making sure all systems get the ipa client vars

ansible/playbooks/ipaclient.yml

@@ -0,0 +1,7 @@
+---
+
+ipaclient_domain = rockylinux.org
+ipaclient_realm = ROCKYLINUX.ORG
+ipaadmin_principal = admin
+ipaclient_no_ntp = true
+ipaclient_mkhomedir = true

ansible/playbooks/role-rocky-ipa-client.yml

@@ -6,6 +6,7 @@
   become: true
   vars_files:
   - vars/encpass.yml
+  - vars/ipaclient.yml
 
   pre_tasks:
     - name: Check if ansible cannot be run here

ansible/playbooks/vars/encpass.yml

@@ -1,5 +1,9 @@
 ---
-# You must set this up using ansible-vault
+# You must set this up using ansible-vault. Note that each var of a particular
+# group (eg ipa) should have its own vault password separate from the rest. The
+# passwords here should not be unlockable by one single password. It may be
+# beneficial instead to split out the various passwords into separate vars
+# files.
 ipaadmin_password: !vault |
           $ANSIBLE_VAULT;1.1;AES256
           REDACTED