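---
- hosts: krypton.n39.eu
  become: true
  vars:
    ansible_python_interpreter: /usr/bin/python3
    data_dir: "/srv/data"
    dehydrated_certs_dir: "/usr/local/etc/dehydrated"
    # Source ranges the UFW tasks below admit to the LDAP ports.
    # NOTE(review): these are the full RFC 1918 172.16/12 and 192.168/16
    # blocks, not only the Docker bridge subnets — any host in those ranges
    # that can reach this machine is admitted. Confirm this scope is intended.
    docker_ip_ranges: ["172.16.0.0/12", "192.168.0.0/16"]
    # Quoted on purpose: version-looking scalars must not reach the YAML
    # parser unquoted (a two-component tag such as 1.5 would become a float).
    openldap_image_version: "1.5.0"
    openldap_data: "{{ data_dir }}/openldap"
    openldap_domain: "ldap.n39.eu"
    ldap_domain: "netz39.de"
    ldap_org: "Netz39 e.V."
    ldap_base_dn: "dc=netz39,dc=de"
    # NOTE(review): ldap_admin_password (consumed by the container task) is
    # not defined here; presumably it comes from an encrypted vars source —
    # confirm, and keep it out of plain-text vars.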
roles:
  - role: docker_setup
    vars:
      docker_data_root: '/srv/docker'
  - role: apache
  # Relies on the certificate configuration produced by the dehydrated setup.
  - role: apache-letsencrypt
  - role: ansible-role-dehydrated
    vars:
      # NOTE(review): server_admin is not defined in this play's vars —
      # presumably inventory/group vars; confirm.
      dehydrated_contact_email: '{{ server_admin }}'
      # NOTE(review): no domains are listed (the value is null). Either the
      # role is fed from elsewhere or it is meant to stay idle until the
      # commented-out challenge-endpoint task is enabled — confirm against
      # the role's expected shape for dehydrated_domains.
      dehydrated_domains: null
  - role: penguineer.dehydrated_cron
tasks:
  # - name: Setup dehydrated challenge endpoint for {{ openldap_domain }}
  #   include_role:
  #     name: setup-http-dehydrated
  #   vars:
  #     site_name: "{{ openldap_domain }}"
  - name: Ensure openLDAP directories are present.
    # No owner/mode is given, so the file module's defaults apply. The last
    # entry is the certificate directory that the container task bind-mounts
    # into the image's TLS asset path.
    ansible.builtin.file:
      path: '{{ item }}'
      state: directory
    loop:
      - '{{ openldap_data }}/ldap'
      - '{{ openldap_data }}/slapd'
      - '{{ openldap_data }}/ldif'
      - '{{ dehydrated_certs_dir }}/certs/{{ openldap_domain }}'
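- name: Ensure container for openLDAP is running.
  # The env block carries the admin password; no_log keeps it out of task
  # output and logs. It also hides module error detail, so lift it
  # temporarily when debugging this task.
  no_log: true
  community.docker.docker_container:
    name: openLDAP
    # NOTE(review): a tag is mutable; pinning by digest would make the pulled
    # image reproducible — confirm whether that is wanted here.
    image: "osixia/openldap:{{ openldap_image_version }}"
    detach: true
    state: started
    restart_policy: unless-stopped
    container_default_behavior: no_defaults
    # Re-pulls the tag on every run.
    pull: true
    env:
      LDAP_LOG_LEVEL: "256"
      LDAP_ORGANISATION: "{{ ldap_org }}"
      LDAP_DOMAIN: "{{ ldap_domain }}"
      LDAP_BASE_DN: "{{ ldap_base_dn }}"
      LDAP_READONLY_USER: "false"
      LDAP_ADMIN_PASSWORD: "{{ ldap_admin_password }}"
      # NOTE(review): left unset, so the image's built-in default for the
      # config password applies — confirm this is intended.
      # LDAP_CONFIG_PASSWORD: "{{ ldap_config_password }}"
      LDAP_RFC2307BIS_SCHEMA: "true"
      # GnuTLS priority string; it only excludes SSLv3 explicitly. Whether
      # TLS 1.0/1.1 remain enabled depends on the GnuTLS build in the image —
      # verify with an external TLS check; "-VERS-TLS1.0:-VERS-TLS1.1" would
      # exclude them explicitly.
      LDAP_TLS_CIPHER_SUITE: "SECURE256:-VERS-SSL3.0"
      LDAP_REPLICATION: "no"
      KEEP_EXISTING_CONFIG: "false"
      LDAP_REMOVE_CONFIG_AFTER_SETUP: "true"
    # Both ports bind on all host interfaces; see the UFW tasks below for
    # the intended source restriction.
    published_ports:
      - "389:389"  # plain LDAP / STARTTLS
      - "636:636"  # LDAPS
    volumes:
      - "{{ openldap_data }}/ldap:/var/lib/ldap"
      - "{{ openldap_data }}/slapd:/etc/ldap/slapd.d"
      - "{{ dehydrated_certs_dir }}/certs/{{ openldap_domain }}:/container/service/slapd/assets/certs"
      # NOTE(review): nothing in this play places custom-element.ldif (only
      # the ldif directory is created). If the host path is missing, Docker
      # creates an empty directory there, which is unlikely to be what the
      # bootstrap expects — confirm the file is provisioned elsewhere.
      - "{{ openldap_data }}/ldif/custom-element.ldif:/container/service/slapd/assets/config/bootstrap/ldif/custom/01_netz39.ldif"
    timeout: 500
    # --loglevel debug is verbose; presumably a bring-up setting rather than
    # steady-state — confirm.
    command: "--copy-service --loglevel debug"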
- name: Ensure UFW is installed
  # Backend for the community.general.ufw rules added below.
  ansible.builtin.package:
    state: present
    name: ufw
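- name: Allow access to openLDAP from local docker container [1/2]
  # Play-level become: true already applies; the task-level repeat was
  # redundant and has been dropped.
  # NOTE(review): this is a host-firewall allow entry. Docker installs its
  # own iptables chains for published ports, so verify on the host that UFW
  # actually gates 389 for the container rather than assuming it.
  community.general.ufw:
    rule: allow
    port: "389"
    proto: tcp
    from: "{{ item }}"
    comment: "LDAP Docker Access"
  loop: "{{ docker_ip_ranges }}"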
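- name: Allow access to openLDAP from local docker container [2/2]
  # Play-level become: true already applies; the task-level repeat was
  # redundant and has been dropped.
  # NOTE(review): as with the 389 rule above, confirm on the host that this
  # UFW entry is what governs reachability of the container's published
  # port, given Docker's own iptables handling.
  community.general.ufw:
    rule: allow
    port: "636"
    proto: tcp
    from: "{{ item }}"
    comment: "LDAP Docker Access"
  loop: "{{ docker_ip_ranges }}"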
handlers: