diff --git a/krypton.yml b/krypton.yml
index e3e2c10..d70f2db 100644
--- a/krypton.yml
+++ b/krypton.yml
@@ -7,6 +7,11 @@ data_dir: "/srv/data"
+ openldap_image_version: 1.5.0
+ openldap_data: "{{ data_dir }}/openldap"
+ openldap_domain: "ldap.n39.eu"
+ ldap_org: "Netz39 e.V."
+ roles: - role: docker_setup vars:
@@ -14,4 +19,86 @@ tasks:
+ # - name: Setup dehydrated challenge endpoint for {{ openldap_domain }}
+ # include_role:
+ # name: setup-http-dehydrated
+ # vars:
+ # site_name: "{{ openldap_domain }}"
+
+ - name: Ensure openLDAP directories are present.
+ file:
+ path: "{{ item }}"
+ state: directory
+ with_items:
+ - "{{ openldap_data }}/ldap"
+ - "{{ openldap_data }}/slapd"
+ - "{{ openldap_data }}/ldif"
+ # - "{{ dehydrated_certs_dir }}/certs/{{ openldap_domain }}"
+
+ - name: Ensure container for openLDAP is running.
+ docker_container:
+ name: openLDAP
+ image: "osixia/openldap:{{ openldap_image_version }}"
+ detach: yes
+ state: started
+ restart_policy: unless-stopped
+ container_default_behavior: no_defaults
+ pull: true
+ env:
+ LDAP_LOG_LEVEL: "256"
+ LDAP_ORGANISATION: "{{ldap_org}}"
+ LDAP_DOMAIN: "{{ldap_domain}}"
+ LDAP_BASE_DN: "{{ldap_base_dn}}"
+ LDAP_READONLY_USER: "false"
+
+ LDAP_ADMIN_PASSWORD: "{{ldap_admin_password}}"
+ LDAP_CONFIG_PASSWORD: "{{ldap_config_password}}"
+
+ LDAP_RFC2307BIS_SCHEMA: "true"
+
+ LDAP_TLS_CIPHER_SUITE: "SECURE256:-VERS-SSL3.0"
+
+ LDAP_REPLICATION: "{{ldap_replication_enable}}"
+ LDAP_REPLICATION_CONFIG_SYNCPROV: "{{ldap_replication_config_syncprov}}"
+ LDAP_REPLICATION_DB_SYNCPROV: "{{ldap_replication_db_syncprov}}"
+ LDAP_REPLICATION_HOSTS: "{{ldap_replication_hosts}}"
+
+ KEEP_EXISTING_CONFIG: "false"
+ LDAP_REMOVE_CONFIG_AFTER_SETUP: "true"
+ published_ports:
+ - "{{ldap_ip}}:389:389" # unencrypted/STARTTLS
+ - "{{ldap_ip}}:636:636" # SSL
+ volumes:
+ - "{{ openldap_data }}/ldap:/var/lib/ldap"
+ - "{{ openldap_data }}/slapd:/etc/ldap/slapd.d"
+ # - "{{ dehydrated_certs_dir }}/certs/{{ openldap_domain }}:/container/service/slapd/assets/certs"
+ - "{{ openldap_data }}/ldif/custom-element.ldif:/container/service/slapd/assets/config/bootstrap/ldif/custom/01_netz39.ldif"
+ timeout: 500
+ # For replication to work correctly, domainname and hostname must be
+ # set correctly so that "hostname"."domainname" equates to the
+ # fully-qualified domain name for the host.
+ domainname: "{{ldap_domainname}}"
+ hostname: "{{ldap_hostname}}"
+ command: "--copy-service --loglevel debug"
+
+ - name: Allow access to openLDAP from local docker container [1/2]
+ become: true
+ community.general.ufw:
+ rule: allow
+ port: '389'
+ proto: tcp
+ from: "{{ item }}"
+ comment: LDAP Docker Access
+ loop: "{{ docker_ip_ranges }}"
+
+ - name: Allow access to openLDAP from local docker container [2/2]
+ become: true
+ community.general.ufw:
+ rule: allow
+ port: '636'
+ proto: tcp
+ from: "{{ item }}"
+ comment: LDAP Docker Access
+ loop: "{{ docker_ip_ranges }}"
+ handlers:
diff --git a/pottwal.yml b/pottwal.yml
index c71e11f..c30cea2 100644
--- a/pottwal.yml
+++ b/pottwal.yml
@@ -23,12 +23,6 @@ hedgedoc_host_port: 8084 hedgedoc_image: quay.io/hedgedoc/hedgedoc:1.9.3
- openldap_image_version: 1.5.0
- openldap_data: "{{ data_dir }}/openldap"
- openldap_domain: "ldap.n39.eu"
- ldap_org: "Netz39 e.V."
-
- roles: - role: docker_setup vars:
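Review bot: The `docker_container` task passes `LDAP_ADMIN_PASSWORD` and `LDAP_CONFIG_PASSWORD` through `env` but carries no `no_log: true`, so a failed run or a `-v` invocation prints both secrets in the task result; add `no_log: true` beside `docker_container:` (the same values stay readable afterwards via `docker inspect openLDAP` for anyone in the docker group, which is inherent to this image's env-based bootstrap and deserves a comment). Port 389 is published on `{{ldap_ip}}` and opened in ufw for `docker_ip_ranges` with no `LDAP_TLS_ENFORCE` set, so simple binds — including the admin bind — can travel in cleartext; the certificate mount is commented out, so whatever TLS 636 offers presumably comes from a certificate the image generates itself — confirm that before relying on it or before adding `LDAP_TLS_ENFORCE: "true"`. `--loglevel debug` on the container command and `LDAP_LOG_LEVEL: "256"` are reasonable for bring-up but should be reduced before this is treated as steady state, and `detach: yes` should be `detach: true` to match the `true`/`false` used elsewhere in the task.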
@@ -267,86 +261,5 @@ site_name: pad.n39.eu proxy_port: "{{ hedgedoc_host_port }}"
- # - name: Setup dehydrated challenge endpoint for {{ openldap_domain }}
- # include_role:
- # name: setup-http-dehydrated
- # vars:
- # site_name: "{{ openldap_domain }}"
-
- - name: Ensure openLDAP directories are present.
- file:
- path: "{{ item }}"
- state: directory
- with_items:
- - "{{ openldap_data }}/ldap"
- - "{{ openldap_data }}/slapd"
- - "{{ openldap_data }}/ldif"
- # - "{{ dehydrated_certs_dir }}/certs/{{ openldap_domain }}"
-
- - name: Ensure container for openLDAP is running.
- docker_container:
- name: openLDAP
- image: "osixia/openldap:{{ openldap_image_version }}"
- detach: yes
- state: started
- restart_policy: unless-stopped
- container_default_behavior: no_defaults
- pull: true
- env:
- LDAP_LOG_LEVEL: "256"
- LDAP_ORGANISATION: "{{ldap_org}}"
- LDAP_DOMAIN: "{{ldap_domain}}"
- LDAP_BASE_DN: "{{ldap_base_dn}}"
- LDAP_READONLY_USER: "false"
-
- LDAP_ADMIN_PASSWORD: "{{ldap_admin_password}}"
- LDAP_CONFIG_PASSWORD: "{{ldap_config_password}}"
-
- LDAP_RFC2307BIS_SCHEMA: "true"
-
- LDAP_TLS_CIPHER_SUITE: "SECURE256:-VERS-SSL3.0"
-
- LDAP_REPLICATION: "{{ldap_replication_enable}}"
- LDAP_REPLICATION_CONFIG_SYNCPROV: "{{ldap_replication_config_syncprov}}"
- LDAP_REPLICATION_DB_SYNCPROV: "{{ldap_replication_db_syncprov}}"
- LDAP_REPLICATION_HOSTS: "{{ldap_replication_hosts}}"
-
- KEEP_EXISTING_CONFIG: "false"
- LDAP_REMOVE_CONFIG_AFTER_SETUP: "true"
- published_ports:
- - "{{ldap_ip}}:389:389" # unencrypted/STARTTLS
- - "{{ldap_ip}}:636:636" # SSL
- volumes:
- - "{{ openldap_data }}/ldap:/var/lib/ldap"
- - "{{ openldap_data }}/slapd:/etc/ldap/slapd.d"
- # - "{{ dehydrated_certs_dir }}/certs/{{ openldap_domain }}:/container/service/slapd/assets/certs"
- - "{{ openldap_data }}/ldif/custom-element.ldif:/container/service/slapd/assets/config/bootstrap/ldif/custom/01_netz39.ldif"
- timeout: 500
- # For replication to work correctly, domainname and hostname must be
- # set
correctly so that "hostname"."domainname" equates to the
- # fully-qualified domain name for the host.
- domainname: "{{ldap_domainname}}"
- hostname: "{{ldap_hostname}}"
- command: "--copy-service --loglevel debug"
-
- - name: Allow access to openLDAP from local docker container [1/2]
- become: true
- community.general.ufw:
- rule: allow
- port: '389'
- proto: tcp
- from: "{{ item }}"
- comment: LDAP Docker Access
- loop: "{{ docker_ip_ranges }}"
-
- - name: Allow access to openLDAP from local docker container [2/2]
- become: true
- community.general.ufw:
- rule: allow
- port: '636'
- proto: tcp
- from: "{{ item }}"
- comment: LDAP Docker Access
- loop: "{{ docker_ip_ranges }}"
handlers: