2022-06-29 23:55:22 +02:00
|
|
|
---
|
|
|
|
- hosts: krypton.n39.eu
|
|
|
|
become: true
|
|
|
|
|
|
|
|
vars:
|
|
|
|
ansible_python_interpreter: /usr/bin/python3
|
|
|
|
|
|
|
|
data_dir: "/srv/data"
|
|
|
|
|
2022-07-05 20:52:03 +02:00
|
|
|
dehydrated_certs_dir: "/usr/local/etc/dehydrated"
|
|
|
|
|
|
|
|
docker_ip_ranges: ["172.16.0.0/12", "192.168.0.0/16"]
|
|
|
|
|
2022-07-05 20:37:07 +02:00
|
|
|
openldap_image_version: 1.5.0
|
|
|
|
openldap_data: "{{ data_dir }}/openldap"
|
|
|
|
openldap_domain: "ldap.n39.eu"
|
2022-07-05 20:52:03 +02:00
|
|
|
ldap_domain: "netz39.de"
|
2022-07-05 20:37:07 +02:00
|
|
|
ldap_org: "Netz39 e.V."
|
2022-07-05 20:52:03 +02:00
|
|
|
ldap_base_dn: "dc=netz39,dc=de"
|
2022-07-05 20:37:07 +02:00
|
|
|
|
2022-06-29 23:55:22 +02:00
|
|
|
roles:
|
|
|
|
- role: docker_setup
|
|
|
|
vars:
|
|
|
|
docker_data_root: "/srv/docker"
|
2022-09-06 20:13:40 +02:00
|
|
|
- role: apache
|
|
|
|
- role: apache-letsencrypt # Uses configuration from dehydrated setup
|
|
|
|
- role: ansible-role-dehydrated
|
|
|
|
vars:
|
|
|
|
dehydrated_contact_email: "{{ server_admin }}"
|
|
|
|
dehydrated_domains:
|
|
|
|
- role: penguineer.dehydrated_cron
|
2022-06-29 23:55:22 +02:00
|
|
|
|
|
|
|
tasks:
|
|
|
|
|
2022-07-05 20:37:07 +02:00
|
|
|
# - name: Setup dehydrated challenge endpoint for {{ openldap_domain }}
|
|
|
|
# include_role:
|
|
|
|
# name: setup-http-dehydrated
|
|
|
|
# vars:
|
|
|
|
# site_name: "{{ openldap_domain }}"
|
|
|
|
|
|
|
|
- name: Ensure openLDAP directories are present.
|
|
|
|
file:
|
|
|
|
path: "{{ item }}"
|
|
|
|
state: directory
|
|
|
|
with_items:
|
|
|
|
- "{{ openldap_data }}/ldap"
|
|
|
|
- "{{ openldap_data }}/slapd"
|
|
|
|
- "{{ openldap_data }}/ldif"
|
2022-07-05 20:49:34 +02:00
|
|
|
- "{{ dehydrated_certs_dir }}/certs/{{ openldap_domain }}"
|
2022-07-05 20:37:07 +02:00
|
|
|
|
|
|
|
- name: Ensure container for openLDAP is running.
|
|
|
|
docker_container:
|
|
|
|
name: openLDAP
|
|
|
|
image: "osixia/openldap:{{ openldap_image_version }}"
|
|
|
|
detach: yes
|
|
|
|
state: started
|
|
|
|
restart_policy: unless-stopped
|
|
|
|
container_default_behavior: no_defaults
|
|
|
|
pull: true
|
|
|
|
env:
|
|
|
|
LDAP_LOG_LEVEL: "256"
|
|
|
|
LDAP_ORGANISATION: "{{ldap_org}}"
|
|
|
|
LDAP_DOMAIN: "{{ldap_domain}}"
|
|
|
|
LDAP_BASE_DN: "{{ldap_base_dn}}"
|
|
|
|
LDAP_READONLY_USER: "false"
|
|
|
|
|
|
|
|
LDAP_ADMIN_PASSWORD: "{{ldap_admin_password}}"
|
2022-07-05 20:52:03 +02:00
|
|
|
# LDAP_CONFIG_PASSWORD: "{{ldap_config_password}}"
|
2022-07-05 20:37:07 +02:00
|
|
|
|
|
|
|
LDAP_RFC2307BIS_SCHEMA: "true"
|
|
|
|
|
|
|
|
LDAP_TLS_CIPHER_SUITE: "SECURE256:-VERS-SSL3.0"
|
|
|
|
|
2022-07-05 20:52:03 +02:00
|
|
|
LDAP_REPLICATION: "no"
|
2022-07-05 20:37:07 +02:00
|
|
|
|
|
|
|
KEEP_EXISTING_CONFIG: "false"
|
|
|
|
LDAP_REMOVE_CONFIG_AFTER_SETUP: "true"
|
|
|
|
published_ports:
|
2022-07-05 20:52:03 +02:00
|
|
|
- "389:389" # unencrypted/STARTTLS
|
|
|
|
- "636:636" # SSL
|
2022-07-05 20:37:07 +02:00
|
|
|
volumes:
|
|
|
|
- "{{ openldap_data }}/ldap:/var/lib/ldap"
|
|
|
|
- "{{ openldap_data }}/slapd:/etc/ldap/slapd.d"
|
2022-07-05 20:49:34 +02:00
|
|
|
- "{{ dehydrated_certs_dir }}/certs/{{ openldap_domain }}:/container/service/slapd/assets/certs"
|
2022-07-05 20:37:07 +02:00
|
|
|
- "{{ openldap_data }}/ldif/custom-element.ldif:/container/service/slapd/assets/config/bootstrap/ldif/custom/01_netz39.ldif"
|
|
|
|
timeout: 500
|
|
|
|
command: "--copy-service --loglevel debug"
|
|
|
|
|
2022-07-05 20:52:03 +02:00
|
|
|
- name: Ensure UFW is installed
|
|
|
|
ansible.builtin.package:
|
|
|
|
name: ufw
|
|
|
|
state: present
|
|
|
|
|
2022-07-05 20:37:07 +02:00
|
|
|
- name: Allow access to openLDAP from local docker container [1/2]
|
|
|
|
become: true
|
|
|
|
community.general.ufw:
|
|
|
|
rule: allow
|
|
|
|
port: '389'
|
|
|
|
proto: tcp
|
|
|
|
from: "{{ item }}"
|
|
|
|
comment: LDAP Docker Access
|
|
|
|
loop: "{{ docker_ip_ranges }}"
|
|
|
|
|
|
|
|
- name: Allow access to openLDAP from local docker container [2/2]
|
|
|
|
become: true
|
|
|
|
community.general.ufw:
|
|
|
|
rule: allow
|
|
|
|
port: '636'
|
|
|
|
proto: tcp
|
|
|
|
from: "{{ item }}"
|
|
|
|
comment: LDAP Docker Access
|
|
|
|
loop: "{{ docker_ip_ranges }}"
|
|
|
|
|
2022-06-29 23:55:22 +02:00
|
|
|
handlers:
|