpassword
+        enable_sid: yes
+        netbios_name: IPADOM
+```
+
 Variables
 =========

@@ -111,6 +148,9 @@ Variable | Description | Required
 `user_auth_type` \| `ipauserauthtype` |  set default types of supported user authentication (choices: `password`, `radius`, `otp`, `disabled`). Use `""` to clear this variable. | no
 `domain_resolution_order` \| `ipadomainresolutionorder` | Set list of domains used for short name qualification | no
 `ca_renewal_master_server` \| `ipacarenewalmasterserver`| Renewal master for IPA certificate authority. | no
+`enable_sid` | New users and groups automatically get a SID assigned. Cannot be deactivated once activated. Requires IPA 4.9.8+. (bool) | no
+`netbios_name` | NetBIOS name of the IPA domain. Requires IPA 4.9.8+ and SID generation to be activated. | no
+`add_sids` | Add SIDs for existing users and groups. Requires IPA 4.9.8+ and SID generation to be activated. (bool) | no


 Return Values
@@ -140,6 +180,8 @@ Variable | Description | Returned When
 &nbsp; | `user_auth_type` | &nbsp;
 &nbsp; | `domain_resolution_order` | &nbsp;
 &nbsp; | `ca_renewal_master_server` | &nbsp;
+&nbsp; | `enable_sid` | &nbsp;
+&nbsp; | `netbios_name` | &nbsp;

 All returned fields take the same form as their namesake input parameters

--- a/README-netgroup.md
+++ b/README-netgroup.md
@@ -0,0 +1,179 @@
+Netgroup module
+============
+
+Description
+-----------
+
+The netgroup module allows to ensure presence and absence of netgroups.
+
+Features
+--------
+
+* Netgroup management
+
+
+Supported FreeIPA Versions
+--------------------------
+
+FreeIPA versions 4.4.0 and up are supported by the ipanetgroup module.
+
+
+Requirements
+------------
+
+**Controller**
+* Ansible version: 2.8+
+
+**Node**
+* Supported FreeIPA version (see above)
+
+
+Usage
+=====
+
+Example inventory file
+
+```ini
+[ipaserver]
+ipaserver.test.local
+```
+
+
+Example playbook to make sure netgroup "my_netgroup1" is present:
+
+```yaml
+---
+- name: Playbook to manage IPA netgroup.
+  hosts: ipaserver
+  become: no
+
+  tasks:
+  - name: Ensure netgroup my_netgroup1 is present
+    ipanetgroup:
+      ipaadmin_password: SomeADMINpassword
+      name: my_netgroup1
+      description: My netgroup 1
+```
+
+
+Example playbook to make sure netgroup "my_netgroup1" is absent:
+
+```yaml
+---
+- name: Playbook to manage IPA netgroup.
+  hosts: ipaserver
+  become: no
+
+  tasks:
+  - name: Ensure netgroup my_netgroup1 is absent
+    ipanetgroup:
+      ipaadmin_password: SomeADMINpassword
+      name: my_netgroup1
+      state: absent
+```
+
+
+Example playbook to make sure netgroup is present with user "user1"
+
+```yaml
+---
+- name: Playbook to manage IPA netgroup.
+  hosts: ipaserver
+  become: no
+
+  tasks:
+  - name: Ensure netgroup is present with user "user1"
+    ipanetgroup:
+      ipaadmin_password: SomeADMINpassword
+      name: TestNetgroup1
+      user: user1
+      action: member
+```
+
+
+Example playbook to make sure netgroup user, "user1", is absent
+
+```yaml
+---
+- name: Playbook to manage IPA netgroup.
+  hosts: ipaserver
+  become: no
+
+  tasks:
+  - name: Ensure netgroup user, "user1", is absent
+    ipanetgroup:
+      ipaadmin_password: SomeADMINpassword
+      name: TestNetgroup1
+      user: "user1"
+      action: member
+      state: absent
+```
+
+
+Example playbook to make sure netgroup is present with members
+
+```yaml
+---
+- name: Playbook to manage IPA netgroup.
+  hosts: ipaserver
+  become: no
+
+  tasks:
+  - name: Ensure netgroup members are present
+    ipanetgroup:
+      ipaadmin_password: SomeADMINpassword
+      name: TestNetgroup1
+      user: user1,user2
+      group: group1
+      host: host1
+      hostgroup: ipaservers
+      netgroup: admins
+      action: member
+```
+
+
+Example playbook to make sure 2 netgroups TestNetgroup1, admins are absent
+
+```yaml
+---
+- name: Playbook to manage IPA netgroup.
+  hosts: ipaserver
+  become: no
+
+  tasks:
+  - name: Ensure netgroups are absent
+    ipanetgroup:
+      ipaadmin_password: SomeADMINpassword
+      name:
+      - TestNetgroup1
+      - admins
+      state: absent
+```
+
+
+Variables
+---------
+
+Variable | Description | Required
+-------- | ----------- | --------
+`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
+`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
+`ipaapi_context` | The context in which the module will execute. Executing in a server context is preferred. If not provided context will be determined by the execution environment. Valid values are `server` and `client`. | no
+`ipaapi_ldap_cache` | Use LDAP cache for IPA connection. The bool setting defaults to yes. (bool) | no
+`name` \| `cn` | The list of netgroup name strings. | yes
+`description` | Netgroup description | no
+`nisdomain` | NIS domain name | no
+`nomembers` | Suppress processing of membership attributes. (bool) | no
+`user` | List of user name strings assigned to this netgroup. | no
+`group` | List of group name strings assigned to this netgroup. | no
+`host` | List of host name strings assigned to this netgroup. | no
+`hostgroup` | List of hostgroup name strings assigned to this netgroup. | no
+`netgroup` | List of netgroup name strings assigned to this netgroup. | no
+`action` | Work on group or member level. It can be on of `member` or `netgroup` and defaults to `netgroup`. | no
+`state` | The state to ensure. It can be one of `present`, `absent`, default: `present`. | no
+
+
+Authors
+=======
+
+Denis Karpelevich
--- a/README-pwpolicy.md
+++ b/README-pwpolicy.md
@@ -87,6 +87,36 @@ Example playbook to ensure maxlife is set to 49 in global policy:
      maxlife: 49
 ```

+Example playbook to ensure password grace period is set to 3 in global policy:
+
+```yaml
+---
+- name: Playbook to handle pwpolicies
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  # Ensure maxlife is set to 49 in global policy
+  - ipapwpolicy:
+      ipaadmin_password: SomeADMINpassword
+      gracelimit: 3
+```
+
+Example playbook to ensure password grace period is set to unlimited in global policy:
+
+```yaml
+---
+- name: Playbook to handle pwpolicies
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  # Ensure maxlife is set to 49 in global policy
+  - ipapwpolicy:
+      ipaadmin_password: SomeADMINpassword
+      gracelimit: -1
+```
+

 Variables
 =========
@@ -107,6 +137,11 @@ Variable | Description | Required
 `maxfail` \| `krbpwdmaxfailure` | Consecutive failures before lockout. (int) | no
 `failinterval` \| `krbpwdfailurecountinterval` | Period after which failure count will be reset in seconds. (int) | no
 `lockouttime` \| `krbpwdlockoutduration` | Period for which lockout is enforced in seconds. (int) | no
+`maxrepeat` \| `ipapwdmaxrepeat` | Maximum number of same consecutive characters. Requires IPA 4.9+ (int) | no
+`maxsequence` \| `ipapwdmaxsequence` |  The maximum length of monotonic character sequences (abcd). Requires IPA 4.9+ (int) | no
+`dictcheck` \| `ipapwdictcheck` | Check if the password is a dictionary word. Requires IPA 4.9+ (int) | no
+`usercheck` \| `ipapwdusercheck` | Check if the password contains the username. Requires IPA 4.9+ (int) | no
+`gracelimit` \| `passwordgracelimit` |  Number of LDAP authentications allowed after expiration. Requires IPA 4.9.10 (int) | no
 `state` | The state to ensure. It can be one of `present` or `absent`, default: `present`. | yes


--- a/README-sudorule.md
+++ b/README-sudorule.md
@@ -129,6 +129,7 @@ Variable | Description | Required
 `nomembers` | Suppress processing of membership attributes. (bool) | no
 `host` | List of host name strings assigned to this sudorule. | no
 `hostgroup` | List of host group name strings assigned to this sudorule. | no
+`hostmask` | List of host masks of allowed hosts | no
 `user` | List of user name strings assigned to this sudorule. | no
 `group` | List of user group name strings assigned to this sudorule. | no
 `allow_sudocmd` | List of sudocmd name strings assigned to the allow group of this sudorule. | no
--- a/README-user.md
+++ b/README-user.md
@@ -381,8 +381,8 @@ Variable | Description | Required

 Variable | Description | Required
 -------- | ----------- | --------
-`first` \| `givenname` | The first name string. | no
-`last` \| `sn` | The last name string. | no
+`first` \| `givenname` | The first name string. Required if user does not exist. | no
+`last` \| `sn` | The last name string. Required if user does not exist. | no
 `fullname` \| `cn` | The full name string. | no
 `displayname` | The display name string. | no
 `homedir` | The home directory string. | no
--- a/README-vault.md
+++ b/README-vault.md
@@ -222,8 +222,8 @@ Variable | Description | Required
 `password_file` \| `vault_password_file` \| `old_password_file`| File containing Base64 encoded Vault password. | no
 `new_password` | Vault new password. | no
 `new_password_file` | File containing Base64 encoded new Vault password. | no
-`public_key ` \| `vault_public_key` \| `ipavaultpublickey` | Base64 encoded vault public key. | no
-`public_key_file` \| `vault_public_key_file` | Path to file with public key. | no
+`public_key ` \| `vault_public_key` \| `ipavaultpublickey` \| `new_public_key` | Base64 encoded vault public key. | no
+`public_key_file` \| `vault_public_key_file` \| `new_public_key_file` | Path to file with public key. | no
 `private_key `\| `vault_private_key` \| `ipavaultprivatekey` | Base64 encoded vault private key. Used only to retrieve data. | no
 `private_key_file` \| `vault_private_key_file` | Path to file with private key. Used only to retrieve data. | no
 `salt` \| `vault_salt` \| `ipavaultsalt` | Vault salt. | no
--- a/README.md
+++ b/README.md
@@ -31,6 +31,7 @@ Features
 * Modules for hostgroup management
 * Modules for idrange management
 * Modules for location management
+* Modules for netgroup management
 * Modules for permission management
 * Modules for privilege management
 * Modules for pwpolicy management
@@ -68,7 +69,6 @@ Requirements

 **Controller**
 * Ansible version: 2.8+ (ansible-freeipa is an Ansible Collection)
-* /usr/bin/kinit is required on the controller if a one time password (OTP) is used

 **Node**
 * Supported FreeIPA version (see above)
@@ -288,7 +288,7 @@ ipaserver_domain=test.local
 ipaserver_realm=TEST.LOCAL
 ```

-For enhanced security it is possible to use a auto-generated one-time-password (OTP). This will be generated on the controller using the (first) server.
+For enhanced security it is possible to use a auto-generated one-time-password (OTP). This will be generated on the (first) server.

 To enable the generation of the one-time-password:
 ```yaml
@@ -450,6 +450,7 @@ Modules in plugin/modules
 * [ipahostgroup](README-hostgroup.md)
 * [idrange](README-idrange.md)
 * [ipalocation](README-location.md)
+* [ipanetgroup](README-netgroup.md)
 * [ipapermission](README-permission.md)
 * [ipaprivilege](README-privilege.md)
 * [ipapwpolicy](README-pwpolicy.md)
--- a/playbooks/automount/automount-map-absent.yaml
+++ b/playbooks/automount/automount-map-absent.yaml
@@ -4,7 +4,7 @@
  become: no

  tasks:
-  - name: ensure map TestMap is absent
+  - name: Ensure map TestMap is absent
    ipaautomountmap:
      ipaadmin_password: SomeADMINpassword
      name: TestMap
--- a/playbooks/automount/automount-map-present.yaml
+++ b/playbooks/automount/automount-map-present.yaml
@@ -4,7 +4,7 @@
  become: no

  tasks:
-  - name: ensure map TestMap is present
+  - name: Ensure map TestMap is present
    ipaautomountmap:
      ipaadmin_password: SomeADMINpassword
      name: TestMap
--- a/playbooks/config/change-ipa-domain-netbios-name.yml
+++ b/playbooks/config/change-ipa-domain-netbios-name.yml
@@ -0,0 +1,12 @@
+---
+- name: Playbook to change IPA domain netbios name
+  hosts: ipaserver
+  become: no
+  gather_facts: no
+
+  tasks:
+    - name: Set IPA domain netbios name
+      ipaconfig:
+        ipaadmin_password: SomeADMINpassword
+        enable_sid: yes
+        netbios_name: IPADOM
--- a/playbooks/config/generate-users-groups-sids.yml
+++ b/playbooks/config/generate-users-groups-sids.yml
@@ -0,0 +1,12 @@
+---
+- name: Playbook to ensure SIDs are enabled and users and groups have SIDs
+  hosts: ipaserver
+  become: no
+  gather_facts: no
+
+  tasks:
+    - name: Enable SID and generate users and groups SIDS
+      ipaconfig:
+        ipaadmin_password: SomeADMINpassword
+        enable_sid: yes
+        add_sids: yes
--- a/playbooks/config/retrieve-config.yml
+++ b/playbooks/config/retrieve-config.yml
@@ -1,5 +1,5 @@
 ---
- name: Playbook to handle global DNS configuration
+- name: Playbook to handle global IPA configuration
  hosts: ipaserver
  become: no
  gather_facts: no
@@ -11,5 +11,5 @@
    register: serverconfig

  - name: Display current configuration.
-    debug:
+    ansible.builtin.debug:
      msg: "{{ serverconfig }}"
--- a/playbooks/config/set-ca-renewal-master-server.yml
+++ b/playbooks/config/set-ca-renewal-master-server.yml
@@ -1,11 +1,11 @@
 ---
- name: Playbook to handle global DNS configuration
+- name: Playbook to handle global IPA configuration
  hosts: ipaserver
  become: no
  gather_facts: no

  tasks:
-  - name: set ca_renewal_master_server
+  - name: Set ca_renewal_master_server
    ipaconfig:
      ipaadmin_password: SomeADMINpassword
      ca_renewal_master_server: carenewal.example.com
--- a/playbooks/dnszone/dnszone-all-params.yml
+++ b/playbooks/dnszone/dnszone-all-params.yml
@@ -1,5 +1,5 @@
 ---
- name: dnszone present
+- name: All dnszone parameters
  hosts: ipaserver
  become: true

--- a/playbooks/dnszone/dnszone-present.yml
+++ b/playbooks/dnszone/dnszone-present.yml
@@ -1,5 +1,5 @@
 ---
- name: dnszone present
+- name: Dnszone present
  hosts: ipaserver
  become: true

--- a/playbooks/dnszone/dnszone-reverse-from-ip.yml
+++ b/playbooks/dnszone/dnszone-reverse-from-ip.yml
@@ -11,5 +11,5 @@
    register: result

  - name: Zone name inferred from `name_from_ip`
-    debug:
+    ansible.builtin.debug:
      msg: "Zone created: {{ result.dnszone.name }}"
--- a/playbooks/host/ensure_host_with_randompassword.yml
+++ b/playbooks/host/ensure_host_with_randompassword.yml
@@ -14,5 +14,5 @@
    register: ipahost

  - name: Print generated random password
-    debug:
+    ansible.builtin.debug:
      var: ipahost.host.randompassword
--- a/playbooks/host/host-present-with-randompassword.yml
+++ b/playbooks/host/host-present-with-randompassword.yml
@@ -13,5 +13,5 @@
    register: ipahost

  - name: Print generated random password
-    debug:
+    ansible.builtin.debug:
      var: ipahost.host.randompassword
--- a/playbooks/host/hosts-present-with-randompasswords.yml
+++ b/playbooks/host/hosts-present-with-randompasswords.yml
@@ -17,9 +17,9 @@
    register: ipahost

  - name: Print generated random password for host01.example.com
-    debug:
+    ansible.builtin.debug:
      var: ipahost.host["host01.example.com"].randompassword

  - name: Print generated random password for host02.example.com
-    debug:
+    ansible.builtin.debug:
      var: ipahost.host["host02.example.com"].randompassword
--- a/playbooks/netgroup/netgroup-absent.yml
+++ b/playbooks/netgroup/netgroup-absent.yml
@@ -0,0 +1,12 @@
+---
+- name: Netgroup absent example
+  hosts: ipaserver
+  become: no
+  gather_facts: no
+
+  tasks:
+  - name: Ensure netgroup my_netgroup1 is absent
+    ipanetgroup:
+      ipaadmin_password: SomeADMINpassword
+      name: my_netgroup1
+      state: absent
--- a/playbooks/netgroup/netgroup-member-absent.yml
+++ b/playbooks/netgroup/netgroup-member-absent.yml
@@ -0,0 +1,14 @@
+---
+- name: Netgroup absent example
+  hosts: ipaserver
+  become: no
+  gather_facts: no
+
+  tasks:
+  - name: Ensure netgroup user, "user1", is absent
+    ipanetgroup:
+      ipaadmin_password: SomeADMINpassword
+      name: TestNetgroup1
+      user: "user1"
+      action: member
+      state: absent
--- a/playbooks/netgroup/netgroup-member-present.yml
+++ b/playbooks/netgroup/netgroup-member-present.yml
@@ -0,0 +1,13 @@
+---
+- name: Netgroup member present example
+  hosts: ipaserver
+  become: no
+  gather_facts: no
+
+  tasks:
+  - name: Ensure netgroup is present with user "user1"
+    ipanetgroup:
+      ipaadmin_password: SomeADMINpassword
+      name: TestNetgroup1
+      user: user1
+      action: member
--- a/playbooks/netgroup/netgroup-present.yml
+++ b/playbooks/netgroup/netgroup-present.yml
@@ -0,0 +1,12 @@
+---
+- name: Netgroup present example
+  hosts: ipaserver
+  become: no
+  gather_facts: no
+
+  tasks:
+  - name: Ensure netgroup my_netgroup1 is present
+    ipanetgroup:
+      ipaadmin_password: SomeADMINpassword
+      name: my_netgroup1
+      description: My netgroup 1
--- a/playbooks/pwpolicy/pwpolicy_grace_limit.yml
+++ b/playbooks/pwpolicy/pwpolicy_grace_limit.yml
@@ -0,0 +1,11 @@
+---
+- name: Playbook to manage password policy
+  hosts: ipaserver
+  become: no
+  gather_facts: no
+
+  tasks:
+  - name: Set password policy grace limit.
+    ipapwpolicy:
+      ipaadmin_password: SomeADMINpassword
+      gracelimit: 3
--- a/playbooks/pwpolicy/pwpolicy_password_check.yml
+++ b/playbooks/pwpolicy/pwpolicy_password_check.yml
@@ -0,0 +1,14 @@
+---
+- name: Playbook to manage password policy
+  hosts: ipaserver
+  become: no
+  gather_facts: no
+
+  tasks:
+  - name: Set password checking parameters.
+    ipapwpolicy:
+      ipaadmin_password: SomeADMINpassword
+      maxrepeat: 2
+      maxsequence: 3
+      dictcheck: yes
+      usercheck: yes
--- a/playbooks/sudorule/ensure-sudorule-hostmask-member-is-absent.yml
+++ b/playbooks/sudorule/ensure-sudorule-hostmask-member-is-absent.yml
@@ -0,0 +1,14 @@
+---
+- name: Playbook to manage sudorule
+  hosts: ipaserver
+  become: no
+  gather_facts: no
+
+  tasks:
+  - name: Ensure hostmask network is absent in sudorule
+    ipasudorule:
+      ipaadmin_password: SomeADMINpassword
+      name: testrule1
+      hostmask: 192.168.122.37/24
+      action: member
+      state: absent
--- a/playbooks/sudorule/ensure-sudorule-hostmask-member-is-present.yml
+++ b/playbooks/sudorule/ensure-sudorule-hostmask-member-is-present.yml
@@ -0,0 +1,13 @@
+---
+- name: Playbook to manage sudorule
+  hosts: ipaserver
+  become: no
+  gather_facts: no
+
+  tasks:
+  - name: Ensure hostmask network is present in sudorule
+    ipasudorule:
+      ipaadmin_password: SomeADMINpassword
+      name: testrule1
+      hostmask: 192.168.122.37/24
+      action: member
--- a/playbooks/trust/add-trust.yml
+++ b/playbooks/trust/add-trust.yml
@@ -4,7 +4,7 @@
  become: true

  tasks:
-    - name: ensure the trust is present
+    - name: Ensure the trust is present
      ipatrust:
        ipaadmin_password: SomeADMINpassword
        realm: windows.local
--- a/playbooks/trust/del-trust.yml
+++ b/playbooks/trust/del-trust.yml
@@ -4,7 +4,7 @@
  become: true

  tasks:
-    - name: ensure the trust is absent
+    - name: Ensure the trust is absent
      ipatrust:
        ipaadmin_password: SomeADMINpassword
        realm: windows.local
--- a/playbooks/user/ensure_user_with_randompassword.yml
+++ b/playbooks/user/ensure_user_with_randompassword.yml
@@ -15,5 +15,5 @@
    register: ipauser

  - name: Print generated random password
-    debug:
+    ansible.builtin.debug:
      var: ipauser.user.randompassword
--- a/playbooks/user/ensure_users_with_randompasswords.yml
+++ b/playbooks/user/ensure_users_with_randompasswords.yml
@@ -20,9 +20,9 @@
    register: ipauser

  - name: Print generated random password for user1
-    debug:
+    ansible.builtin.debug:
      var: ipauser.user.user1.randompassword

  - name: Print generated random password for user2
-    debug:
+    ansible.builtin.debug:
      var: ipauser.user.user2.randompassword
--- a/playbooks/vault/retrive-data-asymmetric-vault.yml
+++ b/playbooks/vault/retrive-data-asymmetric-vault.yml
@@ -15,5 +15,5 @@
      register: result
      no_log: true
    - name: Display retrieved data.
-      debug:
+      ansible.builtin.debug:
        msg: "Data: {{ result.vault.data }}"
--- a/playbooks/vault/retrive-data-symmetric-vault.yml
+++ b/playbooks/vault/retrive-data-symmetric-vault.yml
@@ -15,5 +15,5 @@
      register: result
      no_log: true
    - name: Display retrieved data.
-      debug:
+      ansible.builtin.debug:
        msg: "Data: {{ result.vault.data }}"
--- a/playbooks/vault/vault-is-present-with-password-file.yml
+++ b/playbooks/vault/vault-is-present-with-password-file.yml
@@ -6,7 +6,7 @@

  tasks:
  - name: Copy file containing password to server.
-    copy:
+    ansible.builtin.copy:
      src: "{{ playbook_dir }}/password.txt"
      dest: "{{ ansible_facts['env'].HOME }}/password.txt"
      owner: "{{ ansible_user }}"
@@ -20,6 +20,6 @@
      vault_type: symmetric
      vault_password_file: "{{ ansible_facts['env'].HOME }}/password.txt"
  - name: Remove file containing password from server.
-    file:
+    ansible.builtin.file:
      path: "{{ ansible_facts['env'].HOME }}/password.txt"
      state: absent
--- a/playbooks/vault/vault-is-present-with-public-key-file.yml
+++ b/playbooks/vault/vault-is-present-with-public-key-file.yml
@@ -11,7 +11,7 @@

  tasks:
  - name: Copy public key file to server.
-    copy:
+    ansible.builtin.copy:
      src: "{{ playbook_dir }}/public.pem"
      dest: "{{ ansible_facts['env'].HOME }}/public.pem"
      owner: "{{ ansible_user }}"
@@ -25,6 +25,6 @@
      vault_type: asymmetric
      vault_public_key_file: "{{ ansible_facts['env'].HOME }}/public.pem"
  - name: Remove public key file from server.
-    file:
+    ansible.builtin.file:
      path: "{{ ansible_facts['env'].HOME }}/public.pem"
      state: absent
--- a/plugins/doc_fragments/ipamodule_base_docs.py
+++ b/plugins/doc_fragments/ipamodule_base_docs.py
@@ -30,15 +30,18 @@ options:
  ipaadmin_principal:
    description: The admin principal.
    default: admin
+    type: str
  ipaadmin_password:
    description: The admin password.
    required: false
+    type: str
  ipaapi_context:
    description: |
      The context in which the module will execute. Executing in a
      server context is preferred. If not provided context will be
      determined by the execution environment.
    choices: ["server", "client"]
+    type: str
    required: false
  ipaapi_ldap_cache:
    description: Use LDAP cache for IPA connection.
--- a/plugins/module_utils/ansible_freeipa_module.py
+++ b/plugins/module_utils/ansible_freeipa_module.py
--- a/plugins/modules/ipaautomember.py
+++ b/plugins/modules/ipaautomember.py
@@ -3,8 +3,9 @@
 # Authors:
 #   Mark Hahl <mhahl@redhat.com>
 #   Jake Reynolds <jakealexis@gmail.com>
+#   Thomas Woerner <twoerner@redhat.com>
 #
-# Copyright (C) 2021 Red Hat
+# Copyright (C) 2021-2022 Red Hat
 # see file 'COPYING' for use and warranty information
 #
 # This program is free software; you can redistribute it and/or modify
@@ -34,21 +35,24 @@ ANSIBLE_METADATA = {
 DOCUMENTATION = """
 ---
 module: ipaautomember
-short description: Add and delete FreeIPA Auto Membership Rules.
+short_description: Add and delete FreeIPA Auto Membership Rules.
 description: Add, modify and delete an IPA Auto Membership Rules.
 extends_documentation_fragment:
  - ipamodule_base_docs
 options:
  name:
    description: The automember rule
-    required: true
+    required: false
+    type: list
+    elements: str
    aliases: ["cn"]
  description:
    description: A description of this auto member rule
    required: false
+    type: str
  automember_type:
    description: Grouping to which the rule applies
-    required: true
+    required: false
    type: str
    choices: ["group", "hostgroup"]
  exclusive:
@@ -56,7 +60,7 @@ options:
    type: list
    elements: dict
    aliases: ["automemberexclusiveregex"]
-    options:
+    suboptions:
      key:
        description: The attribute of the regex
        type: str
@@ -70,7 +74,7 @@ options:
    type: list
    elements: dict
    aliases: ["automemberinclusiveregex"]
-    options:
+    suboptions:
      key:
        description: The attribute of the regex
        type: str
@@ -82,10 +86,12 @@ options:
  users:
    description: Users to rebuild membership for.
    type: list
+    elements: str
    required: false
  hosts:
    description: Hosts to rebuild membership for.
    type: list
+    elements: str
    required: false
  no_wait:
    description: Don't wait for rebuilding membership.
@@ -95,16 +101,18 @@ options:
    type: str
  action:
    description: Work on automember or member level
+    type: str
    default: automember
    choices: ["member", "automember"]
  state:
    description: State to ensure
+    type: str
    default: present
    choices: ["present", "absent", "rebuilt", "orphans_removed"]
 author:
-    - Mark Hahl
-    - Jake Reynolds
-    - Thomas Woerner
+  - Mark Hahl (@mhahl)
+  - Jake Reynolds (@jake2184)
+  - Thomas Woerner (@t-woerner)
 """

 EXAMPLES = """
@@ -208,7 +216,6 @@ EXAMPLES = """
 RETURN = """
 """

-
 from ansible.module_utils.ansible_freeipa_module import (
    IPAAnsibleModule, compare_args_ipa, gen_add_del_lists, ipalib_errors, DN
 )
@@ -315,7 +322,8 @@ def main():
                           aliases=["automemberinclusiveregex"],
                           default=None,
                           options=dict(
-                               key=dict(type="str", required=True),
+                               key=dict(type="str", required=True,
+                                        no_log=False),
                               expression=dict(type="str", required=True)
                           ),
                           elements="dict",
@@ -324,12 +332,13 @@ def main():
                           aliases=["automemberexclusiveregex"],
                           default=None,
                           options=dict(
-                               key=dict(type="str", required=True),
+                               key=dict(type="str", required=True,
+                                        no_log=False),
                               expression=dict(type="str", required=True)
                           ),
                           elements="dict",
                           required=False),
-            name=dict(type="list", aliases=["cn"],
+            name=dict(type="list", elements="str", aliases=["cn"],
                      default=None, required=False),
            description=dict(type="str", default=None),
            automember_type=dict(type='str', required=False,
@@ -341,8 +350,8 @@ def main():
            state=dict(type="str", default="present",
                       choices=["present", "absent", "rebuilt",
                                "orphans_removed"]),
-            users=dict(type="list", default=None),
-            hosts=dict(type="list", default=None),
+            users=dict(type="list", elements="str", default=None),
+            hosts=dict(type="list", elements="str", default=None),
        ),
        supports_check_mode=True,
    )
--- a/plugins/modules/ipaautomountkey.py
+++ b/plugins/modules/ipaautomountkey.py
@@ -3,8 +3,9 @@

 # Authors:
 #   Chris Procter <cprocter@redhat.com>
+#   Thomas Woerner <twoerner@redhat.com>
 #
-# Copyright (C) 2021 Red Hat
+# Copyright (C) 2021-2022 Red Hat
 # see file 'COPYING' for use and warranty information
 #
 # This program is free software; you can redistribute it and/or modify
@@ -34,39 +35,43 @@ ANSIBLE_METADATA = {
 DOCUMENTATION = '''
 ---
 module: ipaautomountkey
-author: chris procter
+author:
+  - Chris Procter (@chr15p))
+  - Thomas Woerner (@t-woerner)
 short_description: Manage FreeIPA autommount map
 description:
 - Add, delete, and modify an IPA automount map
+extends_documentation_fragment:
+  - ipamodule_base_docs
 options:
-  ipaadmin_principal:
-    description: The admin principal
-    default: admin
-  ipaadmin_password:
-    description: The admin password
-    required: False
  location:
    description: automount location map is in
+    type: str
    required: True
-    choices: ["automountlocationcn", "automountlocation"]
+    aliases: ["automountlocationcn", "automountlocation"]
  mapname:
    description: automount map to be managed
-    choices: ["map", "automountmapname", "automountmap"]
+    type: str
+    aliases: ["map", "automountmapname", "automountmap"]
    required: True
  key:
    description: automount key to be managed
+    type: str
    required: True
-    choices: ["name", "automountkey"]
-  newkey:
+    aliases: ["name", "automountkey"]
+  rename:
    description: key to change to if state is 'renamed'
-    required: True
-    choices: ["newname", "newautomountkey"]
+    type: str
+    required: False
+    aliases: ["new_name", "newautomountkey"]
  info:
    description: Mount information for the key
-    required: True
-    choices: ["information", "automountinformation"]
+    type: str
+    required: False
+    aliases: ["information", "automountinformation"]
  state:
    description: State to ensure
+    type: str
    required: False
    default: present
    choices: ["present", "absent", "renamed"]
@@ -193,7 +198,7 @@ def main():
            state=dict(
                type='str',
                choices=['present', 'absent', 'renamed'],
-                required=None,
+                required=False,
                default='present',
            ),
            location=dict(
@@ -215,6 +220,7 @@ def main():
                type="str",
                aliases=["name", "automountkey"],
                required=True,
+                no_log=False,
            ),
            info=dict(
                type="str",
--- a/plugins/modules/ipaautomountlocation.py
+++ b/plugins/modules/ipaautomountlocation.py
@@ -1,8 +1,9 @@
 # -*- coding: utf-8 -*-
 # Authors:
 #   Chris Procter <cprocter@redhat.com>
+#   Thomas Woerner <twoerner@redhat.com>
 #
-# Copyright (C) 2021 Red Hat
+# Copyright (C) 2021-2022 Red Hat
 # see file 'COPYING' for use and warranty information
 #
 # This program is free software; you can redistribute it and/or modify
@@ -32,7 +33,9 @@ ANSIBLE_METADATA = {
 DOCUMENTATION = '''
 ---
 module: ipaautomountlocation
-author: chris procter
+author:
+  - Chris Procter (@chr15p)
+  - Thomas Woerner (@t-woerner)
 short_description: Manage FreeIPA autommount locations
 description:
 - Add and delete an IPA automount location
@@ -42,10 +45,13 @@ options:
  name:
    description: The automount location to be managed
    required: true
+    type: list
+    elements: str
    aliases: ["cn","location"]
  state:
    description: State to ensure
    required: false
+    type: str
    default: present
    choices: ["present", "absent"]
 '''
@@ -116,9 +122,8 @@ def main():
                       default='present',
                       choices=['present', 'absent']
                       ),
-            name=dict(type="list",
+            name=dict(type="list", elements="str",
                      aliases=["cn", "location"],
-                      default=None,
                      required=True
                      ),
        ),
--- a/plugins/modules/ipaautomountmap.py
+++ b/plugins/modules/ipaautomountmap.py
@@ -2,8 +2,9 @@
 # -*- coding: utf-8 -*-
 # Authors:
 #   Chris Procter <cprocter@redhat.com>
+#   Thomas Woerner <twoerner@redhat.com>
 #
-# Copyright (C) 2021 Red Hat
+# Copyright (C) 2021-2022 Red Hat
 # see file 'COPYING' for use and warranty information
 #
 # This program is free software; you can redistribute it and/or modify
@@ -33,31 +34,34 @@ ANSIBLE_METADATA = {
 DOCUMENTATION = '''
 ---
 module: ipaautomountmap
-author: Chris Procter
+author:
+  - Chris Procter (@chr15p)
+  - Thomas Woerner (@t-woerner)
 short_description: Manage FreeIPA autommount map
 description:
 - Add, delete, and modify an IPA automount map
+extends_documentation_fragment:
+  - ipamodule_base_docs
 options:
-  ipaadmin_principal:
-    description: The admin principal.
-    default: admin
-  ipaadmin_password:
-    description: The admin password.
-    required: false
  automountlocation:
    description: automount location map is anchored to
-    choices: ["location", "automountlocationcn"]
+    type: str
+    aliases: ["location", "automountlocationcn"]
    required: True
  name:
    description: automount map to be managed.
-    choices: ["mapname", "map", "automountmapname"]
+    type: list
+    elements: str
+    aliases: ["mapname", "map", "automountmapname"]
    required: True
  desc:
    description: description of automount map.
-    choices: ["description"]
+    type: str
+    aliases: ["description"]
    required: false
  state:
    description: State to ensure
+    type: str
    required: false
    default: present
    choices: ["present", "absent"]
@@ -122,7 +126,7 @@ class AutomountMap(IPAAnsibleModule):

        self.params_fail_used_invalid(invalid, state)

-    def get_args(self, mapname, desc):  # pylint: disable=no-self-use
+    def get_args(self, mapname, desc):
        # automountmapname is required for all automountmap operations.
        if not mapname:
            self.fail_json(msg="automountmapname cannot be None or empty.")
@@ -169,12 +173,10 @@ def main():
                       ),
            location=dict(type="str",
                          aliases=["automountlocation", "automountlocationcn"],
-                          default=None,
                          required=True
                          ),
-            name=dict(type="list",
+            name=dict(type="list", elements="str",
                      aliases=["mapname", "map", "automountmapname"],
-                      default=None,
                      required=True
                      ),
            desc=dict(type="str",
--- a/plugins/modules/ipaconfig.py
+++ b/plugins/modules/ipaconfig.py
@@ -2,8 +2,9 @@

 # Authors:
 #   Chris Procter <cprocter@redhat.com>
+#   Thomas Woerner <twoerner@redhat.com>
 #
-# Copyright (C) 2020 Red Hat
+# Copyright (C) 2020-2022 Red Hat
 # see file 'COPYING' for use and warranty information
 #
 # This program is free software; you can redistribute it and/or modify
@@ -32,8 +33,10 @@ ANSIBLE_METADATA = {

 DOCUMENTATION = '''
 ---
-module: ipa_config
-author: chris procter
+module: ipaconfig
+author:
+  - Chris Procter (@chr15p)
+  - Thomas Woerner (@t-woerner)
 short_description: Modify IPA global config options
 description:
 - Modify IPA global config options
@@ -43,48 +46,60 @@ options:
    maxusername:
        description: Set the maximum username length between 1-255
        required: false
+        type: int
        aliases: ['ipamaxusernamelength']
    maxhostname:
        description: Set the maximum hostname length between 64-255
        required: false
+        type: int
        aliases: ['ipamaxhostnamelength']
    homedirectory:
        description: Set the default location of home directories
        required: false
+        type: str
        aliases: ['ipahomesrootdir']
    defaultshell:
        description: Set the default shell for new users
        required: false
+        type: str
        aliases: ['ipadefaultloginshell', 'loginshell']
    defaultgroup:
        description: Set the default group for new users
        required: false
+        type: str
        aliases: ['ipadefaultprimarygroup']
    emaildomain:
        description: Set the default e-mail domain
        required: false
+        type: str
        aliases: ['ipadefaultemaildomain']
    searchtimelimit:
        description:
        - Set maximum amount of time (seconds) for a search
        - values -1 to 2147483647 (-1 or 0 is unlimited)
        required: false
+        type: int
        aliases: ['ipasearchtimelimit']
    searchrecordslimit:
        description:
        - Set maximum number of records to search
        - values -1 to 2147483647 (-1 or 0 is unlimited)
        required: false
+        type: int
        aliases: ['ipasearchrecordslimit']
    usersearch:
        description:
        - Set comma-separated list of fields to search for user search
        required: false
+        type: list
+        elements: str
        aliases: ['ipausersearchfields']
    groupsearch:
        description:
        - Set comma-separated list of fields to search for group search
        required: false
+        type: list
+        elements: str
        aliases: ['ipagroupsearchfields']
    enable_migration:
        description: Enable migration mode
@@ -95,22 +110,26 @@ options:
        description: Set default group objectclasses (comma-separated list)
        required: false
        type: list
+        elements: str
        aliases: ['ipagroupobjectclasses']
    userobjectclasses:
        description: Set default user objectclasses (comma-separated list)
        required: false
        type: list
+        elements: str
        aliases: ['ipauserobjectclasses']
    pwdexpnotify:
        description:
        - Set number of days's notice of impending password expiration
        - values 0 to 2147483647
        required: false
+        type: int
        aliases: ['ipapwdexpadvnotify']
    configstring:
        description: Set extra hashes to generate in password plug-in
        required: false
        type: list
+        elements: str
        choices:
        - "AllowNThash"
        - "KDC:Disable Last Success"
@@ -122,32 +141,55 @@ options:
        description: Set order in increasing priority of SELinux users
        required: false
        type: list
+        elements: str
        aliases: ['ipaselinuxusermaporder']
    selinuxusermapdefault:
        description: Set default SELinux user when no match found in map rule
        required: false
+        type: str
        aliases: ['ipaselinuxusermapdefault']
    pac_type:
        description: set default types of PAC supported for services
        required: false
        type: list
+        elements: str
        choices: ["MS-PAC", "PAD", "nfs:NONE", ""]
        aliases: ["ipakrbauthzdata"]
    user_auth_type:
        description: set default types of supported user authentication
        required: false
        type: list
+        elements: str
        choices: ["password", "radius", "otp", "disabled", ""]
        aliases: ["ipauserauthtype"]
    ca_renewal_master_server:
        description: Renewal master for IPA certificate authority.
        required: false
-        type: string
+        type: str
    domain_resolution_order:
        description: set list of domains used for short name qualification
        required: false
        type: list
+        elements: str
        aliases: ["ipadomainresolutionorder"]
+    enable_sid:
+        description: >
+          New users and groups automatically get a SID assigned.
+          Cannot be deactivated once activated. Requires IPA 4.9.8+.
+        required: false
+        type: bool
+    netbios_name:
+        description: >
+          NetBIOS name of the IPA domain. Requires IPA 4.9.8+
+          and SID generation to be activated.
+        required: false
+        type: str
+    add_sids:
+        description: >
+          Add SIDs for existing users and groups. Requires IPA 4.9.8+
+          and SID generation to be activated.
+        required: false
+        type: bool
 '''

 EXAMPLES = '''
@@ -169,6 +211,24 @@ EXAMPLES = '''
        ipaadmin_password: SomeADMINpassword
        defaultshell: /bin/bash
        maxusername: 64
+
+- name: Playbook to enable SID and generate users and groups SIDs
+  hosts: ipaserver
+  tasks:
+    - name: Enable SID and generate users and groups SIDS
+      ipaconfig:
+        ipaadmin_password: SomeADMINpassword
+        enable_sid: yes
+        add_sids: yes
+
+- name: Playbook to change IPA domain netbios name
+  hosts: ipaserver
+  tasks:
+    - name: Enable SID and generate users and groups SIDS
+      ipaconfig:
+        ipaadmin_password: SomeADMINpassword
+        enable_sid: yes
+        netbios_name: IPADOM
 '''

 RETURN = '''
@@ -176,38 +236,48 @@ config:
  description: Dict of all global config options
  returned: When no options are set
  type: dict
-  options:
+  contains:
    maxusername:
        description: maximum username length
+        type: int
        returned: always
    maxhostname:
        description: maximum hostname length
+        type: int
        returned: always
    homedirectory:
        description: default location of home directories
+        type: str
        returned: always
    defaultshell:
        description: default shell for new users
+        type: str
        returned: always
    defaultgroup:
        description: default group for new users
+        type: str
        returned: always
    emaildomain:
        description: default e-mail domain
+        type: str
        returned: always
    searchtimelimit:
        description: maximum amount of time (seconds) for a search
+        type: int
        returned: always
    searchrecordslimit:
        description: maximum number of records to search
+        type: int
        returned: always
    usersearch:
-        description: comma-separated list of fields to search in user search
+        description: list of fields to search in user search
        type: list
+        elements: str
        returned: always
    groupsearch:
-        description: comma-separated list of fields to search in group search
+        description: list of fields to search in group search
        type: list
+        elements: str
        returned: always
    enable_migration:
        description: Enable migration mode
@@ -216,37 +286,59 @@ config:
    groupobjectclasses:
        description: default group objectclasses (comma-separated list)
        type: list
+        elements: str
        returned: always
    userobjectclasses:
        description: default user objectclasses (comma-separated list)
        type: list
+        elements: str
        returned: always
    pwdexpnotify:
        description: number of days's notice of impending password expiration
+        type: str
        returned: always
    configstring:
        description: extra hashes to generate in password plug-in
        type: list
+        elements: str
        returned: always
    selinuxusermaporder:
        description: order in increasing priority of SELinux users
+        type: list
+        elements: str
        returned: always
    selinuxusermapdefault:
        description: default SELinux user when no match is found in map rule
+        type: str
        returned: always
    pac_type:
        description: default types of PAC supported for services
        type: list
+        elements: str
        returned: always
    user_auth_type:
        description: default types of supported user authentication
+        type: str
        returned: always
    ca_renewal_master_server:
        description: master for IPA certificate authority.
+        type: str
        returned: always
    domain_resolution_order:
        description: list of domains used for short name qualification
+        type: list
+        elements: str
        returned: always
+    enable_sid:
+        description: >
+          new users and groups automatically get a SID assigned.
+          Requires IPA 4.9.8+.
+        type: str
+        returned: always
+    netbios_name:
+        description: NetBIOS name of the IPA domain. Requires IPA 4.9.8+.
+        type: str
+        returned: if enable_sid is True
 '''


@@ -260,6 +352,28 @@ def config_show(module):
    return _result["result"]


+def get_netbios_name(module):
+    try:
+        _result = module.ipa_command_no_name("trustconfig_show", {"all": True})
+    except Exception:  # pylint: disable=broad-except
+        return None
+    else:
+        return _result["result"]["ipantflatname"][0]
+
+
+def is_enable_sid(module):
+    """When 'enable_sid' is true admin user and admins group have SID set."""
+    _result = module.ipa_command("user_show", "admin", {"all": True})
+    sid = _result["result"].get("ipantsecurityidentifier", [""])
+    if not sid[0].endswith("-500"):
+        return False
+    _result = module.ipa_command("group_show", "admins", {"all": True})
+    sid = _result["result"].get("ipantsecurityidentifier", [""])
+    if not sid[0].endswith("-512"):
+        return False
+    return True
+
+
 def main():
    ansible_module = IPAAnsibleModule(
        argument_spec=dict(
@@ -281,39 +395,45 @@ def main():
                                 aliases=['ipasearchtimelimit']),
            searchrecordslimit=dict(type="int", required=False,
                                    aliases=['ipasearchrecordslimit']),
-            usersearch=dict(type="list", required=False,
+            usersearch=dict(type="list", elements="str", required=False,
                            aliases=['ipausersearchfields']),
-            groupsearch=dict(type="list", required=False,
+            groupsearch=dict(type="list", elements="str", required=False,
                             aliases=['ipagroupsearchfields']),
            enable_migration=dict(type="bool", required=False,
                                  aliases=['ipamigrationenabled']),
-            groupobjectclasses=dict(type="list", required=False,
+            groupobjectclasses=dict(type="list", elements="str",
+                                    required=False,
                                    aliases=['ipagroupobjectclasses']),
-            userobjectclasses=dict(type="list", required=False,
+            userobjectclasses=dict(type="list", elements="str", required=False,
                                   aliases=['ipauserobjectclasses']),
            pwdexpnotify=dict(type="int", required=False,
                              aliases=['ipapwdexpadvnotify']),
-            configstring=dict(type="list", required=False,
+            configstring=dict(type="list", elements="str", required=False,
                              aliases=['ipaconfigstring'],
                              choices=["AllowNThash",
                                       "KDC:Disable Last Success",
                                       "KDC:Disable Lockout",
                                       "KDC:Disable Default Preauth for SPNs",
                                       ""]),  # noqa E128
-            selinuxusermaporder=dict(type="list", required=False,
+            selinuxusermaporder=dict(type="list", elements="str",
+                                     required=False,
                                     aliases=['ipaselinuxusermaporder']),
            selinuxusermapdefault=dict(type="str", required=False,
                                       aliases=['ipaselinuxusermapdefault']),
-            pac_type=dict(type="list", required=False,
+            pac_type=dict(type="list", elements="str", required=False,
                          aliases=["ipakrbauthzdata"],
                          choices=["MS-PAC", "PAD", "nfs:NONE", ""]),
-            user_auth_type=dict(type="list", required=False,
+            user_auth_type=dict(type="list", elements="str", required=False,
                                choices=["password", "radius", "otp",
                                         "disabled", ""],
                                aliases=["ipauserauthtype"]),
            ca_renewal_master_server=dict(type="str", required=False),
-            domain_resolution_order=dict(type="list", required=False,
-                                         aliases=["ipadomainresolutionorder"])
+            domain_resolution_order=dict(type="list", elements="str",
+                                         required=False,
+                                         aliases=["ipadomainresolutionorder"]),
+            enable_sid=dict(type="bool", required=False),
+            add_sids=dict(type="bool", required=False),
+            netbios_name=dict(type="str", required=False),
        ),
        supports_check_mode=True,
    )
@@ -344,7 +464,10 @@ def main():
        "pac_type": "ipakrbauthzdata",
        "user_auth_type": "ipauserauthtype",
        "ca_renewal_master_server": "ca_renewal_master_server",
-        "domain_resolution_order": "ipadomainresolutionorder"
+        "domain_resolution_order": "ipadomainresolutionorder",
+        "enable_sid": "enable_sid",
+        "netbios_name": "netbios_name",
+        "add_sids": "add_sids",
    }
    allow_empty_string = ["pac_type", "user_auth_type", "configstring"]
    reverse_field_map = {v: k for k, v in field_map.items()}
@@ -394,11 +517,52 @@ def main():
    changed = False
    exit_args = {}

-    # Connect to IPA API
-    with ansible_module.ipa_connect():
+    # Connect to IPA API (enable_sid requires context == 'client')
+    with ansible_module.ipa_connect(context="client"):
+        has_enable_sid = ansible_module.ipa_command_param_exists(
+            "config_mod", "enable_sid")

        result = config_show(ansible_module)
+
        if params:
+            enable_sid = params.get("enable_sid")
+            sid_is_enabled = has_enable_sid and is_enable_sid(ansible_module)
+
+            if sid_is_enabled and enable_sid is False:
+                ansible_module.fail_json(msg="SID cannot be disabled.")
+
+            netbios_name = params.get("netbios_name")
+            add_sids = params.get("add_sids")
+            if has_enable_sid:
+                if (
+                    netbios_name
+                    and netbios_name == get_netbios_name(ansible_module)
+                ):
+                    del params["netbios_name"]
+                    netbios_name = None
+                if not add_sids and "add_sids" in params:
+                    del params["add_sids"]
+                if any([netbios_name, add_sids]):
+                    if sid_is_enabled:
+                        params["enable_sid"] = True
+                    else:
+                        if not enable_sid:
+                            ansible_module.fail_json(
+                                msg="SID generation must be enabled for "
+                                    "'netbios_name' and 'add_sids'. Use "
+                                    "'enable_sid: yes'."
+                            )
+                else:
+                    if sid_is_enabled and "enable_sid" in params:
+                        del params["enable_sid"]
+
+            else:
+                if any([enable_sid, netbios_name, add_sids is not None]):
+                    ansible_module.fail_json(
+                        msg="This version of IPA does not support enable_sid, "
+                            "add_sids or netbios_name setting through the "
+                            "config module"
+                    )
            params = {
                k: v for k, v in params.items()
                if k not in result or result[k] != v
@@ -458,6 +622,10 @@ def main():
            # Add empty domain_resolution_order if it is not set
            if "domain_resolution_order" not in exit_args:
                exit_args["domain_resolution_order"] = []
+            # Set enable_sid
+            if has_enable_sid:
+                exit_args["enable_sid"] = is_enable_sid(ansible_module)
+                exit_args["netbios_name"] = get_netbios_name(ansible_module)

    # Done
    ansible_module.exit_json(changed=changed, config=exit_args)
--- a/plugins/modules/ipadelegation.py
+++ b/plugins/modules/ipadelegation.py
@@ -3,7 +3,7 @@
 # Authors:
 #   Thomas Woerner <twoerner@redhat.com>
 #
-# Copyright (C) 2020 Red Hat
+# Copyright (C) 2020-2022 Red Hat
 # see file 'COPYING' for use and warranty information
 #
 # This program is free software; you can redistribute it and/or modify
@@ -32,40 +32,52 @@ ANSIBLE_METADATA = {
 DOCUMENTATION = """
 ---
 module: ipadelegation
-short description: Manage FreeIPA delegations
+short_description: Manage FreeIPA delegations
 description: Manage FreeIPA delegations and delegation attributes
 extends_documentation_fragment:
  - ipamodule_base_docs
 options:
  name:
    description: The list of delegation name strings.
+    type: list
+    elements: str
    required: true
    aliases: ["aciname"]
  permission:
    description: Permissions to grant (read, write). Default is write.
+    type: list
+    elements: str
    required: false
    aliases: ["permissions"]
  attribute:
    description: Attribute list to which the delegation applies
+    type: list
+    elements: str
    required: false
    aliases: ["attrs"]
  membergroup:
    description: User group to apply delegation to
+    type: str
    required: false
    aliases: ["memberof"]
  group:
    description: User group ACI grants access to
+    type: str
    required: false
  action:
    description: Work on delegation or member level.
+    type: str
    choices: ["delegation", "member"]
    default: delegation
    required: false
  state:
    description: The state to ensure.
+    type: str
    choices: ["present", "absent"]
    default: present
-    required: true
+    required: false
+author:
+  - Thomas Woerner (@t-woerner)
 """

 EXAMPLES = """
@@ -143,13 +155,13 @@ def main():
    ansible_module = IPAAnsibleModule(
        argument_spec=dict(
            # general
-            name=dict(type="list", aliases=["aciname"], default=None,
+            name=dict(type="list", elements="str", aliases=["aciname"],
                      required=True),
            # present
-            permission=dict(required=False, type='list',
+            permission=dict(required=False, type='list', elements="str",
                            aliases=["permissions"], default=None),
-            attribute=dict(required=False, type='list', aliases=["attrs"],
-                           default=None),
+            attribute=dict(required=False, type='list', elements="str",
+                           aliases=["attrs"], default=None),
            membergroup=dict(type="str", aliases=["memberof"], default=None),
            group=dict(type="str", default=None),
            action=dict(type="str", default="delegation",
--- a/plugins/modules/ipadnsconfig.py
+++ b/plugins/modules/ipadnsconfig.py
@@ -2,8 +2,9 @@

 # Authors:
 #   Rafael Guterres Jeffman <rjeffman@redhat.com>
+#   Thomas Woerner <twoerner@redhat.com>
 #
-# Copyright (C) 2019 Red Hat
+# Copyright (C) 2019-2022 Red Hat
 # see file 'COPYING' for use and warranty information
 #
 # This program is free software; you can redistribute it and/or modify
@@ -33,7 +34,7 @@ ANSIBLE_METADATA = {
 DOCUMENTATION = """
 ---
 module: ipadnsconfig
-short description: Manage FreeIPA dnsconfig
+short_description: Manage FreeIPA dnsconfig
 description: Manage FreeIPA dnsconfig
 extends_documentation_fragment:
  - ipamodule_base_docs
@@ -41,20 +42,25 @@ options:
  forwarders:
    description: The list of global DNS forwarders.
    required: false
-    options:
+    type: list
+    elements: dict
+    suboptions:
      ip_address:
        description: The forwarder nameserver IP address list (IPv4 and IPv6).
+        type: str
        required: true
      port:
        description: The port to forward requests to.
+        type: int
        required: false
  forward_policy:
    description:
      Global forwarding policy. Set to "none" to disable any configured
      global forwarders.
+    type: str
    required: false
    choices: ['only', 'first', 'none']
-    alias: ["forwardpolicy"]
+    aliases: ["forwardpolicy"]
  allow_sync_ptr:
    description:
      Allow synchronization of forward (A, AAAA) and reverse (PTR) records.
@@ -64,14 +70,19 @@ options:
    description: |
      Work on dnsconfig or member level. It can be one of `member` or
      `dnsconfig`. Only `forwarders` can be managed with `action: member`.
+    type: str
    default: "dnsconfig"
    choices: ["member", "dnsconfig"]
  state:
    description: |
      The state to ensure. It can be one of `present` or `absent`.
      `absent` can only be used with `action: member` and `forwarders`.
+    type: str
    default: present
    choices: ["present", "absent"]
+author:
+  - Rafael Guterres Jeffman (@rjeffman)
+  - Thomas Woerner (@t-woerner)
 """

 EXAMPLES = """
@@ -183,14 +194,15 @@ def gen_args(module, state, action, dnsconfig, forwarders, forward_policy,

 def main():
    forwarder_spec = dict(
-        ip_address=dict(type=str, required=True),
-        port=dict(type=int, required=False, default=None)
+        ip_address=dict(type="str", required=True),
+        port=dict(type="int", required=False, default=None)
    )

    ansible_module = IPAAnsibleModule(
        argument_spec=dict(
            # dnsconfig
-            forwarders=dict(type='list', default=None, required=False,
+            forwarders=dict(type='list', elements="dict", default=None,
+                            required=False,
                            options=dict(**forwarder_spec)),
            forward_policy=dict(type='str', required=False, default=None,
                                choices=['only', 'first', 'none'],
--- a/plugins/modules/ipadnsforwardzone.py
+++ b/plugins/modules/ipadnsforwardzone.py
@@ -2,8 +2,9 @@

 # Authors:
 #   Chris Procter <cprocter@redhat.com>
+#   Thomas Woerner <twoerner@redhat.com>
 #
-# Copyright (C) 2019 Red Hat
+# Copyright (C) 2019-2022 Red Hat
 # see file 'COPYING' for use and warranty information
 #
 # This program is free software; you can redistribute it and/or modify
@@ -32,53 +33,68 @@ ANSIBLE_METADATA = {

 DOCUMENTATION = '''
 ---
-module: ipa_dnsforwardzone
-author: chris procter
+module: ipadnsforwardzone
+author:
+  - Chris Procter (@chr15p)
+  - Thomas Woerner (@t-woerner)
 short_description: Manage FreeIPA DNS Forwarder Zones
 description:
- Add and delete an IPA DNS Forwarder Zones using IPA API
+  - Add and delete an IPA DNS Forwarder Zones using IPA API
 extends_documentation_fragment:
  - ipamodule_base_docs
 options:
  name:
    description:
    - The DNS zone name which needs to be managed.
+    type: list
+    elements: str
    required: true
    aliases: ["cn"]
+  action:
+    description: |
+      Work on dnsforwardzone or member level. It can be one of `member` or
+      `dnsforwardzone`.
+    type: str
+    default: "dnsforwardzone"
+    choices: ["member", "dnsforwardzone"]
  state:
    description: State to ensure
+    type: str
    required: false
    default: present
    choices: ["present", "absent", "enabled", "disabled"]
  forwarders:
    description:
    - List of the DNS servers to forward to
+    type: list
+    elements: dict
    aliases: ["idnsforwarders"]
-    options:
+    suboptions:
      ip_address:
        description: Forwarder IP address (either IPv4 or IPv6).
-        required: false
-        type: string
+        required: true
+        type: str
      port:
        description: Forwarder port.
        required: false
        type: int
  forwardpolicy:
    description: Per-zone conditional forwarding policy
+    type: str
    required: false
-    default: only
    choices: ["only", "first", "none"]
-    aliases: ["idnsforwarders", "forward_policy"]
+    aliases: ["idnsforwardpolicy", "forward_policy"]
  skip_overlap_check:
    description:
    - Force DNS zone creation even if it will overlap with an existing zone.
+    type: bool
    required: false
-    default: false
  permission:
    description:
    - Allow DNS Forward Zone to be managed.
    required: false
    type: bool
+    aliases: ["managedby"]
 '''

 EXAMPLES = '''
@@ -180,7 +196,7 @@ def main():
    ansible_module = IPAAnsibleModule(
        argument_spec=dict(
            # general
-            name=dict(type="list", aliases=["cn"], default=None,
+            name=dict(type="list", elements="str", aliases=["cn"],
                      required=True),
            forwarders=dict(type="list", default=None, required=False,
                            aliases=["idnsforwarders"], elements='dict',
--- a/plugins/modules/ipadnsrecord.py
+++ b/plugins/modules/ipadnsrecord.py
@@ -2,8 +2,9 @@

 # Authors:
 #   Rafael Guterres Jeffman <rjeffman@redhat.com>
+#   Thomas Woerner <twoerner@redhat.com>
 #
-# Copyright (C) 2020 Red Hat
+# Copyright (C) 2020-2022 Red Hat
 # see file 'COPYING' for use and warranty information
 #
 # This program is free software; you can redistribute it and/or modify
@@ -34,7 +35,7 @@ ANSIBLE_METADATA = {
 DOCUMENTATION = """
 ---
 module: ipadnsrecord
-short description: Manage FreeIPA DNS records
+short_description: Manage FreeIPA DNS records
 description: Manage FreeIPA DNS records
 extends_documentation_fragment:
  - ipamodule_base_docs
@@ -42,19 +43,24 @@ options:
  records:
    description: The list of user dns records dicts
    required: false
-    options:
+    type: list
+    elements: dict
+    suboptions:
      name:
        description: The DNS record name to manage.
+        type: str
        aliases: ["record_name"]
        required: true
      zone_name:
        description: |
          The DNS zone name to which DNS record needs to be managed.
          Required if not provided globally.
+        type: str
        aliases: ["dnszone"]
        required: false
      record_type:
        description: The type of DNS record.
+        type: str
        choices: ["A", "AAAA", "A6", "AFSDB", "CERT", "CNAME", "DLV", "DNAME",
                  "DS", "KX", "LOC", "MX", "NAPTR", "NS", "PTR", "SRV",
                  "SSHFP", "TLSA", "TXT", "URI"]
@@ -63,6 +69,7 @@ options:
        description: Manage DNS record name with these values.
        required: false
        type: list
+        elements: str
      record_ttl:
        description: Set the TTL for the record.
        required: false
@@ -73,92 +80,132 @@ options:
        type: bool
      a_rec:
        description: Raw A record.
+        type: list
+        elements: str
        required: false
        aliases: ["a_record"]
      aaaa_rec:
        description: Raw AAAA record.
+        type: list
+        elements: str
        required: false
        aliases: ["aaaa_record"]
      a6_rec:
        description: Raw A6 record.
+        type: list
+        elements: str
        required: false
        aliases: ["a6_record"]
      afsdb_rec:
        description: Raw AFSDB record.
+        type: list
+        elements: str
        required: false
        aliases: ["afsdb_record"]
      cert_rec:
        description: Raw CERT record.
+        type: list
+        elements: str
        required: false
        aliases: ["cert_record"]
      cname_rec:
        description: Raw CNAME record.
+        type: list
+        elements: str
        required: false
        aliases: ["cname_record"]
      dlv_rec:
        description: Raw DLV record.
+        type: list
+        elements: str
        required: false
        aliases: ["dlv_record"]
      dname_rec:
        description: Raw DNAM record.
+        type: list
+        elements: str
        required: false
        aliases: ["dname_record"]
      ds_rec:
        description: Raw DS record.
+        type: list
+        elements: str
        required: false
        aliases: ["ds_record"]
      kx_rec:
        description: Raw KX record.
+        type: list
+        elements: str
        required: false
        aliases: ["kx_record"]
      loc_rec:
        description: Raw LOC record.
+        type: list
+        elements: str
        required: false
        aliases: ["loc_record"]
      mx_rec:
        description: Raw MX record.
+        type: list
+        elements: str
        required: false
        aliases: ["mx_record"]
      naptr_rec:
        description: Raw NAPTR record.
+        type: list
+        elements: str
        required: false
        aliases: ["naptr_record"]
      ns_rec:
        description: Raw NS record.
+        type: list
+        elements: str
        required: false
        aliases: ["ns_record"]
      ptr_rec:
        description: Raw PTR record.
+        type: list
+        elements: str
        required: false
        aliases: ["ptr_record"]
      srv_rec:
        description: Raw SRV record.
+        type: list
+        elements: str
        required: false
        aliases: ["srv_record"]
      sshfp_rec:
        description: Raw SSHFP record.
+        type: list
+        elements: str
        required: false
        aliases: ["sshfp_record"]
      tlsa_rec:
        description: Raw TLSA record.
+        type: list
+        elements: str
        required: false
        aliases: ["tlsa_record"]
      txt_rec:
        description: Raw TXT record.
+        type: list
+        elements: str
        required: false
        aliases: ["txt_record"]
      uri_rec:
        description: Raw URI record.
+        type: list
+        elements: str
        required: false
        aliases: ["uri_record"]
      ip_address:
        description: IP adresses for A or AAAA records.
        required: false
-        type: string
+        type: str
      a_ip_address:
        description: IP adresses for A records.
        required: false
-        type: string
+        type: str
      a_create_reverse:
        description: |
          Create reverse record for A records.
@@ -168,7 +215,7 @@ options:
      aaaa_ip_address:
        description: IP adresses for AAAA records.
        required: false
-        type: string
+        type: str
      aaaa_create_reverse:
        description: |
          Create reverse record for AAAA records.
@@ -185,6 +232,7 @@ options:
      a6_data:
        description: A6 record data.
        required: false
+        type: str
      afsdb_subtype:
        description: AFSDB Subtype
        required: false
@@ -192,7 +240,7 @@ options:
      afsdb_hostname:
        description: AFSDB Hostname
        required: false
-        type: string
+        type: str
      cert_type:
        description: CERT Certificate Type
        required: false
@@ -208,13 +256,13 @@ options:
      cert_certificate_or_crl:
        description: CERT Certificate or Certificate Revocation List (CRL).
        required: false
-        type: string
+        type: str
      cname_hostname:
        description: A hostname which this alias hostname points to.
        required: false
-        type: string
+        type: str
      dlv_key_tag:
-        description: DS Key Tag
+        description: DLV Key Tag
        required: false
        type: int
      dlv_algorithm:
@@ -228,11 +276,11 @@ options:
      dlv_digest:
        description: DLV Digest
        required: false
-        type: string
+        type: str
      dname_target:
        description: DNAME Target
        required: false
-        type: string
+        type: str
      ds_key_tag:
        description: DS Key Tag
        required: false
@@ -248,7 +296,7 @@ options:
      ds_digest:
        description: DS Digest
        required: false
-        type: string
+        type: str
      kx_preference:
        description: |
          Preference given to this exchanger. Lower values are more preferred.
@@ -257,7 +305,7 @@ options:
      kx_exchanger:
        description: A host willing to act as a key exchanger.
        required: false
-        type: string
+        type: str
      loc_lat_deg:
        description: LOC Degrees Latitude
        required: false
@@ -274,6 +322,7 @@ options:
        description: LOC Direction Latitude
        required: false
        choices: ["N", "S"]
+        type: str
      loc_lon_deg:
        description: LOC Degrees Longitude
        required: false
@@ -290,6 +339,7 @@ options:
        description: LOC Direction Longitude
        required: false
        choices: ["E", "W"]
+        type: str
      loc_altitude:
        description: LOC Altitude
        required: false
@@ -314,7 +364,7 @@ options:
      mx_exchanger:
        description: A host willing to act as a mail exchanger.
        required: false
-        type: string
+        type: str
      naptr_order:
        description: NAPTR Order
        required: false
@@ -326,27 +376,27 @@ options:
      naptr_flags:
        description: NAPTR Flags
        required: false
-        type: string
+        type: str
      naptr_service:
        description: NAPTR Service
        required: false
-        type: string
+        type: str
      naptr_regexp:
        description: NAPTR Regular Expression
        required: false
-        type: string
+        type: str
      naptr_replacement:
        description: NAPTR Replacement
        required: false
-        type: string
+        type: str
      ns_hostname:
        description: NS Hostname
        required: false
-        type: string
+        type: str
      ptr_hostname:
        description: The hostname this reverse record points to.
        required: false
-        type: string
+        type: str
      srv_priority:
        description: |
          Lower number means higher priority. Clients will attempt to contact
@@ -366,7 +416,7 @@ options:
          The domain name of the target host or '.' if the service is decidedly
          not available at this domain.
        required: false
-        type: string
+        type: str
      sshfp_algorithm:
        description: SSHFP Algorithm
        required: False
@@ -378,11 +428,11 @@ options:
      sshfp_fingerprint:
        description: SSHFP Fingerprint
        required: False
-        type: string
+        type: str
      txt_data:
        description: TXT Text Data
        required: false
-        type: string
+        type: str
      tlsa_cert_usage:
        description: TLSA Certificate Usage
        required: false
@@ -398,11 +448,11 @@ options:
      tlsa_cert_association_data:
        description: TLSA Certificate Association Data
        required: false
-        type: string
+        type: str
      uri_target:
        description: Target Uniform Resource Identifier according to RFC 3986.
        required: false
-        type: string
+        type: str
      uri_priority:
        description: |
          Lower number means higher priority. Clients will attempt to contact
@@ -413,27 +463,31 @@ options:
        description: Relative weight for entries with the same priority.
        required: false
        type: int
+  name:
+    description: The DNS record name to manage.
+    type: list
+    elements: str
+    aliases: ["record_name"]
+    required: false
  zone_name:
    description: |
      The DNS zone name to which DNS record needs to be managed.
      Required if not provided globally.
+    type: str
    aliases: ["dnszone"]
    required: false
-  name:
-    description: The DNS record name to manage.
-    aliases: ["record_name"]
-    required: true
  record_type:
    description: The type of DNS record.
-    required: false
+    type: str
    choices: ["A", "AAAA", "A6", "AFSDB", "CERT", "CNAME", "DLV", "DNAME",
-              "DS", "KX", "LOC", "MX", "NAPTR", "NS", "PTR", "SRV", "SSHFP",
-              "TLSA", "TXT", "URI"]
+              "DS", "KX", "LOC", "MX", "NAPTR", "NS", "PTR", "SRV",
+              "SSHFP", "TLSA", "TXT", "URI"]
    default: "A"
  record_value:
-    description: Manage DNS record name with this values.
+    description: Manage DNS record name with these values.
    required: false
    type: list
+    elements: str
  record_ttl:
    description: Set the TTL for the record.
    required: false
@@ -444,99 +498,132 @@ options:
    type: bool
  a_rec:
    description: Raw A record.
+    type: list
+    elements: str
    required: false
    aliases: ["a_record"]
  aaaa_rec:
    description: Raw AAAA record.
+    type: list
+    elements: str
    required: false
    aliases: ["aaaa_record"]
  a6_rec:
    description: Raw A6 record.
+    type: list
+    elements: str
    required: false
    aliases: ["a6_record"]
  afsdb_rec:
    description: Raw AFSDB record.
+    type: list
+    elements: str
    required: false
    aliases: ["afsdb_record"]
  cert_rec:
    description: Raw CERT record.
+    type: list
+    elements: str
    required: false
    aliases: ["cert_record"]
  cname_rec:
    description: Raw CNAME record.
+    type: list
+    elements: str
    required: false
    aliases: ["cname_record"]
  dlv_rec:
    description: Raw DLV record.
+    type: list
+    elements: str
    required: false
    aliases: ["dlv_record"]
  dname_rec:
    description: Raw DNAM record.
+    type: list
+    elements: str
    required: false
    aliases: ["dname_record"]
  ds_rec:
    description: Raw DS record.
+    type: list
+    elements: str
    required: false
    aliases: ["ds_record"]
  kx_rec:
    description: Raw KX record.
+    type: list
+    elements: str
    required: false
    aliases: ["kx_record"]
  loc_rec:
    description: Raw LOC record.
+    type: list
+    elements: str
    required: false
    aliases: ["loc_record"]
  mx_rec:
    description: Raw MX record.
+    type: list
+    elements: str
    required: false
    aliases: ["mx_record"]
  naptr_rec:
    description: Raw NAPTR record.
+    type: list
+    elements: str
    required: false
    aliases: ["naptr_record"]
  ns_rec:
    description: Raw NS record.
+    type: list
+    elements: str
    required: false
    aliases: ["ns_record"]
  ptr_rec:
    description: Raw PTR record.
+    type: list
+    elements: str
    required: false
    aliases: ["ptr_record"]
  srv_rec:
    description: Raw SRV record.
+    type: list
+    elements: str
    required: false
    aliases: ["srv_record"]
  sshfp_rec:
    description: Raw SSHFP record.
+    type: list
+    elements: str
    required: false
    aliases: ["sshfp_record"]
  tlsa_rec:
    description: Raw TLSA record.
+    type: list
+    elements: str
    required: false
    aliases: ["tlsa_record"]
  txt_rec:
    description: Raw TXT record.
+    type: list
+    elements: str
    required: false
    aliases: ["txt_record"]
  uri_rec:
    description: Raw URI record.
+    type: list
+    elements: str
    required: false
    aliases: ["uri_record"]
  ip_address:
-    description: IP adresses for A ar AAAA.
+    description: IP adresses for A or AAAA records.
    required: false
-    type: string
-  create_reverse:
-    description: |
-      Create reverse record for A or AAAA record types.
-      There is no equivalent to remove reverse records.
-    type: bool
-    required: false
-    aliases: ["reverse"]
+    type: str
  a_ip_address:
    description: IP adresses for A records.
    required: false
-    type: string
+    type: str
  a_create_reverse:
    description: |
      Create reverse record for A records.
@@ -546,13 +633,24 @@ options:
  aaaa_ip_address:
    description: IP adresses for AAAA records.
    required: false
-    type: string
+    type: str
  aaaa_create_reverse:
    description: |
      Create reverse record for AAAA records.
      There is no equivalent to remove reverse records.
    type: bool
    required: false
+  create_reverse:
+    description: |
+      Create reverse record for A or AAAA record types.
+      There is no equivalent to remove reverse records.
+    type: bool
+    required: false
+    aliases: ["reverse"]
+  a6_data:
+    description: A6 record data.
+    required: false
+    type: str
  afsdb_subtype:
    description: AFSDB Subtype
    required: false
@@ -560,7 +658,7 @@ options:
  afsdb_hostname:
    description: AFSDB Hostname
    required: false
-    type: string
+    type: str
  cert_type:
    description: CERT Certificate Type
    required: false
@@ -574,13 +672,13 @@ options:
    required: false
    type: int
  cert_certificate_or_crl:
-    description: CERT Certificate/CRL
+    description: CERT Certificate or Certificate Revocation List (CRL).
    required: false
-    type: string
+    type: str
  cname_hostname:
    description: A hostname which this alias hostname points to.
    required: false
-    type: string
+    type: str
  dlv_key_tag:
    description: DS Key Tag
    required: false
@@ -596,11 +694,11 @@ options:
  dlv_digest:
    description: DLV Digest
    required: false
-    type: string
+    type: str
  dname_target:
    description: DNAME Target
    required: false
-    type: string
+    type: str
  ds_key_tag:
    description: DS Key Tag
    required: false
@@ -616,7 +714,7 @@ options:
  ds_digest:
    description: DS Digest
    required: false
-    type: string
+    type: str
  kx_preference:
    description: |
      Preference given to this exchanger. Lower values are more preferred.
@@ -625,7 +723,7 @@ options:
  kx_exchanger:
    description: A host willing to act as a key exchanger.
    required: false
-    type: string
+    type: str
  loc_lat_deg:
    description: LOC Degrees Latitude
    required: false
@@ -642,6 +740,7 @@ options:
    description: LOC Direction Latitude
    required: false
    choices: ["N", "S"]
+    type: str
  loc_lon_deg:
    description: LOC Degrees Longitude
    required: false
@@ -658,6 +757,7 @@ options:
    description: LOC Direction Longitude
    required: false
    choices: ["E", "W"]
+    type: str
  loc_altitude:
    description: LOC Altitude
    required: false
@@ -682,7 +782,7 @@ options:
  mx_exchanger:
    description: A host willing to act as a mail exchanger.
    required: false
-    type: string
+    type: str
  naptr_order:
    description: NAPTR Order
    required: false
@@ -694,31 +794,31 @@ options:
  naptr_flags:
    description: NAPTR Flags
    required: false
-    type: string
+    type: str
  naptr_service:
    description: NAPTR Service
    required: false
-    type: string
+    type: str
  naptr_regexp:
    description: NAPTR Regular Expression
    required: false
-    type: string
+    type: str
  naptr_replacement:
    description: NAPTR Replacement
    required: false
-    type: string
+    type: str
  ns_hostname:
    description: NS Hostname
    required: false
-    type: string
+    type: str
  ptr_hostname:
    description: The hostname this reverse record points to.
    required: false
-    type: string
+    type: str
  srv_priority:
    description: |
-      Lower number means higher priority. Clients will attempt to contact the
-      server with the lowest-numbered priority they can reach.
+      Lower number means higher priority. Clients will attempt to contact
+      the server with the lowest-numbered priority they can reach.
    required: false
    type: int
  srv_weight:
@@ -731,26 +831,26 @@ options:
    type: int
  srv_target:
    description: |
-      The domain name of the target host or '.' if the service is decidedly not
-      available at this domain.
+      The domain name of the target host or '.' if the service is decidedly
+      not available at this domain.
    required: false
-    type: string
+    type: str
  sshfp_algorithm:
    description: SSHFP Algorithm
-    required: false
+    required: False
    type: int
  sshfp_fp_type:
    description: SSHFP Fingerprint Type
-    required: false
+    required: False
    type: int
  sshfp_fingerprint:
    description: SSHFP Fingerprint
-    required: false
-    type: string
+    required: False
+    type: str
  txt_data:
    description: TXT Text Data
    required: false
-    type: string
+    type: str
  tlsa_cert_usage:
    description: TLSA Certificate Usage
    required: false
@@ -766,15 +866,15 @@ options:
  tlsa_cert_association_data:
    description: TLSA Certificate Association Data
    required: false
-    type: string
+    type: str
  uri_target:
    description: Target Uniform Resource Identifier according to RFC 3986.
    required: false
-    type: string
+    type: str
  uri_priority:
    description: |
-      Lower number means higher priority. Clients will attempt to contact the
-      URI with the lowest-numbered priority they can reach.
+      Lower number means higher priority. Clients will attempt to contact
+      the URI with the lowest-numbered priority they can reach.
    required: false
    type: int
  uri_weight:
@@ -783,11 +883,12 @@ options:
    type: int
  state:
    description: State to ensure
+    type: str
    default: present
-    choices: ["present", "absent"]
-
+    choices: ["present", "absent", "disabled"]
 author:
-    - Rafael Guterres Jeffman
+  - Rafael Guterres Jeffman (@rjeffman)
+  - Thomas Woerner (@t-woerner)
 """

 EXAMPLES = """
@@ -866,8 +967,13 @@ RETURN = """
 from ansible.module_utils._text import to_text
 from ansible.module_utils.ansible_freeipa_module import \
    IPAAnsibleModule, is_ipv4_addr, is_ipv6_addr, ipalib_errors
-import dns.reversename
-import dns.resolver
+try:
+    import dns.reversename
+    import dns.resolver
+except ImportError as _err:
+    MODULE_IMPORT_ERROR = str(_err)
+else:
+    MODULE_IMPORT_ERROR = None

 from ansible.module_utils import six

@@ -1015,29 +1121,49 @@ def configure_module():
                                  "DLV", "DNAME", "DS", "KX", "LOC", "MX",
                                  "NAPTR", "NS", "PTR", "SRV", "SSHFP", "TLSA",
                                  "TXT", "URI"]),
-        record_value=dict(type='list', required=False),
+        record_value=dict(type='list', elements='str', required=False),
        record_ttl=dict(type='int', required=False),
        del_all=dict(type='bool', required=False),
-        a_rec=dict(type='list', required=False, aliases=['a_record']),
-        aaaa_rec=dict(type='list', required=False, aliases=['aaaa_record']),
-        a6_rec=dict(type='list', required=False, aliases=['a6_record']),
-        afsdb_rec=dict(type='list', required=False, aliases=['afsdb_record']),
-        cert_rec=dict(type='list', required=False, aliases=['cert_record']),
-        cname_rec=dict(type='list', required=False, aliases=['cname_record']),
-        dlv_rec=dict(type='list', required=False, aliases=['dlv_record']),
-        dname_rec=dict(type='list', required=False, aliases=['dname_record']),
-        ds_rec=dict(type='list', required=False, aliases=['ds_record']),
-        kx_rec=dict(type='list', required=False, aliases=['kx_record']),
-        loc_rec=dict(type='list', required=False, aliases=['loc_record']),
-        mx_rec=dict(type='list', required=False, aliases=['mx_record']),
-        naptr_rec=dict(type='list', required=False, aliases=['naptr_record']),
-        ns_rec=dict(type='list', required=False, aliases=['ns_record']),
-        ptr_rec=dict(type='list', required=False, aliases=['ptr_record']),
-        srv_rec=dict(type='list', required=False, aliases=['srv_record']),
-        sshfp_rec=dict(type='list', required=False, aliases=['sshfp_record']),
-        tlsa_rec=dict(type='list', required=False, aliases=['tlsa_record']),
-        txt_rec=dict(type='list', required=False, aliases=['txt_record']),
-        uri_rec=dict(type='list', required=False, aliases=['uri_record']),
+        a_rec=dict(type='list', elements='str', required=False,
+                   aliases=['a_record']),
+        aaaa_rec=dict(type='list', elements='str', required=False,
+                      aliases=['aaaa_record']),
+        a6_rec=dict(type='list', elements='str', required=False,
+                    aliases=['a6_record']),
+        afsdb_rec=dict(type='list', elements='str', required=False,
+                       aliases=['afsdb_record']),
+        cert_rec=dict(type='list', elements='str', required=False,
+                      aliases=['cert_record']),
+        cname_rec=dict(type='list', elements='str', required=False,
+                       aliases=['cname_record']),
+        dlv_rec=dict(type='list', elements='str', required=False,
+                     aliases=['dlv_record']),
+        dname_rec=dict(type='list', elements='str', required=False,
+                       aliases=['dname_record']),
+        ds_rec=dict(type='list', elements='str', required=False,
+                    aliases=['ds_record']),
+        kx_rec=dict(type='list', elements='str', required=False,
+                    aliases=['kx_record']),
+        loc_rec=dict(type='list', elements='str', required=False,
+                     aliases=['loc_record']),
+        mx_rec=dict(type='list', elements='str', required=False,
+                    aliases=['mx_record']),
+        naptr_rec=dict(type='list', elements='str', required=False,
+                       aliases=['naptr_record']),
+        ns_rec=dict(type='list', elements='str', required=False,
+                    aliases=['ns_record']),
+        ptr_rec=dict(type='list', elements='str', required=False,
+                     aliases=['ptr_record']),
+        srv_rec=dict(type='list', elements='str', required=False,
+                     aliases=['srv_record']),
+        sshfp_rec=dict(type='list', elements='str', required=False,
+                       aliases=['sshfp_record']),
+        tlsa_rec=dict(type='list', elements='str', required=False,
+                      aliases=['tlsa_record']),
+        txt_rec=dict(type='list', elements='str', required=False,
+                     aliases=['txt_record']),
+        uri_rec=dict(type='list', elements='str', required=False,
+                     aliases=['uri_record']),
        ip_address=dict(type='str', required=False),
        create_reverse=dict(type='bool', required=False, aliases=['reverse']),
        a_ip_address=dict(type='str', required=False),
@@ -1048,16 +1174,16 @@ def configure_module():
        afsdb_subtype=dict(type='int', required=False),
        afsdb_hostname=dict(type='str', required=False),
        cert_type=dict(type='int', required=False),
-        cert_key_tag=dict(type='int', required=False),
+        cert_key_tag=dict(type='int', required=False, no_log=True),
        cert_algorithm=dict(type='int', required=False),
        cert_certificate_or_crl=dict(type='str', required=False),
        cname_hostname=dict(type='str', required=False),
-        dlv_key_tag=dict(type='int', required=False),
+        dlv_key_tag=dict(type='int', required=False, no_log=True),
        dlv_algorithm=dict(type='int', required=False),
        dlv_digest_type=dict(type='int', required=False),
        dlv_digest=dict(type='str', required=False),
        dname_target=dict(type='str', required=False),
-        ds_key_tag=dict(type='int', required=False),
+        ds_key_tag=dict(type='int', required=False, no_log=True),
        ds_algorithm=dict(type='int', required=False),
        ds_digest_type=dict(type='int', required=False),
        ds_digest=dict(type='str', required=False),
@@ -1066,11 +1192,11 @@ def configure_module():
        loc_lat_deg=dict(type='int', required=False),
        loc_lat_min=dict(type='int', required=False),
        loc_lat_sec=dict(type='float', required=False),
-        loc_lat_dir=dict(type='str', required=False),
+        loc_lat_dir=dict(type='str', required=False, choices=["N", "S"]),
        loc_lon_deg=dict(type='int', required=False),
        loc_lon_min=dict(type='int', required=False),
        loc_lon_sec=dict(type='float', required=False),
-        loc_lon_dir=dict(type='str', required=False),
+        loc_lon_dir=dict(type='str', required=False, choices=["E", "W"]),
        loc_altitude=dict(type='float', required=False),
        loc_size=dict(type='float', required=False),
        loc_h_precision=dict(type='float', required=False),
@@ -1105,10 +1231,14 @@ def configure_module():
    ansible_module = IPAAnsibleModule(
        argument_spec=dict(
            # general
-            name=dict(type="list", aliases=["record_name"], default=None,
-                      required=False),
+            name=dict(type="list", elements="str", aliases=["record_name"],
+                      default=None, required=False),

+            # Use elements="str" and not elements="dict" for records:
+            # elements="dict" will create dicts with all unused parameters
+            # set to None. This breaks the module logic.
            records=dict(type="list",
+                         elements="dict",
                         default=None,
                         options=dict(
                             # Here name is a simple string
@@ -1131,6 +1261,9 @@ def configure_module():

    ansible_module._ansible_debug = True

+    if MODULE_IMPORT_ERROR is not None:
+        ansible_module.fail_json(msg=MODULE_IMPORT_ERROR)
+
    return ansible_module


@@ -1436,6 +1569,14 @@ def main():
                msg="Only one record can be added at a time.")

    if records is not None:
+        # Remove all keys that have a None value from the dicts in records
+        # list.
+        # This is needed after setting elements="dict" for records and makes
+        # it behave like before with elements=None.
+        for record in records:
+            for key in list(record):
+                if record[key] is None:
+                    del record[key]
        names = records

    # Init
--- a/plugins/modules/ipadnszone.py
+++ b/plugins/modules/ipadnszone.py
@@ -2,8 +2,9 @@

 # Authors:
 #   Sergio Oliveira Campos <seocam@redhat.com>
+#   Thomas Woerner <twoerner@redhat.com>
 #
-# Copyright (C) 2020 Red Hat
+# Copyright (C) 2020-2022 Red Hat
 # see file 'COPYING' for use and warranty information
 #
 # This program is free software; you can redistribute it and/or modify
@@ -32,16 +33,17 @@ ANSIBLE_METADATA = {
 DOCUMENTATION = """
 ---
 module: ipadnszone
-short description: Manage FreeIPA dnszone
+short_description: Manage FreeIPA dnszone
 description: Manage FreeIPA dnszone
 extends_documentation_fragment:
  - ipamodule_base_docs
 options:
  name:
    description: The zone name string.
-    required: true
+    required: false
    type: list
-    alises: ["zone_name"]
+    elements: str
+    aliases: ["zone_name"]
  name_from_ip:
    description: |
      Derive zone name from reverse of IP (PTR).
@@ -51,17 +53,22 @@ options:
  forwarders:
    description: The list of global DNS forwarders.
    required: false
-    options:
+    type: list
+    elements: dict
+    suboptions:
      ip_address:
        description: The forwarder nameserver IP address list (IPv4 and IPv6).
+        type: str
        required: true
      port:
        description: The port to forward requests to.
+        type: int
        required: false
  forward_policy:
    description:
      Global forwarding policy. Set to "none" to disable any configured
      global forwarders.
+    type: str
    required: false
    choices: ['only', 'first', 'none']
  allow_sync_ptr:
@@ -71,6 +78,7 @@ options:
    type: bool
  state:
    description: State to ensure
+    type: str
    default: present
    choices: ["present", "absent", "enabled", "disabled"]
  name_server:
@@ -89,7 +97,7 @@ options:
    description: Allow dynamic updates
    required: false
    type: bool
-    alises: ["dynamicupdate"]
+    aliases: ["dynamicupdate"]
  dnssec:
    description: Allow inline DNSSEC signing of records in the zone
    required: false
@@ -97,11 +105,13 @@ options:
  allow_transfer:
    description: List of IP addresses or networks which are allowed to transfer the zone
    required: false
-    type: bool
+    type: list
+    elements: str
  allow_query:
    description: List of IP addresses or networks which are allowed to issue queries
    required: false
-    type: bool
+    type: list
+    elements: str
  refresh:
    description: SOA record refresh time
    required: false
@@ -141,6 +151,9 @@ options:
    description: Force DNS zone creation even if nameserver is not resolvable
    required: false
    type: bool
+author:
+  - Sergio Oliveira Campos (@seocam)
+  - Thomas Woerner (@t-woerner)
 """  # noqa: E501

 EXAMPLES = """
@@ -195,13 +208,14 @@ dnszone:
  description: DNS Zone dict with zone name infered from `name_from_ip`.
  returned:
    If `state` is `present`, `name_from_ip` is used, and a zone was created.
-  options:
+  type: dict
+  contains:
    name:
      description: The name of the zone created, inferred from `name_from_ip`.
+      type: str
      returned: always
 """

-from ipapython.dnsutil import DNSName  # noqa: E402
 from ansible.module_utils.ansible_freeipa_module import (
    IPAAnsibleModule,
    is_ip_address,
@@ -210,8 +224,9 @@ from ansible.module_utils.ansible_freeipa_module import (
    ipalib_errors,
    compare_args_ipa,
    IPAParamMapping,
+    DNSName,
+    netaddr
 )  # noqa: E402
-import netaddr
 from ansible.module_utils import six


@@ -265,7 +280,8 @@ class DNSZoneModule(IPAAnsibleModule):
        if any(invalid_ips):
            self.fail_json(msg=error_msg % invalid_ips)

-    def is_valid_nsec3param_rec(self, nsec3param_rec):  # pylint: disable=R0201
+    @staticmethod
+    def is_valid_nsec3param_rec(nsec3param_rec):
        try:
            part1, part2, part3, part4 = nsec3param_rec.split(" ")
        except ValueError:
@@ -487,8 +503,8 @@ class DNSZoneModule(IPAAnsibleModule):

 def get_argument_spec():
    forwarder_spec = dict(
-        ip_address=dict(type=str, required=True),
-        port=dict(type=int, required=False, default=None),
+        ip_address=dict(type="str", required=True),
+        port=dict(type="int", required=False, default=None),
    )

    return dict(
@@ -500,11 +516,13 @@ def get_argument_spec():
        ipaadmin_principal=dict(type="str", default="admin"),
        ipaadmin_password=dict(type="str", required=False, no_log=True),
        name=dict(
-            type="list", default=None, required=False, aliases=["zone_name"]
+            type="list", elements="str", default=None, required=False,
+            aliases=["zone_name"]
        ),
        name_from_ip=dict(type="str", default=None, required=False),
        forwarders=dict(
            type="list",
+            elements="dict",
            default=None,
            required=False,
            options=dict(**forwarder_spec),
@@ -526,8 +544,10 @@ def get_argument_spec():
            aliases=["dynamicupdate"],
        ),
        dnssec=dict(type="bool", required=False, default=None),
-        allow_transfer=dict(type="list", required=False, default=None),
-        allow_query=dict(type="list", required=False, default=None),
+        allow_transfer=dict(type="list", elements="str", required=False,
+                            default=None),
+        allow_query=dict(type="list", elements="str", required=False,
+                         default=None),
        refresh=dict(type="int", required=False, default=None),
        retry=dict(type="int", required=False, default=None),
        expire=dict(type="int", required=False, default=None),
--- a/plugins/modules/ipagroup.py
+++ b/plugins/modules/ipagroup.py
@@ -3,7 +3,7 @@
 # Authors:
 #   Thomas Woerner <twoerner@redhat.com>
 #
-# Copyright (C) 2019 Red Hat
+# Copyright (C) 2019-2022 Red Hat
 # see file 'COPYING' for use and warranty information
 #
 # This program is free software; you can redistribute it and/or modify
@@ -32,20 +32,24 @@ ANSIBLE_METADATA = {
 DOCUMENTATION = """
 ---
 module: ipagroup
-short description: Manage FreeIPA groups
+short_description: Manage FreeIPA groups
 description: Manage FreeIPA groups
 extends_documentation_fragment:
  - ipamodule_base_docs
 options:
  name:
    description: The group name
-    required: false
+    type: list
+    elements: str
+    required: true
    aliases: ["cn"]
  description:
    description: The group description
+    type: str
    required: false
  gid:
    description: The GID
+    type: int
    required: false
    aliases: ["gidnumber"]
  nonposix:
@@ -69,49 +73,58 @@ options:
    description: List of user names assigned to this group.
    required: false
    type: list
+    elements: str
  group:
    description: List of group names assigned to this group.
    required: false
    type: list
+    elements: str
  service:
    description:
    - List of service names assigned to this group.
    - Only usable with IPA versions 4.7 and up.
    required: false
    type: list
+    elements: str
  membermanager_user:
    description:
    - List of member manager users assigned to this group.
    - Only usable with IPA versions 4.8.4 and up.
    required: false
    type: list
+    elements: str
  membermanager_group:
    description:
    - List of member manager groups assigned to this group.
    - Only usable with IPA versions 4.8.4 and up.
    required: false
    type: list
+    elements: str
  externalmember:
    description:
    - List of members of a trusted domain in DOM\\name or name@domain form.
    required: false
    type: list
-    ailases: ["ipaexternalmember", "external_member"]
+    elements: str
+    aliases: ["ipaexternalmember", "external_member"]
  idoverrideuser:
    description:
    - User ID overrides to add
    required: false
    type: list
+    elements: str
  action:
    description: Work on group or member level
+    type: str
    default: group
    choices: ["member", "group"]
  state:
    description: State to ensure
+    type: str
    default: present
    choices: ["present", "absent"]
 author:
-    - Thomas Woerner
+  - Thomas Woerner (@t-woerner)
 """

 EXAMPLES = """
@@ -275,7 +288,7 @@ def main():
    ansible_module = IPAAnsibleModule(
        argument_spec=dict(
            # general
-            name=dict(type="list", aliases=["cn"], default=None,
+            name=dict(type="list", elements="str", aliases=["cn"],
                      required=True),
            # present
            description=dict(type="str", default=None),
@@ -284,14 +297,20 @@ def main():
            external=dict(required=False, type='bool', default=None),
            posix=dict(required=False, type='bool', default=None),
            nomembers=dict(required=False, type='bool', default=None),
-            user=dict(required=False, type='list', default=None),
-            group=dict(required=False, type='list', default=None),
-            service=dict(required=False, type='list', default=None),
-            idoverrideuser=dict(required=False, type='list', default=None),
-            membermanager_user=dict(required=False, type='list', default=None),
+            user=dict(required=False, type='list', elements="str",
+                      default=None),
+            group=dict(required=False, type='list', elements="str",
+                       default=None),
+            service=dict(required=False, type='list', elements="str",
+                         default=None),
+            idoverrideuser=dict(required=False, type='list', elements="str",
+                                default=None),
+            membermanager_user=dict(required=False, type='list',
+                                    elements="str", default=None),
            membermanager_group=dict(required=False, type='list',
-                                     default=None),
-            externalmember=dict(required=False, type='list', default=None,
+                                     elements="str", default=None),
+            externalmember=dict(required=False, type='list', elements="str",
+                                default=None,
                                aliases=[
                                    "ipaexternalmember",
                                    "external_member"
--- a/plugins/modules/ipahbacrule.py
+++ b/plugins/modules/ipahbacrule.py
@@ -3,7 +3,7 @@
 # Authors:
 #   Thomas Woerner <twoerner@redhat.com>
 #
-# Copyright (C) 2019 Red Hat
+# Copyright (C) 2019-2022 Red Hat
 # see file 'COPYING' for use and warranty information
 #
 # This program is free software; you can redistribute it and/or modify
@@ -32,30 +32,36 @@ ANSIBLE_METADATA = {
 DOCUMENTATION = """
 ---
 module: ipahbacrule
-short description: Manage FreeIPA HBAC rules
+short_description: Manage FreeIPA HBAC rules
 description: Manage FreeIPA HBAC rules
 extends_documentation_fragment:
  - ipamodule_base_docs
 options:
  name:
    description: The hbacrule name
+    type: list
+    elements: str
    required: true
    aliases: ["cn"]
  description:
    description: The hbacrule description
+    type: str
    required: false
  usercategory:
    description: User category the rule applies to
+    type: str
    required: false
    aliases: ["usercat"]
    choices: ["all", ""]
  hostcategory:
    description: Host category the rule applies to
+    type: str
    required: false
    aliases: ["hostcat"]
    choices: ["all", ""]
  servicecategory:
    description: Service category the rule applies to
+    type: str
    required: false
    aliases: ["servicecat"]
    choices: ["all", ""]
@@ -67,36 +73,44 @@ options:
    description: List of host names assigned to this hbacrule.
    required: false
    type: list
+    elements: str
  hostgroup:
    description: List of host groups assigned to this hbacrule.
    required: false
    type: list
+    elements: str
  hbacsvc:
    description: List of HBAC service names assigned to this hbacrule.
    required: false
    type: list
+    elements: str
  hbacsvcgroup:
    description: List of HBAC service names assigned to this hbacrule.
    required: false
    type: list
+    elements: str
  user:
    description: List of user names assigned to this hbacrule.
    required: false
    type: list
+    elements: str
  group:
    description: List of user groups assigned to this hbacrule.
    required: false
    type: list
+    elements: str
  action:
    description: Work on hbacrule or member level
+    type: str
    default: hbacrule
    choices: ["member", "hbacrule"]
  state:
    description: State to ensure
+    type: str
    default: present
    choices: ["present", "absent", "enabled", "disabled"]
 author:
-    - Thomas Woerner
+  - Thomas Woerner (@t-woerner)
 """

 EXAMPLES = """
@@ -198,7 +212,7 @@ def main():
    ansible_module = IPAAnsibleModule(
        argument_spec=dict(
            # general
-            name=dict(type="list", aliases=["cn"], default=None,
+            name=dict(type="list", elements="str", aliases=["cn"],
                      required=True),
            # present
            description=dict(type="str", default=None),
@@ -209,12 +223,18 @@ def main():
            servicecategory=dict(type="str", default=None,
                                 aliases=["servicecat"], choices=["all", ""]),
            nomembers=dict(required=False, type='bool', default=None),
-            host=dict(required=False, type='list', default=None),
-            hostgroup=dict(required=False, type='list', default=None),
-            hbacsvc=dict(required=False, type='list', default=None),
-            hbacsvcgroup=dict(required=False, type='list', default=None),
-            user=dict(required=False, type='list', default=None),
-            group=dict(required=False, type='list', default=None),
+            host=dict(required=False, type='list', elements="str",
+                      default=None),
+            hostgroup=dict(required=False, type='list', elements="str",
+                           default=None),
+            hbacsvc=dict(required=False, type='list', elements="str",
+                         default=None),
+            hbacsvcgroup=dict(required=False, type='list', elements="str",
+                              default=None),
+            user=dict(required=False, type='list', elements="str",
+                      default=None),
+            group=dict(required=False, type='list', elements="str",
+                       default=None),
            action=dict(type="str", default="hbacrule",
                        choices=["member", "hbacrule"]),
            # state
--- a/plugins/modules/ipahbacsvc.py
+++ b/plugins/modules/ipahbacsvc.py
@@ -3,7 +3,7 @@
 # Authors:
 #   Thomas Woerner <twoerner@redhat.com>
 #
-# Copyright (C) 2019 Red Hat
+# Copyright (C) 2019-2022 Red Hat
 # see file 'COPYING' for use and warranty information
 #
 # This program is free software; you can redistribute it and/or modify
@@ -32,24 +32,28 @@ ANSIBLE_METADATA = {
 DOCUMENTATION = """
 ---
 module: ipahbacsvc
-short description: Manage FreeIPA HBAC Services
+short_description: Manage FreeIPA HBAC Services
 description: Manage FreeIPA HBAC Services
 extends_documentation_fragment:
  - ipamodule_base_docs
 options:
  name:
    description: The group name
-    required: false
+    type: list
+    elements: str
+    required: true
    aliases: ["cn", "service"]
  description:
    description: The HBAC Service description
+    type: str
    required: false
  state:
    description: State to ensure
+    type: str
    default: present
    choices: ["present", "absent"]
 author:
-    - Thomas Woerner
+  - Thomas Woerner (@t-woerner)
 """

 EXAMPLES = """
@@ -102,7 +106,7 @@ def main():
    ansible_module = IPAAnsibleModule(
        argument_spec=dict(
            # general
-            name=dict(type="list", aliases=["cn", "service"], default=None,
+            name=dict(type="list", elements="str", aliases=["cn", "service"],
                      required=True),
            # present

--- a/plugins/modules/ipahbacsvcgroup.py
+++ b/plugins/modules/ipahbacsvcgroup.py
@@ -3,7 +3,7 @@
 # Authors:
 #   Thomas Woerner <twoerner@redhat.com>
 #
-# Copyright (C) 2019 Red Hat
+# Copyright (C) 2019-2022 Red Hat
 # see file 'COPYING' for use and warranty information
 #
 # This program is free software; you can redistribute it and/or modify
@@ -33,36 +33,42 @@ ANSIBLE_METADATA = {
 DOCUMENTATION = """
 ---
 module: ipahbacsvcgroup
-short description: Manage FreeIPA hbacsvcgroups
+short_description: Manage FreeIPA hbacsvcgroups
 description: Manage FreeIPA hbacsvcgroups
 extends_documentation_fragment:
  - ipamodule_base_docs
 options:
  name:
    description: The hbacsvcgroup name
-    required: false
+    type: list
+    elements: str
+    required: true
    aliases: ["cn"]
  description:
    description: The hbacsvcgroup description
+    type: str
    required: false
  hbacsvc:
    description: List of hbacsvc names assigned to this hbacsvcgroup.
    required: false
    type: list
+    elements: str
  nomembers:
    description: Suppress processing of membership attributes
    required: false
    type: bool
  action:
    description: Work on hbacsvcgroup or member level
+    type: str
    default: hbacsvcgroup
    choices: ["member", "hbacsvcgroup"]
  state:
    description: State to ensure
+    type: str
    default: present
    choices: ["present", "absent"]
 author:
-    - Thomas Woerner
+  - Thomas Woerner (@t-woerner)
 """

 EXAMPLES = """
@@ -159,12 +165,13 @@ def main():
    ansible_module = IPAAnsibleModule(
        argument_spec=dict(
            # general
-            name=dict(type="list", aliases=["cn"], default=None,
+            name=dict(type="list", elements="str", aliases=["cn"],
                      required=True),
            # present
            description=dict(type="str", default=None),
            nomembers=dict(required=False, type='bool', default=None),
-            hbacsvc=dict(required=False, type='list', default=None),
+            hbacsvc=dict(required=False, type='list', elements="str",
+                         default=None),
            action=dict(type="str", default="hbacsvcgroup",
                        choices=["member", "hbacsvcgroup"]),
            # state
--- a/plugins/modules/ipahost.py
+++ b/plugins/modules/ipahost.py
@@ -3,7 +3,7 @@
 # Authors:
 #   Thomas Woerner <twoerner@redhat.com>
 #
-# Copyright (C) 2019 Red Hat
+# Copyright (C) 2019-2022 Red Hat
 # see file 'COPYING' for use and warranty information
 #
 # This program is free software; you can redistribute it and/or modify
@@ -32,122 +32,157 @@ ANSIBLE_METADATA = {
 DOCUMENTATION = """
 ---
 module: ipahost
-short description: Manage FreeIPA hosts
+short_description: Manage FreeIPA hosts
 description: Manage FreeIPA hosts
 extends_documentation_fragment:
  - ipamodule_base_docs
 options:
  name:
    description: The full qualified domain name.
+    type: list
+    elements: str
    aliases: ["fqdn"]
-    required: true
-
+    required: false
  hosts:
    description: The list of user host dicts
    required: false
-    options:
+    type: list
+    elements: dict
+    suboptions:
      name:
        description: The host (internally uid).
+        type: str
        aliases: ["fqdn"]
        required: true
      description:
        description: The host description
+        type: str
        required: false
      locality:
        description: Host locality (e.g. "Baltimore, MD")
+        type: str
        required: false
      location:
        description: Host location (e.g. "Lab 2")
+        type: str
        aliases: ["ns_host_location"]
        required: false
      platform:
        description: Host hardware platform (e.g. "Lenovo T61")
+        type: str
        aliases: ["ns_hardware_platform"]
        required: false
      os:
        description: Host operating system and version (e.g. "Fedora 9")
+        type: str
        aliases: ["ns_os_version"]
        required: false
      password:
        description: Password used in bulk enrollment
+        type: str
        aliases: ["user_password", "userpassword"]
        required: false
      random:
        description:
          Initiate the generation of a random password to be used in bulk
          enrollment
+        type: bool
        aliases: ["random_password"]
        required: false
      certificate:
        description: List of base-64 encoded host certificates
        type: list
+        elements: str
        aliases: ["usercertificate"]
        required: false
      managedby_host:
        description: List of hosts that can manage this host
        type: list
-        aliases: ["principalname", "krbprincipalname"]
+        elements: str
        required: false
      principal:
        description: List of principal aliases for this host
        type: list
+        elements: str
        aliases: ["principalname", "krbprincipalname"]
        required: false
      allow_create_keytab_user:
        description: Users allowed to create a keytab of this host
+        type: list
+        elements: str
        aliases: ["ipaallowedtoperform_write_keys_user"]
        required: false
      allow_create_keytab_group:
        description: Groups allowed to create a keytab of this host
+        type: list
+        elements: str
        aliases: ["ipaallowedtoperform_write_keys_group"]
        required: false
      allow_create_keytab_host:
        description: Hosts allowed to create a keytab of this host
+        type: list
+        elements: str
        aliases: ["ipaallowedtoperform_write_keys_host"]
        required: false
      allow_create_keytab_hostgroup:
        description: Hostgroups allowed to create a keytab of this host
+        type: list
+        elements: str
        aliases: ["ipaallowedtoperform_write_keys_hostgroup"]
        required: false
      allow_retrieve_keytab_user:
        description: Users allowed to retrieve a keytab of this host
+        type: list
+        elements: str
        aliases: ["ipaallowedtoperform_read_keys_user"]
        required: false
      allow_retrieve_keytab_group:
        description: Groups allowed to retrieve a keytab of this host
+        type: list
+        elements: str
        aliases: ["ipaallowedtoperform_read_keys_group"]
        required: false
      allow_retrieve_keytab_host:
        description: Hosts allowed to retrieve a keytab of this host
+        type: list
+        elements: str
        aliases: ["ipaallowedtoperform_read_keys_host"]
        required: false
      allow_retrieve_keytab_hostgroup:
        description: Hostgroups allowed to retrieve a keytab of this host
+        type: list
+        elements: str
        aliases: ["ipaallowedtoperform_read_keys_hostgroup"]
        required: false
      mac_address:
        description: List of hardware MAC addresses.
        type: list
+        elements: str
        aliases: ["macaddress"]
        required: false
      sshpubkey:
        description: List of SSH public keys
        type: list
+        elements: str
        aliases: ["ipasshpubkey"]
        required: false
      userclass:
        description:
          Host category (semantics placed on this attribute are for local
          interpretation)
+        type: list
+        elements: str
        aliases: ["class"]
        required: false
      auth_ind:
        description:
-          Defines a whitelist for Authentication Indicators. Use 'otp' to allow
-          OTP-based 2FA authentications. Use 'radius' to allow RADIUS-based 2FA
-          authentications. Other values may be used for custom configurations.
-          Use empty string to reset auth_ind to the initial value.
+          Defines an allow list for Authentication Indicators. Use 'otp'
+          to allow OTP-based 2FA authentications. Use 'radius' to allow
+          RADIUS-based 2FA authentications. Other values may be used
+          for custom configurations. Use empty string to reset auth_ind
+          to the initial value.
        type: list
+        elements: str
        aliases: ["krbprincipalauthind"]
        choices: ["radius", "otp", "pkinit", "hardened", ""]
        required: false
@@ -169,15 +204,18 @@ options:
        required: false
      force:
        description: Force host name even if not in DNS
+        type: bool
        required: false
      reverse:
        description: Reverse DNS detection
-        default: true
+        type: bool
        required: false
      ip_address:
        description:
          The host IP address list (IPv4 and IPv6). No IP address conflict
          check will be done.
+        type: list
+        elements: str
        aliases: ["ipaddress"]
        required: false
      update_dns:
@@ -185,105 +223,138 @@ options:
          Controls the update of the DNS SSHFP records for existing hosts and
          the removal of all DNS entries if a host gets removed with state
          absent.
+        type: bool
+        aliases: ["updatedns"]
        required: false
  description:
    description: The host description
+    type: str
    required: false
  locality:
    description: Host locality (e.g. "Baltimore, MD")
+    type: str
    required: false
  location:
    description: Host location (e.g. "Lab 2")
+    type: str
    aliases: ["ns_host_location"]
    required: false
  platform:
    description: Host hardware platform (e.g. "Lenovo T61")
+    type: str
    aliases: ["ns_hardware_platform"]
    required: false
  os:
    description: Host operating system and version (e.g. "Fedora 9")
+    type: str
    aliases: ["ns_os_version"]
    required: false
  password:
    description: Password used in bulk enrollment
+    type: str
    aliases: ["user_password", "userpassword"]
    required: false
  random:
    description:
      Initiate the generation of a random password to be used in bulk
      enrollment
+    type: bool
    aliases: ["random_password"]
    required: false
  certificate:
    description: List of base-64 encoded host certificates
    type: list
+    elements: str
    aliases: ["usercertificate"]
    required: false
  managedby_host:
    description: List of hosts that can manage this host
    type: list
-    aliases: ["principalname", "krbprincipalname"]
+    elements: str
    required: false
  principal:
    description: List of principal aliases for this host
    type: list
+    elements: str
    aliases: ["principalname", "krbprincipalname"]
    required: false
  allow_create_keytab_user:
    description: Users allowed to create a keytab of this host
+    type: list
+    elements: str
    aliases: ["ipaallowedtoperform_write_keys_user"]
    required: false
  allow_create_keytab_group:
    description: Groups allowed to create a keytab of this host
+    type: list
+    elements: str
    aliases: ["ipaallowedtoperform_write_keys_group"]
    required: false
  allow_create_keytab_host:
    description: Hosts allowed to create a keytab of this host
+    type: list
+    elements: str
    aliases: ["ipaallowedtoperform_write_keys_host"]
    required: false
  allow_create_keytab_hostgroup:
    description: Hostgroups allowed to create a keytab of this host
+    type: list
+    elements: str
    aliases: ["ipaallowedtoperform_write_keys_hostgroup"]
    required: false
  allow_retrieve_keytab_user:
    description: Users allowed to retrieve a keytab of this host
+    type: list
+    elements: str
    aliases: ["ipaallowedtoperform_read_keys_user"]
    required: false
  allow_retrieve_keytab_group:
    description: Groups allowed to retrieve a keytab of this host
+    type: list
+    elements: str
    aliases: ["ipaallowedtoperform_read_keys_group"]
    required: false
  allow_retrieve_keytab_host:
    description: Hosts allowed to retrieve a keytab of this host
+    type: list
+    elements: str
    aliases: ["ipaallowedtoperform_read_keys_host"]
    required: false
  allow_retrieve_keytab_hostgroup:
    description: Hostgroups allowed to retrieve a keytab of this host
+    type: list
+    elements: str
    aliases: ["ipaallowedtoperform_read_keys_hostgroup"]
    required: false
  mac_address:
    description: List of hardware MAC addresses.
    type: list
+    elements: str
    aliases: ["macaddress"]
    required: false
  sshpubkey:
    description: List of SSH public keys
    type: list
+    elements: str
    aliases: ["ipasshpubkey"]
    required: false
  userclass:
    description:
      Host category (semantics placed on this attribute are for local
      interpretation)
+    type: list
+    elements: str
    aliases: ["class"]
    required: false
  auth_ind:
    description:
-      Defines a whitelist for Authentication Indicators. Use 'otp' to allow
-      OTP-based 2FA authentications. Use 'radius' to allow RADIUS-based 2FA
-      authentications. Other values may be used for custom configurations.
-      Use empty string to reset auth_ind to the initial value.
+      Defines an allow list for Authentication Indicators. Use 'otp'
+      to allow OTP-based 2FA authentications. Use 'radius' to allow
+      RADIUS-based 2FA authentications. Other values may be used
+      for custom configurations. Use empty string to reset auth_ind
+      to the initial value.
    type: list
+    elements: str
    aliases: ["krbprincipalauthind"]
    choices: ["radius", "otp", "pkinit", "hardened", ""]
    required: false
@@ -298,21 +369,25 @@ options:
    aliases: ["ipakrbokasdelegate"]
    required: false
  ok_to_auth_as_delegate:
-    description: The service is allowed to authenticate on behalf of a client
+    description:
+      The service is allowed to authenticate on behalf of a client
    type: bool
    aliases: ["ipakrboktoauthasdelegate"]
    required: false
  force:
    description: Force host name even if not in DNS
+    type: bool
    required: false
  reverse:
    description: Reverse DNS detection
-    default: true
+    type: bool
    required: false
  ip_address:
    description:
      The host IP address list (IPv4 and IPv6). No IP address conflict
      check will be done.
+    type: list
+    elements: str
    aliases: ["ipaddress"]
    required: false
  update_dns:
@@ -320,23 +395,27 @@ options:
      Controls the update of the DNS SSHFP records for existing hosts and
      the removal of all DNS entries if a host gets removed with state
      absent.
+    type: bool
+    aliases: ["updatedns"]
    required: false
  update_password:
    description:
      Set password for a host in present state only on creation or always
-    default: 'always'
+    type: str
    choices: ["always", "on_create"]
  action:
    description: Work on host or member level
+    type: str
    default: "host"
    choices: ["member", "host"]
  state:
    description: State to ensure
+    type: str
    default: present
    choices: ["present", "absent",
              "disabled"]
 author:
-    - Thomas Woerner
+  - Thomas Woerner (@t-woerner)
 """

 EXAMPLES = """
@@ -389,17 +468,19 @@ host:
  description: Host dict with random password
  returned: If random is yes and user did not exist or update_password is yes
  type: dict
-  options:
+  contains:
    randompassword:
      description: The generated random password
+      type: str
      returned: If only one user is handled by the module
    name:
      description: The user name of the user that got a new random password
      returned: If several users are handled by the module
      type: dict
-      options:
+      contains:
        randompassword:
          description: The generated random password
+          type: str
          returned: always
 """

@@ -626,52 +707,52 @@ def main():
                      default=None, no_log=True),
        random=dict(type="bool", aliases=["random_password"],
                    default=None),
-        certificate=dict(type="list", aliases=["usercertificate"],
-                         default=None),
-        managedby_host=dict(type="list",
-                            default=None),
-        principal=dict(type="list", aliases=["krbprincipalname"],
+        certificate=dict(type="list", elements="str",
+                         aliases=["usercertificate"], default=None),
+        managedby_host=dict(type="list", elements="str", default=None),
+        principal=dict(type="list", elements="str",
+                       aliases=["principalname", "krbprincipalname"],
                       default=None),
        allow_create_keytab_user=dict(
-            type="list",
+            type="list", elements="str",
            aliases=["ipaallowedtoperform_write_keys_user"],
-            default=None),
+            default=None, no_log=False),
        allow_create_keytab_group=dict(
-            type="list",
+            type="list", elements="str",
            aliases=["ipaallowedtoperform_write_keys_group"],
-            default=None),
+            default=None, no_log=False),
        allow_create_keytab_host=dict(
-            type="list",
+            type="list", elements="str",
            aliases=["ipaallowedtoperform_write_keys_host"],
-            default=None),
+            default=None, no_log=False),
        allow_create_keytab_hostgroup=dict(
-            type="list",
+            type="list", elements="str",
            aliases=["ipaallowedtoperform_write_keys_hostgroup"],
-            default=None),
+            default=None, no_log=False),
        allow_retrieve_keytab_user=dict(
-            type="list",
-            aliases=["ipaallowedtoperform_write_keys_user"],
-            default=None),
+            type="list", elements="str",
+            aliases=["ipaallowedtoperform_read_keys_user"],
+            default=None, no_log=False),
        allow_retrieve_keytab_group=dict(
-            type="list",
-            aliases=["ipaallowedtoperform_write_keys_group"],
-            default=None),
+            type="list", elements="str",
+            aliases=["ipaallowedtoperform_read_keys_group"],
+            default=None, no_log=False),
        allow_retrieve_keytab_host=dict(
-            type="list",
-            aliases=["ipaallowedtoperform_write_keys_host"],
-            default=None),
+            type="list", elements="str",
+            aliases=["ipaallowedtoperform_read_keys_host"],
+            default=None, no_log=False),
        allow_retrieve_keytab_hostgroup=dict(
-            type="list",
-            aliases=["ipaallowedtoperform_write_keys_hostgroup"],
-            default=None),
-        mac_address=dict(type="list", aliases=["macaddress"],
+            type="list", elements="str",
+            aliases=["ipaallowedtoperform_read_keys_hostgroup"],
+            default=None, no_log=False),
+        mac_address=dict(type="list", elements="str", aliases=["macaddress"],
                         default=None),
-        sshpubkey=dict(type="str", aliases=["ipasshpubkey"],
+        sshpubkey=dict(type="list", elements="str", aliases=["ipasshpubkey"],
                       default=None),
-        userclass=dict(type="list", aliases=["class"],
+        userclass=dict(type="list", elements="str", aliases=["class"],
                       default=None),
-        auth_ind=dict(type='list', aliases=["krbprincipalauthind"],
-                      default=None,
+        auth_ind=dict(type='list', elements="str",
+                      aliases=["krbprincipalauthind"], default=None,
                      choices=['radius', 'otp', 'pkinit', 'hardened', '']),
        requires_pre_auth=dict(type="bool", aliases=["ipakrbrequirespreauth"],
                               default=None),
@@ -682,7 +763,7 @@ def main():
                                    default=None),
        force=dict(type='bool', default=None),
        reverse=dict(type='bool', default=None),
-        ip_address=dict(type="list", aliases=["ipaddress"],
+        ip_address=dict(type="list", elements="str", aliases=["ipaddress"],
                        default=None),
        update_dns=dict(type="bool", aliases=["updatedns"],
                        default=None),
@@ -695,8 +776,8 @@ def main():
    ansible_module = IPAAnsibleModule(
        argument_spec=dict(
            # general
-            name=dict(type="list", aliases=["fqdn"], default=None,
-                      required=False),
+            name=dict(type="list", elements="str", aliases=["fqdn"],
+                      default=None, required=False),

            hosts=dict(type="list", default=None,
                       options=dict(
@@ -762,7 +843,8 @@ def main():
    allow_retrieve_keytab_hostgroup = ansible_module.params_get(
        "allow_retrieve_keytab_hostgroup")
    mac_address = ansible_module.params_get("mac_address")
-    sshpubkey = ansible_module.params_get("sshpubkey")
+    sshpubkey = ansible_module.params_get("sshpubkey",
+                                          allow_empty_string=True)
    userclass = ansible_module.params_get("userclass")
    auth_ind = ansible_module.params_get("auth_ind", allow_empty_string=True)
    requires_pre_auth = ansible_module.params_get("requires_pre_auth")
--- a/plugins/modules/ipahostgroup.py
+++ b/plugins/modules/ipahostgroup.py
@@ -3,7 +3,7 @@
 # Authors:
 #   Thomas Woerner <twoerner@redhat.com>
 #
-# Copyright (C) 2019 Red Hat
+# Copyright (C) 2019-2022 Red Hat
 # see file 'COPYING' for use and warranty information
 #
 # This program is free software; you can redistribute it and/or modify
@@ -33,17 +33,20 @@ ANSIBLE_METADATA = {
 DOCUMENTATION = """
 ---
 module: ipahostgroup
-short description: Manage FreeIPA hostgroups
+short_description: Manage FreeIPA hostgroups
 description: Manage FreeIPA hostgroups
 extends_documentation_fragment:
  - ipamodule_base_docs
 options:
  name:
    description: The hostgroup name
-    required: false
+    type: list
+    elements: str
+    required: true
    aliases: ["cn"]
  description:
    description: The hostgroup description
+    type: str
    required: false
  nomembers:
    description: Suppress processing of membership attributes
@@ -53,38 +56,45 @@ options:
    description: List of host names assigned to this hostgroup.
    required: false
    type: list
+    elements: str
  hostgroup:
    description: List of hostgroup names assigned to this hostgroup.
    required: false
    type: list
+    elements: str
  membermanager_user:
    description:
    - List of member manager users assigned to this hostgroup.
    - Only usable with IPA versions 4.8.4 and up.
    required: false
    type: list
+    elements: str
  membermanager_group:
    description:
    - List of member manager groups assigned to this hostgroup.
    - Only usable with IPA versions 4.8.4 and up.
    required: false
    type: list
+    elements: str
  rename:
    description:
    - Rename hostgroup to the given name.
    - Only usable with IPA versions 4.8.7 and up.
+    type: str
    required: false
    aliases: ["new_name"]
  action:
    description: Work on hostgroup or member level
+    type: str
    default: hostgroup
    choices: ["member", "hostgroup"]
  state:
    description: State to ensure
+    type: str
    default: present
    choices: ["present", "absent", "renamed"]
 author:
-    - Thomas Woerner
+  - Thomas Woerner (@t-woerner)
 """

 EXAMPLES = """
@@ -185,16 +195,19 @@ def main():
    ansible_module = IPAAnsibleModule(
        argument_spec=dict(
            # general
-            name=dict(type="list", aliases=["cn"], default=None,
+            name=dict(type="list", elements="str", aliases=["cn"],
                      required=True),
            # present
            description=dict(type="str", default=None),
            nomembers=dict(required=False, type='bool', default=None),
-            host=dict(required=False, type='list', default=None),
-            hostgroup=dict(required=False, type='list', default=None),
-            membermanager_user=dict(required=False, type='list', default=None),
+            host=dict(required=False, type='list', elements="str",
+                      default=None),
+            hostgroup=dict(required=False, type='list', elements="str",
+                           default=None),
+            membermanager_user=dict(required=False, type='list',
+                                    elements="str", default=None),
            membermanager_group=dict(required=False, type='list',
-                                     default=None),
+                                     elements="str", default=None),
            rename=dict(required=False, type='str', default=None,
                        aliases=["new_name"]),
            action=dict(type="str", default="hostgroup",
--- a/plugins/modules/ipaidrange.py
+++ b/plugins/modules/ipaidrange.py
@@ -2,6 +2,7 @@

 # Authors:
 #   Rafael Guterres Jeffman <rjeffman@redhat.com>
+#   Thomas Woerner <twoerner@redhat.com>
 #
 # Copyright (C) 2022 Red Hat
 # see file 'COPYING' for use and warranty information
@@ -32,7 +33,7 @@ ANSIBLE_METADATA = {
 DOCUMENTATION = """
 ---
 module: ipaidrange
-short description: Manage FreeIPA idrange
+short_description: Manage FreeIPA idrange
 description: Manage FreeIPA idrange
 extends_documentation_fragment:
  - ipamodule_base_docs
@@ -40,6 +41,8 @@ extends_documentation_fragment:
 options:
  name:
    description: The list of idrange name strings.
+    type: list
+    elements: str
    required: true
    aliases: ["cn"]
  base_id:
@@ -64,33 +67,37 @@ options:
    aliases: ["ipasecondarybaserid"]
  idrange_type:
    description: ID range type.
-    type: string
+    type: str
    required: false
    choices: ["ipa-ad-trust", "ipa-ad-trust-posix", "ipa-local"]
    aliases: ["iparangetype"]
  dom_sid:
    description: Domain SID of the trusted domain.
-    type: string
+    type: str
    required: false
    aliases: ["ipanttrusteddomainsid"]
  dom_name:
    description: |
      Domain name of the trusted domain. Can only be used when
      `ipaapi_context: server`.
-    type: string
+    type: str
    required: false
    aliases: ["ipanttrusteddomainname"]
  auto_private_groups:
    description: Auto creation of private groups.
-    type: string
+    type: str
    required: false
    choices: ["true", "false", "hybrid"]
    aliases: ["ipaautoprivategroups"]
  state:
    description: The state to ensure.
+    type: str
    choices: ["present", "absent"]
    default: present
-    required: true
+    required: false
+author:
+  - Rafael Guterres Jeffman (@rjeffman)
+  - Thomas Woerner (@t-woerner)
 """

 EXAMPLES = """
@@ -184,8 +191,8 @@ def main():
    ansible_module = IPAAnsibleModule(
        argument_spec=dict(
            # general
-            name=dict(type="list", aliases=["cn"],
-                      default=None, required=True),
+            name=dict(type="list", elements="str", aliases=["cn"],
+                      required=True),
            # present
            base_id=dict(required=False, type='int',
                         aliases=["ipabaseid"], default=None),
--- a/plugins/modules/ipalocation.py
+++ b/plugins/modules/ipalocation.py
@@ -3,7 +3,7 @@
 # Authors:
 #   Thomas Woerner <twoerner@redhat.com>
 #
-# Copyright (C) 2020 Red Hat
+# Copyright (C) 2020-2022 Red Hat
 # see file 'COPYING' for use and warranty information
 #
 # This program is free software; you can redistribute it and/or modify
@@ -32,23 +32,29 @@ ANSIBLE_METADATA = {
 DOCUMENTATION = """
 ---
 module: ipalocation
-short description: Manage FreeIPA location
+short_description: Manage FreeIPA location
 description: Manage FreeIPA location
 extends_documentation_fragment:
  - ipamodule_base_docs
 options:
  name:
    description: The list of location name strings.
+    type: list
+    elements: str
    required: true
    aliases: ["idnsname"]
  description:
    description: The IPA location string
+    type: str
    required: false
  state:
    description: The state to ensure.
+    type: str
    choices: ["present", "absent"]
    default: present
-    required: true
+    required: false
+author:
+  - Thomas Woerner (@t-woerner)
 """

 EXAMPLES = """
@@ -94,8 +100,8 @@ def gen_args(description):
 def main():
    ansible_module = IPAAnsibleModule(
        argument_spec=dict(
-            name=dict(type="list", aliases=["idnsname"],
-                      default=None, required=True),
+            name=dict(type="list", elements="str", aliases=["idnsname"],
+                      required=True),
            # present
            description=dict(required=False, type='str', default=None),
            # state
--- a/plugins/modules/ipanetgroup.py
+++ b/plugins/modules/ipanetgroup.py
@@ -0,0 +1,434 @@
+# -*- coding: utf-8 -*-
+
+# Authors:
+#   Denis Karpelevich <dkarpele@redhat.com>
+#
+# Copyright (C) 2022 Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+from __future__ import (absolute_import, division, print_function)
+
+__metaclass__ = type
+
+ANSIBLE_METADATA = {
+    "metadata_version": "1.0",
+    "supported_by": "community",
+    "status": ["preview"],
+}
+
+DOCUMENTATION = """
+---
+module: ipanetgroup
+short_description: NIS entities can be stored in netgroups.
+description: |
+  A netgroup is a group used for permission checking.
+  It can contain both user and host values.
+extends_documentation_fragment:
+  - ipamodule_base_docs
+  - ipamodule_base_docs.delete_continue
+options:
+  name:
+    description: The list of netgroup name strings.
+    required: true
+    type: list
+    elements: str
+    aliases: ["cn"]
+  description:
+    description: Netgroup description
+    required: false
+    type: str
+    aliases: ["desc"]
+  nisdomain:
+    description: NIS domain name
+    required: false
+    type: str
+    aliases: ["nisdomainname"]
+  nomembers:
+    description: Suppress processing of membership attributes
+    required: false
+    type: bool
+  user:
+    description: List of user names assigned to this netgroup.
+    required: false
+    type: list
+    elements: str
+    aliases: ["users"]
+  group:
+    description: List of group names assigned to this netgroup.
+    required: false
+    type: list
+    elements: str
+    aliases: ["groups"]
+  host:
+    description: List of host names assigned to this netgroup.
+    required: false
+    type: list
+    elements: str
+    aliases: ["hosts"]
+  hostgroup:
+    description: List of host group names assigned to this netgroup.
+    required: false
+    type: list
+    elements: str
+    aliases: ["hostgroups"]
+  netgroup:
+    description: List of netgroup names assigned to this netgroup.
+    required: false
+    type: list
+    elements: str
+    aliases: ["netgroups"]
+  action:
+    description: Work on netgroup or member level
+    required: false
+    default: netgroup
+    choices: ["member", "netgroup"]
+  state:
+    description: The state to ensure.
+    choices: ["present", "absent"]
+    default: present
+author:
+    - Denis Karpelevich (@dkarpele)
+"""
+
+EXAMPLES = """
+- name: Ensure netgroup my_netgroup1 is present
+  ipanetgroup:
+    ipaadmin_password: SomeADMINpassword
+    name: my_netgroup1
+    description: My netgroup 1
+
+- name: Ensure netgroup my_netgroup1 is absent
+  ipanetgroup:
+    ipaadmin_password: SomeADMINpassword
+    name: my_netgroup1
+    state: absent
+
+- name: Ensure netgroup is present with user "user1"
+  ipanetgroup:
+    ipaadmin_password: SomeADMINpassword
+    name: TestNetgroup1
+    user: user1
+    action: member
+
+- name: Ensure netgroup user, "user1", is absent
+  ipanetgroup:
+    ipaadmin_password: SomeADMINpassword
+    name: TestNetgroup1
+    user: "user1"
+    action: member
+    state: absent
+
+- name: Ensure netgroup is present with members
+  ipanetgroup:
+    ipaadmin_password: SomeADMINpassword
+    name: TestNetgroup1
+    user: user1,user2
+    group: group1
+    host: host1
+    hostgroup: ipaservers
+    netgroup: admins
+    action: member
+
+- name: Ensure 2 netgroups TestNetgroup1, admins are absent
+  ipanetgroup:
+    ipaadmin_password: SomeADMINpassword
+    name:
+    - TestNetgroup1
+    - admins
+    state: absent
+"""
+
+RETURN = """
+"""
+
+
+from ansible.module_utils.ansible_freeipa_module import \
+    IPAAnsibleModule, compare_args_ipa, gen_add_del_lists, \
+    gen_add_list, gen_intersection_list, ensure_fqdn
+
+
+def find_netgroup(module, name):
+    """Find if a netgroup with the given name already exist."""
+    _args = {
+        "all": True,
+        "cn": name,
+    }
+
+    # `netgroup_find` is used here instead of `netgroup_show` to workaround
+    # FreeIPA bug https://pagure.io/freeipa/issue/9284.
+    # `ipa netgroup-show hostgroup` shows hostgroup - it's a bug.
+    # `ipa netgroup-find hostgroup` doesn't show hostgroup - it's correct.
+    _result = module.ipa_command("netgroup_find", name, _args)
+
+    if len(_result["result"]) > 1:
+        module.fail_json(
+            msg="There is more than one netgroup '%s'" % name)
+    elif len(_result["result"]) == 1:
+        return _result["result"][0]
+
+    return None
+
+
+def gen_args(description, nisdomain, nomembers):
+    _args = {}
+    if description is not None:
+        _args["description"] = description
+    if nisdomain is not None:
+        _args["nisdomainname"] = nisdomain
+    if nomembers is not None:
+        _args["nomembers"] = nomembers
+
+    return _args
+
+
+def gen_member_args(user, group, host, hostgroup, netgroup):
+    _args = {}
+    if user is not None:
+        _args["memberuser_user"] = user
+    if group is not None:
+        _args["memberuser_group"] = group
+    if host is not None:
+        _args["memberhost_host"] = host
+    if hostgroup is not None:
+        _args["memberhost_hostgroup"] = hostgroup
+    if netgroup is not None:
+        _args["member_netgroup"] = netgroup
+
+    return _args
+
+
+def main():
+    ansible_module = IPAAnsibleModule(
+        argument_spec=dict(
+            # general
+            name=dict(type="list", elements="str", aliases=["cn"],
+                      required=True),
+            # present
+            description=dict(required=False, type='str',
+                             aliases=["desc"], default=None),
+            nisdomain=dict(required=False, type='str',
+                           aliases=["nisdomainname"], default=None),
+            nomembers=dict(required=False, type='bool', default=None),
+            user=dict(required=False, type='list', elements="str",
+                      aliases=["users"], default=None),
+            group=dict(required=False, type='list', elements="str",
+                       aliases=["groups"], default=None),
+            host=dict(required=False, type='list', elements="str",
+                      aliases=["hosts"], default=None),
+            hostgroup=dict(required=False, type='list', elements="str",
+                           aliases=["hostgroups"], default=None),
+            netgroup=dict(required=False, type='list', elements="str",
+                          aliases=["netgroups"], default=None),
+            action=dict(required=False, type="str", default="netgroup",
+                        choices=["member", "netgroup"]),
+            # state
+            state=dict(type="str", default="present",
+                       choices=["present", "absent"]),
+        ),
+        supports_check_mode=True,
+        ipa_module_options=["delete_continue"],
+    )
+
+    ansible_module._ansible_debug = True
+
+    # Get parameters
+
+    # general
+    names = ansible_module.params_get("name")
+
+    # present
+    description = ansible_module.params_get("description")
+    nisdomain = ansible_module.params_get("nisdomain")
+    nomembers = ansible_module.params_get("nomembers")
+    user = ansible_module.params_get_lowercase("user")
+    group = ansible_module.params_get_lowercase("group")
+    host = ansible_module.params_get_lowercase("host")
+    hostgroup = ansible_module.params_get_lowercase("hostgroup")
+    netgroup = ansible_module.params_get_lowercase("netgroup")
+    action = ansible_module.params_get("action")
+
+    # state
+    state = ansible_module.params_get("state")
+
+    # Check parameters
+
+    invalid = []
+
+    if state == "present":
+        if len(names) != 1:
+            ansible_module.fail_json(
+                msg="Only one netgroup can be added at a time.")
+        if action == "member":
+            invalid = ["description", "nisdomain", "nomembers"]
+
+    if state == "absent":
+        if len(names) < 1:
+            ansible_module.fail_json(msg="No name given.")
+        if len(names) != 1 and action == "member":
+            ansible_module.fail_json(msg="Members can be removed only from one"
+                                         " netgroup at a time.")
+        invalid = ["description", "nisdomain", "nomembers"]
+        if action == "netgroup":
+            invalid.extend(["user", "group", "host", "hostgroup", "netgroup"])
+
+    ansible_module.params_fail_used_invalid(invalid, state)
+
+    # Init
+
+    exit_args = {}
+
+    # Connect to IPA API
+    with ansible_module.ipa_connect():
+        # Ensure fqdn host names, use default domain for simple names
+        if host is not None:
+            default_domain = ansible_module.ipa_get_domain()
+            host = [ensure_fqdn(_host, default_domain).lower()
+                    for _host in host]
+
+        commands = []
+        for name in names:
+            # Make sure netgroup exists
+            res_find = find_netgroup(ansible_module, name)
+
+            user_add, user_del = [], []
+            group_add, group_del = [], []
+            host_add, host_del = [], []
+            hostgroup_add, hostgroup_del = [], []
+            netgroup_add, netgroup_del = [], []
+
+            # Create command
+            if state == "present":
+                # Generate args
+                args = gen_args(description, nisdomain, nomembers)
+
+                if action == "netgroup":
+                    # Found the netgroup
+                    if res_find is not None:
+                        # For all settings is args, check if there are
+                        # different settings in the find result.
+                        # If yes: modify
+                        if not compare_args_ipa(ansible_module, args,
+                                                res_find):
+                            commands.append([name, "netgroup_mod", args])
+                    else:
+                        commands.append([name, "netgroup_add", args])
+                        res_find = {}
+
+                    member_args = gen_member_args(
+                        user, group, host, hostgroup, netgroup
+                    )
+                    if not compare_args_ipa(ansible_module, member_args,
+                                            res_find):
+                        # Generate addition and removal lists
+                        user_add, user_del = gen_add_del_lists(
+                            user, res_find.get("memberuser_user"))
+
+                        group_add, group_del = gen_add_del_lists(
+                            group, res_find.get("memberuser_group"))
+
+                        host_add, host_del = gen_add_del_lists(
+                            host, res_find.get("memberhost_host"))
+
+                        hostgroup_add, hostgroup_del = gen_add_del_lists(
+                            hostgroup, res_find.get("memberhost_hostgroup"))
+
+                        netgroup_add, netgroup_del = gen_add_del_lists(
+                            netgroup, res_find.get("member_netgroup"))
+
+                elif action == "member":
+                    if res_find is None:
+                        ansible_module.fail_json(msg="No netgroup '%s'" % name)
+
+                    # Reduce add lists for memberuser_user, memberuser_group,
+                    # member_service and member_external to new entries
+                    # only that are not in res_find.
+                    user_add = gen_add_list(
+                        user, res_find.get("memberuser_user"))
+                    group_add = gen_add_list(
+                        group, res_find.get("memberuser_group"))
+                    host_add = gen_add_list(
+                        host, res_find.get("memberhost_host"))
+                    hostgroup_add = gen_add_list(
+                        hostgroup, res_find.get("memberhost_hostgroup"))
+                    netgroup_add = gen_add_list(
+                        netgroup, res_find.get("member_netgroup"))
+
+            elif state == "absent":
+                if action == "netgroup":
+                    if res_find is not None:
+                        commands.append([name, "netgroup_del", {}])
+
+                elif action == "member":
+                    if res_find is None:
+                        ansible_module.fail_json(msg="No netgroup '%s'" % name)
+                    user_del = gen_intersection_list(
+                        user, res_find.get("memberuser_user"))
+                    group_del = gen_intersection_list(
+                        group, res_find.get("memberuser_group"))
+                    host_del = gen_intersection_list(
+                        host, res_find.get("memberhost_host"))
+                    hostgroup_del = gen_intersection_list(
+                        hostgroup, res_find.get("memberhost_hostgroup"))
+                    netgroup_del = gen_intersection_list(
+                        netgroup, res_find.get("member_netgroup"))
+
+            else:
+                ansible_module.fail_json(msg="Unknown state '%s'" % state)
+
+            # manage members
+            # setup member args for add/remove members.
+            add_member_args = {
+                "user": user_add,
+                "group": group_add,
+                "host": host_add,
+                "hostgroup": hostgroup_add,
+                "netgroup": netgroup_add
+            }
+
+            del_member_args = {
+                "user": user_del,
+                "group": group_del,
+                "host": host_del,
+                "hostgroup": hostgroup_del,
+                "netgroup": netgroup_del
+            }
+
+            # Add members
+            add_members = any([user_add, group_add, host_add,
+                               hostgroup_add, netgroup_add])
+            if add_members:
+                commands.append(
+                    [name, "netgroup_add_member", add_member_args]
+                )
+            # Remove members
+            remove_members = any([user_del, group_del, host_del,
+                                  hostgroup_del, netgroup_del])
+            if remove_members:
+                commands.append(
+                    [name, "netgroup_remove_member", del_member_args]
+                )
+        # Execute commands
+
+        changed = ansible_module.execute_ipa_commands(
+            commands, fail_on_member_errors=True)
+
+    # Done
+
+    ansible_module.exit_json(changed=changed, **exit_args)
+
+
+if __name__ == "__main__":
+    main()
--- a/plugins/modules/ipapermission.py
+++ b/plugins/modules/ipapermission.py
@@ -2,8 +2,9 @@

 # Authors:
 #   Seth Kress <kresss@gmail.com>
+#   Thomas Woerner <twoerner@redhat.com>
 #
-# Copyright (C) 2020 Red Hat
+# Copyright (C) 2020-2022 Red Hat
 # see file 'COPYING' for use and warranty information
 #
 # This program is free software; you can redistribute it and/or modify
@@ -32,13 +33,15 @@ ANSIBLE_METADATA = {
 DOCUMENTATION = """
 ---
 module: ipapermission
-short description: Manage FreeIPA permission
+short_description: Manage FreeIPA permission
 description: Manage FreeIPA permission and permission members
 extends_documentation_fragment:
  - ipamodule_base_docs
 options:
  name:
    description: The permission name string.
+    type: list
+    elements: str
    required: true
    aliases: ["cn"]
  right:
@@ -46,52 +49,64 @@ options:
    required: false
    choices: ["read", "search", "compare", "write", "add", "delete", "all"]
    type: list
+    elements: str
    aliases: ["ipapermright"]
  attrs:
    description: All attributes to which the permission applies
    required: false
    type: list
+    elements: str
  bindtype:
    description: Bind rule type
    required: false
-    choices: ["permission", "all", "anonymous"]
+    type: str
+    choices: ["permission", "all", "anonymous", "self"]
    aliases: ["ipapermbindruletype"]
  subtree:
    description: Subtree to apply permissions to
+    type: str
    required: false
    aliases: ["ipapermlocation"]
-  filter:
+  extra_target_filter:
    description: Extra target filter
    required: false
    type: list
-    aliases: ["extratargetfilter"]
+    elements: str
+    aliases: ["filter", "extratargetfilter"]
  rawfilter:
    description: All target filters
    required: false
    type: list
+    elements: str
    aliases: ["ipapermtargetfilter"]
  target:
    description: Optional DN to apply the permission to
+    type: str
    required: false
    aliases: ["ipapermtarget"]
  targetto:
    description: Optional DN subtree where an entry can be moved to
+    type: str
    required: false
    aliases: ["ipapermtargetto"]
  targetfrom:
    description: Optional DN subtree from where an entry can be moved
+    type: str
    required: false
    aliases: ["ipapermtargetfrom"]
  memberof:
    description: Target members of a group (sets memberOf targetfilter)
    required: false
    type: list
+    elements: str
  targetgroup:
    description: User group to apply permissions to (sets target)
+    type: str
    required: false
    aliases: ["targetgroup"]
  object_type:
    description: Type of IPA object (sets subtree and objectClass targetfilter)
+    type: str
    required: false
    aliases: ["type"]
  no_members:
@@ -100,18 +115,24 @@ options:
    type: bool
  rename:
    description: Rename the permission object
+    type: str
    required: false
    aliases: ["new_name"]
  action:
    description: Work on permission or member privilege level.
+    type: str
    choices: ["permission", "member"]
    default: permission
    required: false
  state:
    description: The state to ensure.
+    type: str
    choices: ["present", "absent", "renamed"]
    default: present
-    required: true
+    required: false
+author:
+  - Seth Kress (@kresss)
+  - Thomas Woerner (@t-woerner)
 """

 EXAMPLES = """
@@ -203,24 +224,26 @@ def main():
    ansible_module = IPAAnsibleModule(
        argument_spec=dict(
            # general
-            name=dict(type="list", aliases=["cn"],
-                      default=None, required=True),
+            name=dict(type="list", elements="str", aliases=["cn"],
+                      required=True),
            # present
-            right=dict(type="list", aliases=["ipapermright"], default=None,
-                       required=False,
+            right=dict(type="list", elements="str", aliases=["ipapermright"],
+                       default=None, required=False,
                       choices=["read", "search", "compare", "write", "add",
                                "delete", "all"]),
-            attrs=dict(type="list", default=None, required=False),
+            attrs=dict(type="list", elements="str", default=None,
+                       required=False),
            # Note: bindtype has a default of permission for Adds.
            bindtype=dict(type="str", aliases=["ipapermbindruletype"],
-                          default=None, require=False, choices=["permission",
+                          default=None, required=False, choices=["permission",
                          "all", "anonymous", "self"]),
            subtree=dict(type="str", aliases=["ipapermlocation"], default=None,
                         required=False),
-            extra_target_filter=dict(type="list", aliases=["filter",
-                                     "extratargetfilter"], default=None,
-                                     required=False),
-            rawfilter=dict(type="list", aliases=["ipapermtargetfilter"],
+            extra_target_filter=dict(type="list", elements="str",
+                                     aliases=["filter", "extratargetfilter"],
+                                     default=None, required=False),
+            rawfilter=dict(type="list", elements="str",
+                           aliases=["ipapermtargetfilter"],
                           default=None, required=False),
            target=dict(type="str", aliases=["ipapermtarget"], default=None,
                        required=False),
@@ -228,11 +251,12 @@ def main():
                          default=None, required=False),
            targetfrom=dict(type="str", aliases=["ipapermtargetfrom"],
                            default=None, required=False),
-            memberof=dict(type="list", default=None, required=False),
+            memberof=dict(type="list", elements="str", default=None,
+                          required=False),
            targetgroup=dict(type="str", default=None, required=False),
            object_type=dict(type="str", aliases=["type"], default=None,
                             required=False),
-            no_members=dict(type=bool, default=None, require=False),
+            no_members=dict(type="bool", default=None, required=False),
            rename=dict(type="str", default=None, required=False,
                        aliases=["new_name"]),
            action=dict(type="str", default="permission",
--- a/plugins/modules/ipaprivilege.py
+++ b/plugins/modules/ipaprivilege.py
@@ -2,8 +2,9 @@

 # Authors:
 #   Rafael Guterres Jeffman <rjeffman@redhat.com>
+#   Thomas Woerner <twoerner@redhat.com>
 #
-# Copyright (C) 2020 Red Hat
+# Copyright (C) 2020-2022 Red Hat
 # see file 'COPYING' for use and warranty information
 #
 # This program is free software; you can redistribute it and/or modify
@@ -35,35 +36,46 @@ ANSIBLE_METADATA = {
 DOCUMENTATION = """
 ---
 module: ipaprivilege
-short description: Manage FreeIPA privilege
+short_description: Manage FreeIPA privilege
 description: Manage FreeIPA privilege and privilege members
 extends_documentation_fragment:
  - ipamodule_base_docs
 options:
  name:
    description: The list of privilege name strings.
+    type: list
+    elements: str
    required: true
    aliases: ["cn"]
  description:
    description: Privilege description
+    type: str
    required: false
  rename:
    description: Rename the privilege object.
+    type: str
    required: false
    aliases: ["new_name"]
  permission:
    description: Permissions to be added to the privilege.
+    type: list
+    elements: str
    required: false
  action:
    description: Work on privilege or member level.
+    type: str
    choices: ["privilege", "member"]
    default: privilege
    required: false
  state:
    description: The state to ensure.
+    type: str
    choices: ["present", "absent", "renamed"]
    default: present
-    required: true
+    required: false
+author:
+  - Rafael Guterres Jeffman (@rjeffman)
+  - Thomas Woerner (@t-woerner)
 """

 EXAMPLES = """
@@ -134,13 +146,14 @@ def main():
    ansible_module = IPAAnsibleModule(
        argument_spec=dict(
            # general
-            name=dict(type="list", aliases=["cn"],
-                      default=None, required=True),
+            name=dict(type="list", elements="str", aliases=["cn"],
+                      required=True),
            # present
            description=dict(required=False, type='str', default=None),
            rename=dict(required=False, type='str', default=None,
                        aliases=["new_name"], ),
-            permission=dict(required=False, type='list', default=None),
+            permission=dict(required=False, type='list', elements="str",
+                            default=None),
            action=dict(type="str", default="privilege",
                        choices=["member", "privilege"]),
            # state
--- a/plugins/modules/ipapwpolicy.py
+++ b/plugins/modules/ipapwpolicy.py
@@ -2,8 +2,9 @@

 # Authors:
 #   Thomas Woerner <twoerner@redhat.com>
+#   Rafael Guterres Jeffman <rjeffman@redhat.com>
 #
-# Copyright (C) 2019 Red Hat
+# Copyright (C) 2019-2022 Red Hat
 # see file 'COPYING' for use and warranty information
 #
 # This program is free software; you can redistribute it and/or modify
@@ -32,70 +33,105 @@ ANSIBLE_METADATA = {
 DOCUMENTATION = """
 ---
 module: ipapwpolicy
-short description: Manage FreeIPA pwpolicies
+short_description: Manage FreeIPA pwpolicies
 description: Manage FreeIPA pwpolicies
+extends_documentation_fragment:
+  - ipamodule_base_docs
 options:
-  ipaadmin_principal:
-    description: The admin principal
-    default: admin
-  ipaadmin_password:
-    description: The admin password
-    required: false
  name:
    description: The group name
+    type: list
+    elements: str
    required: false
    aliases: ["cn"]
  maxlife:
    description: Maximum password lifetime (in days)
-    type: int
+    type: str
    required: false
    aliases: ["krbmaxpwdlife"]
  minlife:
    description: Minimum password lifetime (in hours)
-    type: int
+    type: str
    required: false
    aliases: ["krbminpwdlife"]
  history:
    description: Password history size
-    type: int
+    type: str
    required: false
    aliases: ["krbpwdhistorylength"]
  minclasses:
    description: Minimum number of character classes
-    type: int
+    type: str
    required: false
    aliases: ["krbpwdmindiffchars"]
  minlength:
    description: Minimum length of password
-    type: int
+    type: str
    required: false
    aliases: ["krbpwdminlength"]
  priority:
    description: Priority of the policy (higher number means lower priority)
-    type: int
+    type: str
    required: false
    aliases: ["cospriority"]
  maxfail:
    description: Consecutive failures before lockout
-    type: int
+    type: str
    required: false
    aliases: ["krbpwdmaxfailure"]
  failinterval:
    description: Period after which failure count will be reset (seconds)
-    type: int
+    type: str
    required: false
    aliases: ["krbpwdfailurecountinterval"]
  lockouttime:
    description: Period for which lockout is enforced (seconds)
-    type: int
+    type: str
    required: false
    aliases: ["krbpwdlockoutduration"]
+  maxrepeat:
+    description: >
+      Maximum number of same consecutive characters.
+      Requires IPA 4.9+
+    type: str
+    required: false
+    aliases: ["ipapwdmaxrepeat"]
+  maxsequence:
+    description: >
+      The maximum length of monotonic character sequences (abcd).
+      Requires IPA 4.9+
+    type: str
+    required: false
+    aliases: ["ipapwdmaxsequence"]
+  dictcheck:
+    description: >
+      Check if the password is a dictionary word.
+      Requires IPA 4.9+
+    type: str
+    required: false
+    aliases: ["ipapwdictcheck"]
+  usercheck:
+    description: >
+      Check if the password contains the username.
+      Requires IPA 4.9+
+    type: str
+    required: false
+    aliases: ["ipapwdusercheck"]
+  gracelimit:
+    description: >
+      Number of LDAP authentications allowed after expiration.
+      Requires IPA 4.10.1+
+    type: str
+    required: false
+    aliases: ["passwordgracelimit"]
  state:
    description: State to ensure
+    type: str
    default: present
    choices: ["present", "absent"]
 author:
-    - Thomas Woerner
+  - Thomas Woerner (@t-woerner)
+  - Rafael Guterres Jeffman (@rjeffman)
 """

 EXAMPLES = """
@@ -135,8 +171,10 @@ def find_pwpolicy(module, name):
    return None


-def gen_args(maxlife, minlife, history, minclasses, minlength, priority,
-             maxfail, failinterval, lockouttime):
+def gen_args(module,
+             maxlife, minlife, history, minclasses, minlength, priority,
+             maxfail, failinterval, lockouttime, maxrepeat, maxsequence,
+             dictcheck, usercheck, gracelimit):
    _args = {}
    if maxlife is not None:
        _args["krbmaxpwdlife"] = maxlife
@@ -156,34 +194,91 @@ def gen_args(maxlife, minlife, history, minclasses, minlength, priority,
        _args["krbpwdfailurecountinterval"] = failinterval
    if lockouttime is not None:
        _args["krbpwdlockoutduration"] = lockouttime
+    if maxrepeat is not None:
+        _args["ipapwdmaxrepeat"] = maxrepeat
+    if maxsequence is not None:
+        _args["ipapwdmaxrsequence"] = maxsequence
+    if dictcheck is not None:
+        if module.ipa_check_version("<", "4.9.10"):
+            # Allowed values: "TRUE", "FALSE", ""
+            _args["ipapwddictcheck"] = "TRUE" if dictcheck is True else \
+                "FALSE" if dictcheck is False else dictcheck
+        else:
+            _args["ipapwddictcheck"] = dictcheck
+    if usercheck is not None:
+        if module.ipa_check_version("<", "4.9.10"):
+            # Allowed values: "TRUE", "FALSE", ""
+            _args["ipapwdusercheck"] = "TRUE" if usercheck is True else \
+                "FALSE" if usercheck is False else usercheck
+        else:
+            _args["ipapwdusercheck"] = usercheck
+    if gracelimit is not None:
+        _args["passwordgracelimit"] = gracelimit

    return _args


+def check_supported_params(
+    module, maxrepeat, maxsequence, dictcheck, usercheck, gracelimit
+):
+    # All password checking parameters were added by the same commit,
+    # so we only need to test one of them.
+    has_password_check = module.ipa_command_param_exists(
+        "pwpolicy_add", "ipapwdmaxrepeat")
+    # check if gracelimit is supported
+    has_gracelimit = module.ipa_command_param_exists(
+        "pwpolicy_add", "passwordgracelimit")
+
+    # If needed, report unsupported password checking paramteres
+    if not has_password_check:
+        check_password_params = [maxrepeat, maxsequence, dictcheck, usercheck]
+        unsupported = [
+            x for x in check_password_params if x is not None
+        ]
+        if unsupported:
+            module.fail_json(
+                msg="Your IPA version does not support arguments: "
+                    "maxrepeat, maxsequence, dictcheck, usercheck.")
+
+    if gracelimit is not None and not has_gracelimit:
+        module.fail_json(
+            msg="Your IPA version does not support 'gracelimit'.")
+
+
 def main():
    ansible_module = IPAAnsibleModule(
        argument_spec=dict(
            # general
-            name=dict(type="list", aliases=["cn"], default=None,
-                      required=False),
+            name=dict(type="list", elements="str", aliases=["cn"],
+                      default=None, required=False),
            # present

-            maxlife=dict(type="int", aliases=["krbmaxpwdlife"], default=None),
-            minlife=dict(type="int", aliases=["krbminpwdlife"], default=None),
-            history=dict(type="int", aliases=["krbpwdhistorylength"],
+            maxlife=dict(type="str", aliases=["krbmaxpwdlife"], default=None),
+            minlife=dict(type="str", aliases=["krbminpwdlife"], default=None),
+            history=dict(type="str", aliases=["krbpwdhistorylength"],
                         default=None),
-            minclasses=dict(type="int", aliases=["krbpwdmindiffchars"],
+            minclasses=dict(type="str", aliases=["krbpwdmindiffchars"],
                            default=None),
-            minlength=dict(type="int", aliases=["krbpwdminlength"],
+            minlength=dict(type="str", aliases=["krbpwdminlength"],
                           default=None),
-            priority=dict(type="int", aliases=["cospriority"], default=None),
-            maxfail=dict(type="int", aliases=["krbpwdmaxfailure"],
+            priority=dict(type="str", aliases=["cospriority"], default=None),
+            maxfail=dict(type="str", aliases=["krbpwdmaxfailure"],
                         default=None),
-            failinterval=dict(type="int",
+            failinterval=dict(type="str",
                              aliases=["krbpwdfailurecountinterval"],
                              default=None),
-            lockouttime=dict(type="int", aliases=["krbpwdlockoutduration"],
+            lockouttime=dict(type="str", aliases=["krbpwdlockoutduration"],
                             default=None),
+            maxrepeat=dict(type="str", aliases=["ipapwdmaxrepeat"],
+                           default=None),
+            maxsequence=dict(type="str", aliases=["ipapwdmaxsequence"],
+                             default=None),
+            dictcheck=dict(type="str", aliases=["ipapwdictcheck"],
+                           default=None),
+            usercheck=dict(type="str", aliases=["ipapwusercheck"],
+                           default=None),
+            gracelimit=dict(type="str", aliases=["passwordgracelimit"],
+                            default=None),
            # state
            state=dict(type="str", default="present",
                       choices=["present", "absent"]),
@@ -208,6 +303,11 @@ def main():
    maxfail = ansible_module.params_get("maxfail")
    failinterval = ansible_module.params_get("failinterval")
    lockouttime = ansible_module.params_get("lockouttime")
+    maxrepeat = ansible_module.params_get("maxrepeat")
+    maxsequence = ansible_module.params_get("maxsequence")
+    dictcheck = ansible_module.params_get("dictcheck")
+    usercheck = ansible_module.params_get("usercheck")
+    gracelimit = ansible_module.params_get("gracelimit")

    # state
    state = ansible_module.params_get("state")
@@ -231,10 +331,57 @@ def main():
                msg="'global_policy' can not be made absent.")
        invalid = ["maxlife", "minlife", "history", "minclasses",
                   "minlength", "priority", "maxfail", "failinterval",
-                   "lockouttime"]
+                   "lockouttime", "maxrepeat", "maxsequence", "dictcheck",
+                   "usercheck", "gracelimit"]

    ansible_module.params_fail_used_invalid(invalid, state)

+    # Ensure parameter values are valid and have proper type.
+    def int_or_empty_param(value, param):
+        if value is not None and value != "":
+            try:
+                value = int(value)
+            except ValueError:
+                ansible_module.fail_json(
+                    msg="Invalid value '%s' for argument '%s'" % (value, param)
+                )
+        return value
+
+    maxlife = int_or_empty_param(maxlife, "maxlife")
+    minlife = int_or_empty_param(minlife, "minlife")
+    history = int_or_empty_param(history, "history")
+    minclasses = int_or_empty_param(minclasses, "minclasses")
+    minlength = int_or_empty_param(minlength, "minlength")
+    priority = int_or_empty_param(priority, "priority")
+    maxfail = int_or_empty_param(maxfail, "maxfail")
+    failinterval = int_or_empty_param(failinterval, "failinterval")
+    lockouttime = int_or_empty_param(lockouttime, "lockouttime")
+    maxrepeat = int_or_empty_param(maxrepeat, "maxrepeat")
+    maxsequence = int_or_empty_param(maxsequence, "maxsequence")
+    gracelimit = int_or_empty_param(gracelimit, "gracelimit")
+
+    def bool_or_empty_param(value, param):  # pylint: disable=R1710
+        # As of Ansible 2.14, values True, False, Yes an No, with variable
+        # capitalization are accepted by Ansible.
+        if not value:
+            return value
+        if value in ["TRUE", "True", "true", "YES", "Yes", "yes"]:
+            return True
+        if value in ["FALSE", "False", "false", "NO", "No", "no"]:
+            return False
+        ansible_module.fail_json(
+            msg="Invalid value '%s' for argument '%s'." % (value, param)
+        )
+
+    dictcheck = bool_or_empty_param(dictcheck, "dictcheck")
+    usercheck = bool_or_empty_param(usercheck, "usercheck")
+
+    # Ensure gracelimit has proper limit.
+    if gracelimit:
+        if gracelimit < -1:
+            ansible_module.fail_json(
+                msg="'gracelimit' must be no less than -1")
+
    # Init

    changed = False
@@ -242,6 +389,11 @@ def main():

    with ansible_module.ipa_connect():

+        check_supported_params(
+            ansible_module, maxrepeat, maxsequence, dictcheck, usercheck,
+            gracelimit
+        )
+
        commands = []

        for name in names:
@@ -251,9 +403,11 @@ def main():
            # Create command
            if state == "present":
                # Generate args
-                args = gen_args(maxlife, minlife, history, minclasses,
+                args = gen_args(ansible_module,
+                                maxlife, minlife, history, minclasses,
                                minlength, priority, maxfail, failinterval,
-                                lockouttime)
+                                lockouttime, maxrepeat, maxsequence, dictcheck,
+                                usercheck, gracelimit)

                # Found the pwpolicy
                if res_find is not None:
--- a/plugins/modules/iparole.py
+++ b/plugins/modules/iparole.py
@@ -3,8 +3,9 @@

 # Authors:
 #   Rafael Guterres Jeffman <rjeffman@redhat.com>
+#   Thomas Woerner <twoerner@redhat.com>
 #
-# Copyright (C) 2020 Red Hat
+# Copyright (C) 2020-2022 Red Hat
 # see file 'COPYING' for use and warranty information
 #
 # This program is free software; you can redistribute it and/or modify
@@ -34,47 +35,71 @@ ANSIBLE_METADATA = {
 DOCUMENTATION = """
 ---
 module: iparole
-short description: Manage FreeIPA role
+short_description: Manage FreeIPA role
 description: Manage FreeIPA role
 extends_documentation_fragment:
  - ipamodule_base_docs
 options:
-  role:
+  name:
    description: The list of role name strings.
+    type: list
+    elements: str
    required: true
    aliases: ["cn"]
  description:
    description: A description for the role.
+    type: str
    required: false
  rename:
    description: Rename the role object.
+    type: str
    required: false
    aliases: ["new_name"]
+  privilege:
+    description: List of privileges
+    type: list
+    elements: str
+    required: false
  user:
    description: List of users.
+    type: list
+    elements: str
    required: false
  group:
    description: List of groups.
+    type: list
+    elements: str
    required: false
  host:
    description: List of hosts.
+    type: list
+    elements: str
    required: false
  hostgroup:
    description: List of hostgroups.
+    type: list
+    elements: str
    required: false
  service:
    description: List of services.
+    type: list
+    elements: str
    required: false
  action:
    description: Work on role or member level.
+    type: str
    choices: ["role", "member"]
    default: role
    required: false
  state:
    description: The state to ensure.
+    type: str
    choices: ["present", "absent", "renamed"]
    default: present
-    required: true
+    required: false
+author:
+  - Rafael Guterres Jeffman (@rjeffman)
+  - Thomas Woerner (@t-woerner)
 """

 EXAMPLES = """
@@ -394,19 +419,25 @@ def create_module():
    ansible_module = IPAAnsibleModule(
        argument_spec=dict(
            # generalgroups
-            name=dict(type="list", aliases=["cn"], default=None,
+            name=dict(type="list", elements="str", aliases=["cn"],
                      required=True),
            # present
            description=dict(required=False, type="str", default=None),
            rename=dict(required=False, type="str", default=None,
                        aliases=["new_name"]),
            # members
-            privilege=dict(required=False, type='list', default=None),
-            user=dict(required=False, type='list', default=None),
-            group=dict(required=False, type='list', default=None),
-            host=dict(required=False, type='list', default=None),
-            hostgroup=dict(required=False, type='list', default=None),
-            service=dict(required=False, type='list', default=None),
+            privilege=dict(required=False, type='list', elements="str",
+                           default=None),
+            user=dict(required=False, type='list', elements="str",
+                      default=None),
+            group=dict(required=False, type='list', elements="str",
+                       default=None),
+            host=dict(required=False, type='list', elements="str",
+                      default=None),
+            hostgroup=dict(required=False, type='list', elements="str",
+                           default=None),
+            service=dict(required=False, type='list', elements="str",
+                         default=None),

            # state
            action=dict(type="str", default="role",
--- a/plugins/modules/ipaselfservice.py
+++ b/plugins/modules/ipaselfservice.py
@@ -3,7 +3,7 @@
 # Authors:
 #   Thomas Woerner <twoerner@redhat.com>
 #
-# Copyright (C) 2020 Red Hat
+# Copyright (C) 2020-2022 Red Hat
 # see file 'COPYING' for use and warranty information
 #
 # This program is free software; you can redistribute it and/or modify
@@ -32,33 +32,43 @@ ANSIBLE_METADATA = {
 DOCUMENTATION = """
 ---
 module: ipaselfservice
-short description: Manage FreeIPA selfservices
+short_description: Manage FreeIPA selfservices
 description: Manage FreeIPA selfservices and selfservice attributes
 extends_documentation_fragment:
  - ipamodule_base_docs
 options:
  name:
    description: The list of selfservice name strings.
+    type: list
+    elements: str
    required: true
    aliases: ["aciname"]
  permission:
    description: Permissions to grant (read, write). Default is write.
+    type: list
+    elements: str
    required: false
    aliases: ["permissions"]
  attribute:
    description: Attribute list to which the selfservice applies
+    type: list
+    elements: str
    required: false
    aliases: ["attrs"]
  action:
    description: Work on selfservice or member level.
+    type: str
    choices: ["selfservice", "member"]
    default: selfservice
    required: false
  state:
    description: The state to ensure.
+    type: str
    choices: ["present", "absent"]
    default: present
-    required: true
+    required: false
+author:
+  - Thomas Woerner (@t-woerner)
 """

 EXAMPLES = """
@@ -130,13 +140,13 @@ def main():
    ansible_module = IPAAnsibleModule(
        argument_spec=dict(
            # general
-            name=dict(type="list", aliases=["aciname"], default=None,
+            name=dict(type="list", elements="str", aliases=["aciname"],
                      required=True),
            # present
-            permission=dict(required=False, type='list',
+            permission=dict(required=False, type='list', elements="str",
                            aliases=["permissions"], default=None),
-            attribute=dict(required=False, type='list', aliases=["attrs"],
-                           default=None),
+            attribute=dict(required=False, type='list', elements="str",
+                           aliases=["attrs"], default=None),
            action=dict(type="str", default="selfservice",
                        choices=["member", "selfservice"]),
            # state
--- a/plugins/modules/ipaserver.py
+++ b/plugins/modules/ipaserver.py
@@ -3,7 +3,7 @@
 # Authors:
 #   Thomas Woerner <twoerner@redhat.com>
 #
-# Copyright (C) 2021 Red Hat
+# Copyright (C) 2021-2022 Red Hat
 # see file 'COPYING' for use and warranty information
 #
 # This program is free software; you can redistribute it and/or modify
@@ -32,13 +32,15 @@ ANSIBLE_METADATA = {
 DOCUMENTATION = """
 ---
 module: ipaserver
-short description: Manage FreeIPA server
+short_description: Manage FreeIPA server
 description: Manage FreeIPA server
 extends_documentation_fragment:
  - ipamodule_base_docs
 options:
  name:
    description: The list of server name strings.
+    type: list
+    elements: str
    required: true
    aliases: ["cn"]
  location:
@@ -46,6 +48,7 @@ options:
      The server location string.
      "" for location reset.
      Only in state: present.
+    type: str
    required: false
    aliases: ["ipalocation_location"]
  service_weight:
@@ -96,9 +99,12 @@ options:
    type: bool
  state:
    description: The state to ensure.
+    type: str
    choices: ["present", "absent"]
    default: present
-    required: true
+    required: false
+author:
+  - Thomas Woerner (@t-woerner)
 """

 EXAMPLES = """
@@ -244,8 +250,8 @@ def main():
    ansible_module = IPAAnsibleModule(
        argument_spec=dict(
            # general
-            name=dict(type="list", aliases=["cn"],
-                      default=None, required=True),
+            name=dict(type="list", elements="str", aliases=["cn"],
+                      required=True),
            # present
            location=dict(required=False, type='str',
                          aliases=["ipalocation_location"], default=None),
--- a/plugins/modules/ipaservice.py
+++ b/plugins/modules/ipaservice.py
@@ -2,8 +2,9 @@

 # Authors:
 #   Rafael Guterres Jeffman <rjeffman@redhat.com>
+#   Thomas Woerner <twoerner@redhat.com>
 #
-# Copyright (C) 2019 Red Hat
+# Copyright (C) 2019-2022 Red Hat
 # see file 'COPYING' for use and warranty information
 #
 # This program is free software; you can redistribute it and/or modify
@@ -33,28 +34,34 @@ ANSIBLE_METADATA = {
 DOCUMENTATION = """
 ---
 module: ipaservice
-short description: Manage FreeIPA service
+short_description: Manage FreeIPA service
 description: Manage FreeIPA service
 extends_documentation_fragment:
  - ipamodule_base_docs
 options:
  name:
    description: The service to manage
+    type: list
+    elements: str
    required: true
    aliases: ["service"]
  certificate:
    description: Base-64 encoded service certificate.
    required: false
    type: list
+    elements: str
    aliases: ["usercertificate"]
  pac_type:
    description: Supported PAC type.
    required: false
    choices: ["MS-PAC", "PAD", "NONE", ""]
    type: list
+    elements: str
    aliases: ["pac_type", "ipakrbauthzdata"]
  auth_ind:
-    description: Defines a whitelist for Authentication Indicators.
+    description: Defines an allow list for Authentication Indicators.
+    type: list
+    elements: str
    required: false
    choices: ["otp", "radius", "pkinit", "hardened", ""]
    aliases: ["krbprincipalauthind"]
@@ -70,24 +77,22 @@ options:
    description: Pre-authentication is required for the service.
    required: false
    type: bool
-    default: False
    aliases: ["ipakrbrequirespreauth"]
  ok_as_delegate:
    description: Client credentials may be delegated to the service.
    required: false
    type: bool
-    default: False
    aliases: ["ipakrbokasdelegate"]
  ok_to_auth_as_delegate:
    description: Allow service to authenticate on behalf of a client.
    required: false
    type: bool
-    default: False
    aliases: ["ipakrboktoauthasdelegate"]
  principal:
    description: List of principal aliases for the service.
    required: false
    type: list
+    elements: str
    aliases: ["krbprincipalname"]
  smb:
    description: Add a SMB service.
@@ -101,63 +106,75 @@ options:
    description: Host that can manage the service.
    required: false
    type: list
+    elements: str
    aliases: ["managedby_host"]
  allow_create_keytab_user:
    description: Users allowed to create a keytab of this host.
    required: false
    type: list
+    elements: str
    aliases: ["ipaallowedtoperform_write_keys_user"]
  allow_create_keytab_group:
    description: Groups allowed to create a keytab of this host.
    required: false
    type: list
+    elements: str
    aliases: ["ipaallowedtoperform_write_keys_group"]
  allow_create_keytab_host:
    description: Hosts allowed to create a keytab of this host.
    required: false
    type: list
+    elements: str
    aliases: ["ipaallowedtoperform_write_keys_host"]
  allow_create_keytab_hostgroup:
    description: Host group allowed to create a keytab of this host.
    required: false
    type: list
+    elements: str
    aliases: ["ipaallowedtoperform_write_keys_hostgroup"]
  allow_retrieve_keytab_user:
    description: User allowed to retrieve a keytab of this host.
    required: false
    type: list
+    elements: str
    aliases: ["ipaallowedtoperform_read_keys_user"]
  allow_retrieve_keytab_group:
    description: Groups allowed to retrieve a keytab of this host.
    required: false
    type: list
+    elements: str
    aliases: ["ipaallowedtoperform_read_keys_group"]
  allow_retrieve_keytab_host:
    description: Hosts allowed to retrieve a keytab of this host.
    required: false
    type: list
+    elements: str
    aliases: ["ipaallowedtoperform_read_keys_host"]
  allow_retrieve_keytab_hostgroup:
    description: Host groups allowed to retrieve a keytab of this host.
    required: false
    type: list
+    elements: str
    aliases: ["ipaallowedtoperform_read_keys_hostgroup"]
-  continue:
+  delete_continue:
    description:
      Continuous mode. Don't stop on errors. Valid only if `state` is `absent`.
    required: false
-    default: True
    type: bool
+    aliases: ["continue"]
  action:
    description: Work on service or member level
+    type: str
    default: service
    choices: ["member", "service"]
  state:
    description: State to ensure
+    type: str
    default: present
    choices: ["present", "absent", "disabled"]
 author:
-    - Rafael Jeffman
+  - Rafael Guterres Jeffman (@rjeffman)
+  - Thomas Woerner (@t-woerner)
 """

 EXAMPLES = """
@@ -346,18 +363,20 @@ def init_ansible_module():
    ansible_module = IPAAnsibleModule(
        argument_spec=dict(
            # general
-            name=dict(type="list", aliases=["service"], default=None,
+            name=dict(type="list", elements="str", aliases=["service"],
                      required=True),
            # service attributesstr
-            certificate=dict(type="list", aliases=['usercertificate'],
+            certificate=dict(type="list", elements="str",
+                             aliases=['usercertificate'],
                             default=None, required=False),
-            principal=dict(type="list", aliases=["krbprincipalname"],
-                           default=None),
+            principal=dict(type="list", elements="str",
+                           aliases=["krbprincipalname"], default=None),
            smb=dict(type="bool", required=False),
            netbiosname=dict(type="str", required=False),
-            pac_type=dict(type="list", aliases=["ipakrbauthzdata"],
+            pac_type=dict(type="list", elements="str",
+                          aliases=["ipakrbauthzdata"],
                          choices=["MS-PAC", "PAD", "NONE", ""]),
-            auth_ind=dict(type="list",
+            auth_ind=dict(type="list", elements="str",
                          aliases=["krbprincipalauthind"],
                          choices=["otp", "radius", "pkinit", "hardened", ""]),
            skip_host_check=dict(type="bool"),
@@ -367,30 +386,31 @@ def init_ansible_module():
            ok_as_delegate=dict(type="bool", aliases=["ipakrbokasdelegate"]),
            ok_to_auth_as_delegate=dict(type="bool",
                                        aliases=["ipakrboktoauthasdelegate"]),
-            host=dict(type="list", aliases=["managedby_host"], required=False),
+            host=dict(type="list", elements="str", aliases=["managedby_host"],
+                      required=False),
            allow_create_keytab_user=dict(
-                type="list", required=False,
+                type="list", elements="str", required=False, no_log=False,
                aliases=['ipaallowedtoperform_write_keys_user']),
            allow_retrieve_keytab_user=dict(
-                type="list", required=False,
+                type="list", elements="str", required=False, no_log=False,
                aliases=['ipaallowedtoperform_read_keys_user']),
            allow_create_keytab_group=dict(
-                type="list", required=False,
+                type="list", elements="str", required=False, no_log=False,
                aliases=['ipaallowedtoperform_write_keys_group']),
            allow_retrieve_keytab_group=dict(
-                type="list", required=False,
+                type="list", elements="str", required=False, no_log=False,
                aliases=['ipaallowedtoperform_read_keys_group']),
            allow_create_keytab_host=dict(
-                type="list", required=False,
+                type="list", elements="str", required=False, no_log=False,
                aliases=['ipaallowedtoperform_write_keys_host']),
            allow_retrieve_keytab_host=dict(
-                type="list", required=False,
+                type="list", elements="str", required=False, no_log=False,
                aliases=['ipaallowedtoperform_read_keys_host']),
            allow_create_keytab_hostgroup=dict(
-                type="list", required=False,
+                type="list", elements="str", required=False, no_log=False,
                aliases=['ipaallowedtoperform_write_keys_hostgroup']),
            allow_retrieve_keytab_hostgroup=dict(
-                type="list", required=False,
+                type="list", elements="str", required=False, no_log=False,
                aliases=['ipaallowedtoperform_read_keys_hostgroup']),
            delete_continue=dict(type="bool", required=False,
                                 aliases=['continue']),
--- a/plugins/modules/ipaservicedelegationrule.py
+++ b/plugins/modules/ipaservicedelegationrule.py
@@ -32,7 +32,7 @@ ANSIBLE_METADATA = {
 DOCUMENTATION = """
 ---
 module: ipaservicedelegationrule
-short description: Manage FreeIPA servicedelegationrule
+short_description: Manage FreeIPA servicedelegationrule
 description: |
  Manage FreeIPA servicedelegationrule and servicedelegationrule members
 extends_documentation_fragment:
@@ -40,6 +40,8 @@ extends_documentation_fragment:
 options:
  name:
    description: The list of servicedelegationrule name strings.
+    type: list
+    elements: str
    required: true
    aliases: ["cn"]
  principal:
@@ -49,22 +51,30 @@ options:
      host/fqdn@REALM, alias$, alias$@REALM, where fqdn and fqdn@REALM
      are host principals and the same as host/fqdn and host/fqd
      Host princpals are only usable with IPA versions 4.9.0 and up.
+    type: list
+    elements: str
    required: false
  target:
    description: |
      The list of service delegation targets.
+    type: list
+    elements: str
    required: false
    aliases: ["servicedelegationtarget"]
  action:
    description: Work on servicedelegationrule or member level.
+    type: str
    choices: ["servicedelegationrule", "member"]
    default: servicedelegationrule
    required: false
  state:
    description: The state to ensure.
+    type: str
    choices: ["present", "absent"]
    default: present
-    required: true
+    required: false
+author:
+  - Thomas Woerner (@t-woerner)
 """

 EXAMPLES = """
@@ -161,11 +171,12 @@ def main():
    ansible_module = IPAAnsibleModule(
        argument_spec=dict(
            # general
-            name=dict(type="list", aliases=["cn"], default=None,
+            name=dict(type="list", elements="str", aliases=["cn"],
                      required=True),
            # present
-            principal=dict(required=False, type='list', default=None),
-            target=dict(required=False, type='list',
+            principal=dict(required=False, type='list', elements="str",
+                           default=None),
+            target=dict(required=False, type='list', elements="str",
                        aliases=["servicedelegationtarget"], default=None),

            action=dict(type="str", default="servicedelegationrule",
--- a/plugins/modules/ipaservicedelegationtarget.py
+++ b/plugins/modules/ipaservicedelegationtarget.py
@@ -32,7 +32,7 @@ ANSIBLE_METADATA = {
 DOCUMENTATION = """
 ---
 module: ipaservicedelegationtarget
-short description: Manage FreeIPA servicedelegationtarget
+short_description: Manage FreeIPA servicedelegationtarget
 description: |
  Manage FreeIPA servicedelegationtarget and servicedelegationtarget members
 extends_documentation_fragment:
@@ -40,6 +40,8 @@ extends_documentation_fragment:
 options:
  name:
    description: The list of servicedelegationtarget name strings.
+    type: list
+    elements: str
    required: true
    aliases: ["cn"]
  principal:
@@ -49,17 +51,23 @@ options:
      host/fqdn@REALM, alias$, alias$@REALM, where fqdn and fqdn@REALM
      are host principals and the same as host/fqdn and host/fqdn@REALM.
      Host princpals are only usable with IPA versions 4.9.0 and up.
+    type: list
+    elements: str
    required: false
  action:
    description: Work on servicedelegationtarget or member level.
+    type: str
    choices: ["servicedelegationtarget", "member"]
    default: servicedelegationtarget
    required: false
  state:
    description: The state to ensure.
+    type: str
    choices: ["present", "absent"]
    default: present
-    required: true
+    required: false
+author:
+  - Thomas Woerner (@t-woerner)
 """

 EXAMPLES = """
@@ -121,10 +129,11 @@ def main():
    ansible_module = IPAAnsibleModule(
        argument_spec=dict(
            # general
-            name=dict(type="list", aliases=["cn"], default=None,
+            name=dict(type="list", elements="str", aliases=["cn"],
                      required=True),
            # present
-            principal=dict(required=False, type='list', default=None),
+            principal=dict(required=False, type='list', elements="str",
+                           default=None),

            action=dict(type="str", default="servicedelegationtarget",
                        choices=["member", "servicedelegationtarget"]),
--- a/plugins/modules/ipasudocmd.py
+++ b/plugins/modules/ipasudocmd.py
@@ -2,8 +2,9 @@

 # Authors:
 #   Rafael Guterres Jeffman <rjeffman@redhat.com>
+#   Thomas Woerner <twoerner@redhat.com>
 #
-# Copyright (C) 2019 Red Hat
+# Copyright (C) 2019-2022 Red Hat
 # see file 'COPYING' for use and warranty information
 #
 # This program is free software; you can redistribute it and/or modify
@@ -33,24 +34,29 @@ ANSIBLE_METADATA = {
 DOCUMENTATION = """
 ---
 module: ipasudocmd
-short description: Manage FreeIPA sudo command
+short_description: Manage FreeIPA sudo command
 description: Manage FreeIPA sudo command
 extends_documentation_fragment:
  - ipamodule_base_docs
 options:
  name:
    description: The sudo command
+    type: list
+    elements: str
    required: true
    aliases: ["sudocmd"]
  description:
    description: The command description
+    type: str
    required: false
  state:
    description: State to ensure
+    type: str
    default: present
    choices: ["present", "absent"]
 author:
-    - Rafael Jeffman
+  - Rafael Guterres Jeffman (@rjeffman)
+  - Thomas Woerner (@t-woerner)
 """

 EXAMPLES = """
@@ -103,7 +109,7 @@ def main():
    ansible_module = IPAAnsibleModule(
        argument_spec=dict(
            # general
-            name=dict(type="list", aliases=["sudocmd"], default=None,
+            name=dict(type="list", elements="str", aliases=["sudocmd"],
                      required=True),
            # present
            description=dict(type="str", default=None),
--- a/plugins/modules/ipasudocmdgroup.py
+++ b/plugins/modules/ipasudocmdgroup.py
@@ -2,8 +2,9 @@

 # Authors:
 #   Rafael Guterres Jeffman <rjeffman@redhat.com>
+#   Thomas Woerner <twoerner@redhat.com>
 #
-# Copyright (C) 2019 Red Hat
+# Copyright (C) 2019-2022 Red Hat
 # see file 'COPYING' for use and warranty information
 #
 # This program is free software; you can redistribute it and/or modify
@@ -33,17 +34,20 @@ ANSIBLE_METADATA = {
 DOCUMENTATION = """
 ---
 module: ipasudocmdgroup
-short description: Manage FreeIPA sudocmd groups
+short_description: Manage FreeIPA sudocmd groups
 description: Manage FreeIPA sudocmd groups
 extends_documentation_fragment:
  - ipamodule_base_docs
 options:
  name:
    description: The sudocmodgroup name
-    required: false
+    type: list
+    elements: str
+    required: true
    aliases: ["cn"]
  description:
    description: The sudocmdgroup description
+    type: str
    required: false
  nomembers:
    description: Suppress processing of membership attributes
@@ -53,16 +57,20 @@ options:
    description: List of sudocmds assigned to this sudocmdgroup.
    required: false
    type: list
+    elements: str
  action:
    description: Work on sudocmdgroup or member level
-    default: hostgroup
+    type: str
+    default: sudocmdgroup
    choices: ["member", "sudocmdgroup"]
  state:
    description: State to ensure
+    type: str
    default: present
    choices: ["present", "absent"]
 author:
-    - Rafael Guterres Jeffman
+  - Rafael Guterres Jeffman (@rjeffman)
+  - Thomas Woerner (@t-woerner)
 """

 EXAMPLES = """
@@ -140,12 +148,13 @@ def main():
    ansible_module = IPAAnsibleModule(
        argument_spec=dict(
            # general
-            name=dict(type="list", aliases=["cn"], default=None,
+            name=dict(type="list", elements="str", aliases=["cn"],
                      required=True),
            # present
            description=dict(type="str", default=None),
            nomembers=dict(required=False, type='bool', default=None),
-            sudocmd=dict(required=False, type='list', default=None),
+            sudocmd=dict(required=False, type='list', elements="str",
+                         default=None),
            action=dict(type="str", default="sudocmdgroup",
                        choices=["member", "sudocmdgroup"]),
            # state
--- a/plugins/modules/ipasudorule.py
+++ b/plugins/modules/ipasudorule.py
@@ -2,8 +2,9 @@

 # Authors:
 #   Rafael Guterres Jeffman <rjeffman@redhat.com>
+#   Thomas Woerner <twoerner@redhat.com>
 #
-# Copyright (C) 2019 Red Hat
+# Copyright (C) 2019-2022 Red Hat
 # see file 'COPYING' for use and warranty information
 #
 # This program is free software; you can redistribute it and/or modify
@@ -32,36 +33,46 @@ ANSIBLE_METADATA = {
 DOCUMENTATION = """
 ---
 module: ipasudorule
-short description: Manage FreeIPA sudo rules
+short_description: Manage FreeIPA sudo rules
 description: Manage FreeIPA sudo rules
 extends_documentation_fragment:
  - ipamodule_base_docs
 options:
  name:
    description: The sudorule name
+    type: list
+    elements: str
    required: true
    aliases: ["cn"]
  description:
    description: The sudorule description
+    type: str
    required: false
  user:
    description: List of users assigned to the sudo rule.
+    type: list
+    elements: str
    required: false
  usercategory:
    description: User category the sudo rule applies to
+    type: str
    required: false
    choices: ["all", ""]
    aliases: ["usercat"]
  group:
    description: List of user groups assigned to the sudo rule.
+    type: list
+    elements: str
    required: false
  runasgroupcategory:
    description: RunAs Group category applied to the sudo rule.
+    type: str
    required: false
    choices: ["all", ""]
    aliases: ["runasgroupcat"]
  runasusercategory:
    description: RunAs User category applied to the sudorule.
+    type: str
    required: false
    choices: ["all", ""]
    aliases: ["runasusercat"]
@@ -73,12 +84,15 @@ options:
    description: List of host names assigned to this sudorule.
    required: false
    type: list
+    elements: str
  hostgroup:
    description: List of host groups assigned to this sudorule.
    required: false
    type: list
+    elements: str
  hostcategory:
    description: Host category the sudo rule applies to.
+    type: str
    required: false
    choices: ["all", ""]
    aliases: ["hostcat"]
@@ -86,20 +100,25 @@ options:
    description: List of allowed sudocmds assigned to this sudorule.
    required: false
    type: list
+    elements: str
  allow_sudocmdgroup:
    description: List of allowed sudocmd groups assigned to this sudorule.
    required: false
    type: list
+    elements: str
  deny_sudocmd:
    description: List of denied sudocmds assigned to this sudorule.
    required: false
    type: list
+    elements: str
  deny_sudocmdgroup:
    description: List of denied sudocmd groups assigned to this sudorule.
    required: false
    type: list
+    elements: str
  cmdcategory:
    description: Command category the sudo rule applies to
+    type: str
    required: false
    choices: ["all", ""]
    aliases: ["cmdcat"]
@@ -107,29 +126,41 @@ options:
    description: Order to apply this rule.
    required: false
    type: int
+    aliases: ["sudoorder"]
  sudooption:
    description: List of sudo options.
    required: false
    type: list
+    elements: str
    aliases: ["options"]
  runasuser:
    description: List of users for Sudo to execute as.
    required: false
    type: list
+    elements: str
  runasgroup:
    description: List of groups for Sudo to execute as.
    required: false
    type: list
+    elements: str
+  hostmask:
+    description: Host masks of allowed hosts.
+    required: false
+    type: list
+    elements: str
  action:
    description: Work on sudorule or member level
+    type: str
    default: sudorule
    choices: ["member", "sudorule"]
  state:
    description: State to ensure
+    type: str
    default: present
    choices: ["present", "absent", "enabled", "disabled"]
 author:
-    - Rafael Jeffman
+  - Rafael Guterres Jeffman (@rjeffman)
+  - Thomas Woerner (@t-woerner)
 """

 EXAMPLES = """
@@ -162,19 +193,28 @@ EXAMPLES = """
    hostgroup: cluster
    action: member

-# Ensure sudo rule for usercategory "all"
+# Ensure sudo rule for usercategory "all" is enabled
 - ipasudorule:
    ipaadmin_password: SomeADMINpassword
    name: allusers
    usercategory: all
-    action: enabled
+    state: enabled

-# Ensure sudo rule for hostcategory "all"
+# Ensure sudo rule for hostcategory "all" is enabled
 - ipasudorule:
    ipaadmin_password: SomeADMINpassword
    name: allhosts
    hostcategory: all
-    action: enabled
+    state: enabled
+
+# Ensure sudo rule applies for hosts with hostmasks
+- ipasudorule:
+    ipaadmin_password: SomeADMINpassword
+    name: testrule1
+    hostmask:
+    - 192.168.122.1/24
+    - 192.168.120.1/24
+    action: member

 # Ensure Sudo Rule tesrule1 is absent
 - ipasudorule:
@@ -188,7 +228,7 @@ RETURN = """

 from ansible.module_utils.ansible_freeipa_module import \
    IPAAnsibleModule, compare_args_ipa, gen_add_del_lists, gen_add_list, \
-    gen_intersection_list, api_get_domain, ensure_fqdn
+    gen_intersection_list, api_get_domain, ensure_fqdn, netaddr, to_text


 def find_sudorule(module, name):
@@ -236,7 +276,7 @@ def main():
    ansible_module = IPAAnsibleModule(
        argument_spec=dict(
            # general
-            name=dict(type="list", aliases=["cn"], default=None,
+            name=dict(type="list", elements="str", aliases=["cn"],
                      required=True),
            # present
            description=dict(required=False, type="str", default=None),
@@ -245,14 +285,24 @@ def main():
            hostcategory=dict(required=False, type="str", default=None,
                              choices=["all", ""], aliases=['hostcat']),
            nomembers=dict(required=False, type='bool', default=None),
-            host=dict(required=False, type='list', default=None),
-            hostgroup=dict(required=False, type='list', default=None),
-            user=dict(required=False, type='list', default=None),
-            group=dict(required=False, type='list', default=None),
-            allow_sudocmd=dict(required=False, type="list", default=None),
-            deny_sudocmd=dict(required=False, type="list", default=None),
-            allow_sudocmdgroup=dict(required=False, type="list", default=None),
-            deny_sudocmdgroup=dict(required=False, type="list", default=None),
+            host=dict(required=False, type='list', elements="str",
+                      default=None),
+            hostgroup=dict(required=False, type='list', elements="str",
+                           default=None),
+            hostmask=dict(required=False, type='list', elements="str",
+                          default=None),
+            user=dict(required=False, type='list', elements="str",
+                      default=None),
+            group=dict(required=False, type='list', elements="str",
+                       default=None),
+            allow_sudocmd=dict(required=False, type="list", elements="str",
+                               default=None),
+            deny_sudocmd=dict(required=False, type="list", elements="str",
+                              default=None),
+            allow_sudocmdgroup=dict(required=False, type="list",
+                                    elements="str", default=None),
+            deny_sudocmdgroup=dict(required=False, type="list", elements="str",
+                                   default=None),
            cmdcategory=dict(required=False, type="str", default=None,
                             choices=["all", ""], aliases=['cmdcat']),
            runasusercategory=dict(required=False, type="str", default=None,
@@ -261,11 +311,13 @@ def main():
            runasgroupcategory=dict(required=False, type="str", default=None,
                                    choices=["all", ""],
                                    aliases=['runasgroupcat']),
-            runasuser=dict(required=False, type="list", default=None),
-            runasgroup=dict(required=False, type="list", default=None),
+            runasuser=dict(required=False, type="list", elements="str",
+                           default=None),
+            runasgroup=dict(required=False, type="list", elements="str",
+                            default=None),
            order=dict(type="int", required=False, aliases=['sudoorder']),
-            sudooption=dict(required=False, type='list', default=None,
-                            aliases=["options"]),
+            sudooption=dict(required=False, type='list', elements="str",
+                            default=None, aliases=["options"]),
            action=dict(type="str", default="sudorule",
                        choices=["member", "sudorule"]),
            # state
@@ -298,6 +350,7 @@ def main():
    nomembers = ansible_module.params_get("nomembers")  # noqa
    host = ansible_module.params_get("host")
    hostgroup = ansible_module.params_get_lowercase("hostgroup")
+    hostmask = ansible_module.params_get("hostmask")
    user = ansible_module.params_get_lowercase("user")
    group = ansible_module.params_get_lowercase("group")
    allow_sudocmd = ansible_module.params_get('allow_sudocmd')
@@ -315,6 +368,10 @@ def main():
    # state
    state = ansible_module.params_get("state")

+    # ensure hostmasks are network cidr
+    if hostmask is not None:
+        hostmask = [to_text(netaddr.IPNetwork(x).cidr) for x in hostmask]
+
    # Check parameters
    invalid = []

@@ -346,7 +403,7 @@ def main():
                   "cmdcategory", "runasusercategory",
                   "runasgroupcategory", "nomembers", "order"]
        if action == "sudorule":
-            invalid.extend(["host", "hostgroup", "user", "group",
+            invalid.extend(["host", "hostgroup", "hostmask", "user", "group",
                            "runasuser", "runasgroup", "allow_sudocmd",
                            "allow_sudocmdgroup", "deny_sudocmd",
                            "deny_sudocmdgroup", "sudooption"])
@@ -360,7 +417,7 @@ def main():
                "disabled")
        invalid = ["description", "usercategory", "hostcategory",
                   "cmdcategory", "runasusercategory", "runasgroupcategory",
-                   "nomembers", "nomembers", "host", "hostgroup",
+                   "nomembers", "nomembers", "host", "hostgroup", "hostmask",
                   "user", "group", "allow_sudocmd", "allow_sudocmdgroup",
                   "deny_sudocmd", "deny_sudocmdgroup", "runasuser",
                   "runasgroup", "order", "sudooption"]
@@ -389,6 +446,7 @@ def main():
        user_add, user_del = [], []
        group_add, group_del = [], []
        hostgroup_add, hostgroup_del = [], []
+        hostmask_add, hostmask_del = [], []
        allow_cmd_add, allow_cmd_del = [], []
        allow_cmdgroup_add, allow_cmdgroup_del = [], []
        deny_cmd_add, deny_cmd_del = [], []
@@ -454,6 +512,9 @@ def main():
                    hostgroup_add, hostgroup_del = gen_add_del_lists(
                        hostgroup, res_find.get('memberhost_hostgroup', []))

+                    hostmask_add, hostmask_del = gen_add_del_lists(
+                        hostmask, res_find.get('hostmask', []))
+
                    user_add, user_del = gen_add_del_lists(
                        user, res_find.get('memberuser_user', []))

@@ -520,6 +581,9 @@ def main():
                    if hostgroup is not None:
                        hostgroup_add = gen_add_list(
                            hostgroup, res_find.get("memberhost_hostgroup"))
+                    if hostmask is not None:
+                        hostmask_add = gen_add_list(
+                            hostmask, res_find.get("hostmask"))
                    if user is not None:
                        user_add = gen_add_list(
                            user, res_find.get("memberuser_user"))
@@ -592,6 +656,10 @@ def main():
                        hostgroup_del = gen_intersection_list(
                            hostgroup, res_find.get("memberhost_hostgroup"))

+                    if hostmask is not None:
+                        hostmask_del = gen_intersection_list(
+                            hostmask, res_find.get("hostmask"))
+
                    if user is not None:
                        user_del = gen_intersection_list(
                            user, res_find.get("memberuser_user"))
@@ -683,18 +751,19 @@ def main():

            # Manage members.
            # Manage hosts and hostgroups
-            if host_add or hostgroup_add:
-                commands.append([name, "sudorule_add_host",
-                                 {
-                                     "host": host_add,
-                                     "hostgroup": hostgroup_add,
-                                 }])
-            if host_del or hostgroup_del:
-                commands.append([name, "sudorule_remove_host",
-                                 {
-                                     "host": host_del,
-                                     "hostgroup": hostgroup_del,
-                                 }])
+            if any([host_add, hostgroup_add, hostmask_add]):
+                params = {"host": host_add, "hostgroup": hostgroup_add}
+                # An empty Hostmask cannot be used, or IPA API will fail.
+                if hostmask_add:
+                    params["hostmask"] = hostmask_add
+                commands.append([name, "sudorule_add_host", params])
+
+            if any([host_del, hostgroup_del, hostmask_del]):
+                params = {"host": host_del, "hostgroup": hostgroup_del}
+                # An empty Hostmask cannot be used, or IPA API will fail.
+                if hostmask_del:
+                    params["hostmask"] = hostmask_del
+                commands.append([name, "sudorule_remove_host", params])

            # Manage users and groups
            if user_add or group_add:
--- a/plugins/modules/ipatopologysegment.py
+++ b/plugins/modules/ipatopologysegment.py
@@ -3,7 +3,7 @@
 # Authors:
 #   Thomas Woerner <twoerner@redhat.com>
 #
-# Copyright (C) 2019 Red Hat
+# Copyright (C) 2019-2022 Red Hat
 # see file 'COPYING' for use and warranty information
 #
 # This program is free software; you can redistribute it and/or modify
@@ -32,36 +32,44 @@ ANSIBLE_METADATA = {
 DOCUMENTATION = """
 ---
 module: ipatopologysegment
-short description: Manage FreeIPA topology segments
+short_description: Manage FreeIPA topology segments
 description: Manage FreeIPA topology segments
 extends_documentation_fragment:
  - ipamodule_base_docs
 options:
  suffix:
    description: Topology suffix
+    type: str
    required: true
    choices: ["domain", "ca", "domain+ca"]
  name:
    description: Topology segment name, unique identifier.
+    type: str
    required: false
    aliases: ["cn"]
  left:
    description: Left replication node - an IPA server
+    type: str
+    required: false
    aliases: ["leftnode"]
  right:
    description: Right replication node - an IPA server
+    type: str
+    required: false
    aliases: ["rightnode"]
  direction:
    description: The direction a segment will be reinitialized
+    type: str
    required: false
    choices: ["left-to-right", "right-to-left"]
  state:
    description: State to ensure
+    type: str
    default: present
    choices: ["present", "absent", "enabled", "disabled", "reinitialized",
              "checked" ]
 author:
-    - Thomas Woerner
+  - Thomas Woerner (@t-woerner)
 """

 EXAMPLES = """
@@ -178,7 +186,8 @@ def find_left_right_cn(module, suffix, left, right, name):
 def main():
    ansible_module = IPAAnsibleModule(
        argument_spec=dict(
-            suffix=dict(choices=["domain", "ca", "domain+ca"], required=True),
+            suffix=dict(type="str", choices=["domain", "ca", "domain+ca"],
+                        required=True),
            name=dict(type="str", aliases=["cn"], default=None),
            left=dict(type="str", aliases=["leftnode"], default=None),
            right=dict(type="str", aliases=["rightnode"], default=None),
--- a/plugins/modules/ipatopologysuffix.py
+++ b/plugins/modules/ipatopologysuffix.py
@@ -3,7 +3,7 @@
 # Authors:
 #   Thomas Woerner <twoerner@redhat.com>
 #
-# Copyright (C) 2019 Red Hat
+# Copyright (C) 2019-2022 Red Hat
 # see file 'COPYING' for use and warranty information
 #
 # This program is free software; you can redistribute it and/or modify
@@ -32,21 +32,23 @@ ANSIBLE_METADATA = {
 DOCUMENTATION = """
 ---
 module: ipatopologysuffix
-short description: Verify FreeIPA topology suffix
+short_description: Verify FreeIPA topology suffix
 description: Verify FreeIPA topology suffix
 extends_documentation_fragment:
  - ipamodule_base_docs
 options:
  suffix:
    description: Topology suffix
+    type: str
    required: true
    choices: ["domain", "ca"]
  state:
    description: State to ensure
+    type: str
    default: verified
    choices: ["verified"]
 author:
-    - Thomas Woerner
+  - Thomas Woerner (@t-woerner)
 """

 EXAMPLES = """
@@ -65,7 +67,7 @@ from ansible.module_utils.ansible_freeipa_module import IPAAnsibleModule
 def main():
    ansible_module = IPAAnsibleModule(
        argument_spec=dict(
-            suffix=dict(choices=["domain", "ca"], required=True),
+            suffix=dict(type="str", choices=["domain", "ca"], required=True),
            state=dict(type="str", default="verified",
                       choices=["verified"]),
        ),
--- a/plugins/modules/ipatrust.py
+++ b/plugins/modules/ipatrust.py
@@ -2,8 +2,9 @@

 # Authors:
 #   Rob Verduijn <rob.verduijn@gmail.com>
+#   Thomas Woerner <twoerner@redhat.com>
 #
-# Copyright (C) 2019 By Rob Verduijn
+# Copyright (C) 2019-2022 By Rob Verduijn
 # see file 'COPYING' for use and warranty information
 #
 # This program is free software; you can redistribute it and/or modify
@@ -39,62 +40,75 @@ options:
  realm:
    description:
    - Realm name
+    type: str
    required: true
  trust_type:
    description:
    - Trust type (ad for Active Directory, default)
+    type: str
    default: ad
    required: false
    choices: ["ad"]
  admin:
    description:
    - Active Directory domain administrator
+    type: str
    required: false
  password:
    description:
    - Active Directory domain administrator's password
+    type: str
    required: false
  server:
    description:
    - Domain controller for the Active Directory domain (optional)
+    type: str
    required: false
  trust_secret:
    description:
    - Shared secret for the trust
+    type: str
    required: false
  base_id:
    description:
    - First Posix ID of the range reserved for the trusted domain
+    type: int
    required: false
  range_size:
    description:
    - Size of the ID range reserved for the trusted domain
+    type: int
+    default: 200000
  range_type:
    description:
    - Type of trusted domain ID range, one of ipa-ad-trust, ipa-ad-trust-posix
+    type: str
+    choices: ["ipa-ad-trust-posix", "ipa-ad-trust"]
    default: ipa-ad-trust
    required: false
  two_way:
    description:
    - Establish bi-directional trust. By default trust is inbound one-way only.
+    type: bool
    default: false
    required: false
-    choices: ["true", "false"]
  external:
    description:
    - Establish external trust to a domain in another forest.
    - The trust is not transitive beyond the domain.
+    type: bool
    default: false
    required: false
-    choices: ["true", "false"]
  state:
    description: State to ensure
+    type: str
    default: present
-    required: true
+    required: false
    choices: ["present", "absent"]

 author:
-    - Rob Verduijn
+  - Rob Verduijn (@RobVerduijn)
+  - Thomas Woerner (@t-woerner)
 """

 EXAMPLES = """
@@ -188,7 +202,7 @@ def main():
    ansible_module = IPAAnsibleModule(
        argument_spec=dict(
            # general
-            realm=dict(type="str", default=None, required=True),
+            realm=dict(type="str", required=True),
            # state
            state=dict(type="str", default="present",
                       choices=["present", "absent"]),
--- a/plugins/modules/ipauser.py
+++ b/plugins/modules/ipauser.py
@@ -3,7 +3,7 @@
 # Authors:
 #   Thomas Woerner <twoerner@redhat.com>
 #
-# Copyright (C) 2019 Red Hat
+# Copyright (C) 2019-2022 Red Hat
 # see file 'COPYING' for use and warranty information
 #
 # This program is free software; you can redistribute it and/or modify
@@ -32,50 +32,68 @@ ANSIBLE_METADATA = {
 DOCUMENTATION = """
 ---
 module: ipauser
-short description: Manage FreeIPA users
+short_description: Manage FreeIPA users
 description: Manage FreeIPA users
 extends_documentation_fragment:
  - ipamodule_base_docs
 options:
  name:
    description: The list of users (internally uid).
+    type: list
+    elements: str
    required: false
+    aliases: ["login"]
  users:
    description: The list of user dicts (internally uid).
-    options:
+    type: list
+    elements: dict
+    suboptions:
      name:
        description: The user (internally uid).
+        type: str
        required: true
+        aliases: ["login"]
      first:
-        description: The first name
+        description: The first name. Required if user does not exist.
+        type: str
        required: false
        aliases: ["givenname"]
      last:
-        description: The last name
+        description: The last name. Required if user doesnot exst.
+        type: str
        required: false
        aliases: ["sn"]
      fullname:
        description: The full name
+        type: str
        required: false
        aliases: ["cn"]
      displayname:
        description: The display name
+        type: str
        required: false
      initials:
        description: Initials
+        type: str
        required: false
      homedir:
        description: The home directory
+        type: str
        required: false
      shell:
        description: The login shell
+        type: str
        required: false
        aliases: ["loginshell"]
      email:
        description: List of email addresses
+        type: list
+        elements: str
        required: false
      principal:
        description: The kerberos principal
+        type: list
+        elements: str
        required: false
        aliases: ["principalname", "krbprincipalname"]
      principalexpiration:
@@ -84,6 +102,7 @@ options:
          (possible formats: YYYYMMddHHmmssZ, YYYY-MM-ddTHH:mm:ssZ,
          YYYY-MM-ddTHH:mmZ, YYYY-MM-ddZ, YYYY-MM-dd HH:mm:ssZ,
          YYYY-MM-dd HH:mmZ) The trailing 'Z' can be skipped.
+        type: str
        required: false
        aliases: ["krbprincipalexpiration"]
      passwordexpiration:
@@ -93,10 +112,12 @@ options:
          YYYY-MM-ddTHH:mmZ, YYYY-MM-ddZ, YYYY-MM-dd HH:mm:ssZ,
          YYYY-MM-dd HH:mmZ) The trailing 'Z' can be skipped.
          Only usable with IPA versions 4.7 and up.
+        type: str
        required: false
        aliases: ["krbpasswordexpiration"]
      password:
        description: The user password
+        type: str
        required: false
      random:
        description: Generate a random user password
@@ -104,57 +125,81 @@ options:
        type: bool
      uid:
        description: The UID
+        type: int
        required: false
        aliases: ["uidnumber"]
      gid:
        description: The GID
+        type: int
        required: false
        aliases: ["gidnumber"]
      city:
        description: City
+        type: str
        required: false
      userstate:
        description: State/Province
+        type: str
        required: false
        aliases: ["st"]
      postalcode:
        description: Postalcode/ZIP
+        type: str
        required: false
        aliases: ["zip"]
      phone:
        description: List of telephone numbers
+        type: list
+        elements: str
        required: false
        aliases: ["telephonenumber"]
      mobile:
        description: List of mobile telephone numbers
+        type: list
+        elements: str
        required: false
      pager:
        description: List of pager numbers
+        type: list
+        elements: str
        required: false
      fax:
        description: List of fax numbers
+        type: list
+        elements: str
        required: false
        aliases: ["facsimiletelephonenumber"]
      orgunit:
        description: Org. Unit
+        type: str
        required: false
+        aliases: ["ou"]
      title:
        description: The job title
+        type: str
        required: false
      manager:
        description: List of managers
+        type: list
+        elements: str
        required: false
      carlicense:
        description: List of car licenses
+        type: list
+        elements: str
        required: false
      sshpubkey:
        description: List of SSH public keys
        required: false
+        type: list
+        elements: str
        aliases: ["ipasshpubkey"]
      userauthtype:
        description:
          List of supported user authentication types
          Use empty string to reset userauthtype to the initial value.
+        type: list
+        elements: str
        choices: ['password', 'radius', 'otp', '']
        required: false
        aliases: ["ipauserauthtype"]
@@ -162,44 +207,65 @@ options:
        description:
        - User category
        - (semantics placed on this attribute are for local interpretation)
+        type: list
+        elements: str
        required: false
+        aliases: ["class"]
      radius:
        description: RADIUS proxy configuration
+        type: str
        required: false
+        aliases: ["ipatokenradiusconfiglink"]
      radiususer:
        description: RADIUS proxy username
+        type: str
        required: false
+        aliases: ["radiususername", "ipatokenradiususername"]
      departmentnumber:
        description: Department Number
+        type: list
+        elements: str
        required: false
      employeenumber:
        description: Employee Number
+        type: str
        required: false
      employeetype:
        description: Employee Type
+        type: str
        required: false
      preferredlanguage:
        description: Preferred Language
+        type: str
        required: false
      certificate:
        description: List of base-64 encoded user certificates
+        type: list
+        elements: str
        required: false
+        aliases: ["usercertificate"]
      certmapdata:
        description:
        - List of certificate mappings
        - Only usable with IPA versions 4.5 and up.
-        options:
+        type: list
+        elements: dict
+        suboptions:
          certificate:
            description: Base-64 encoded user certificate
+            type: str
            required: false
          issuer:
            description: Issuer of the certificate
+            type: str
            required: false
          subject:
            description: Subject of the certificate
+            type: str
            required: false
          data:
            description: Certmap data
+            type: str
            required: false
        required: false
      noprivate:
@@ -212,35 +278,46 @@ options:
        type: bool
    required: false
  first:
-    description: The first name
+    description: The first name. Required if user does not exist.
+    type: str
    required: false
    aliases: ["givenname"]
  last:
-    description: The last name
+    description: The last name. Required if user doesnot exst.
+    type: str
    required: false
    aliases: ["sn"]
  fullname:
    description: The full name
+    type: str
    required: false
    aliases: ["cn"]
  displayname:
    description: The display name
+    type: str
    required: false
  initials:
    description: Initials
+    type: str
    required: false
  homedir:
    description: The home directory
+    type: str
    required: false
  shell:
    description: The login shell
+    type: str
    required: false
    aliases: ["loginshell"]
  email:
    description: List of email addresses
+    type: list
+    elements: str
    required: false
  principal:
    description: The kerberos principal
+    type: list
+    elements: str
    required: false
    aliases: ["principalname", "krbprincipalname"]
  principalexpiration:
@@ -249,6 +326,7 @@ options:
      (possible formats: YYYYMMddHHmmssZ, YYYY-MM-ddTHH:mm:ssZ,
      YYYY-MM-ddTHH:mmZ, YYYY-MM-ddZ, YYYY-MM-dd HH:mm:ssZ,
      YYYY-MM-dd HH:mmZ) The trailing 'Z' can be skipped.
+    type: str
    required: false
    aliases: ["krbprincipalexpiration"]
  passwordexpiration:
@@ -258,10 +336,12 @@ options:
      YYYY-MM-ddTHH:mmZ, YYYY-MM-ddZ, YYYY-MM-dd HH:mm:ssZ,
      YYYY-MM-dd HH:mmZ) The trailing 'Z' can be skipped.
      Only usable with IPA versions 4.7 and up.
+    type: str
    required: false
    aliases: ["krbpasswordexpiration"]
  password:
    description: The user password
+    type: str
    required: false
  random:
    description: Generate a random user password
@@ -269,57 +349,81 @@ options:
    type: bool
  uid:
    description: The UID
+    type: int
    required: false
    aliases: ["uidnumber"]
  gid:
    description: The GID
+    type: int
    required: false
    aliases: ["gidnumber"]
  city:
    description: City
+    type: str
    required: false
  userstate:
    description: State/Province
+    type: str
    required: false
    aliases: ["st"]
  postalcode:
-    description: ZIP
+    description: Postalcode/ZIP
+    type: str
    required: false
    aliases: ["zip"]
  phone:
    description: List of telephone numbers
+    type: list
+    elements: str
    required: false
    aliases: ["telephonenumber"]
  mobile:
    description: List of mobile telephone numbers
+    type: list
+    elements: str
    required: false
  pager:
    description: List of pager numbers
+    type: list
+    elements: str
    required: false
  fax:
    description: List of fax numbers
+    type: list
+    elements: str
    required: false
    aliases: ["facsimiletelephonenumber"]
  orgunit:
    description: Org. Unit
+    type: str
    required: false
+    aliases: ["ou"]
  title:
    description: The job title
+    type: str
    required: false
  manager:
    description: List of managers
+    type: list
+    elements: str
    required: false
  carlicense:
    description: List of car licenses
+    type: list
+    elements: str
    required: false
  sshpubkey:
    description: List of SSH public keys
    required: false
+    type: list
+    elements: str
    aliases: ["ipasshpubkey"]
  userauthtype:
    description:
      List of supported user authentication types
      Use empty string to reset userauthtype to the initial value.
+    type: list
+    elements: str
    choices: ['password', 'radius', 'otp', '']
    required: false
    aliases: ["ipauserauthtype"]
@@ -327,44 +431,65 @@ options:
    description:
    - User category
    - (semantics placed on this attribute are for local interpretation)
+    type: list
+    elements: str
    required: false
+    aliases: ["class"]
  radius:
    description: RADIUS proxy configuration
+    type: str
    required: false
+    aliases: ["ipatokenradiusconfiglink"]
  radiususer:
    description: RADIUS proxy username
+    type: str
    required: false
+    aliases: ["radiususername", "ipatokenradiususername"]
  departmentnumber:
    description: Department Number
+    type: list
+    elements: str
    required: false
  employeenumber:
    description: Employee Number
+    type: str
    required: false
  employeetype:
    description: Employee Type
+    type: str
    required: false
  preferredlanguage:
    description: Preferred Language
+    type: str
    required: false
  certificate:
    description: List of base-64 encoded user certificates
+    type: list
+    elements: str
    required: false
+    aliases: ["usercertificate"]
  certmapdata:
    description:
    - List of certificate mappings
    - Only usable with IPA versions 4.5 and up.
-    options:
+    type: list
+    elements: dict
+    suboptions:
      certificate:
        description: Base-64 encoded user certificate
+        type: str
        required: false
      issuer:
        description: Issuer of the certificate
+        type: str
        required: false
      subject:
        description: Subject of the certificate
+        type: str
        required: false
      data:
        description: Certmap data
+        type: str
        required: false
    required: false
  noprivate:
@@ -378,24 +503,27 @@ options:
  preserve:
    description: Delete a user, keeping the entry available for future use
    required: false
+    type: bool
  update_password:
    description:
      Set password for a user in present state only on creation or always
-    default: "always"
+    type: str
    choices: ["always", "on_create"]
    required: false
  action:
    description: Work on user or member level
+    type: str
    default: "user"
    choices: ["member", "user"]
  state:
    description: State to ensure
+    type: str
    default: present
    choices: ["present", "absent",
              "enabled", "disabled",
              "unlocked", "undeleted"]
 author:
-    - Thomas Woerner
+  - Thomas Woerner (@t-woerner)
 """

 EXAMPLES = """
@@ -457,17 +585,19 @@ user:
  description: User dict with random password
  returned: If random is yes and user did not exist or update_password is yes
  type: dict
-  options:
+  contains:
    randompassword:
      description: The generated random password
+      type: str
      returned: If only one user is handled by the module
    name:
      description: The user name of the user that got a new random password
      returned: If several users are handled by the module
      type: dict
-      options:
+      contains:
        randompassword:
          description: The generated random password
+          type: str
          returned: always
 """

@@ -752,16 +882,16 @@ def main():
        initials=dict(type="str", default=None),
        homedir=dict(type="str", default=None),
        shell=dict(type="str", aliases=["loginshell"], default=None),
-        email=dict(type="list", default=None),
-        principal=dict(type="list", aliases=["principalname",
-                                             "krbprincipalname"],
+        email=dict(type="list", elements="str", default=None),
+        principal=dict(type="list", elements="str",
+                       aliases=["principalname", "krbprincipalname"],
                       default=None),
        principalexpiration=dict(type="str",
                                 aliases=["krbprincipalexpiration"],
                                 default=None),
        passwordexpiration=dict(type="str",
                                aliases=["krbpasswordexpiration"],
-                                default=None),
+                                default=None, no_log=False),
        password=dict(type="str", default=None, no_log=True),
        random=dict(type='bool', default=None),
        uid=dict(type="int", aliases=["uidnumber"], default=None),
@@ -769,33 +899,34 @@ def main():
        city=dict(type="str", default=None),
        userstate=dict(type="str", aliases=["st"], default=None),
        postalcode=dict(type="str", aliases=["zip"], default=None),
-        phone=dict(type="list", aliases=["telephonenumber"], default=None),
-        mobile=dict(type="list", default=None),
-        pager=dict(type="list", default=None),
-        fax=dict(type="list", aliases=["facsimiletelephonenumber"],
-                 default=None),
+        phone=dict(type="list", elements="str", aliases=["telephonenumber"],
+                   default=None),
+        mobile=dict(type="list", elements="str", default=None),
+        pager=dict(type="list", elements="str", default=None),
+        fax=dict(type="list", elements="str",
+                 aliases=["facsimiletelephonenumber"], default=None),
        orgunit=dict(type="str", aliases=["ou"], default=None),
        title=dict(type="str", default=None),
-        manager=dict(type="list", default=None),
-        carlicense=dict(type="list", default=None),
-        sshpubkey=dict(type="list", aliases=["ipasshpubkey"],
+        manager=dict(type="list", elements="str", default=None),
+        carlicense=dict(type="list", elements="str", default=None),
+        sshpubkey=dict(type="list", elements="str", aliases=["ipasshpubkey"],
                       default=None),
-        userauthtype=dict(type='list', aliases=["ipauserauthtype"],
-                          default=None,
+        userauthtype=dict(type='list', elements="str",
+                          aliases=["ipauserauthtype"], default=None,
                          choices=['password', 'radius', 'otp', '']),
-        userclass=dict(type="list", aliases=["class"],
+        userclass=dict(type="list", elements="str", aliases=["class"],
                       default=None),
        radius=dict(type="str", aliases=["ipatokenradiusconfiglink"],
                    default=None),
        radiususer=dict(type="str", aliases=["radiususername",
                                             "ipatokenradiususername"],
                        default=None),
-        departmentnumber=dict(type="list", default=None),
+        departmentnumber=dict(type="list", elements="str", default=None),
        employeenumber=dict(type="str", default=None),
        employeetype=dict(type="str", default=None),
        preferredlanguage=dict(type="str", default=None),
-        certificate=dict(type="list", aliases=["usercertificate"],
-                         default=None),
+        certificate=dict(type="list", elements="str",
+                         aliases=["usercertificate"], default=None),
        certmapdata=dict(type="list", default=None,
                         options=dict(
                             # Here certificate is a simple string
@@ -812,14 +943,14 @@ def main():
    ansible_module = IPAAnsibleModule(
        argument_spec=dict(
            # general
-            name=dict(type="list", aliases=["login"], default=None,
-                      required=False),
+            name=dict(type="list", elements="str", aliases=["login"],
+                      default=None, required=False),
            users=dict(type="list",
-                       aliases=["login"],
                       default=None,
                       options=dict(
                           # Here name is a simple string
-                           name=dict(type="str", required=True),
+                           name=dict(type="str", required=True,
+                                     aliases=["login"]),
                           # Add user specific parameters
                           **user_spec
                       ),
--- a/plugins/modules/ipavault.py
+++ b/plugins/modules/ipavault.py
@@ -2,8 +2,9 @@

 # Authors:
 #   Rafael Guterres Jeffman <rjeffman@redhat.com>
+#   Thomas Woerner <twoerner@redhat.com>
 #
-# Copyright (C) 2019 Red Hat
+# Copyright (C) 2019-2022 Red Hat
 # see file 'COPYING' for use and warranty information
 #
 # This program is free software; you can redistribute it and/or modify
@@ -32,130 +33,142 @@ ANSIBLE_METADATA = {
 DOCUMENTATION = """
 ---
 module: ipavault
-short description: Manage vaults and secret vaults.
+short_description: Manage vaults and secret vaults.
 description: Manage vaults and secret vaults. KRA service must be enabled.
 extends_documentation_fragment:
  - ipamodule_base_docs
 options:
  name:
    description: The vault name
+    type: list
+    elements: str
    required: true
    aliases: ["cn"]
  description:
    description: The vault description
+    type: str
    required: false
-  public_key:
+  vault_public_key:
    description: Base64 encode public key.
    required: false
-    type: string
-    aliases: ["ipavaultpublickey", "vault_public_key"]
-  public_key_file:
+    type: str
+    aliases: ["ipavaultpublickey", "public_key", "new_public_key"]
+  vault_public_key_file:
    description: Path to file with public key.
    required: false
-    type: string
-    aliases: ["vault_public_key_file"]
+    type: str
+    aliases: ["public_key_file", "new_public_key_file"]
  private_key:
    description: Base64 encode private key.
    required: false
-    type: string
+    type: str
    aliases: ["ipavaultprivatekey", "vault_private_key"]
  private_key_file:
    description: Path to file with private key.
    required: false
-    type: string
+    type: str
    aliases: ["vault_private_key_file"]
  password:
    description: password to be used on symmetric vault.
    required: false
-    type: string
+    type: str
    aliases: ["ipavaultpassword", "vault_password", "old_password"]
  password_file:
    description: file with password to be used on symmetric vault.
    required: false
-    type: string
+    type: str
    aliases: ["vault_password_file", "old_password_file"]
  new_password:
    description: new password to be used on symmetric vault.
    required: false
-    type: string
+    type: str
  new_password_file:
    description: file with new password to be used on symmetric vault.
    required: false
-    type: string
-  salt:
+    type: str
+  vault_salt:
    description: Vault salt.
    required: false
-    type: list
-    aliases: ["ipavaultsalt", "vault_salt"]
+    type: str
+    aliases: ["ipavaultsalt", "salt"]
  vault_type:
    description: Vault types are based on security level.
-    required: true
-    default: symmetric
+    type: str
+    required: false
    choices: ["standard", "symmetric", "asymmetric"]
    aliases: ["ipavaulttype"]
  service:
    description: Any service can own one or more service vaults.
    required: false
-    type: list
+    type: str
  username:
    description: Any user can own one or more user vaults.
    required: false
-    type: string
+    type: str
    aliases: ["user"]
  shared:
    description: Vault is shared.
    required: false
-    type: boolean
+    type: bool
  users:
    description: Users that are member of the vault.
    required: false
    type: list
+    elements: str
  groups:
    description: Groups that are member of the vault.
    required: false
    type: list
+    elements: str
  owners:
    description: Users that are owners of the vault.
    required: false
    type: list
+    elements: str
    aliases: ["ownerusers"]
  ownergroups:
    description: Groups that are owners of the vault.
    required: false
    type: list
+    elements: str
  ownerservices:
    description: Services that are owners of the vault.
    required: false
    type: list
+    elements: str
  services:
    description: Services that are member of the container.
    required: false
    type: list
+    elements: str
  data:
    description: Data to be stored in the vault.
    required: false
-    type: string
+    type: str
    aliases: ["ipavaultdata", "vault_data"]
  in:
    description: Path to file with data to be stored in the vault.
    required: false
-    type: string
+    type: str
    aliases: ["datafile_in"]
  out:
    description: Path to file to store data retrieved from the vault.
    required: false
-    type: string
+    type: str
    aliases: ["datafile_out"]
  action:
    description: Work on vault or member level.
+    type: str
    default: vault
-    choices: ["vault", "member"]
+    choices: ["vault", "data", "member"]
  state:
    description: State to ensure
+    type: str
    default: present
    choices: ["present", "absent", "retrieved"]
 author:
-    - Rafael Jeffman
+  - Rafael Guterres Jeffman (@rjeffman)
+  - Thomas Woerner (@t-woerner)
 """

 EXAMPLES = """
@@ -307,11 +320,11 @@ vault:
  description: Vault dict with archived data.
  returned: If state is `retrieved`.
  type: dict
-  options:
+  contains:
    data:
      description: The vault data.
      returned: always
-      type: string
+      type: str
 """

 import os
@@ -587,7 +600,7 @@ def main():
    ansible_module = IPAAnsibleModule(
        argument_spec=dict(
            # generalgroups
-            name=dict(type="list", aliases=["cn"], default=None,
+            name=dict(type="list", elements="str", aliases=["cn"],
                      required=True),

            description=dict(required=False, type="str", default=None),
@@ -614,13 +627,19 @@ def main():
            service=dict(type="str", required=False, default=None),
            shared=dict(type="bool", required=False, default=None),

-            users=dict(required=False, type='list', default=None),
-            groups=dict(required=False, type='list', default=None),
-            services=dict(required=False, type='list', default=None),
-            owners=dict(required=False, type='list', default=None,
+            users=dict(required=False, type="list", elements="str",
+                       default=None),
+            groups=dict(required=False, type="list", elements="str",
+                        default=None),
+            services=dict(required=False, type="list", elements="str",
+                          default=None),
+            owners=dict(required=False, type="list", elements="str",
+                        default=None,
                        aliases=['ownerusers']),
-            ownergroups=dict(required=False, type='list', default=None),
-            ownerservices=dict(required=False, type='list', default=None),
+            ownergroups=dict(required=False, type="list", elements="str",
+                             default=None),
+            ownerservices=dict(required=False, type="list", elements="str",
+                               default=None),
            vault_data=dict(type="str", required=False, default=None,
                            no_log=True, aliases=['ipavaultdata', 'data']),
            datafile_in=dict(type="str", required=False, default=None,
--- a/requirements-dev.txt
+++ b/requirements-dev.txt
@@ -1,12 +1,10 @@
 -r requirements-tests.txt
 ipdb==0.13.4
-pre-commit
-flake8==4.0.1
-flake8-bugbear
-pylint==2.13.7
+pre-commit==2.20.0
+flake8==5.0.3
+flake8-bugbear==22.10.27
+pylint==2.14.4
+wrapt == 1.14.0
 pydocstyle==6.0.0
-yamllint==1.26.3
-ansible-lint==5.3.2
-dnspython==2.2.0
-netaddr==0.8.0
-gssapi==1.7.2
+yamllint==1.28.0
+ansible-lint==6.6.1
--- a/requirements-docker.yml
+++ b/requirements-docker.yml
@@ -0,0 +1,3 @@
+---
+collections:
+  - name: community.docker
--- a/requirements-podman.yml
+++ b/requirements-podman.yml
@@ -0,0 +1,3 @@
+---
+collections:
+  - name: containers.podman
--- a/requirements-tests.txt
+++ b/requirements-tests.txt
@@ -1,6 +1,8 @@
 -r requirements.txt
-pytest>=2.7
-pytest-sourceorder>=0.5
-pytest-split-tests>=1.0.3
-pytest-testinfra>=5.0
+pytest==7.1.3
+pytest-sourceorder==0.6.0
+pytest-split>=0.8.0
+pytest-custom_exit_code>=0.3.0
+pytest-testinfra==6.8.0
+pytest-randomly==3.12.0
 pyyaml>=3
--- a/roles/ipabackup/library/ipabackup_get_backup_dir.py
+++ b/roles/ipabackup/library/ipabackup_get_backup_dir.py
@@ -3,7 +3,7 @@
 # Authors:
 #   Thomas Woerner <twoerner@redhat.com>
 #
-# Copyright (C) 2021  Red Hat
+# Copyright (C) 2021-2022  Red Hat
 # see file 'COPYING' for use and warranty information
 #
 # This program is free software; you can redistribute it and/or modify
@@ -32,13 +32,12 @@ ANSIBLE_METADATA = {
 DOCUMENTATION = '''
 ---
 module: ipabackup_get_backup_dir
-short description:
+short_description:
  Get IPA_BACKUP_DIR from ipaplatform
 description:
  Get IPA_BACKUP_DIR from ipaplatform
-options:
 author:
-    - Thomas Woerner
+    - Thomas Woerner (@t-woerner)
 '''

 EXAMPLES = '''
@@ -56,7 +55,13 @@ backup_dir:
 '''

 from ansible.module_utils.basic import AnsibleModule
-from ipaplatform.paths import paths
+try:
+    from ipaplatform.paths import paths
+except ImportError as _err:
+    MODULE_IMPORT_ERROR = str(_err)
+    paths = None
+else:
+    MODULE_IMPORT_ERROR = None


 def main():
@@ -65,6 +70,9 @@ def main():
        supports_check_mode=True,
    )

+    if MODULE_IMPORT_ERROR is not None:
+        module.fail_json(msg=MODULE_IMPORT_ERROR)
+
    module.exit_json(changed=False,
                     backup_dir=paths.IPA_BACKUP_DIR)

--- a/roles/ipabackup/meta/main.yml
+++ b/roles/ipabackup/meta/main.yml
@@ -6,15 +6,15 @@ galaxy_info:
  description: A role to backup and restore an IPA server
  company: Red Hat, Inc
  license: GPLv3
-  min_ansible_version: 2.8
+  min_ansible_version: "2.8"
  platforms:
  - name: Fedora
    versions:
    - all
  - name: EL
    versions:
-    - 7
-    - 8
+    - "7"
+    - "8"
  galaxy_tags:
    - identity
    - ipa
--- a/roles/ipabackup/tasks/backup.yml
+++ b/roles/ipabackup/tasks/backup.yml
@@ -2,20 +2,22 @@
 # tasks file for ipabackup

 - name: Create backup
-  shell: >
+  ansible.builtin.shell: >
    ipa-backup
    {{ "--gpg" if ipabackup_gpg | bool else "" }}
-    {{ "--gpg-keyring="+ipabackup_gpg_keyring if ipabackup_gpg_keyring is defined else "" }}
+    {{ "--gpg-keyring=" + ipabackup_gpg_keyring if ipabackup_gpg_keyring is defined else "" }}
    {{ "--data" if ipabackup_data | bool else "" }}
    {{ "--logs" if ipabackup_logs | bool else "" }}
    {{ "--online" if ipabackup_online | bool else "" }}
    {{ "--disable-role-check" if ipabackup_disable_role_check | bool else "" }}
-    {{ "--log-file="+ipabackup_log_file if ipabackup_log_file is defined else "" }}
+    {{ "--log-file=" + ipabackup_log_file if ipabackup_log_file is defined else "" }}
  register: result_ipabackup

- block:
+- name: Handle backup
+  when: ipabackup_to_controller
+  block:
  - name: Get ipabackup_item from stderr or stdout output
-    set_fact:
+    ansible.builtin.set_fact:
      ipabackup_item: "{{ item | regex_search('\n.*/([^\n]+)','\\1') | first }}"
    when: item.find("Backed up to "+ipabackup_dir+"/") > 0
    with_items:
@@ -25,15 +27,14 @@
      label: ""

  - name: Fail on missing ipabackup_item
-    fail: msg="Failed to get ipabackup_item"
+    ansible.builtin.fail:
+      msg: "Failed to get ipabackup_item"
    when: ipabackup_item is not defined

  - name: Copy backup to controller
-    include_tasks: "{{ role_path }}/tasks/copy_backup_from_server.yml"
+    ansible.builtin.include_tasks: "{{ role_path }}/tasks/copy_backup_from_server.yml"
    when: state|default("present") == "present"

  - name: Remove backup on server
-    include_tasks: "{{ role_path }}/tasks/remove_backup_from_server.yml"
+    ansible.builtin.include_tasks: "{{ role_path }}/tasks/remove_backup_from_server.yml"
    when: not ipabackup_keep_on_server
-
-  when: ipabackup_to_controller
--- a/roles/ipabackup/tasks/copy_backup_from_server.yml
+++ b/roles/ipabackup/tasks/copy_backup_from_server.yml
@@ -1,45 +1,47 @@
 ---
 - name: Fail on invalid ipabackup_item
-  fail: msg="ipabackup_item {{ ipabackup_item }} is not valid"
+  ansible.builtin.fail:
+    msg: "ipabackup_item {{ ipabackup_item }} is not valid"
  when: ipabackup_item is not defined or
        ipabackup_item | length < 1 or
        (ipabackup_item.find("ipa-full-") == -1 and
         ipabackup_item.find("ipa-data-") == -1)

 - name: Set controller destination directory
-  set_fact:
-    ipabackup_controller_dir:
-        "{{ ipabackup_controller_path | default(lookup('env','PWD')) }}/{{
+  ansible.builtin.set_fact:
+    __derived_controller_dir:
+        "{{ ipabackup_controller_path | default(lookup('env', 'PWD')) }}/{{
         ipabackup_name_prefix | default(ansible_facts['fqdn']) }}_{{
         ipabackup_item }}/"

 - name: Stat backup on server
-  stat:
+  ansible.builtin.stat:
    path: "{{ ipabackup_dir }}/{{ ipabackup_item }}"
  register: result_backup_stat

 - name: Fail on missing backup directory
-  fail: msg="Unable to find backup {{ ipabackup_item }}"
+  ansible.builtin.fail:
+    msg: "Unable to find backup {{ ipabackup_item }}"
  when: result_backup_stat.stat.isdir is not defined

 - name: Get backup files to copy for "{{ ipabackup_item }}"
-  shell:
+  ansible.builtin.shell:
    find . -type f | cut -d"/" -f 2
  args:
    chdir: "{{ ipabackup_dir }}/{{ ipabackup_item }}"
  register: result_find_backup_files

 - name: Copy server backup files to controller
-  fetch:
+  ansible.builtin.fetch:
    flat: yes
    src: "{{ ipabackup_dir }}/{{ ipabackup_item }}/{{ item }}"
-    dest: "{{ ipabackup_controller_dir }}"
+    dest: "{{ __derived_controller_dir }}"
  with_items:
  - "{{ result_find_backup_files.stdout_lines }}"

 - name: Fix file modes for backup on controller
-  file:
-    dest: "{{ ipabackup_controller_dir }}"
+  ansible.builtin.file:
+    dest: "{{ __derived_controller_dir }}"
    mode: u=rwX,go=
    recurse: yes
  delegate_to: localhost
--- a/roles/ipabackup/tasks/copy_backup_to_server.yml
+++ b/roles/ipabackup/tasks/copy_backup_to_server.yml
@@ -1,41 +1,43 @@
 ---
 - name: Fail on invalid ipabackup_name
-  fail: msg="ipabackup_name {{ ipabackup_name }} is not valid"
+  ansible.builtin.fail:
+    msg: "ipabackup_name {{ ipabackup_name }} is not valid"
  when: ipabackup_name is not defined or
        ipabackup_name | length < 1 or
        (ipabackup_name.find("ipa-full-") == -1 and
         ipabackup_name.find("ipa-data-") == -1)

 - name: Set controller source directory
-  set_fact:
-    ipabackup_controller_dir:
-      "{{ ipabackup_controller_path | default(lookup('env','PWD')) }}"
+  ansible.builtin.set_fact:
+    __derived_controller_dir:
+      "{{ ipabackup_controller_path | default(lookup('env', 'PWD')) }}"

 - name: Set ipabackup_item
-  set_fact:
+  ansible.builtin.set_fact:
    ipabackup_item:
-      "{{ ipabackup_name | regex_search('.*_(ipa-.+)','\\1') | first }}"
+      "{{ ipabackup_name | regex_search('.*_(ipa-.+)', '\\1') | first }}"
  when: "'_ipa-' in ipabackup_name"

 - name: Set ipabackup_item
-  set_fact:
+  ansible.builtin.set_fact:
    ipabackup_item: "{{ ipabackup_name }}"
  when: "'_ipa-' not in ipabackup_name"

 - name: Stat backup to copy
-  stat:
-    path: "{{ ipabackup_controller_dir }}/{{ ipabackup_name }}"
+  ansible.builtin.stat:
+    path: "{{ __derived_controller_dir }}/{{ ipabackup_name }}"
  register: result_backup_stat
  delegate_to: localhost
  become: no

 - name: Fail on missing backup to copy
-  fail: msg="Unable to find backup {{ ipabackup_name }}"
+  ansible.builtin.fail:
+    msg: "Unable to find backup {{ ipabackup_name }}"
  when: result_backup_stat.stat.isdir is not defined

 - name: Copy backup files to server for "{{ ipabackup_item }}"
-  copy:
-    src: "{{ ipabackup_controller_dir }}/{{ ipabackup_name }}/"
+  ansible.builtin.copy:
+    src: "{{ __derived_controller_dir }}/{{ ipabackup_name }}/"
    dest: "{{ ipabackup_dir }}/{{ ipabackup_item }}"
    owner: root
    group: root
--- a/roles/ipabackup/tasks/get_ipabackup_dir.yml
+++ b/roles/ipabackup/tasks/get_ipabackup_dir.yml
@@ -4,5 +4,5 @@
  register: result_ipabackup_get_backup_dir

 - name: Set IPA backup dir
-  set_fact:
+  ansible.builtin.set_fact:
    ipabackup_dir: "{{ result_ipabackup_get_backup_dir.backup_dir }}"
--- a/roles/ipabackup/tasks/main.yml
+++ b/roles/ipabackup/tasks/main.yml
@@ -2,7 +2,8 @@
 # tasks file for ipabackup

 - name: Check for empty vars
-  fail: msg="Variable {{ item }} is empty"
+  ansible.builtin.fail:
+    msg: "Variable {{ item }} is empty"
  when: "item in vars and not vars[item]"
  with_items: "{{ ipabackup_empty_var_checks }}"
  vars:
@@ -18,74 +19,82 @@
    - ipabackup_firewalld_zone

 - name: Set ipabackup_data if ipabackup_data is not set but ipabackup_online is
-  set_fact:
+  ansible.builtin.set_fact:
    ipabackup_data: yes
  when: ipabackup_online | bool and not ipabackup_data | bool

 - name: Fail if ipabackup_from_controller and ipabackup_to_controller are set
-  fail: msg="ipabackup_from_controller and ipabackup_to_controller are set"
+  ansible.builtin.fail:
+    msg: "ipabackup_from_controller and ipabackup_to_controller are set"
  when: ipabackup_from_controller | bool and ipabackup_to_controller | bool

- name: Get ipabackup_dir from IPA installation
-  include_tasks: "{{ role_path }}/tasks/get_ipabackup_dir.yml"
-
- name: Backup IPA server
-  include_tasks: "{{ role_path }}/tasks/backup.yml"
-  when: state|default("present") == "present"
-
 - name: Fail for given ipabackup_name if state is not copied, restored or absent
-  fail: msg="ipabackup_name is given and state is not copied, restored or absent"
+  ansible.builtin.fail:
+    msg: "ipabackup_name is given and state is not copied, restored or absent"
  when: state is not defined or
        (state != "copied" and state != "restored" and state != "absent") and
        ipabackup_name is defined

+- name: Get ipabackup_dir from IPA installation
+  ansible.builtin.include_tasks: "{{ role_path }}/tasks/get_ipabackup_dir.yml"
+
+- name: Backup IPA server
+  ansible.builtin.include_tasks: "{{ role_path }}/tasks/backup.yml"
+  when: state|default("present") == "present"
+
 - name: Fail on missing ipabackup_name
-  fail: msg="ipabackup_name is not set"
+  ansible.builtin.fail:
+    msg: "ipabackup_name is not set"
  when: (ipabackup_name is not defined or not ipabackup_name) and
        state is defined and
        (state == "copied" or state == "restored" or state == "absent")

- block:
+- name: Get all backup names for copy to controller
+  when: state is defined and
+        ((state == "copied" and ipabackup_to_controller) or
+         state == "absent") and
+        ipabackup_name is defined and ipabackup_name == "all"
+  block:
  - name: Get list of all backups on IPA server
-    shell:
+    ansible.builtin.shell:
      find . -name "ipa-full-*" -o -name "ipa-data-*" | cut -d"/" -f 2
    args:
      chdir: "{{ ipabackup_dir }}/"
    register: result_backup_find_backup_files

  - name: Set ipabackup_names using backup list
-    set_fact:
+    ansible.builtin.set_fact:
      ipabackup_names: "{{ result_backup_find_backup_files.stdout_lines }}"

-  when: state is defined and
-        ((state == "copied" and ipabackup_to_controller) or
-         state == "absent") and
-        ipabackup_name is defined and ipabackup_name == "all"
-
- block:
+- name: Set ipabackup_names from ipabackup_name
+  when: ipabackup_names is not defined and ipabackup_name is defined
+  block:
  - name: Fail on ipabackup_name all
-    fail: msg="ipabackup_name can not be all in this case"
+    ansible.builtin.fail:
+      msg: "ipabackup_name can not be all in this case"
    when: ipabackup_name is defined and ipabackup_name == "all"

  - name: Set ipabackup_names from ipabackup_name string
-    set_fact:
+    ansible.builtin.set_fact:
      ipabackup_names: ["{{ ipabackup_name }}"]
    when: ipabackup_name | type_debug != "list"

  - name: Set ipabackup_names from ipabackup_name list
-    set_fact:
+    ansible.builtin.set_fact:
      ipabackup_names: "{{ ipabackup_name }}"
    when: ipabackup_name | type_debug == "list"
-  when: ipabackup_names is not defined and ipabackup_name is defined

 - name: Set empty ipabackup_names if ipabackup_name is not defined
-  set_fact:
+  ansible.builtin.set_fact:
    ipabackup_names: []
  when: ipabackup_names is not defined and ipabackup_name is not defined

- block:
+- name: Process "{{ ipabackup_names }}"
+  when: state is defined and
+        ((state == "copied" and ipabackup_to_controller) or state == "absent")
+  block:
  - name: Copy backup from IPA server
-    include_tasks: "{{ role_path }}/tasks/copy_backup_from_server.yml"
+    ansible.builtin.include_tasks: "{{ role_path }}/tasks/copy_backup_from_server.yml"
    vars:
      ipabackup_item: "{{ main_item | basename }}"
    with_items:
@@ -95,7 +104,7 @@
    when: state is defined and state == "copied"

  - name: Remove backup from IPA server
-    include_tasks: "{{ role_path }}/tasks/remove_backup_from_server.yml"
+    ansible.builtin.include_tasks: "{{ role_path }}/tasks/remove_backup_from_server.yml"
    vars:
      ipabackup_item: "{{ main_item | basename }}"
    with_items:
@@ -104,34 +113,32 @@
      loop_var: main_item
    when: state is defined and state == "absent"

-  when: state is defined and
-        ((state == "copied" and ipabackup_to_controller) or state == "absent")
-
 # Fail with more than one entry in ipabackup_names for copy to sever and
 # restore.

 - name: Fail to copy or restore more than one backup on the server
-  fail: msg="Only one backup can be copied to the server or restored"
+  ansible.builtin.fail:
+    msg: "Only one backup can be copied to the server or restored"
  when: state is defined and (state == "copied" or state == "restored") and
        ipabackup_from_controller | bool and ipabackup_names | length != 1

 # Use only first item in ipabackup_names for copy to server and for restore.

- block:
-  - name: Copy backup to server
-    include_tasks: "{{ role_path }}/tasks/copy_backup_to_server.yml"
-
-  - name: Restore IPA server after copy
-    include_tasks: "{{ role_path }}/tasks/restore.yml"
-    when: state|default("present") == "restored"
-
-  vars:
-    ipabackup_name: "{{ ipabackup_names[0] }}"
+- name: Process "{{ ipabackup_names[0] }}"
  when: ipabackup_from_controller or
        (state|default("present") == "copied" and not ipabackup_to_controller)
+  vars:
+    ipabackup_name: "{{ ipabackup_names[0] }}"
+  block:
+  - name: Copy backup to server
+    ansible.builtin.include_tasks: "{{ role_path }}/tasks/copy_backup_to_server.yml"
+
+  - name: Restore IPA server after copy
+    ansible.builtin.include_tasks: "{{ role_path }}/tasks/restore.yml"
+    when: state|default("present") == "restored"

 - name: Restore IPA server
-  include_tasks: "{{ role_path }}/tasks/restore.yml"
+  ansible.builtin.include_tasks: "{{ role_path }}/tasks/restore.yml"
  vars:
    ipabackup_item: "{{ ipabackup_names[0] | basename }}"
  when: not ipabackup_from_controller and
--- a/roles/ipabackup/tasks/remove_backup_from_server.yml
+++ b/roles/ipabackup/tasks/remove_backup_from_server.yml
@@ -1,5 +1,5 @@
 ---
 - name: Remove backup "{{ ipabackup_item }}"
-  file:
+  ansible.builtin.file:
    path: "{{ ipabackup_dir }}/{{ ipabackup_item }}"
    state: absent
--- a/roles/ipabackup/tasks/restore.yml
+++ b/roles/ipabackup/tasks/restore.yml
@@ -4,7 +4,7 @@
 ### VARIABLES

 - name: Import variables specific to distribution
-  include_vars: "{{ item }}"
+  ansible.builtin.include_vars: "{{ item }}"
  with_first_found:
    - "{{ role_path }}/vars/{{ ansible_facts['distribution'] }}-{{ ansible_facts['distribution_version'] }}.yml"
    - "{{ role_path }}/vars/{{ ansible_facts['distribution'] }}-{{ ansible_facts['distribution_major_version'] }}.yml"
@@ -21,30 +21,32 @@
 ### GET SERVICES FROM BACKUP

 - name: Stat backup on server
-  stat:
+  ansible.builtin.stat:
    path: "{{ ipabackup_dir }}/{{ ipabackup_item }}"
  register: result_backup_stat

 - name: Fail on missing backup directory
-  fail: msg="Unable to find backup {{ ipabackup_item }}"
+  ansible.builtin.fail:
+    msg: "Unable to find backup {{ ipabackup_item }}"
  when: result_backup_stat.stat.isdir is not defined

 - name: Stat header file in backup "{{ ipabackup_item }}"
-  stat:
+  ansible.builtin.stat:
    path: "{{ ipabackup_dir }}/{{ ipabackup_item }}/header"
  register: result_backup_header_stat

 - name: Fail on missing header file in backup
-  fail: msg="Unable to find backup {{ ipabackup_item }} header file"
+  ansible.builtin.fail:
+    msg: "Unable to find backup {{ ipabackup_item }} header file"
  when: result_backup_header_stat.stat.isreg is not defined

 - name: Get services from backup
-  shell: >
+  ansible.builtin.shell: >
    grep "^services = " "{{ ipabackup_dir }}/{{ ipabackup_item }}/header" | cut -d"=" -f2 | tr -d '[:space:]'
  register: result_services_grep

 - name: Set ipabackup_services
-  set_fact:
+  ansible.builtin.set_fact:
    ipabackup_services: "{{ result_services_grep.stdout.split(',') }}"
    ipabackup_service_dns: DNS
    ipabackup_service_adtrust: ADTRUST
@@ -52,78 +54,78 @@

 ### INSTALL PACKAGES

- block:
+- name: Package installation
+  when: ipabackup_install_packages | bool
+  block:
  - name: Ensure that IPA server packages are installed
-    package:
+    ansible.builtin.package:
      name: "{{ ipaserver_packages }}"
      state: present

  - name: Ensure that IPA server packages for dns are installed
-    package:
+    ansible.builtin.package:
      name: "{{ ipaserver_packages_dns }}"
      state: present
    when: ipabackup_service_dns in ipabackup_services

  - name: Ensure that IPA server packages for adtrust are installed
-    package:
+    ansible.builtin.package:
      name: "{{ ipaserver_packages_adtrust }}"
      state: present
    when: ipabackup_service_adtrust in ipabackup_services

  - name: Ensure that firewalld packages are installed
-    package:
+    ansible.builtin.package:
      name: "{{ ipaserver_packages_firewalld }}"
      state: present
    when: ipabackup_setup_firewalld | bool

-  when: ipabackup_install_packages | bool
-
 ### START FIREWALLD

- block:
+- name: Firewall configuration
+  when: ipabackup_setup_firewalld | bool
+  block:
  - name: Ensure that firewalld is running
-    systemd:
+    ansible.builtin.systemd:
      name: firewalld
      enabled: yes
      state: started

  - name: Firewalld - Verify runtime zone "{{ ipabackup_firewalld_zone }}"
-    shell: >
+    ansible.builtin.shell: >
      firewall-cmd
      --info-zone="{{ ipabackup_firewalld_zone }}"
      >/dev/null
    when: ipabackup_firewalld_zone is defined

  - name: Firewalld - Verify permanent zone "{{ ipabackup_firewalld_zone }}"
-    shell: >
+    ansible.builtin.shell: >
      firewall-cmd
      --permanent
      --info-zone="{{ ipabackup_firewalld_zone }}"
      >/dev/null
    when: ipabackup_firewalld_zone is defined

-  when: ipabackup_setup_firewalld | bool
-
 ### RESTORE

 - name: Restore backup
  no_log: True
-  shell: >
+  ansible.builtin.shell: >
    ipa-restore
    {{ ipabackup_item }}
    --unattended
-    {{ "--password="+ipabackup_password if ipabackup_password is defined else "" }}
+    {{ "--password=" + ipabackup_password if ipabackup_password is defined else "" }}
    {{ "--data" if ipabackup_data | bool else "" }}
    {{ "--online" if ipabackup_online | bool else "" }}
-    {{ "--instance="+ipabackup_instance if ipabackup_instance is defined else "" }}
-    {{ "--backend="+ipabackup_backend if ipabackup_backend is defined else "" }}
+    {{ "--instance=" + ipabackup_instance if ipabackup_instance is defined else "" }}
+    {{ "--backend=" + ipabackup_backend if ipabackup_backend is defined else "" }}
    {{ "--no-logs" if ipabackup_no_logs | bool else "" }}
-    {{ "--log-file="+ipabackup_log_file if ipabackup_log_file is defined else "" }}
+    {{ "--log-file=" + ipabackup_log_file if ipabackup_log_file is defined else "" }}
  register: result_iparestore
  ignore_errors: yes

 - name: Report error for restore operation
-  debug:
+  ansible.builtin.debug:
    msg: "{{ result_iparestore.stderr }}"
  when: result_iparestore is failed
  failed_when: yes
@@ -131,10 +133,10 @@
 ### CONFIGURE FIREWALLD

 - name: Configure firewalld
-  command: >
+  ansible.builtin.command: >
    firewall-cmd
    --permanent
-    {{ "--zone="+ipabackup_firewalld_zone if ipabackup_firewalld_zone is defined else "" }}
+    {{ "--zone=" + ipabackup_firewalld_zone if ipabackup_firewalld_zone is defined else "" }}
    --add-service=freeipa-ldap
    --add-service=freeipa-ldaps
    {{ "--add-service=freeipa-trust" if ipabackup_service_adtrust in ipabackup_services else "" }}
@@ -143,9 +145,9 @@
  when: ipabackup_setup_firewalld | bool

 - name: Configure firewalld runtime
-  command: >
+  ansible.builtin.command: >
    firewall-cmd
-    {{ "--zone="+ipabackup_firewalld_zone if ipabackup_firewalld_zone is defined else "" }}
+    {{ "--zone=" + ipabackup_firewalld_zone if ipabackup_firewalld_zone is defined else "" }}
    --add-service=freeipa-ldap
    --add-service=freeipa-ldaps
    {{ "--add-service=freeipa-trust" if ipabackup_service_adtrust in ipabackup_services else "" }}
--- a/roles/ipaclient/README.md
+++ b/roles/ipaclient/README.md
@@ -11,6 +11,7 @@ Features
 * Client deployment
 * One-time-password (OTP) support
 * Repair mode
+* DNS resolver configuration support


 Supported FreeIPA Versions
@@ -32,7 +33,6 @@ Requirements

 **Controller**
 * Ansible version: 2.8+
-* /usr/bin/kinit is required on the controller if a one time password (OTP) is used

 **Node**
 * Supported FreeIPA version (see above)
@@ -107,6 +107,40 @@ Example playbook to setup the IPA client(s) using principal and password from in
    state: present
 ```

+Example inventory file with configuration of dns resolvers:
+
+```ini
+[ipaclients]
+ipaclient1.example.com
+ipaclient2.example.com
+
+[ipaservers]
+ipaserver.example.com
+
+[ipaclients:vars]
+ipaadmin_principal=admin
+ipaadmin_password=MySecretPassword123
+ipaclient_domain=example.com
+ipaclient_configure_dns_resolver=yes
+ipaclient_dns_servers=192.168.100.1
+```
+
+Example inventory file with cleanup of dns resolvers:
+
+```ini
+[ipaclients]
+ipaclient1.example.com
+ipaclient2.example.com
+
+[ipaservers]
+ipaserver.example.com
+
+[ipaclients:vars]
+ipaadmin_principal=admin
+ipaadmin_password=MySecretPassword123
+ipaclient_domain=example.com
+ipaclient_cleanup_dns_resolver=yes
+```

 Playbooks
 =========
@@ -172,7 +206,7 @@ Server Variables
 Variable | Description | Required
 -------- | ----------- | --------
 `ipaservers` | This group is a list of the IPA server full qualified host names. In a topology with a chain of servers and replicas, it is important to use the right server or replica as the server for the client. If there is a need to overwrite the setting for a client in the `ipaclients` group, please use the list `ipaclient_servers` explained below. If no `ipaservers` group is defined than the installation preparation step will try to use DNS autodiscovery to identify the the IPA server using DNS txt records. | mostly
-`ipaadmin_keytab` | The string variable enables the use of an admin keytab as an alternative authentication method. The variable needs to contain the local path to the keytab file. If `ipaadmin_keytab` is used, then `ipaadmin_password` does not need to be set. If `ipaadmin_keytab` is used with `ipaclient_use_otp: yes` then the keytab needs to be available on the controller, else on the client node. The use of full path names is recommended.  | no
+`ipaadmin_keytab` | The string variable enables the use of an admin keytab as an alternative authentication method. The variable needs to contain the local path to the keytab file. If `ipaadmin_keytab` is used, then `ipaadmin_password` does not need to be set. If `ipaadmin_keytab` is used with `ipaclient_use_otp: yes` then the keytab needs to be available on the controller, else on the client node. The use of full path names is recommended. | no
 `ipaadmin_principal` | The string variable only needs to be set if the name of the Kerberos admin principal is not "admin". If `ipaadmin_principal` is not set it will be set internally to "admin". | no
 `ipaadmin_password` | The string variable contains the Kerberos password of the Kerberos admin principal. If `ipaadmin_keytab` is used, then `ipaadmin_password` does not need to be set. | mostly

@@ -198,6 +232,9 @@ Variable | Description | Required
 `ipaclient_allow_repair` | The bool value defines if an already joined or partly set-up client can be repaired. `ipaclient_allow_repair` defaults to `no`. Contrary to `ipaclient_force_join=yes` the host entry will not be changed on the server. | no
 `ipaclient_install_packages` | The bool value defines if the needed packages are installed on the node. `ipaclient_install_packages` defaults to `yes`. | no
 `ipaclient_on_master` | The bool value is only used in the server and replica installation process to install the client part. It should not be set otherwise. `ipaclient_on_master` defaults to `no`. | no
+`ipaclient_configure_dns_resolver` | The bool value defines if the DNS resolver is configured. This is useful if the IPA server has internal DNS support. `ipaclient_dns_server` need to be set also. The installation of packages is happening before the DNS resolver is configured, therefore package installation needs to be possible without the configuration of the DNS resolver. The DNS nameservers are configured for `NetworkManager`, `systemd-resolved` (if installed and enabled) and `/etc/resolv.conf` if neither NetworkManager nor systemd-resolved is used. | no
+`ipaclient_dns_servers` | The list of DNS server IP addresses. This is only useful with `ipaclient_configure_dns_resolver`. | no
+`ipaclient_cleanup_dns_resolver` | The bool value defines if DNS resolvers that have been configured before with `ipaclient_configure_dns_resolver` will be cleaned up again. | no


 Authors
--- a/roles/ipaclient/action_plugins/ipaclient_get_otp.py
+++ b/roles/ipaclient/action_plugins/ipaclient_get_otp.py
@@ -1,247 +0,0 @@
-# Authors:
-#   Florence Blanc-Renaud <frenaud@redhat.com>
-#
-# Copyright (C) 2017  Red Hat
-# see file 'COPYING' for use and warranty information
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program.  If not, see <http://www.gnu.org/licenses/>.
-
-from __future__ import (absolute_import, division, print_function)
-
-__metaclass__ = type
-
-import os
-import shutil
-import subprocess
-import tempfile
-from jinja2 import Template
-
-from ansible.errors import AnsibleError
-from ansible.module_utils._text import to_native
-from ansible.plugins.action import ActionBase
-
-
-def run_cmd(args, stdin=None):
-    """Execute an external command."""
-    p_in = None
-    p_out = subprocess.PIPE
-    p_err = subprocess.PIPE
-
-    if stdin:
-        p_in = subprocess.PIPE
-
-    # pylint: disable=invalid-name
-    with subprocess.Popen(
-        args, stdin=p_in, stdout=p_out, stderr=p_err, close_fds=True
-    ) as p:
-        __temp, stderr = p.communicate(stdin)
-
-        if p.returncode != 0:
-            raise RuntimeError(stderr)
-
-
-def kinit_password(principal, password, ccache_name, config):
-    """
-    Perform kinit using principal/password.
-
-    It uses the specified config file to kinit and stores the TGT
-    in ccache_name.
-    """
-    args = ["/usr/bin/kinit", principal, '-c', ccache_name]
-    old_config = os.environ.get('KRB5_CONFIG')
-    os.environ['KRB5_CONFIG'] = config
-
-    try:
-        return run_cmd(args, stdin=password.encode())
-    finally:
-        if old_config is not None:
-            os.environ['KRB5_CONFIG'] = old_config
-        else:
-            os.environ.pop('KRB5_CONFIG', None)
-
-
-def kinit_keytab(principal, keytab, ccache_name, config):
-    """
-    Perform kinit using principal/keytab.
-
-    It uses the specified config file to kinit and stores the TGT
-    in ccache_name.
-    """
-    args = ["/usr/bin/kinit", "-kt", keytab, "-c", ccache_name, principal]
-    old_config = os.environ.get('KRB5_CONFIG')
-    os.environ["KRB5_CONFIG"] = config
-
-    try:
-        return run_cmd(args)
-    finally:
-        if old_config is not None:
-            os.environ["KRB5_CONFIG"] = old_config
-        else:
-            os.environ.pop("KRB5_CONFIG", None)
-
-
-KRB5CONF_TEMPLATE = """
-[logging]
- default = FILE:/var/log/krb5libs.log
- kdc = FILE:/var/log/krb5kdc.log
- admin_server = FILE:/var/log/kadmind.log
-
-[libdefaults]
- default_realm = {{ ipa_realm }}
- dns_lookup_realm = false
- dns_lookup_kdc = true
- rdns = false
- ticket_lifetime = {{ ipa_lifetime }}
- forwardable = true
- udp_preference_limit = 0
- default_ccache_name = KEYRING:persistent:%{uid}
-
-[realms]
- {{ ipa_realm }} = {
-  kdc = {{ ipa_server }}:88
-  master_kdc = {{ ipa_server }}:88
-  admin_server = {{ ipa_server }}:749
-  default_domain = {{ ipa_domain }}
-}
-
-[domain_realm]
- .{{ ipa_domain }} = {{ ipa_realm }}
- {{ ipa_domain }} = {{ ipa_realm }}
-"""
-
-
-class ActionModule(ActionBase):  # pylint: disable=too-few-public-methods
-
-    # pylint: disable=too-many-return-statements
-    def run(self, tmp=None, task_vars=None):
-        """
-        Handle credential cache transfer.
-
-        ipa* commands can either provide a password or a keytab file
-        in order to authenticate on the managed node with Kerberos.
-        The module is using these credentials to obtain a TGT locally on the
-        control node:
-        - need to create a krb5.conf Kerberos client configuration that is
-        using IPA server
-        - set the environment variable KRB5_CONFIG to point to this conf file
-        - set the environment variable KRB5CCNAME to use a specific cache
-        - perform kinit on the control node
-        This command creates the credential cache file
-        - copy the credential cache file on the managed node
-
-        Then the IPA commands can use this credential cache file.
-        """
-        if task_vars is None:
-            task_vars = {}
-
-        # pylint: disable=super-with-arguments
-        result = super(ActionModule, self).run(tmp, task_vars)
-        principal = self._task.args.get('principal', None)
-        keytab = self._task.args.get('keytab', None)
-        password = self._task.args.get('password', None)
-        lifetime = self._task.args.get('lifetime', '1h')
-
-        if (not keytab and not password):
-            result['failed'] = True
-            result['msg'] = "keytab or password is required"
-            return result
-
-        if not principal:
-            result['failed'] = True
-            result['msg'] = "principal is required"
-            return result
-
-        data = self._execute_module(module_name='ipaclient_get_facts',
-                                    module_args={}, task_vars=task_vars)
-
-        try:
-            domain = data['ansible_facts']['ipa']['domain']
-            realm = data['ansible_facts']['ipa']['realm']
-        except KeyError:
-            result['failed'] = True
-            result['msg'] = "The host is not an IPA server"
-            return result
-
-        items = principal.split('@')
-        if len(items) < 2:
-            principal = str('%s@%s' % (principal, realm))
-
-        # Locally create a temp directory to store krb5.conf and ccache
-        local_temp_dir = tempfile.mkdtemp()
-        krb5conf_name = os.path.join(local_temp_dir, 'krb5.conf')
-        ccache_name = os.path.join(local_temp_dir, 'ccache')
-
-        # Create the krb5.conf from the template
-        template = Template(KRB5CONF_TEMPLATE)
-        content = template.render(dict(
-            ipa_server=task_vars['ansible_host'],
-            ipa_domain=domain,
-            ipa_realm=realm,
-            ipa_lifetime=lifetime))
-
-        with open(krb5conf_name, 'w') as f:  # pylint: disable=invalid-name
-            f.write(content)
-
-        if password:
-            try:
-                # perform kinit -c ccache_name -l 1h principal
-                kinit_password(principal, password, ccache_name,
-                               krb5conf_name)
-            except Exception as e:
-                result['failed'] = True
-                result['msg'] = 'kinit %s with password failed: %s' % \
-                    (principal, to_native(e))
-                return result
-
-        else:
-            # Password not supplied, need to use the keytab file
-            # Check if the source keytab exists
-            try:
-                keytab = self._find_needle('files', keytab)
-            except AnsibleError as e:
-                result['failed'] = True
-                result['msg'] = to_native(e)
-                return result
-            # perform kinit -kt keytab
-            try:
-                kinit_keytab(principal, keytab, ccache_name, krb5conf_name)
-            except Exception as e:
-                result['failed'] = True
-                result['msg'] = 'kinit %s with keytab %s failed: %s' % \
-                    (principal, keytab, str(e))
-                return result
-
-        try:
-            # Create the remote tmp dir
-            tmp = self._make_tmp_path()
-            tmp_ccache = self._connection._shell.join_path(
-                tmp, os.path.basename(ccache_name))
-
-            # Copy the ccache to the remote tmp dir
-            self._transfer_file(ccache_name, tmp_ccache)
-            self._fixup_perms2((tmp, tmp_ccache))
-
-            new_module_args = self._task.args.copy()
-            new_module_args.pop('password', None)
-            new_module_args.pop('keytab', None)
-            new_module_args.pop('lifetime', None)
-            new_module_args.update(ccache=tmp_ccache)
-
-            # Execute module
-            result.update(self._execute_module(module_args=new_module_args,
-                                               task_vars=task_vars))
-            return result
-        finally:
-            # delete the local temp directory
-            shutil.rmtree(local_temp_dir, ignore_errors=True)
--- a/roles/ipaclient/defaults/main.yml
+++ b/roles/ipaclient/defaults/main.yml
@@ -28,3 +28,6 @@ ipaclient_request_cert: no

 ### packages ###
 ipaclient_install_packages: yes
+
+ipaclient_configure_dns_resolver: no
+ipaclient_cleanup_dns_resolver: no
--- a/roles/ipaclient/library/ipaclient_api.py
+++ b/roles/ipaclient/library/ipaclient_api.py
@@ -5,7 +5,7 @@
 #
 # Based on ipa-client-install code
 #
-# Copyright (C) 2017  Red Hat
+# Copyright (C) 2017-2022  Red Hat
 # see file 'COPYING' for use and warranty information
 #
 # This program is free software; you can redistribute it and/or modify
@@ -32,25 +32,31 @@ ANSIBLE_METADATA = {'metadata_version': '1.0',
 DOCUMENTATION = '''
 ---
 module: ipaclient_api
-short description:
+short_description:
  Create temporary NSS database, call IPA API for remaining enrollment parts
 description:
  Create temporary NSS database, call IPA API for remaining enrollment parts
 options:
  servers:
    description: Fully qualified name of IPA servers to enroll to
-    required: no
+    type: list
+    elements: str
+    required: yes
  realm:
    description: Kerberos realm name of the IPA deployment
-    required: no
+    type: str
+    required: yes
  hostname:
    description: Fully qualified name of this host
-    required: no
+    type: str
+    required: yes
  debug:
    description: Turn on extra debugging
-    required: yes
+    type: bool
+    required: no
+    default: no
 author:
-    - Thomas Woerner
+    - Thomas Woerner (@t-woerner)
 '''

