netz39-infra-ansible/host-krypton.yml
Alexander Dahl 605eca4c38 🚚 roles: dehydrated_cron: Use namespaced name
Removes the redundant words "ansible" and "role" from the role name
originating from the Git repo name, and uses the author's name as
namespace instead.  This makes it easier to recognize it as an external role.

Note: the host-wittgenstein recipe already used that new name, but we
did not set it up in requirements, yet.  (How did that ever work?)

Link: https://docs.ansible.com/ansible/latest/galaxy/user_guide.html#installing-multiple-roles-from-a-file
Fixes: f4db6fa395 ("Add Ansible setup for wittgenstein")
2024-12-28 12:16:21 +01:00


---
- hosts: krypton.n39.eu
  # Every task in this play runs privileged (docker, ufw, /srv/data).
  become: true
  vars:
    ansible_python_interpreter: /usr/bin/python3
    data_dir: "/srv/data"
    # Source ranges the ufw rules below admit to the LDAP ports.  These are the
    # whole RFC 1918 172.16/12 and 192.168/16 blocks, not just the docker bridge
    # nets -- any host in those ranges that can reach this machine matches.
    # NOTE(review): confirm that breadth is intended.
    docker_ip_ranges: ["172.16.0.0/12", "192.168.0.0/16"]
    openldap_data: "{{ data_dir }}/openldap"
    # Hostname the directory is served under; also names its dehydrated cert dir.
    openldap_domain: "ldap.n39.eu"
    # Suffix / base DN bootstrapped into the container on first start.
    ldap_domain: "netz39.de"
    ldap_org: "Netz39 e.V."
    ldap_base_dn: "dc=netz39,dc=de"
    # Loopback port the entities validation container is published on.
    entities_validation_svc_host_port: 9001
roles:
  # role 'docker_setup' applied through group 'docker_host'
  - role: apache
  - role: apache_letsencrypt  # Uses configuration from dehydrated setup
  # External Galaxy role (namespace 24367dfa); obtains certificates via ACME.
  - role: 24367dfa.dehydrated
    vars:
      dehydrated_contact_email: "{{ server_admin }}"
      # Only this name is requested here.  openldap_domain is NOT in this list,
      # so nothing in this file issues a certificate for ldap.n39.eu even though
      # its cert directory is created and mounted into the container below.
      dehydrated_domains:
        - name: entities-validation.svc.n39.eu
  # External Galaxy role; installs the periodic renewal job.
  - role: penguineer.dehydrated_cron
tasks:
# - name: Setup dehydrated challenge endpoint for {{ openldap_domain }}
# include_role:
# name: setup-http-dehydrated
# vars:
# site_name: "{{ openldap_domain }}"
- name: Ensure openLDAP directories are present.
  # NOTE(review): 0755 is re-applied on every run, including to the directory
  # that will hold the slapd database and to the certificate directory.  If
  # private key material is expected to live under either, 0750 would be the
  # safer default once the uid the container reads them with is confirmed.
  # The openldap_domain cert directory is created here, but openldap_domain is
  # not among dehydrated_domains in this play, so nothing visible here fills it.
  ansible.builtin.file:
    path: "{{ item }}"
    state: directory
    mode: "0755"
  loop:
    - "{{ openldap_data }}/ldap"
    - "{{ openldap_data }}/slapd"
    - "{{ openldap_data }}/ldif"
    - "{{ dehydrated_certs_dir }}/{{ openldap_domain }}"
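- name: Ensure container for openLDAP is running.
  # LDAP_ADMIN_PASSWORD is passed as a module argument below; without no_log
  # it shows up in verbose play output, callback logs and the module diff.
  # (Anyone with docker socket access can still read it via `docker inspect`;
  # that is inherent to configuring this image through its environment.)
  # Trade-off: a failure of this task is reported without detail -- lift
  # no_log temporarily when debugging.
  no_log: true
  docker_container:
    name: openLDAP
    # NOTE(review): tag-pinned and re-pulled on every run (pull: true), so the
    # image can change underneath this play; pin a digest if that matters.
    image: osixia/openldap:1.5.0
    pull: true
    detach: true
    state: started
    restart_policy: unless-stopped
    container_default_behavior: no_defaults
    env:
      TZ: "{{ timezone }}"
      LDAP_LOG_LEVEL: "256"
      LDAP_ORGANISATION: "{{ ldap_org }}"
      LDAP_DOMAIN: "{{ ldap_domain }}"
      LDAP_BASE_DN: "{{ ldap_base_dn }}"
      LDAP_READONLY_USER: "false"
      LDAP_ADMIN_PASSWORD: "{{ ldap_admin_password }}"
      # NOTE(review): left unset, so the cn=config password is whatever the
      # image falls back to (its README documents a fixed default).  With 389
      # published on every interface it deserves a vault value like the admin
      # password; the variable referenced here does not exist in this play.
      # LDAP_CONFIG_PASSWORD: "{{ ldap_config_password }}"
      LDAP_RFC2307BIS_SCHEMA: "true"
      # GnuTLS priority string.  NOTE(review): SECURE256 alone does not exclude
      # TLS 1.0/1.1 on every GnuTLS release; append ":-VERS-TLS1.0:-VERS-TLS1.1"
      # once it is confirmed no client still needs them.
      LDAP_TLS_CIPHER_SUITE: "SECURE256:-VERS-SSL3.0"
      LDAP_REPLICATION: "no"
      KEEP_EXISTING_CONFIG: "false"
      LDAP_REMOVE_CONFIG_AFTER_SETUP: "true"
    # Both ports bind every host interface.  The ufw rules further down are
    # meant to limit sources to docker_ip_ranges; that only holds if docker's
    # own iptables rules for published ports do not accept the traffic first.
    published_ports:
      - "389:389"  # unencrypted/STARTTLS
      - "636:636"  # SSL
    volumes:
      - "{{ openldap_data }}/ldap:/var/lib/ldap"
      - "{{ openldap_data }}/slapd:/etc/ldap/slapd.d"
      # Certificate for openldap_domain; note it is not requested via
      # dehydrated_domains in this play (see roles above).
      - "{{ dehydrated_certs_dir }}/{{ openldap_domain }}:/container/service/slapd/assets/certs"
      # NOTE(review): nothing in this play creates custom-element.ldif; if the
      # file is missing docker bind-mounts an empty directory in its place.
      - "{{ openldap_data }}/ldif/custom-element.ldif:/container/service/slapd/assets/config/bootstrap/ldif/custom/01_netz39.ldif"
    timeout: 500
    # Entrypoint log level of the image; consider lowering once bootstrap is settled.
    command: "--copy-service --loglevel debug"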
- name: Ensure UFW is installed
  ansible.builtin.package:
    name: ufw
    state: present

# One rule per (port, source range) pair -- same four rules as before, in the
# same order: 389 for each range, then 636 for each range.  Play-level
# `become: true` already applies, so it is not repeated here.
- name: Allow access to openLDAP from local docker container
  # NOTE(review): docker installs its own iptables rules for published ports
  # (DOCKER-USER/FORWARD chains), which are evaluated before ufw's INPUT rules;
  # unless docker is run with iptables disabled or ufw is wired into
  # DOCKER-USER, these rules may not gate traffic to 389/636 at all.  Nothing
  # in this play enables ufw (`state: enabled`) either -- verify on the host.
  community.general.ufw:
    rule: allow
    proto: tcp
    port: "{{ item.0 }}"
    from: "{{ item.1 }}"
    comment: LDAP Docker Access
  loop: "{{ ['389', '636'] | product(docker_ip_ranges) | list }}"
- name: Ensure container for entities validation service is running
  docker_container:
    name: entities_validation_svc
    # Tag-pinned; pull: true refreshes the tag on every run.
    image: netz39/entities_validation_svc:v1.0.3
    pull: true
    state: started
    detach: true
    restart_policy: unless-stopped
    # Bound to loopback only; reached from outside via the apache proxy site.
    published_ports:
      - "127.0.0.1:{{ entities_validation_svc_host_port }}:8080"
    env:
      TZ: "{{ timezone }}"
# Apache vhost that terminates TLS for the public name and forwards to the
# loopback port published by the entities_validation_svc container.
- name: Setup proxy site entities-validation.svc.n39.eu
  ansible.builtin.include_role:
    name: setup_http_site_proxy
  vars:
    site_name: entities-validation.svc.n39.eu
    proxy_port: "{{ entities_validation_svc_host_port }}"
handlers: