timorunge / ansible-freeipa-server

FreeIPA Identity Management Server provisioning.

Not possible to install an ipa replica on an already joined machine as /etc/ipa/default.conf already exists

arnoxit opened this issue

I would like to install ipa replicas using this role following the guidance here:
https://www.freeipa.org/page/V4/Replica_Setup
which says it should be possible to install a replica on an already joined machine without needing the admin credentials as long as the machine has been added to the ipaservers group already.

The current code does not allow this, as the install task is skipped when /etc/ipa/default.conf is already there. It would be good to be able to override this `creates` check.

Hey @arnoxit, technically this should be possible, yes.

Actually, one challenge here is that FreeIPA generates /etc/ipa/default.conf during the ipa-{server,replica}-install process. Ansible is calling those commands with some arguments and is not in control of the file. That basically means that even if some "ignore if the file is already there" pattern were added to this module, the command would be executed every time Ansible runs, which would remove idempotence - and this should be avoided at all costs.
Another side effect would be that all ipa services would be restarted every time Ansible runs.

If you have some ideas and / or suggestions on how to sort this out, please feel free to send a PR.