ipa[server,replica,client]: Do not use meta end_play

Meta end_play has been used as a simple solution to end the playbook
processing in special conditions, like for example when the deployment
was already done before.

meta end_play has been replaced with blocks and conditions for these
blocks.

Fixes: #70 (Avoid using meta end_play)

roles/ipaclient/tasks/install.yml

@@ -53,20 +53,12 @@
     enable_dns_updates: "{{ ipassd_enable_dns_updates }}"
   register: result_ipaclient_test
 
-- meta: end_play
-  when: result_ipaclient_test.client_already_configured and not ipaclient_allow_repair | bool and not ipaclient_force_join | bool
-
-- name: Install - Set default principal if no keytab is given
-  set_fact:
-    ipaadmin_principal: admin
-  when: ipaadmin_principal is undefined and ipaclient_keytab is undefined
-
+- block:
   - name: Install - Cleanup leftover ccache
     file:
       path: "/etc/ipa/.dns_ccache"
       state: absent
 
-- block:
   - name: Install - Configure NTP
     ipaclient_setup_ntp:
       ### basic ###
@@ -143,6 +135,14 @@
     when: ipaclient_use_otp | bool
 
   - block:
+    # This block is executed only when
+    # not (not ipaclient_on_master | bool and
+    #      not result_ipaclient_join.changed and
+    #      not ipaclient_allow_repair | bool and
+    #      (result_ipaclient_test_keytab.krb5_keytab_ok or
+    #       (result_ipaclient_join.already_joined is defined and
+    #        result_ipaclient_join.already_joined)))
+
     - name: Install - Check if principal and keytab are set
       fail: msg="Principal and keytab cannot be used together"
       when: ipaadmin_principal is defined and ipaadmin_principal != "" and ipaclient_keytab is defined and ipaclient_keytab != ""
@@ -187,10 +187,6 @@
     when: not ipaclient_on_master | bool and (not result_ipaclient_test_keytab.krb5_keytab_ok or ipaclient_force_join)
 
   - block:
-    - name: Install - End playbook processing
-      file:
-        path: "/etc/ipa/.dns_ccache"
-        state: absent
     - fail:
         msg: "The krb5 configuration is not correct, please enable allow_repair to fix this."
       when: not result_ipaclient_test_keytab.krb5_conf_ok
@@ -200,9 +196,9 @@
     - fail:
         msg: "The ca.crt file is missing, please enable allow_repair to fix this."
       when: not result_ipaclient_test_keytab.ca_crt_exists
-    - meta: end_play
     when: not ipaclient_on_master | bool and not result_ipaclient_join.changed and not ipaclient_allow_repair | bool and (result_ipaclient_test_keytab.krb5_keytab_ok or (result_ipaclient_join.already_joined is defined and result_ipaclient_join.already_joined))
 
+  - block:
     - name: Install - Configure IPA default.conf
       ipaclient_ipa_conf:
         servers: "{{ result_ipaclient_test.servers }}"
@@ -297,7 +293,9 @@
         nisdomain: "{{ ipaclient_nisdomain | default(omit)}}"
       when: not ipaclient_no_nisdomain | bool
 
-  when: not ansible_check_mode
+    when: not (not ipaclient_on_master | bool and not result_ipaclient_join.changed and not ipaclient_allow_repair | bool and (result_ipaclient_test_keytab.krb5_keytab_ok or (result_ipaclient_join.already_joined is defined and result_ipaclient_join.already_joined)))
+
+  when: not ansible_check_mode and not (result_ipaclient_test.client_already_configured and not ipaclient_allow_repair | bool and not ipaclient_force_join | bool)
 
   always:
   - name: Cleanup leftover ccache

roles/ipareplica/tasks/install.yml

@@ -68,10 +68,11 @@
     no_dnssec_validation: "{{ ipareplica_no_dnssec_validation }}"
   register: result_ipareplica_test
 
-- meta: end_play
-  when: result_ipareplica_test.client_already_configured is defined or result_ipareplica_test.server_already_configured is defined
-
 - block:
+  # This block is executed only when
+  # not ansible_check_mode and
+  # not (result_ipareplica_test.client_already_configured is defined or
+  #      result_ipareplica_test.server_already_configured is defined)
 
   - name: Install - Setup client
     include_role:
@@ -626,4 +627,4 @@
       state: absent
     when: result_ipareplica_enable_ipa.changed
 
-  when: not ansible_check_mode
+  when: not ansible_check_mode and not (result_ipareplica_test.client_already_configured is defined or result_ipareplica_test.server_already_configured is defined)

roles/ipaserver/tasks/install.yml

@@ -93,10 +93,12 @@
     ### additional ###
   register: result_ipaserver_test
 
-- meta: end_play
-  when: not result_ipaserver_test.changed and (result_ipaserver_test.client_already_configured is defined or result_ipaserver_test.server_already_configured is defined)
-
 - block:
+  # This block is executed only when
+  # not ansible_check_mode and
+  # not (not result_ipaserver_test.changed and
+  #      (result_ipaserver_test.client_already_configured is defined or
+  #       result_ipaserver_test.server_already_configured is defined)
 
   - block:
     - name: Install - Master password creation
@@ -390,4 +392,4 @@
       {{ "--add-service=ntp" if not ipaclient_no_ntp | bool else "" }}
     when: ipaserver_setup_firewalld | bool
 
-  when: not ansible_check_mode
+  when: not ansible_check_mode and not (not result_ipaserver_test.changed and (result_ipaserver_test.client_already_configured is defined or result_ipaserver_test.server_already_configured is defined))