diff --git a/roles/ipabackup/tasks/backup.yml b/roles/ipabackup/tasks/backup.yml
index 5fcb65cf13291ae81c944e65f112f3b5ee264b4d..fb4cb2497c9c84ffeac2889545cccd9a449c10da 100644
--- a/roles/ipabackup/tasks/backup.yml
+++ b/roles/ipabackup/tasks/backup.yml
@@ -14,6 +14,7 @@
   register: result_ipabackup
 
 - name: Handle backup
+  when: ipabackup_to_controller
   block:
   - name: Get ipabackup_item from stderr or stdout output
     ansible.builtin.set_fact:
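Review bot: The block-level `when: ipabackup_to_controller` tests the variable bare, while restore.yml in this same commit casts its switches (`ipabackup_install_packages | bool`). A value supplied as `-e ipabackup_to_controller=false` arrives as a string, and depending on the Ansible version a non-empty string may evaluate as true, in which case the backup would be copied to the controller although the operator asked for the opposite. I would write `when: ipabackup_to_controller | bool` here and apply the same cast to `ipabackup_to_controller`, `ipabackup_from_controller` and `ipabackup_keep_on_server` in the other conditions of this file and of main.yml. The role defaults are not visible in this diff, so confirm the values are not already normalised elsewhere.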
@@ -37,5 +38,3 @@
   - name: Remove backup on server
     ansible.builtin.include_tasks: "{{ role_path }}/tasks/remove_backup_from_server.yml"
     when: not ipabackup_keep_on_server
-
-  when: ipabackup_to_controller
diff --git a/roles/ipabackup/tasks/main.yml b/roles/ipabackup/tasks/main.yml
index 7b323990a3d9b6a10b7e09cbf960b8b0cac0f118..01fb10b82738d9668c1ffe3f4d6c257479f3974d 100644
--- a/roles/ipabackup/tasks/main.yml
+++ b/roles/ipabackup/tasks/main.yml
@@ -50,6 +50,10 @@
         (state == "copied" or state == "restored" or state == "absent")
 
 - name: Get all backup names for copy to controller
+  when: state is defined and
+        ((state == "copied" and ipabackup_to_controller) or
+         state == "absent") and
+        ipabackup_name is defined and ipabackup_name == "all"
   block:
   - name: Get list of all backups on IPA server
     ansible.builtin.shell:
@@ -62,12 +66,8 @@
     ansible.builtin.set_fact:
       ipabackup_names: "{{ result_backup_find_backup_files.stdout_lines }}"
 
-  when: state is defined and
-        ((state == "copied" and ipabackup_to_controller) or
-         state == "absent") and
-        ipabackup_name is defined and ipabackup_name == "all"
-
 - name: Set ipabackup_names from ipabackup_name
+  when: ipabackup_names is not defined and ipabackup_name is defined
   block:
   - name: Fail on ipabackup_name all
     ansible.builtin.fail:
@@ -83,7 +83,6 @@
     ansible.builtin.set_fact:
       ipabackup_names: "{{ ipabackup_name }}"
     when: ipabackup_name | type_debug == "list"
-  when: ipabackup_names is not defined and ipabackup_name is defined
 
 - name: Set empty ipabackup_names if ipabackup_name is not defined
   ansible.builtin.set_fact:
@@ -91,6 +90,8 @@
   when: ipabackup_names is not defined and ipabackup_name is not defined
 
 - name: Process "{{ ipabackup_names }}"
+  when: state is defined and
+        ((state == "copied" and ipabackup_to_controller) or state == "absent")
   block:
   - name: Copy backup from IPA server
     ansible.builtin.include_tasks: "{{ role_path }}/tasks/copy_backup_from_server.yml"
@@ -112,9 +113,6 @@
       loop_var: main_item
     when: state is defined and state == "absent"
 
-  when: state is defined and
-        ((state == "copied" and ipabackup_to_controller) or state == "absent")
-
 # Fail with more than one entry in ipabackup_names for copy to sever and
 # restore.
 
@@ -127,6 +125,10 @@
 # Use only first item in ipabackup_names for copy to server and for restore.
 
 - name: Process "{{ ipabackup_names[0] }}"
+  when: ipabackup_from_controller or
+        (state|default("present") == "copied" and not ipabackup_to_controller)
+  vars:
+    ipabackup_name: "{{ ipabackup_names[0] }}"
   block:
   - name: Copy backup to server
     ansible.builtin.include_tasks: "{{ role_path }}/tasks/copy_backup_to_server.yml"
@@ -135,11 +137,6 @@
     ansible.builtin.include_tasks: "{{ role_path }}/tasks/restore.yml"
     when: state|default("present") == "restored"
 
-  vars:
-    ipabackup_name: "{{ ipabackup_names[0] }}"
-  when: ipabackup_from_controller or
-        (state|default("present") == "copied" and not ipabackup_to_controller)
-
 - name: Restore IPA server
   ansible.builtin.include_tasks: "{{ role_path }}/tasks/restore.yml"
   vars:
diff --git a/roles/ipabackup/tasks/restore.yml b/roles/ipabackup/tasks/restore.yml
index ca11a8c6cf4698ad5a47ff938af594cc07a5bde2..27e3c7d636203d328ac08a41573853dfc78e52da 100644
--- a/roles/ipabackup/tasks/restore.yml
+++ b/roles/ipabackup/tasks/restore.yml
@@ -55,6 +55,7 @@
 ### INSTALL PACKAGES
 
 - name: Package installation
+  when: ipabackup_install_packages | bool
   block:
   - name: Ensure that IPA server packages are installed
     ansible.builtin.package:
@@ -79,11 +80,10 @@
       state: present
     when: ipabackup_setup_firewalld | bool
 
-  when: ipabackup_install_packages | bool
-
 ### START FIREWALLD
 
 - name: Firewall configuration
+  when: ipabackup_setup_firewalld | bool
   block:
   - name: Ensure that firewalld is running
     ansible.builtin.systemd:
@@ -106,8 +106,6 @@
       >/dev/null
     when: ipabackup_firewalld_zone is defined
 
-  when: ipabackup_setup_firewalld | bool
-
 ### RESTORE
 
 - name: Restore backup
diff --git a/roles/ipaclient/tasks/install.yml b/roles/ipaclient/tasks/install.yml
index 174eefaf9ffc1611c4524d1120d284a498825717..8c1286cb41404626a90061fbd5a09828554cac5d 100644
--- a/roles/ipaclient/tasks/install.yml
+++ b/roles/ipaclient/tasks/install.yml
@@ -29,6 +29,8 @@
   when: ipaadmin_principal is undefined and ipaclient_keytab is undefined
 
 - name: Install - DNS resolver configuration
+  when: ipaclient_configure_dns_resolver | bool
+        and not ipaclient_on_master | bool
   block:
 
   - name: Install - Fail on missing ipaclient_domain and ipaserver_domain
@@ -47,9 +49,6 @@
       searchdomains: "{{ ipaserver_domain | default(ipaclient_domain) }}"
       state: present
 
-  when: ipaclient_configure_dns_resolver | bool
-        and not ipaclient_on_master | bool
-
 - name: Install - IPA client test
   ipaclient_test:
     ### basic ###
@@ -76,6 +75,9 @@
   register: result_ipaclient_test
 
 - name: Install - Client deployment
+  when: not ansible_check_mode and
+        not (result_ipaclient_test.client_already_configured and
+            not ipaclient_allow_repair | bool and not ipaclient_force_join | bool)
   block:
   - name: Install - Cleanup leftover ccache
     ansible.builtin.file:
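Review bot: With the `when:` of "Install - Client deployment" now at the top of the block, nothing near the `always:` section further down shows that its tasks are conditional too. As far as I know Ansible applies a block-level `when` to the `always` tasks as well, so "Install - Restore original admin password if overwritten by OTP" is skipped whenever this condition is false. A one-line comment directly above `always:` would keep that visible, for example `# The block-level when also gates these always tasks`. The same applies to the temporary PKCS#12 cleanup under `always:` in "Install - Deploy replica" and "Install - Deploy server". The block body runs past this hunk, so its length is inferred from the hunk line numbers.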
@@ -130,6 +132,7 @@
   # If a keytab is specified in the hostent, then the hostent will be disabled
   # if ipaclient_use_otp is set.
   - name: Install - Obtain OTP
+    when: ipaclient_use_otp | bool and ipaclient_otp is not defined
     block:
     - name: Install - Keytab or password is required for getting otp
       ansible.builtin.fail:
@@ -175,9 +178,6 @@
         ipaadmin_orig_password: "{{ ipaadmin_password | default(omit) }}"
         ipaadmin_password: "{{ result_ipaclient_get_otp.host.randompassword
                                if result_ipaclient_get_otp.host is defined }}"
-
-    when: ipaclient_use_otp | bool and ipaclient_otp is not defined
-
     always:
     - name: Install - Remove keytab temporary file
       ansible.builtin.file:
@@ -194,7 +194,15 @@
     when: ipaclient_otp is defined
 
   - name: Install - Check keytab, principal and keytab
+    when: not ipaclient_on_master | bool
     block:
+    # This block is executed only when
+    # not (not ipaclient_on_master | bool and
+    #      not result_ipaclient_join.changed and
+    #      not ipaclient_allow_repair | bool and
+    #      (result_ipaclient_test_keytab.krb5_keytab_ok or
+    #       (result_ipaclient_join.already_joined is defined and
+    #        result_ipaclient_join.already_joined)))
 
     - name: Install - Check if principal and keytab are set
       ansible.builtin.fail:
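Review bot: The comment added under `block:` of "Install - Check keytab, principal and keytab" does not describe this block, whose condition is only `not ipaclient_on_master | bool`. The negated expression it spells out matches the `when:` of "Install - Configuration" further down in this file, and the commit removes the same text from "Install - Allow repair checks", so it looks like it was moved to the wrong block. I would delete these seven comment lines here, since each condition is now stated directly above the `block:` it governs. The block continues outside this hunk.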
@@ -208,7 +216,6 @@
             and ipaadmin_password is undefined
             and ipaadmin_keytab is undefined
             and ipaclient_keytab is undefined
-    when: not ipaclient_on_master | bool
 
   - name: Install - Purge {{ result_ipaclient_test.realm }} from host keytab
     ansible.builtin.command: >
@@ -254,16 +261,14 @@
               ipaclient_force_join)
 
   - name: Install - Allow repair checks
+    when: not ipaclient_on_master | bool and
+          not result_ipaclient_join.changed and
+          not ipaclient_allow_repair | bool and
+          (result_ipaclient_test_keytab.krb5_keytab_ok or
+              (result_ipaclient_join.already_joined is defined and
+                  result_ipaclient_join.already_joined))
     block:
-    # This block is executed only when
-    # not (not ipaclient_on_master | bool and
-    #      not result_ipaclient_join.changed and
-    #      not ipaclient_allow_repair | bool and
-    #      (result_ipaclient_test_keytab.krb5_keytab_ok or
-    #       (result_ipaclient_join.already_joined is defined and
-    #        result_ipaclient_join.already_joined)))
-
-    - name: krb5 configuration not correct
+    - name: The krb5 configuration is not correct
       ansible.builtin.fail:
         msg: >
           The krb5 configuration is not correct, please enable allow_repair
@@ -278,14 +283,14 @@
         msg: >
           The ca.crt file is missing, please enable allow_repair to fix this.
       when: not result_ipaclient_test_keytab.ca_crt_exists
-    when: not ipaclient_on_master | bool and
-          not result_ipaclient_join.changed and
-          not ipaclient_allow_repair | bool and
-          (result_ipaclient_test_keytab.krb5_keytab_ok or
-              (result_ipaclient_join.already_joined is defined and
-                  result_ipaclient_join.already_joined))
 
   - name: Install - Configuration
+    when: not (not ipaclient_on_master | bool and
+          not result_ipaclient_join.changed and
+          not ipaclient_allow_repair | bool
+              and (result_ipaclient_test_keytab.krb5_keytab_ok
+              or (result_ipaclient_join.already_joined is defined
+              and result_ipaclient_join.already_joined)))
     block:
     - name: Install - Configure IPA default.conf
       ipaclient_ipa_conf:
@@ -407,18 +412,6 @@
         domain: "{{ result_ipaclient_test.domain }}"
         nisdomain: "{{ ipaclient_nisdomain | default(omit) }}"
       when: not ipaclient_no_nisdomain | bool
-
-    when: not (not ipaclient_on_master | bool and
-          not result_ipaclient_join.changed and
-          not ipaclient_allow_repair | bool
-              and (result_ipaclient_test_keytab.krb5_keytab_ok
-              or (result_ipaclient_join.already_joined is defined
-              and result_ipaclient_join.already_joined)))
-
-  when: not ansible_check_mode and
-        not (result_ipaclient_test.client_already_configured and
-            not ipaclient_allow_repair | bool and not ipaclient_force_join | bool)
-
   always:
   - name: Install - Restore original admin password if overwritten by OTP
     no_log: yes
diff --git a/roles/ipareplica/tasks/install.yml b/roles/ipareplica/tasks/install.yml
index 670a03ae4249b88b08c89f56f0557435e9aa1b63..0e10d9b0c4475b8b5f7361b7cb5a1d197dbc8c96 100644
--- a/roles/ipareplica/tasks/install.yml
+++ b/roles/ipareplica/tasks/install.yml
@@ -2,6 +2,7 @@
 # tasks file for ipareplica
 
 - name: Package installation
+  when: ipareplica_install_packages | bool
   block:
 
   - name: Install - Ensure IPA replica packages are installed
@@ -27,9 +28,8 @@
       state: present
     when: ipareplica_setup_firewalld | bool
 
-  when: ipareplica_install_packages | bool
-
 - name: Firewall configuration
+  when: ipareplica_setup_firewalld | bool
   block:
   - name: Firewalld service - Ensure that firewalld is running
     ansible.builtin.systemd:
@@ -52,8 +52,6 @@
       >/dev/null
     when: ipareplica_firewalld_zone is defined
 
-  when: ipareplica_setup_firewalld | bool
-
 - name: Install - Set ipareplica_servers
   ansible.builtin.set_fact:
     ipareplica_servers: "{{ groups['ipaservers'] | list }}"
@@ -104,6 +102,9 @@
   register: result_ipareplica_test
 
 - name: Install - Deploy replica
+  when: not ansible_check_mode and
+        not (result_ipareplica_test.client_already_configured is defined or
+             result_ipareplica_test.server_already_configured is defined)
   block:
   # This block is executed only when
   # not ansible_check_mode and
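Review bot: The comment kept below `block:` in "Install - Deploy replica" ("This block is executed only when ...") now repeats the `when:` added directly above it. The ipaserver hunk for "Install - Deploy server" in this same commit deletes its equivalent comment, so dropping it here keeps the two roles consistent and prevents the comment from drifting away from the real condition. The comment continues past the end of this hunk, so its full text is not visible here.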
@@ -793,7 +794,3 @@
     - "/etc/ipa/.tmp_pkcs12_dirsrv"
     - "/etc/ipa/.tmp_pkcs12_http"
     - "/etc/ipa/.tmp_pkcs12_pkinit"
-
-  when: not ansible_check_mode and
-        not (result_ipareplica_test.client_already_configured is defined or
-             result_ipareplica_test.server_already_configured is defined)
diff --git a/roles/ipaserver/tasks/install.yml b/roles/ipaserver/tasks/install.yml
index bfb5b7403d83f7ab6b9069b88a6d337e0ef53ff4..74dd5d8b1005489b41a7f4685ff39a05901f87c8 100644
--- a/roles/ipaserver/tasks/install.yml
+++ b/roles/ipaserver/tasks/install.yml
@@ -2,6 +2,7 @@
 # tasks file for ipaserver
 
 - name: Install - Package installation
+  when: ipaserver_install_packages | bool
   block:
   - name: Install - Ensure that IPA server packages are installed
     ansible.builtin.package:
@@ -26,9 +27,9 @@
       state: present
     when: ipaserver_setup_firewalld | bool
 
-  when: ipaserver_install_packages | bool
 
 - name: Install - Firewall configuration
+  when: ipaserver_setup_firewalld | bool
   block:
   - name: Firewalld service - Ensure that firewalld is running
     ansible.builtin.systemd:
@@ -51,9 +52,7 @@
       >/dev/null
     when: ipaserver_firewalld_zone is defined
 
-  when: ipaserver_setup_firewalld | bool
-
-- name: Include tasks "{{ role_path }}/tasks/copy_external_cert.yml"
+- name: Copy external cert
   ansible.builtin.include_tasks: "{{ role_path }}/tasks/copy_external_cert.yml"
   with_items: "{{ ipaserver_external_cert_files_from_controller }}"
   when: ipaserver_external_cert_files_from_controller is defined and
@@ -131,14 +130,13 @@
   register: result_ipaserver_test
 
 - name: Install - Deploy server
+  when: not ansible_check_mode and not
+        (not result_ipaserver_test.changed and
+         (result_ipaserver_test.client_already_configured is defined or
+          result_ipaserver_test.server_already_configured is defined))
   block:
-  # This block is executed only when
-  # not ansible_check_mode and
-  # not (not result_ipaserver_test.changed and
-  #      (result_ipaserver_test.client_already_configured is defined or
-  #       result_ipaserver_test.server_already_configured is defined)
-
   - name: Install - Obtain master password
+    when: ipaserver_master_password is undefined
     block:
     - name: Install - Master password creation
       no_log: yes
@@ -153,8 +151,6 @@
         ipaserver_master_password:
           "{{ result_ipaserver_master_password.password }}"
 
-    when: ipaserver_master_password is undefined
-
   - name: Install - Server preparation
     ipaserver_prepare:
       ### basic ###
@@ -321,6 +317,7 @@
           ipaserver_copy_csr_to_controller | bool
 
   - name: Install - Configure services
+    when: not result_ipaserver_setup_ca.csr_generated | bool
     block:
     - name: Install - Setup otpd
       ipaserver_setup_otpd:
@@ -476,8 +473,6 @@
         {{ "--add-service=ntp" if not ipaclient_no_ntp | bool else "" }}
       when: ipaserver_setup_firewalld | bool
 
-    when: not result_ipaserver_setup_ca.csr_generated | bool
-
   always:
   - name: Cleanup temporary files
     ansible.builtin.file:
@@ -487,8 +482,3 @@
     - "/etc/ipa/.tmp_pkcs12_dirsrv"
     - "/etc/ipa/.tmp_pkcs12_http"
     - "/etc/ipa/.tmp_pkcs12_pkinit"
-
-  when: not ansible_check_mode and not
-        (not result_ipaserver_test.changed and
-         (result_ipaserver_test.client_already_configured is defined or
-          result_ipaserver_test.server_already_configured is defined))
diff --git a/roles/ipasmartcard_client/tasks/main.yml b/roles/ipasmartcard_client/tasks/main.yml
index f7ddb827146fc0578d36d6ff5b54d02cf7a8ae5c..94d1e9c3ceb4ddffdf61c636dc5fe0c7808e9e12 100644
--- a/roles/ipasmartcard_client/tasks/main.yml
+++ b/roles/ipasmartcard_client/tasks/main.yml
@@ -103,6 +103,7 @@
   # Ensure /etc/sssd/pki exists
 
   - name: Prepare for authselect
+    when: ipasmartcard_client_vars.USE_AUTHSELECT
     block:
     - name: Ensure /etc/sssd/pki exists
       ansible.builtin.file:
@@ -115,8 +116,6 @@
         path: /etc/sssd/pki/sssd_auth_ca_db.pem
         state: absent
 
-    when: ipasmartcard_client_vars.USE_AUTHSELECT
-
   # Upload smartcard CA certificates to systemwide db
 
   - name: Upload smartcard CA certificates to systemwide db
diff --git a/roles/ipasmartcard_server/tasks/main.yml b/roles/ipasmartcard_server/tasks/main.yml
index 4306a31a4a525370d20fcee64c0891c9cd579aac..a05451a8c2cd5236a98dc6b3bf1191afb8f521e6 100644
--- a/roles/ipasmartcard_server/tasks/main.yml
+++ b/roles/ipasmartcard_server/tasks/main.yml
@@ -168,10 +168,10 @@
   # HTTPD IFP
 
   - name: Allow HTTPD ifp
+    when: ipasmartcard_server_vars.allow_httpd_ifp
     block:
 
     # Allow Apache to access SSSD IFP
-
     - name: Allow Apache to access SSSD IFP
       ansible.builtin.command: "{{ ipasmartcard_server_vars.python_interpreter }}"
       args:
@@ -192,11 +192,10 @@
         name: sssd
         state: restarted
 
-    when: ipasmartcard_server_vars.allow_httpd_ifp
-
   # Ensure /etc/sssd/pki exists
 
   - name: Prepare for authselect
+    when: ipasmartcard_server_vars.USE_AUTHSELECT
     block:
     - name: Ensure /etc/sssd/pki exists
       ansible.builtin.file:
@@ -209,8 +208,6 @@
         path: /etc/sssd/pki/sssd_auth_ca_db.pem
         state: absent
 
-    when: ipasmartcard_server_vars.USE_AUTHSELECT
-
   # Upload smartcard CA certificates to systemwide db
 
   - name: Upload smartcard CA certificates to systemwide db