diff --git a/README.md b/README.md
index 461ffae..4aa441c 100644
--- a/README.md
+++ b/README.md
@@ -1,7 +1,7 @@ role-ipa-server ========= -A brief description of the role goes here. +This role is used to build freeipa server Requirements ------------
@@ -11,7 +11,7 @@ No requirements Role Variables -------------- -Server specific variables (i.e. mountpoint info) should be defined from the playbook-builder +No role specific variables Dependencies ------------
@@ -23,8 +23,8 @@ Example Playbook Template Playbook creation should be handled by playbook-builder. To include role in a playbook, add one of these lines (changing version/branch as needed) to the template with other core entries: -role:mount:v1.0:core,mount -role:mount:testing:core,mount +role:ipa-server:v1.0:workload,ipa-server +role:ipa-server:testing:workload,ipa-server License -------
diff --git a/defaults/main.yml b/defaults/main.yml
index a0eb46b..b98a086 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -1,3 +1,3 @@
 #SPDX-License-Identifier: MIT-0
 ---
-# defaults file for ${REPO_NAME}
+# defaults file forrole-ipa-server
diff --git a/files/replicate.sh b/files/replicate.sh
new file mode 100644
index 0000000..e77de83
--- /dev/null
+++ b/files/replicate.sh
@@ -0,0 +1,16 @@
+read -s -p "Admin Password:" ADMIN_PASSWORD
+echo ""
+read -s -p "Directory Manager Password:" DM_PASSWORD
+echo ""
+read -p "Server to replicate (default ipa.actcur.com):" SERVER
+
+if [ -z $SERVER ]
+then
+ SERVER="ipa.actcur.com"
+fi
+
+ipa-client-install -U -p admin -w $ADMIN_PASSWORD --server=$SERVER --domain actcur.com --mkhomedir --force-join
+
+ipa-replica-install --skip-mem-check
+
+ipa-ca-install -p $DM_PASSWORD
diff --git a/files/setup-le.sh b/files/setup-le.sh
new file mode 100644
index 0000000..72052e8
--- /dev/null
+++ b/files/setup-le.sh
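Review bot: Both passwords that `read -s` collects are then passed on the command line (`-w $ADMIN_PASSWORD` on the `ipa-client-install` line and `-p $DM_PASSWORD` on the last line), so for as long as each installer runs they are visible in the process list to every local user and may be captured by shell history or audit tooling; prefer the installers' own prompts (ipa-client-install's `-W` prompts for the join password, and ipa-ca-install prompts for the Directory Manager password when `-p` is omitted — verify against the installed version) and drop the `read` lines. The expansions are also unquoted, so a password or server name containing spaces or glob characters is split before it reaches the installer; use `if [ -z "$SERVER" ]`, `-w "$ADMIN_PASSWORD"` and `-p "$DM_PASSWORD"`. There is no shebang and no `set -euo pipefail`, so a failed `ipa-client-install` still falls through to `ipa-replica-install` and `ipa-ca-install`. The realm `actcur.com` and the default server are hard-coded into a script shipped by a role whose README says it has no variables; consider sourcing them from role vars so the script is not tied to one deployment.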
@@ -0,0 +1,36 @@
+FQDN=$(hostname -f)
+mkdir -p "/etc/ssl/$FQDN"
+
+#get x1 root
+curl -o "/etc/ssl/$FQDN/x1.der" "https://x1.i.lencr.org"
+openssl x509 -inform der -in /etc/ssl/$FQDN/x1.der -out /etc/ssl/$FQDN/x1.pem
+
+#get x2 root
+curl -o "/etc/ssl/$FQDN/x2.der" "https://x2.i.lencr.org"
+openssl x509 -inform der -in /etc/ssl/$FQDN/x2.der -out /etc/ssl/$FQDN/x2.pem
+
+#get issuer
+openssl x509 -noout -text -in crt.pem | grep i.lencr.org | grep -Po http.+
+issuer=`openssl x509 -noout -text -in /etc/letsencrypt/live/$FQDN/fullchain.pem | grep Issuer | grep Encrypt | grep -Po "(?<=CN=).*" | tr '[:upper:]' '[:lower:]'`
+
+curl -o "/etc/ssl/$FQDN/$issuer.der" "https://$issuer.i.lencr.org"
+openssl x509 -inform der -in /etc/ssl/$FQDN/$issuer.der -out /etc/ssl/$FQDN/$issuer.pem
+
+
+ipa-cacert-manage install "/etc/ssl/$FQDN/x1.pem"
+ipa-cacert-manage install "/etc/ssl/$FQDN/x2.pem"
+ipa-cacert-manage install "/etc/ssl/$FQDN/$issuer.pem"
+
+ipa-certupdate
+
+if ! [[ -L /var/lib/ipa/certs/httpd.crt ]]
+then
+ mv /var/lib/ipa/certs/httpd.crt /var/lib/ipa/certs/httpd.crt.bak
+ ln -s /etc/letsencrypt/live/$FQDN/cert.pem /var/lib/ipa/certs/httpd.crt
+fi
+
+if ! [[ -L /var/lib/ipa/private/httpd.key ]]
+then
+ mv /var/lib/ipa/private/httpd.key /var/lib/ipa/private/httpd.key.bak
+ ln -s /etc/letsencrypt/live/$FQDN/privkey.pem /var/lib/ipa/private/httpd.key
+fi
\ No newline at end of file
diff --git a/handlers/main.yml b/handlers/main.yml
index 192bcab..a28e14e 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -1,3 +1,7 @@
 #SPDX-License-Identifier: MIT-0
 ---
-# handlers file for ${REPO_NAME}
+# handlers file for role-ipa-server
+- name: restart httpd
+ service:
+ name: httpd
+ state: restarted
diff --git a/tasks/main.yml b/tasks/main.yml
index 0482006..ae8a3a2 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
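Review bot: Three downloaded files are added to the IPA trust store with `ipa-cacert-manage install` without any check that the download and the DER-to-PEM conversion succeeded: `curl` runs without `--fail`, so an HTTP error body is saved as `x1.der`, and the script has no shebang and no `set -e`, so the failing `openssl x509` conversion is ignored and the `install` lines run against whatever is on disk. The `issuer` value comes from a grep chain over `fullchain.pem`, and if it is empty (certificate not issued by Let's Encrypt, or a different `Issuer` line format) the script fetches `https://.i.lencr.org` and installs the result; guard it with `[ -n "$issuer" ]` before the `curl`. The line `openssl x509 -noout -text -in crt.pem | grep i.lencr.org | grep -Po http.+` reads a `crt.pem` that nothing creates and its output is unused, so it looks like leftover debugging and should be dropped. Since whatever comes back from these URLs becomes a trusted CA for the IPA domain, consider also comparing each fetched root's fingerprint against the value published by Let's Encrypt before the `install` step.
```shell
#!/usr/bin/env bash
set -euo pipefail
FQDN=$(hostname -f)
mkdir -p "/etc/ssl/$FQDN"

# … unchanged: x1/x2 root downloads, with `curl -fsS -o …` in place of `curl -o …` …

#get issuer
issuer=$(openssl x509 -noout -text -in "/etc/letsencrypt/live/$FQDN/fullchain.pem" | grep Issuer | grep Encrypt | grep -Po "(?<=CN=).*" | tr '[:upper:]' '[:lower:]')
if [ -z "$issuer" ]; then
  echo "could not determine Let's Encrypt issuer from fullchain.pem" >&2
  exit 1
fi
curl -fsS -o "/etc/ssl/$FQDN/$issuer.der" "https://$issuer.i.lencr.org"
openssl x509 -inform der -in "/etc/ssl/$FQDN/$issuer.der" -out "/etc/ssl/$FQDN/$issuer.pem"

# … unchanged: ipa-cacert-manage install, ipa-certupdate, httpd cert/key symlink blocks …
```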
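Review bot: The new `restart httpd` handler is not notified by any task this diff adds (no task in tasks/main.yml carries a `notify:`), so as far as this commit shows it is dead code; the certificate swap that would need the restart happens inside `setup-le.sh` outside Ansible, so either that script should end with `systemctl restart httpd` or the swap should become a task that notifies this handler. For consistency with the fully qualified module names used in tasks/main.yml, write it as `ansible.builtin.service:` rather than the short `service:`.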
@@ -1,3 +1,48 @@
 #SPDX-License-Identifier: MIT-0
 ---
-# tasks file for ${REPO_NAME}
+# tasks file for role-ipa-server
+- name: install freeipa-server
+ ansible.builtin.package:
+ name: freeipa-server
+ state: present
+
+- name: install ipa-server-dns
+ ansible.builtin.package:
+ name: ipa-server-dns
+ state: present
+
+#this should be moved to a dedicated firewall role down the road
+- name: permit ipa-server traffic through firewall
+ ansible.posix.firewalld:
+ service: freeipa-4
+ state: enabled
+ permanent: true
+ immediate: true
+ offline: true
+
+- name: deploy replication script
+ ansible.builtin.copy:
+ src: files/replicate.sh
+ dest: /scripts/replicate.sh
+
+#this should be moved to dedicated selinux role down the road
+- name: Disable SELinux
+ ansible.posix.selinux:
+ state: disabled
+
+# create letsencrypt setup script if certbot is enabled
+- name: check if letsencrypt is set up
+ ansible.builtin.command: '[ -d "/etc/letsencrypt/" ]'
+ register: result
+ ignore_errors: true
+
+- name: check if ipaserver is ready
+ ansible.builtin.command: '[ -d "/var/lib/ipa/certs/" ]'
+ register: result2
+ ignore_errors: true
+
+- name: deploy letsencrypt setup script
+ ansible.builtin.copy:
+ src: files/setup-le.sh
+ dest: /scripts/setup-le.sh
+ when: (result is succeeded) and (result2 is succeeded)
\ No newline at end of file
diff --git a/tests/test.yml b/tests/test.yml
index a1c8646..7e88656 100644
--- a/tests/test.yml
+++ b/tests/test.yml
@@ -3,4 +3,4 @@ - hosts: localhost remote_user: root roles: - ${REPO_NAME} + - role-ipa-server
diff --git a/vars/main.yml b/vars/main.yml
index f31a73e..83e9f8b 100644
--- a/vars/main.yml
+++ b/vars/main.yml
@@ -1,3 +1,3 @@
 #SPDX-License-Identifier: MIT-0
 ---
-# vars file for ${REPO_NAME}
+# vars file for role-ipa-server
\ No newline at end of file
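Review bot: The `Disable SELinux` task (`ansible.posix.selinux: state: disabled`) removes the mandatory-access-control layer from the identity server itself; FreeIPA ships its own SELinux policy and is supported in enforcing mode, so the comment that this belongs in a separate role understates the change — at minimum document why it is needed here, and if a relaxation is genuinely required prefer `state: permissive` so denials are still logged. The two `ansible.builtin.command: '[ -d … ]'` checks with `ignore_errors: true` print a failure and report `changed` on every run; `ansible.builtin.stat` expresses the same condition without either and gives the registered variables a descriptive name. Both `ansible.builtin.copy` tasks set no `mode` or `owner`, so the scripts land with default permissions and are not executable, and if nothing created `/scripts` earlier in the play the copy fails; since `replicate.sh` prompts for the Directory Manager password and `setup-le.sh` relinks the httpd private key, an explicit root-owned `mode: "0750"` (and a `file: state: directory` task for `/scripts` if needed) is worth stating.
```yaml
# … unchanged: package, firewalld, replicate.sh copy and selinux tasks …

- name: check if letsencrypt is set up
  ansible.builtin.stat:
    path: /etc/letsencrypt
  register: letsencrypt_dir

- name: check if ipaserver is ready
  ansible.builtin.stat:
    path: /var/lib/ipa/certs
  register: ipa_certs_dir

- name: deploy letsencrypt setup script
  ansible.builtin.copy:
    src: files/setup-le.sh
    dest: /scripts/setup-le.sh
    owner: root
    group: root
    mode: "0750"
  when: letsencrypt_dir.stat.exists and ipa_certs_dir.stat.exists
```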