 EXAMPLES = '''
@@ -70,7 +76,7 @@ ca_enabled:
 subject_base:
  description: The subject base, needed for certmonger
  returned: always
-  type: string
+  type: str
  sample: O=EXAMPLE.COM
 '''

@@ -78,7 +84,7 @@ import os

 from ansible.module_utils.basic import AnsibleModule
 from ansible.module_utils.ansible_ipa_client import (
-    setup_logging,
+    setup_logging, check_imports,
    paths, x509, NUM_VERSION, serialization, certdb, api,
    delete_persistent_client_session_data, write_tmp_file,
    ipa_generate_password, CalledProcessError, errors, disable_ra, DN,
@@ -89,15 +95,16 @@ from ansible.module_utils.ansible_ipa_client import (
 def main():
    module = AnsibleModule(
        argument_spec=dict(
-            servers=dict(required=True, type='list'),
-            realm=dict(required=True),
-            hostname=dict(required=True),
+            servers=dict(required=True, type='list', elements='str'),
+            realm=dict(required=True, type='str'),
+            hostname=dict(required=True, type='str'),
            debug=dict(required=False, type='bool', default="false"),
        ),
-        supports_check_mode=True,
+        supports_check_mode=False,
    )

    module._ansible_debug = True
+    check_imports(module)
    setup_logging()

    realm = module.params.get('realm')
--- a/roles/ipaclient/library/ipaclient_configure_dns_resolver.py
+++ b/roles/ipaclient/library/ipaclient_configure_dns_resolver.py
@@ -0,0 +1,321 @@
+# -*- coding: utf-8 -*-
+
+# Authors:
+#   Thomas Woerner <twoerner@redhat.com>
+#
+# Based on ipaplatform/redhat/tasks.py code from Christian Heimes
+#
+# Copyright (C) 2022 Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+from __future__ import (absolute_import, division, print_function)
+
+__metaclass__ = type
+
+ANSIBLE_METADATA = {
+    'metadata_version': '1.0',
+    'supported_by': 'community',
+    'status': ['preview'],
+}
+
+DOCUMENTATION = """
+---
+module: ipaclient_configure_dns_resolver
+short_description: Configure DNS resolver for IPA client
+description:
+  Configure DNS resolver for IPA client, register files for installer
+options:
+  nameservers:
+    description: The nameservers, required with state:present.
+    type: list
+    elements: str
+    required: false
+  searchdomains:
+    description: The searchdomains, required with state:present.
+    type: list
+    elements: str
+    required: false
+  state:
+    description: The state to ensure.
+    type: str
+    choices: ["present", "absent"]
+    default: present
+    required: false
+author:
+  - Thomas Woerner (@t-woerner)
+"""
+
+EXAMPLES = """
+# Ensure DNS nameservers and domain are configured
+- ipaclient_configure_dns_resolver:
+    nameservers: groups.ipaservers
+    searchdomains: "{{ ipaserver_domain | default(ipaclient_domain) }}"
+# Ensure DNS nameservers and domain are not configured
+- ipaclient_configure_dns_resolver:
+    state: absent
+"""
+
+RETURN = """
+"""
+
+import os
+import os.path
+
+from ansible.module_utils.basic import AnsibleModule
+from ansible.module_utils.ansible_ipa_client import (
+    check_imports, services, tasks, paths, sysrestore, CheckedIPAddress
+)
+try:
+    from ipalib.installdnsforwarders import detect_resolve1_resolv_conf
+except ImportError:
+    def detect_resolve1_resolv_conf():
+        """
+        Detect if /etc/resolv.conf is managed by systemd-resolved.
+
+        See man(5) NetworkManager.conf
+        """
+        systemd_resolv_conf_files = {
+            "/run/systemd/resolve/stub-resolv.conf",
+            "/run/systemd/resolve/resolv.conf",
+            "/lib/systemd/resolv.conf",
+            "/usr/lib/systemd/resolv.conf",
+        }
+
+        try:
+            dest = os.readlink(paths.RESOLV_CONF)
+        except OSError:
+            # not a link
+            return False
+        # convert path relative to /etc/resolv.conf to abs path
+        dest = os.path.normpath(
+            os.path.join(os.path.dirname(paths.RESOLV_CONF), dest)
+        )
+        return dest in systemd_resolv_conf_files
+
+
+if hasattr(paths, "SYSTEMD_RESOLVED_IPA_CONF"):
+    SYSTEMD_RESOLVED_IPA_CONF = paths.SYSTEMD_RESOLVED_IPA_CONF
+else:
+    SYSTEMD_RESOLVED_IPA_CONF = "/etc/systemd/resolved.conf.d/zzz-ipa.conf"
+
+
+if hasattr(paths, "NETWORK_MANAGER_IPA_CONF"):
+    NETWORK_MANAGER_IPA_CONF = paths.NETWORK_MANAGER_IPA_CONF
+else:
+    NETWORK_MANAGER_IPA_CONF = "/etc/NetworkManager/conf.d/zzz-ipa.conf"
+
+
+NM_IPA_CONF = """
+# auto-generated by IPA client installer
+[main]
+dns={dnsprocessing}
+[global-dns]
+searches={searches}
+[global-dns-domain-*]
+servers={servers}
+"""
+
+
+RESOLVE1_IPA_CONF = """
+# auto-generated by IPA client installer
+[Resolve]
+# use DNS servers
+DNS={servers}
+# make default DNS server, add search suffixes
+Domains=~. {searchdomains}
+"""
+
+
+def configure_dns_resolver(nameservers, searchdomains, fstore=None):
+    """
+    Configure global DNS resolver (e.g. /etc/resolv.conf).
+
+    :param nameservers: list of IP addresses
+    :param searchdomains: list of search domaons
+    :param fstore: optional file store for resolv.conf backup
+    """
+    if not nameservers or not isinstance(nameservers, list):
+        raise AssertionError("nameservers must be of type list")
+    if not searchdomains or not isinstance(searchdomains, list):
+        raise AssertionError("searchdomains must be of type list")
+
+    if fstore is not None and not fstore.has_file(paths.RESOLV_CONF):
+        fstore.backup_file(paths.RESOLV_CONF)
+
+    resolve1_enabled = detect_resolve1_resolv_conf()
+    if "NetworkManager" not in services.knownservices:
+        # NetworkManager is not in wellknownservices for old IPA releases
+        # Therefore create own service for it.
+        nm_service = services.service("NetworkManager.service")
+    else:
+        nm_service = services.knownservices['NetworkManager']
+
+    # At first configure systemd-resolved
+    if resolve1_enabled:
+        if not os.path.exists(SYSTEMD_RESOLVED_IPA_CONF):
+            confd = os.path.dirname(SYSTEMD_RESOLVED_IPA_CONF)
+            if not os.path.isdir(confd):
+                os.mkdir(confd)
+                # owned by root, readable by systemd-resolve user
+                os.chmod(confd, 0o755)
+                tasks.restore_context(confd, force=True)
+
+            # Additionally to IPA server code also set servers
+            cfg = RESOLVE1_IPA_CONF.format(
+                servers=' '.join(nameservers),
+                searchdomains=" ".join(searchdomains)
+            )
+            with open(SYSTEMD_RESOLVED_IPA_CONF, "w") as outf:
+                os.fchmod(outf.fileno(), 0o644)
+                outf.write(cfg)
+
+            tasks.restore_context(
+                SYSTEMD_RESOLVED_IPA_CONF, force=True
+            )
+
+            if "systemd-resolved" in services.knownservices:
+                sdrd_service = services.knownservices["systemd-resolved"]
+            else:
+                sdrd_service = services.service("systemd-resolved.service")
+            if sdrd_service.is_enabled():
+                sdrd_service.reload_or_restart()
+
+    # Then configure NetworkManager or resolve.conf
+    if nm_service.is_enabled():
+        if not os.path.exists(NETWORK_MANAGER_IPA_CONF):
+            # write DNS override and reload network manager to have it create
+            # a new resolv.conf. The file is prefixed with ``zzz`` to
+            # make it the last file. Global dns options do not stack and last
+            # man standing wins.
+            if resolve1_enabled:
+                # push DNS configuration to systemd-resolved
+                dnsprocessing = "systemd-resolved"
+            else:
+                # update /etc/resolv.conf
+                dnsprocessing = "default"
+
+            cfg = NM_IPA_CONF.format(
+                dnsprocessing=dnsprocessing,
+                servers=','.join(nameservers),
+                searches=','.join(searchdomains)
+            )
+            with open(NETWORK_MANAGER_IPA_CONF, 'w') as outf:
+                os.fchmod(outf.fileno(), 0o644)
+                outf.write(cfg)
+            # reload NetworkManager
+            nm_service.reload_or_restart()
+
+    # Configure resolv.conf if NetworkManager and systemd-resoled are not
+    # enabled
+    elif not resolve1_enabled:
+        # no NM running, no systemd-resolved detected
+        # fall back to /etc/resolv.conf
+        cfg = [
+            "# auto-generated by IPA installer",
+            "search %s" % ' '.join(searchdomains),
+        ]
+        for nameserver in nameservers:
+            cfg.append("nameserver %s" % nameserver)
+        with open(paths.RESOLV_CONF, 'w') as outf:
+            outf.write('\n'.join(cfg))
+
+
+def unconfigure_dns_resolver(fstore=None):
+    """
+    Unconfigure global DNS resolver (e.g. /etc/resolv.conf).
+
+    :param fstore: optional file store for resolv.conf restore
+    """
+    if fstore is not None and fstore.has_file(paths.RESOLV_CONF):
+        fstore.restore_file(paths.RESOLV_CONF)
+
+    if os.path.isfile(NETWORK_MANAGER_IPA_CONF):
+        os.unlink(NETWORK_MANAGER_IPA_CONF)
+        if "NetworkManager" not in services.knownservices:
+            # NetworkManager is not in wellknownservices for old IPA releases
+            # Therefore create own service for it.
+            nm_service = services.service("NetworkManager.service")
+        else:
+            nm_service = services.knownservices['NetworkManager']
+        if nm_service.is_enabled():
+            nm_service.reload_or_restart()
+
+    if os.path.isfile(SYSTEMD_RESOLVED_IPA_CONF):
+        os.unlink(SYSTEMD_RESOLVED_IPA_CONF)
+        if "systemd-resolved" in services.knownservices:
+            sdrd_service = services.knownservices["systemd-resolved"]
+        else:
+            sdrd_service = services.service("systemd-resolved.service")
+        if sdrd_service.is_enabled():
+            sdrd_service.reload_or_restart()
+
+
+def main():
+    module = AnsibleModule(
+        argument_spec=dict(
+            nameservers=dict(type="list", elements="str", aliases=["cn"],
+                             required=False),
+            searchdomains=dict(type="list", elements="str", aliases=["cn"],
+                               required=False),
+            state=dict(type="str", default="present",
+                       choices=["present", "absent"]),
+        ),
+        supports_check_mode=False,
+    )
+
+    check_imports(module)
+
+    nameservers = module.params.get('nameservers')
+    searchdomains = module.params.get('searchdomains')
+
+    state = module.params.get("state")
+
+    if state == "present":
+        required = ["nameservers", "searchdomains"]
+        for param in required:
+            value = module.params.get(param)
+            if value is None or len(value) < 1:
+                module.fail_json(
+                    msg="Argument '%s' is required for state:present" % param)
+    else:
+        invalid = ["nameservers", "searchdomains"]
+        for param in invalid:
+            if module.params.get(param) is not None:
+                module.fail_json(
+                    msg="Argument '%s' can not be used with state:present" %
+                    param)
+
+    # Check nameservers to contain valid IP addresses
+    if nameservers is not None:
+        for value in nameservers:
+            try:
+                CheckedIPAddress(value)
+            except Exception as e:
+                module.fail_json(
+                    msg="Invalid IP address %s: %s" % (value, str(e)))
+
+    fstore = sysrestore.FileStore(paths.IPA_CLIENT_SYSRESTORE)
+
+    if state == "present":
+        configure_dns_resolver(nameservers, searchdomains, fstore)
+    else:
+        unconfigure_dns_resolver(fstore)
+
+    module.exit_json(changed=True)
+
+
+if __name__ == '__main__':
+    main()
--- a/roles/ipaclient/library/ipaclient_fix_ca.py
+++ b/roles/ipaclient/library/ipaclient_fix_ca.py
@@ -5,7 +5,7 @@
 #
 # Based on ipa-client-install code
 #
-# Copyright (C) 2017  Red Hat
+# Copyright (C) 2017-2022  Red Hat
 # see file 'COPYING' for use and warranty information
 #
 # This program is free software; you can redistribute it and/or modify
@@ -32,25 +32,30 @@ ANSIBLE_METADATA = {'metadata_version': '1.0',
 DOCUMENTATION = '''
 ---
 module: ipaclient_fix_ca
-short description: Fix IPA ca certificate
-description: Repair Fix IPA ca certificate
+short_description: Fix IPA ca certificate
+description: Fix IPA ca certificate
 options:
  servers:
    description: Fully qualified name of IPA servers to enroll to
-    required: no
+    type: list
+    elements: str
+    required: yes
  realm:
    description: Kerberos realm name of the IPA deployment
-    required: no
+    type: str
+    required: yes
  basedn:
    description: The basedn of the IPA server (of the form dc=example,dc=com)
-    required: no
+    type: str
+    required: yes
  allow_repair:
    description: |
      Allow repair of already joined hosts. Contrary to ipaclient_force_join
      the host entry will not be changed on the server
-    required: no
+    type: bool
+    required: yes
 author:
-    - Thomas Woerner
+    - Thomas Woerner (@t-woerner)
 '''

 EXAMPLES = '''
@@ -69,7 +74,7 @@ import os

 from ansible.module_utils.basic import AnsibleModule
 from ansible.module_utils.ansible_ipa_client import (
-    setup_logging,
+    setup_logging, check_imports,
    SECURE_PATH, paths, sysrestore, options, NUM_VERSION, get_ca_cert,
    get_ca_certs, errors
 )
@@ -78,14 +83,15 @@ from ansible.module_utils.ansible_ipa_client import (
 def main():
    module = AnsibleModule(
        argument_spec=dict(
-            servers=dict(required=True, type='list'),
-            realm=dict(required=True),
-            basedn=dict(required=True),
+            servers=dict(required=True, type='list', elements='str'),
+            realm=dict(required=True, type='str'),
+            basedn=dict(required=True, type='str'),
            allow_repair=dict(required=True, type='bool'),
        ),
    )

    module._ansible_debug = True
+    check_imports(module)
    setup_logging()

    servers = module.params.get('servers')
--- a/roles/ipaclient/library/ipaclient_fstore.py
+++ b/roles/ipaclient/library/ipaclient_fstore.py
@@ -5,7 +5,7 @@
 #
 # Based on ipa-client-install code
 #
-# Copyright (C) 2017  Red Hat
+# Copyright (C) 2017-2022  Red Hat
 # see file 'COPYING' for use and warranty information
 #
 # This program is free software; you can redistribute it and/or modify
@@ -34,14 +34,15 @@ ANSIBLE_METADATA = {
 DOCUMENTATION = '''
 ---
 module: ipaclient_fstore
-short description: Backup files using IPA client sysrestore
+short_description: Backup files using IPA client sysrestore
 description: Backup files using IPA client sysrestore
 options:
  backup:
    description: File to backup
-    required: no
+    type: str
+    required: yes
 author:
-    - Thomas Woerner
+    - Thomas Woerner (@t-woerner)
 '''

 EXAMPLES = '''
@@ -55,18 +56,19 @@ RETURN = '''

 from ansible.module_utils.basic import AnsibleModule
 from ansible.module_utils.ansible_ipa_client import (
-    setup_logging, paths, sysrestore
+    setup_logging, check_imports, paths, sysrestore
 )


 def main():
    module = AnsibleModule(
        argument_spec=dict(
-            backup=dict(required=True),
+            backup=dict(required=True, type='str'),
        ),
    )

    module._ansible_debug = True
+    check_imports(module)
    setup_logging()

    backup = module.params.get('backup')
--- a/roles/ipaclient/library/ipaclient_get_facts.py
+++ b/roles/ipaclient/library/ipaclient_get_facts.py
@@ -1,208 +0,0 @@
-# -*- coding: utf-8 -*-
-
-from __future__ import (absolute_import, division, print_function)
-
-__metaclass__ = type
-
-DOCUMENTATION = """
---
-module: ipaclient_get_facts
-short description: Get facts about IPA client and server configuration.
-description: Get facts about IPA client and server configuration.
-author:
-    - Thomas Woerner
-"""
-
-import os
-import re
-from ansible.module_utils import six
-try:
-    from ansible.module_utils.six.moves.configparser import RawConfigParser
-except ImportError:
-    from ConfigParser import RawConfigParser
-
-from ansible.module_utils.basic import AnsibleModule
-
-# pylint: disable=unused-import
-try:
-    from ipalib import api  # noqa: F401
-except ImportError:
-    HAS_IPALIB = False
-else:
-    HAS_IPALIB = True
-    from ipaplatform.paths import paths
-    try:
-        # FreeIPA >= 4.5
-        from ipalib.install import sysrestore
-    except ImportError:
-        # FreeIPA 4.4 and older
-        from ipapython import sysrestore
-
-try:
-    import ipaserver  # noqa: F401
-except ImportError:
-    HAS_IPASERVER = False
-else:
-    HAS_IPASERVER = True
-
-SERVER_SYSRESTORE_STATE = "/var/lib/ipa/sysrestore/sysrestore.state"
-NAMED_CONF = "/etc/named.conf"
-VAR_LIB_PKI_TOMCAT = "/var/lib/pki/pki-tomcat"
-
-
-def is_ntpd_configured():
-    # ntpd is configured when sysrestore.state contains the line
-    # [ntpd]
-    ntpd_conf_section = re.compile(r'^\s*\[ntpd\]\s*$')
-
-    try:
-        # pylint: disable=invalid-name
-        with open(SERVER_SYSRESTORE_STATE) as f:
-            for line in f.readlines():
-                if ntpd_conf_section.match(line):
-                    return True
-        # pylint: enable=invalid-name
-        return False
-    except IOError:
-        return False
-
-
-def is_dns_configured():
-    # dns is configured when /etc/named.conf contains the line
-    # dyndb "ipa" "/usr/lib64/bind/ldap.so" {
-    bind_conf_section = re.compile(r'^\s*dyndb\s+"ipa"\s+"[^"]+"\s+{$')
-
-    try:
-        with open(NAMED_CONF) as f:  # pylint: disable=invalid-name
-            for line in f.readlines():
-                if bind_conf_section.match(line):
-                    return True
-        return False
-    except IOError:
-        return False
-
-
-def is_dogtag_configured(subsystem):
-    # ca / kra is configured when the directory
-    # /var/lib/pki/pki-tomcat/[ca|kra] # exists
-    available_subsystems = {'ca', 'kra'}
-    if subsystem not in available_subsystems:
-        raise AssertionError("Subsystem '%s' not available" % subsystem)
-
-    return os.path.isdir(os.path.join(VAR_LIB_PKI_TOMCAT, subsystem))
-
-
-def is_ca_configured():
-    return is_dogtag_configured('ca')
-
-
-def is_kra_configured():
-    return is_dogtag_configured('kra')
-
-
-def is_client_configured():
-    # IPA Client is configured when /etc/ipa/default.conf exists
-    # and /var/lib/ipa-client/sysrestore/sysrestore.state exists
-
-    fstore = sysrestore.FileStore(paths.IPA_CLIENT_SYSRESTORE)
-    return os.path.isfile(paths.IPA_DEFAULT_CONF) and fstore.has_files()
-
-
-def is_server_configured():
-    # IPA server is configured when /etc/ipa/default.conf exists
-    # and /var/lib/ipa/sysrestore/sysrestore.state exists
-    return (os.path.isfile(paths.IPA_DEFAULT_CONF) and
-            os.path.isfile(SERVER_SYSRESTORE_STATE))
-
-
-def get_ipa_conf():
-    # Extract basedn, realm and domain from /etc/ipa/default.conf
-    parser = RawConfigParser()
-    parser.read(paths.IPA_DEFAULT_CONF)
-    basedn = parser.get('global', 'basedn')
-    realm = parser.get('global', 'realm')
-    domain = parser.get('global', 'domain')
-    return dict(
-        basedn=basedn,
-        realm=realm,
-        domain=domain
-    )
-
-
-def get_ipa_version():
-    try:
-        # pylint: disable=import-outside-toplevel
-        from ipapython import version
-        # pylint: enable=import-outside-toplevel
-    except ImportError:
-        return None
-    else:
-        version_info = []
-        for part in version.VERSION.split('.'):
-            # DEV versions look like:
-            # 4.4.90.201610191151GITd852c00
-            # 4.4.90.dev201701071308+git2e43db1
-            # 4.6.90.pre2
-            if part.startswith('dev') or part.startswith('pre') or \
-               'GIT' in part:
-                version_info.append(part)
-            else:
-                version_info.append(int(part))
-
-        return dict(
-            api_version=version.API_VERSION,
-            num_version=version.NUM_VERSION,
-            vendor_version=version.VENDOR_VERSION,
-            version=version.VERSION,
-            version_info=version_info
-        )
-
-
-def main():
-    module = AnsibleModule(
-        argument_spec={},
-        supports_check_mode=True
-    )
-
-    # The module does not change anything, meaning that
-    # check mode is supported
-
-    facts = dict(
-        packages=dict(
-            ipalib=HAS_IPALIB,
-            ipaserver=HAS_IPASERVER,
-        ),
-        configured=dict(
-            client=False,
-            server=False,
-            dns=False,
-            ca=False,
-            kra=False,
-            ntpd=False
-        )
-    )
-
-    if HAS_IPALIB:
-        if is_client_configured():
-            facts['configured']['client'] = True
-
-            facts['version'] = get_ipa_version()
-            for key, value in six.iteritems(get_ipa_conf()):
-                facts[key] = value
-
-    if HAS_IPASERVER:
-        if is_server_configured():
-            facts['configured']['server'] = True
-            facts['configured']['dns'] = is_dns_configured()
-            facts['configured']['ca'] = is_ca_configured()
-            facts['configured']['kra'] = is_kra_configured()
-            facts['configured']['ntpd'] = is_ntpd_configured()
-
-    module.exit_json(
-        changed=False,
-        ansible_facts=dict(ipa=facts)
-    )
-
-
-if __name__ == '__main__':
-    main()
--- a/Show More
+++ b/Show More