Dual-play pattern
Running a play with roles and conditionals alongside additional tasks is somewhat challenging. Rather than running the tasks in a single play, separate the playbook into two distinct plays: one that applies the primary role and one that applies the replica role. Each role requires system/firewall changes before it can be installed, and each service requires a self-signed cert to be installed before it can be accessed with HTTPS. Consequently, these tasks can become generalized pre- and post-tasks for each play. This pattern is acceptable and is also more intuitive.
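
A sketch of the two-play layout described above, added here as an illustration and not taken from the original playbook. The inventory groups, role names, port and file paths are assumptions, as is the use of firewalld and the `ansible.posix` and `community.crypto` collections; YAML anchors reuse the same pre- and post-tasks in both plays.

```yaml
# Added example: groups, role names, port and paths are hypothetical.
- name: Apply primary role
  hosts: primary                  # hypothetical inventory group
  become: true
  vars:
    service_port: 8443/tcp        # hypothetical service port
  pre_tasks: &pre_tasks
    - name: Open the service port before the role is installed
      ansible.posix.firewalld:
        port: "{{ service_port }}"
        permanent: true
        immediate: true
        state: enabled
  roles:
    - role: app_primary           # hypothetical role name
  post_tasks: &post_tasks
    - name: Create private key for the self-signed cert
      community.crypto.openssl_privatekey:
        path: /etc/pki/tls/private/service.key
        mode: "0600"
    - name: Create CSR for this host
      community.crypto.openssl_csr:
        path: /etc/pki/tls/private/service.csr
        privatekey_path: /etc/pki/tls/private/service.key
        common_name: "{{ inventory_hostname }}"
    - name: Install self-signed cert so the service is reachable over HTTPS
      community.crypto.x509_certificate:
        path: /etc/pki/tls/certs/service.crt
        csr_path: /etc/pki/tls/private/service.csr
        privatekey_path: /etc/pki/tls/private/service.key
        provider: selfsigned

- name: Apply replica role
  hosts: replica                  # hypothetical inventory group
  become: true
  vars:
    service_port: 8443/tcp
  pre_tasks: *pre_tasks           # same firewall task as the primary play
  roles:
    - role: app_replica           # hypothetical role name
  post_tasks: *post_tasks         # same cert tasks as the primary play
```

Within each play Ansible runs `pre_tasks`, then `roles`, then `post_tasks`, so the firewall change lands before the role and the cert is in place once the role has finished.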