diff --git a/.ansible-freeipa.metadata b/.ansible-freeipa.metadata
new file mode 100644
index 0000000..a2316e2
--- /dev/null
+++ b/.ansible-freeipa.metadata
@@ -0,0 +1 @@
+1d86f49f014b14a569969b4f859fb017f26de285 SOURCES/ansible-freeipa-0.3.8.tar.gz
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..4ecd66b
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+SOURCES/ansible-freeipa-0.3.8.tar.gz
diff --git a/SOURCES/ansible-freeipa-0.3.8-Replace-json_query-in-tests-user-test_users_absent.y_rhbz#1992997.patch b/SOURCES/ansible-freeipa-0.3.8-Replace-json_query-in-tests-user-test_users_absent.y_rhbz#1992997.patch
new file mode 100644
index 0000000..bbdc232
--- /dev/null
+++ b/SOURCES/ansible-freeipa-0.3.8-Replace-json_query-in-tests-user-test_users_absent.y_rhbz#1992997.patch
@@ -0,0 +1,34 @@
+From 545d1c742231ea3151a6b0474de4c198dcbc8604 Mon Sep 17 00:00:00 2001
+From: Thomas Woerner <twoerner@redhat.com>
+Date: Wed, 11 Aug 2021 11:24:36 +0200
+Subject: [PATCH] Replace json_query in tests/user/test_users_absent.yml
+
+json_query is not part of Ansible Core. As this is the only used module
+that is not in Core it has been replaced by constructig a new dict with
+the needed user names from users dict using a loop and set_fact.
+---
+ tests/user/test_users_absent.yml | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/tests/user/test_users_absent.yml b/tests/user/test_users_absent.yml
+index 752b241..d211816 100644
+--- a/tests/user/test_users_absent.yml
++++ b/tests/user/test_users_absent.yml
+@@ -12,8 +12,13 @@
+     include_vars:
+       file: users.json
+ 
++  - name: Create dict with user names
++    set_fact:
++      user_names: "{{ user_names | default([]) + [{ 'name': item.name }] }}"
++    loop: "{{ users }}"
++
+   - name: Users absent len:{{ users | length }}
+     ipauser:
+       ipaadmin_password: SomeADMINpassword
+-      users: "{{ users | json_query('[*].{name: name}') }}"
++      users: "{{ user_names }}"
+       state: absent
+-- 
+2.31.1
+
diff --git a/SPECS/ansible-freeipa.spec b/SPECS/ansible-freeipa.spec
new file mode 100644
index 0000000..d116e14
--- /dev/null
+++ b/SPECS/ansible-freeipa.spec
@@ -0,0 +1,350 @@
+# Turn off automatic python byte compilation because these are Ansible
+# roles and the files are transferred to the node and compiled there with
+# the python version used in the node
+%define __brp_python_bytecompile %{nil}
+
+%global python %{__python3}
+
+Summary: Roles and playbooks to deploy FreeIPA servers, replicas and clients
+Name: ansible-freeipa
+Version: 0.3.8
+Release: 3%{?dist}
+URL: https://github.com/freeipa/ansible-freeipa
+License: GPLv3+
+Source: https://github.com/freeipa/ansible-freeipa/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
+Patch1: ansible-freeipa-0.3.8-Replace-json_query-in-tests-user-test_users_absent.y_rhbz#1992997.patch
+BuildArch: noarch
+%if 0%{?fedora} >= 35 || 0%{?rhel} >= 9
+Requires: ansible-core
+%endif
+
+%description
+Ansible roles and playbooks to install and uninstall FreeIPA servers, replicas and clients. Also modules for group, host, topology and user management.
+
+Note: The Ansible playbooks and roles require a configured Ansible environment where the Ansible nodes are reachable and are properly set up to have an IP address and a working package manager.
+Features
+
+- Server, replica and client deployment
+- Cluster deployments: Server, replicas and clients in one playbook
+- One-time-password (OTP) support for client installation
+- Repair mode for clients
+- Backup and restore, also to and from controller
+- Modules for automembership rule management
+- Modules for config management
+- Modules for delegation management
+- Modules for dns config management
+- Modules for dns forwarder management
+- Modules for dns record management
+- Modules for dns zone management
+- Modules for group management
+- Modules for hbacrule management
+- Modules for hbacsvc management
+- Modules for hbacsvcgroup management
+- Modules for host management
+- Modules for hostgroup management
+- Modules for location management
+- Modules for permission management
+- Modules for privilege management
+- Modules for pwpolicy management
+- Modules for role management
+- Modules for self service management
+- Modules for server management
+- Modules for service management
+- Modules for sudocmd management
+- Modules for sudocmdgroup management
+- Modules for sudorule management
+- Modules for topology management
+- Modules for trust management
+- Modules for user management
+- Modules for vault management
+
+Supported FreeIPA Versions
+
+FreeIPA versions 4.6 and up are supported by all roles.
