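```yaml
---
# Tasks that enroll a host as a FreeIPA client: install packages, set the
# FQDN, run ipa-client-install, configure SSSD and make sure it is running.

- name: DEBUG - confirm new file is used
  ansible.builtin.debug:
    msg: "🔥 NEW FREEIPA ROLE VERSION IS RUNNING 🔥"

# Report only whether the secret is defined. Printing the value itself would
# copy the admin password into the play output, log files and CI job logs.
- name: DEBUG - show ipa_admin_password presence
  ansible.builtin.debug:
    msg: "ipa_admin_password is {{ 'set' if (ipa_admin_password | default('') | length > 0) else 'NOT SET' }}"

- name: Install FreeIPA client packages
  ansible.builtin.package:
    name:
      - freeipa-client
      - sssd
      - sssd-tools
      - oddjob
      - oddjob-mkhomedir
    state: present

- name: Set hostname (FQDN)
  ansible.builtin.hostname:
    name: "{{ inventory_hostname }}.im.lab"

- name: DEBUG - show hostname used
  ansible.builtin.debug:
    msg: "Hostname will be {{ inventory_hostname }}.im.lab"

# argv passes each option as its own argument, so a password containing
# spaces or quotes cannot be split into additional ipa-client-install options.
# no_log keeps the rendered command line (including the password) out of task
# output and logs; it also hides this task's error text, so lift it only
# temporarily when debugging with a throwaway credential.
# NOTE(review): the password still appears in the process argument list on the
# target while the command runs, and this task enrolls with the realm admin
# principal. Consider a host one-time enrollment password or a dedicated
# least-privilege enrollment principal, sourced from Ansible Vault.
- name: Enroll to FreeIPA
  ansible.builtin.command:
    argv:
      - ipa-client-install
      - '--domain=im.lab'
      - '--realm=IPA.IM.LAB'
      - '--server=ipa.im.lab'
      - "--hostname={{ inventory_hostname }}.im.lab"
      - '--mkhomedir'
      - '--principal=admin'
      - "--password={{ ipa_admin_password }}"
      - '--unattended'
    # Skip enrollment when the client configuration already exists.
    creates: /etc/ipa/default.conf
  no_log: true

# The "Restart SSSD" handler is not defined in this file; it is expected to
# exist in the role's handlers.
- name: Configure SSSD
  freeipa.ansible_freeipa.ipaclient_setup_sssd:
    servers:
      - ipa.im.lab
    domain: im.lab
    realm: IPA.IM.LAB
    hostname: "{{ inventory_hostname }}.im.lab"
    no_krb5_offline_passwords: true
  notify: Restart SSSD

- name: Enable and start SSSD
  ansible.builtin.service:
    name: sssd
    state: started
    enabled: true
```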