update handlers and fix template

handlers/main.yml

@@ -9,4 +9,14 @@
   ansible.builtin.service:
     name: named
     state: restarted
+
+- name: enable_firewalld
+  ansible.builtin.service:
+    name: firewalld
+    state: started
+    enabled: true
+
+- name: enable_crb
+  ansible.builtin.shell: "set -o pipefail && /usr/bin/crb enable"
+  changed_when: "1 != 1"
 ...

role-rocky-ipa-replica.yml

@@ -25,40 +25,8 @@
         success_msg: "We are able to run on this node"
         fail_msg: "/etc/no-ansible exists - skipping run on this node"
 
-    - name: Ensure 'dns=none' is set for Network Manager
-      community.general.ini_file:
-        path: /etc/NetworkManager/NetworkManager.conf
-        state: present
-        no_extra_spaces: true
-        section: main
-        option: dns
-        value: none
-        owner: root
-        group: root
-        mode: '0644'
-        backup: true
-      notify:
-        - reload_networkmanager
-
-    - name: Ensure epel-release is installed
-      ansible.builtin.dnf:
-        name: epel-release
-        state: present
-
-    - name: Enable CRB
-      ansible.builtin.shell: "set -o pipefail && /usr/bin/crb enable"
-
-    - name: Install ipa-fas
-      ansible.builtin.dnf:
-        name: ipa-fas
-        state: present
-
-    - name: Open firewalld service before hand
-      ansible.posix.firewalld:
-        service: freeipa-4
-        permanent: true
-        immediate: true
-        state: enabled
+    - name: Perform domain pre-work
+      ansible.builtin.import_tasks: tasks/domain-prework.yml
 
   roles:
     - role: freeipa.ansible_freeipa.ipareplica
@@ -74,5 +42,5 @@
         group: root
 
     - name: Configure recursion for private nets
-      import_tasks: tasks/dns-ext.yml
+      ansible.builtin.import_tasks: tasks/dns-ext.yml
 ...

role-rocky-ipa.yml

@@ -30,40 +30,8 @@
         success_msg: "We are able to run on this node"
         fail_msg: "/etc/no-ansible exists - skipping run on this node"
 
-    - name: Ensure 'dns=none' is set for Network Manager to avoid change
-      community.general.ini_file:
-        path: /etc/NetworkManager/NetworkManager.conf
-        state: present
-        no_extra_spaces: true
-        section: main
-        option: dns
-        value: none
-        owner: root
-        group: root
-        mode: '0644'
-        backup: true
-      notify:
-        - reload_networkmanager
-
-    - name: Ensure epel-release is installed
-      ansible.builtin.dnf:
-        name: epel-release
-        state: present
-
-    - name: Enable CRB
-      ansible.builtin.shell: "set -o pipefail && /usr/bin/crb enable"
-
-    - name: Install ipa-fas
-      ansible.builtin.dnf:
-        name: ipa-fas
-        state: present
-
-    - name: Open firewalld service before hand
-      ansible.posix.firewalld:
-        service: freeipa-4
-        permanent: true
-        immediate: true
-        state: enabled
+    - name: Perform domain pre-work
+      ansible.builtin.import_tasks: tasks/domain-prework.yml
 
   roles:
     - role: freeipa.ansible_freeipa.ipaserver
@@ -84,5 +52,5 @@
         allow_sync_ptr: true
 
     - name: Configure recursion for private nets
-      import_tasks: tasks/dns-ext.yml
+      ansible.builtin.import_tasks: tasks/dns-ext.yml
 ...

tasks/domain-prework.yml

@@ -0,0 +1,42 @@
+---
+- name: Ensure epel-release and firewalld are installed
+  ansible.builtin.dnf:
+    name:
+      - epel-release
+      - firewalld
+    state: present
+  notify:
+    - enable_firewalld
+    - enable_crb
+
+# We need this immediately.
+- name: Flush handlers
+  ansible.builtin.meta: flush_handlers
+
+- name: Ensure 'dns=none' is set for Network Manager
+  community.general.ini_file:
+    path: /etc/NetworkManager/NetworkManager.conf
+    state: present
+    no_extra_spaces: true
+    section: main
+    option: dns
+    value: none
+    owner: root
+    group: root
+    mode: '0644'
+    backup: true
+  notify:
+    - reload_networkmanager
+
+- name: Install ipa-fas
+  ansible.builtin.dnf:
+    name: ipa-fas
+    state: present
+
+- name: Open firewalld service before hand
+  ansible.posix.firewalld:
+    service: freeipa-4
+    permanent: true
+    immediate: true
+    state: enabled
+...

templates/etc/named/ipa-ext.conf

@@ -15,4 +15,4 @@
  * };
  */
 
-acl "trusted_nets" { {{ ipa_trusted_nets|join(';') }} };
+acl "trusted_nets" { {{ ipa_trusted_nets|join(';') }}; };