+
+The client role supports versions 4.4 and up, the server role is working with versions 4.5 and up, the replica role is currently only working with versions 4.6 and up.
+Supported Distributions
+
+- RHEL/CentOS 7.4+
+- Fedora 26+
+- Ubuntu
+- Debian 10+ (ipaclient only, no server or replica!)
+
+Requirements
+
+  Controller
+
+  - Ansible version: 2.8+ (ansible-freeipa is an Ansible Collection)
+    /usr/bin/kinit is required on the controller if a one time password (OTP)
+    is used
+  - python3-gssapi is required on the controller if a one time password (OTP)
+    is used with keytab to install the client.
+
+  Node
+
+  - Supported FreeIPA version (see above)
+  - Supported distribution (needed for package installation only, see above)
+
+Limitations
+
+External signed CA is now supported. But the currently needed two step process
+is an issue for the processing in a simple playbook.
+Work is planned to have a new method to handle CSR for external signed CAs in
+a separate step before starting the server installation.
+
+
+%package tests
+Summary: ansible-freeipa tests
+Requires: %{name} = %{version}-%{release}
+
+%description tests
+ansible-freeipa tests.
+
+Please have a look at %{_datadir}/ansible-freeipa/requirements-tests.txt
+to get the needed requrements to run the tests.
+
+
+%prep
+%setup -q
+# Do not create backup files with patches
+%patch1 -p1
+
+# Fix python modules and module utils:
+# - Remove shebang
+# - Remove execute flag
+for i in roles/ipa*/library/*.py roles/ipa*/module_utils/*.py plugins/*/*.py; do
+    sed -i '1{/\/usr\/bin\/python*/d;}' $i
+    chmod a-x $i
+done
+
+for i in utils/*.py utils/ansible-ipa-*-install utils/new_module \
+         utils/changelog utils/ansible-doc-test;
+do
+    sed -i '{s@/usr/bin/python*@%{python}@}' $i
+done
+
+
+%build
+
+%install
+install -m 755 -d %{buildroot}%{_datadir}/ansible/roles/
+cp -rp roles/ipaserver %{buildroot}%{_datadir}/ansible/roles/
+cp -rp roles/ipaserver/README.md README-server.md
+cp -rp roles/ipareplica %{buildroot}%{_datadir}/ansible/roles/
+cp -rp roles/ipareplica/README.md README-replica.md
+cp -rp roles/ipaclient %{buildroot}%{_datadir}/ansible/roles/
+cp -rp roles/ipaclient/README.md README-client.md
+cp -rp roles/ipabackup %{buildroot}%{_datadir}/ansible/roles/
+cp -rp roles/ipabackup/README.md README-backup.md
+install -m 755 -d %{buildroot}%{_datadir}/ansible/plugins/
+cp -rp plugins/* %{buildroot}%{_datadir}/ansible/plugins/
+
+install -m 755 -d %{buildroot}%{_datadir}/ansible-freeipa
+cp requirements*.txt %{buildroot}%{_datadir}/ansible-freeipa/
+cp -rp utils %{buildroot}%{_datadir}/ansible-freeipa/
+install -m 755 -d %{buildroot}%{_datadir}/ansible-freeipa/tests
+cp -rp tests %{buildroot}%{_datadir}/ansible-freeipa/
+
+%files
+%license COPYING
+%{_datadir}/ansible/roles/ipaserver
+%{_datadir}/ansible/roles/ipareplica
+%{_datadir}/ansible/roles/ipaclient
+%{_datadir}/ansible/roles/ipabackup
+%{_datadir}/ansible/plugins/module_utils
+%{_datadir}/ansible/plugins/modules
+%doc README*.md
+%doc playbooks
+%{_datadir}/ansible-freeipa/requirements.txt
+%{_datadir}/ansible-freeipa/requirements-dev.txt
+%{_datadir}/ansible-freeipa/utils
+
+%files tests
+%{_datadir}/ansible-freeipa/tests
+%{_datadir}/ansible-freeipa/requirements-tests.txt
+
+%changelog
+* Mon Aug 16 2021 Thomas Woerner <twoerner@redhat.com> - 0.3.8-3
+- Add requirement for ansible-core
+  Resolves: RHBZ#1993857
+- Remove python3, pip and ansible installation from sanity test
+  Related: RHBZ#1993857
+- Replace json_query in tests/user/test_users_absent.yml
+  Resolves: RHBZ#1992997
+
+* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 0.3.8-2
+- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
+  Related: rhbz#1991688
+
+* Thu Jul 15 2021 Thomas Woerner <twoerner@redhat.com> - 0.3.8-1
+- Update to version 0.3.7 and 0.3.8
+  https://github.com/freeipa/ansible-freeipa/releases/tag/v0.3.7
+  https://github.com/freeipa/ansible-freeipa/releases/tag/v0.3.8
+  Related: RHBZ#1972178
+- automember: Verify condition keys
+  Resolves: RHBZ#1981713
+- automember: Fix result["failed"] issues with conditions
+  Resolves: RHBZ#1981713
+- automember: Fix action to be automember or member, not service
+  Resolves: RHBZ#1981711
+
+* Thu Jun 17 2021 Thomas Woerner <twoerner@redhat.com> - 0.3.6-3
+- Apply fix for ipabackup: Use module to get IPA_BACKUP_DIR from ipaplatform
+  Resolves: RRBZ#1973173
+
+* Mon Jun  7 2021 Thomas Woerner <twoerner@redhat.com> - 0.3.6-1
+- Update to version 0.3.6
+  https://github.com/freeipa/ansible-freeipa/releases/tag/v0.3.6
+  Resolves: RHBZ#1972178
+- ansible-freeipa-tests not in the compose
+  Resolves: RHBZ#1940014
+- Remove unsupported parameter for (ipapermission) module: perm_rights from
+  permission-present.yml
+  Resolves: RHBZ#1973167
+- Sample playbook included for selfservice module is incorrect
+  Resolves: RHBZ#1973166
+- ipa-client-install failing with error code 7(keytab: /usr/sbin/ipa-rmkeytab
+  returned 7)
+  Resolves: RHBZ#1973169
+- New management module ipaserver
+  Resolves: RHBZ#1973171
+- New management module ipaautomember
+  Resolves: RHBZ#1973172
+
+* Thu Apr 15 2021 Mohan Boddu <mboddu@redhat.com> - 0.3.5-2
+- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
+
+* Wed Mar  3 2021 Thomas Woerner <twoerner@redhat.com> - 0.3.5-1
+- Update to version 0.3.5
+  https://github.com/freeipa/ansible-freeipa/releases/tag/v0.3.5
+
+* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 0.3.4-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Mon Jan 18 2021 Thomas Woerner <twoerner@redhat.com> - 0.3.4-1
+- Update to version 0.3.4
+  https://github.com/freeipa/ansible-freeipa/releases/tag/v0.3.4
+  https://github.com/freeipa/ansible-freeipa/releases/tag/v0.3.3
+  https://github.com/freeipa/ansible-freeipa/releases/tag/v0.3.2
+
+* Wed Dec  2 2020 Thomas Woerner <twoerner@redhat.com> - 0.3.1-1
+- Update to version 0.3.1
+  https://github.com/freeipa/ansible-freeipa/releases/tag/v0.3.1
+- ipabackup: Fix undefined vars for conditions in shell tasks without else
+
+* Tue Dec  1 2020 Thomas Woerner <twoerner@redhat.com> - 0.3.0-2
+- Ship ipabackup role for backup and restore
+
+* Thu Nov 26 2020 Thomas Woerner <twoerner@redhat.com> - 0.3.0-1
+- Update to version 0.3.0
+  https://github.com/freeipa/ansible-freeipa/releases/tag/v0.3.0
+
+* Fri Oct 09 2020 Thomas Woerner <twoerner@redhat.com> - 0.2.1-1
+- Update to version 0.2.1
+  https://github.com/freeipa/ansible-freeipa/releases/tag/v0.2.1
+- Update to version 0.2.0
+  https://github.com/freeipa/ansible-freeipa/releases/tag/v0.2.0
+- New tests sub package providing upstream tests
+- Utils in /usr/share/ansible-freeipa/utils
+
+* Mon Jul 27 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.1.12-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Mon Jun 15 2020 Thomas Woerner <twoerner@redhat.com> - 0.1.12-1
+- Update to version 0.1.12 bug fix only release
+
+* Thu Jun 11 2020 Thomas Woerner <twoerner@redhat.com> - 0.1.11-1
+- Update to version 0.1.11
+  https://github.com/freeipa/ansible-freeipa/releases/tag/v0.1.11
+
+* Mon Apr 27 2020 Thomas Woerner <twoerner@redhat.com> - 0.1.10-1
+- Update to version 0.1.10 with fixes and additional modules
+  https://github.com/freeipa/ansible-freeipa/releases/tag/v0.1.10
+
+* Mon Mar 16 2020 Thomas Woerner <twoerner@redhat.com> - 0.1.9-1
+- Update to version 0.1.8 with lots of fixes and additional modules
+  https://github.com/freeipa/ansible-freeipa/releases/tag/v0.1.9
+
+* Tue Jan 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.1.8-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Fri Dec 20 2019 Thomas Woerner <twoerner@redhat.com> - 0.1.8-1
+- Update to version 0.1.8 with lots of fixes and additional modules
+  https://github.com/freeipa/ansible-freeipa/releases/tag/v0.1.8
+  https://github.com/freeipa/ansible-freeipa/releases/tag/v0.1.7
+
+* Wed Jul 24 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.1.6-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Tue Jul 23 2019 Thomas Woerner <twoerner@redhat.com> - 0.1.6-1
+- Update to version 0.1.6
+  - Lots of documentation updates in READMEs and modules
+  - library/ipaclient_get_otp: Enable force mode for host_add call (fixes #74)
+  - Flake8 and pylint reated fixes
+  - Fixed wrong path to CheckedIPAddress class in ipareplica_test
+  - Remove unused ipaserver/library/ipaserver.py
+  - No not use wildcard imports for modules
+  - ipareplica: Add support for pki_config_override
+  - ipareplica: Initialize dns.ip_addresses and dns.reverse_zones for dns setup
+  - ipareplica_prepare: Properly initialize pin and cert_name variables
+  - ipareplica: Fail with proper error messages
+  - ipaserver: Properly set settings related to pkcs12 files
+  - ipaclient: RawConfigParser is not always provided by six.moves.configparser
+  - ipaclient_setup_nss: paths.GETENT is not available before
+    freeipa-4.6.90.pre1
+  - ipaserver_test: Initialize value from options.zonemgr
+  - ipareplica_setup_custodia: create_replica only available in newer releases
+  - ipaclient: Fix typo in dnsok assignment for ipaclient_setup_nss
+  - ipa[server,replica]: Set _packages_adtrust for Ubuntu
+  - New build script for galaxy release
+  - New utils script to update module docs
+
+* Tue Jul  9 2019 Thomas Woerner <twoerner@redhat.com> - 0.1.5-2
+- Update README-user.md: Fixed examples, new example
+- ipauser example playbooks: Fixed actions, new example
+
+* Tue Jul  9 2019 Thomas Woerner <twoerner@redhat.com> - 0.1.5-1
+- Update to version 0.1.5
+  - Support for IPA 4.8.0
+  - New user management module
+  - New group management module
+  - ipaserver: Support external signed CA
+  - RHEL-8 specific vars files to be able to install needed modules
+    automatically
+  - ipareplica: Fixes for certmonger and kra setup
+  - New tests folder
+  - OTP related updates to README files
+- Updates of version 0.1.4
+  - ipatopologysegment: Use commands, not command
+- Updates of version 0.1.3
+  - ipaclient_test: Fix Python2 decode use with Python3
+  - Fixed: #86 (AttributeError: 'str' object has no attribute 'decode')
+  - ipaclient_get_otp: Remove ansible_python_interpreter handling
+  - ipaclient: Use omit (None) for password, keytab, no string length checks
+  - ipaclient_join: Support to use ipaadmin_keytab without ipaclient_use_otp
+  - ipaclient: Report error message if ipaclient_get_otp failed
+  - Fixes #17 Improve how tasks manage package installation
+  - ipareplica: The dm password is not needed for ipareplica_master_password
+  - ipareplica: Use ipareplica_server if set
+  - ipatopologysegment: Allow domain+ca suffix, new state: checked
+  - Documentation updates
+  - Cleanups
+- Update of version 0.1.2
+  - Now a new Ansible Collection
+  - Fix gssapi requirement for OTP: It is only needed if keytab is used with
+    OTP now.
+  - Fix wrong ansible argument types
+  - Do not fail on textwrap for replica deployments with CA
+  - Ansible lint and galaxy fixes
+  - Disable automatic removal of replication agreements in uninstall
+  - Enable freeipa-trust service if adtrust is enabled
+  - Add support for hidden replica
+  - New topology managament modules
+  - Add support for pki_config_override
+  - Fix host name setup in server deployment
+  - Fix errors when ipaservers variable is not set
+  - Fix ipaclient install role length typo
+  - Cleanups
+
+* Mon May  6 2019 Thomas Woerner <twoerner@redhat.com> - 0.1.1-1
+- Initial package