Move LDAP from pottwal to krypton
This commit is contained in:
parent
5fe1256a5e
commit
142fd23720
2 changed files with 87 additions and 87 deletions
87
krypton.yml
87
krypton.yml
|
@ -7,6 +7,11 @@
|
||||||
|
|
||||||
data_dir: "/srv/data"
|
data_dir: "/srv/data"
|
||||||
|
|
||||||
|
openldap_image_version: 1.5.0
|
||||||
|
openldap_data: "{{ data_dir }}/openldap"
|
||||||
|
openldap_domain: "ldap.n39.eu"
|
||||||
|
ldap_org: "Netz39 e.V."
|
||||||
|
|
||||||
roles:
|
roles:
|
||||||
- role: docker_setup
|
- role: docker_setup
|
||||||
vars:
|
vars:
|
||||||
|
@ -14,4 +19,86 @@
|
||||||
|
|
||||||
tasks:
|
tasks:
|
||||||
|
|
||||||
|
# - name: Setup dehydrated challenge endpoint for {{ openldap_domain }}
|
||||||
|
# include_role:
|
||||||
|
# name: setup-http-dehydrated
|
||||||
|
# vars:
|
||||||
|
# site_name: "{{ openldap_domain }}"
|
||||||
|
|
||||||
|
- name: Ensure openLDAP directories are present.
|
||||||
|
file:
|
||||||
|
path: "{{ item }}"
|
||||||
|
state: directory
|
||||||
|
with_items:
|
||||||
|
- "{{ openldap_data }}/ldap"
|
||||||
|
- "{{ openldap_data }}/slapd"
|
||||||
|
- "{{ openldap_data }}/ldif"
|
||||||
|
# - "{{ dehydrated_certs_dir }}/certs/{{ openldap_domain }}"
|
||||||
|
|
||||||
|
- name: Ensure container for openLDAP is running.
|
||||||
|
docker_container:
|
||||||
|
name: openLDAP
|
||||||
|
image: "osixia/openldap:{{ openldap_image_version }}"
|
||||||
|
detach: yes
|
||||||
|
state: started
|
||||||
|
restart_policy: unless-stopped
|
||||||
|
container_default_behavior: no_defaults
|
||||||
|
pull: true
|
||||||
|
env:
|
||||||
|
LDAP_LOG_LEVEL: "256"
|
||||||
|
LDAP_ORGANISATION: "{{ldap_org}}"
|
||||||
|
LDAP_DOMAIN: "{{ldap_domain}}"
|
||||||
|
LDAP_BASE_DN: "{{ldap_base_dn}}"
|
||||||
|
LDAP_READONLY_USER: "false"
|
||||||
|
|
||||||
|
LDAP_ADMIN_PASSWORD: "{{ldap_admin_password}}"
|
||||||
|
LDAP_CONFIG_PASSWORD: "{{ldap_config_password}}"
|
||||||
|
|
||||||
|
LDAP_RFC2307BIS_SCHEMA: "true"
|
||||||
|
|
||||||
|
LDAP_TLS_CIPHER_SUITE: "SECURE256:-VERS-SSL3.0"
|
||||||
|
|
||||||
|
LDAP_REPLICATION: "{{ldap_replication_enable}}"
|
||||||
|
LDAP_REPLICATION_CONFIG_SYNCPROV: "{{ldap_replication_config_syncprov}}"
|
||||||
|
LDAP_REPLICATION_DB_SYNCPROV: "{{ldap_replication_db_syncprov}}"
|
||||||
|
LDAP_REPLICATION_HOSTS: "{{ldap_replication_hosts}}"
|
||||||
|
|
||||||
|
KEEP_EXISTING_CONFIG: "false"
|
||||||
|
LDAP_REMOVE_CONFIG_AFTER_SETUP: "true"
|
||||||
|
published_ports:
|
||||||
|
- "{{ldap_ip}}:389:389" # unencrypted/STARTTLS
|
||||||
|
- "{{ldap_ip}}:636:636" # SSL
|
||||||
|
volumes:
|
||||||
|
- "{{ openldap_data }}/ldap:/var/lib/ldap"
|
||||||
|
- "{{ openldap_data }}/slapd:/etc/ldap/slapd.d"
|
||||||
|
# - "{{ dehydrated_certs_dir }}/certs/{{ openldap_domain }}:/container/service/slapd/assets/certs"
|
||||||
|
- "{{ openldap_data }}/ldif/custom-element.ldif:/container/service/slapd/assets/config/bootstrap/ldif/custom/01_netz39.ldif"
|
||||||
|
timeout: 500
|
||||||
|
# For replication to work correctly, domainname and hostname must be
|
||||||
|
# set correctly so that "hostname"."domainname" equates to the
|
||||||
|
# fully-qualified domain name for the host.
|
||||||
|
domainname: "{{ldap_domainname}}"
|
||||||
|
hostname: "{{ldap_hostname}}"
|
||||||
|
command: "--copy-service --loglevel debug"
|
||||||
|
|
||||||
|
- name: Allow access to openLDAP from local docker container [1/2]
|
||||||
|
become: true
|
||||||
|
community.general.ufw:
|
||||||
|
rule: allow
|
||||||
|
port: '389'
|
||||||
|
proto: tcp
|
||||||
|
from: "{{ item }}"
|
||||||
|
comment: LDAP Docker Access
|
||||||
|
loop: "{{ docker_ip_ranges }}"
|
||||||
|
|
||||||
|
- name: Allow access to openLDAP from local docker container [2/2]
|
||||||
|
become: true
|
||||||
|
community.general.ufw:
|
||||||
|
rule: allow
|
||||||
|
port: '636'
|
||||||
|
proto: tcp
|
||||||
|
from: "{{ item }}"
|
||||||
|
comment: LDAP Docker Access
|
||||||
|
loop: "{{ docker_ip_ranges }}"
|
||||||
|
|
||||||
handlers:
|
handlers:
|
||||||
|
|
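Review bot: The `docker_container` task for openLDAP passes `ldap_admin_password` and `ldap_config_password` through `env` without `no_log: true`, so a failed run (or any `-v` run) prints both secrets in the task result; add `no_log: true` to that task. Those values also stay readable via `docker inspect` for anyone with Docker socket access on the new host, which is worth keeping in mind now that the service moves to krypton. The dehydrated certificate tasks and the certs volume were carried over still commented out, so slapd on krypton will presumably serve whatever certificate the image ships or generates on its own — confirm what `{{ldap_ip}}:636` actually presents before pointing clients at it, and decide whether `LDAP_LOG_LEVEL: "256"` together with `--loglevel debug` should remain on after the migration. The directory task creates `{{ openldap_data }}/ldif`, but nothing in this play places `custom-element.ldif` there, so on a fresh host that bind mount either fails or gets an empty directory in its place — check that the file is provisioned by another play. The play's `handlers:` section continues outside the hunk.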
87
pottwal.yml
87
pottwal.yml
|
@ -23,12 +23,6 @@
|
||||||
hedgedoc_host_port: 8084
|
hedgedoc_host_port: 8084
|
||||||
hedgedoc_image: quay.io/hedgedoc/hedgedoc:1.9.3
|
hedgedoc_image: quay.io/hedgedoc/hedgedoc:1.9.3
|
||||||
|
|
||||||
openldap_image_version: 1.5.0
|
|
||||||
openldap_data: "{{ data_dir }}/openldap"
|
|
||||||
openldap_domain: "ldap.n39.eu"
|
|
||||||
ldap_org: "Netz39 e.V."
|
|
||||||
|
|
||||||
|
|
||||||
roles:
|
roles:
|
||||||
- role: docker_setup
|
- role: docker_setup
|
||||||
vars:
|
vars:
|
||||||
|
@ -267,86 +261,5 @@
|
||||||
site_name: pad.n39.eu
|
site_name: pad.n39.eu
|
||||||
proxy_port: "{{ hedgedoc_host_port }}"
|
proxy_port: "{{ hedgedoc_host_port }}"
|
||||||
|
|
||||||
# - name: Setup dehydrated challenge endpoint for {{ openldap_domain }}
|
|
||||||
# include_role:
|
|
||||||
# name: setup-http-dehydrated
|
|
||||||
# vars:
|
|
||||||
# site_name: "{{ openldap_domain }}"
|
|
||||||
|
|
||||||
- name: Ensure openLDAP directories are present.
|
|
||||||
file:
|
|
||||||
path: "{{ item }}"
|
|
||||||
state: directory
|
|
||||||
with_items:
|
|
||||||
- "{{ openldap_data }}/ldap"
|
|
||||||
- "{{ openldap_data }}/slapd"
|
|
||||||
- "{{ openldap_data }}/ldif"
|
|
||||||
# - "{{ dehydrated_certs_dir }}/certs/{{ openldap_domain }}"
|
|
||||||
|
|
||||||
- name: Ensure container for openLDAP is running.
|
|
||||||
docker_container:
|
|
||||||
name: openLDAP
|
|
||||||
image: "osixia/openldap:{{ openldap_image_version }}"
|
|
||||||
detach: yes
|
|
||||||
state: started
|
|
||||||
restart_policy: unless-stopped
|
|
||||||
container_default_behavior: no_defaults
|
|
||||||
pull: true
|
|
||||||
env:
|
|
||||||
LDAP_LOG_LEVEL: "256"
|
|
||||||
LDAP_ORGANISATION: "{{ldap_org}}"
|
|
||||||
LDAP_DOMAIN: "{{ldap_domain}}"
|
|
||||||
LDAP_BASE_DN: "{{ldap_base_dn}}"
|
|
||||||
LDAP_READONLY_USER: "false"
|
|
||||||
|
|
||||||
LDAP_ADMIN_PASSWORD: "{{ldap_admin_password}}"
|
|
||||||
LDAP_CONFIG_PASSWORD: "{{ldap_config_password}}"
|
|
||||||
|
|
||||||
LDAP_RFC2307BIS_SCHEMA: "true"
|
|
||||||
|
|
||||||
LDAP_TLS_CIPHER_SUITE: "SECURE256:-VERS-SSL3.0"
|
|
||||||
|
|
||||||
LDAP_REPLICATION: "{{ldap_replication_enable}}"
|
|
||||||
LDAP_REPLICATION_CONFIG_SYNCPROV: "{{ldap_replication_config_syncprov}}"
|
|
||||||
LDAP_REPLICATION_DB_SYNCPROV: "{{ldap_replication_db_syncprov}}"
|
|
||||||
LDAP_REPLICATION_HOSTS: "{{ldap_replication_hosts}}"
|
|
||||||
|
|
||||||
KEEP_EXISTING_CONFIG: "false"
|
|
||||||
LDAP_REMOVE_CONFIG_AFTER_SETUP: "true"
|
|
||||||
published_ports:
|
|
||||||
- "{{ldap_ip}}:389:389" # unencrypted/STARTTLS
|
|
||||||
- "{{ldap_ip}}:636:636" # SSL
|
|
||||||
volumes:
|
|
||||||
- "{{ openldap_data }}/ldap:/var/lib/ldap"
|
|
||||||
- "{{ openldap_data }}/slapd:/etc/ldap/slapd.d"
|
|
||||||
# - "{{ dehydrated_certs_dir }}/certs/{{ openldap_domain }}:/container/service/slapd/assets/certs"
|
|
||||||
- "{{ openldap_data }}/ldif/custom-element.ldif:/container/service/slapd/assets/config/bootstrap/ldif/custom/01_netz39.ldif"
|
|
||||||
timeout: 500
|
|
||||||
# For replication to work correctly, domainname and hostname must be
|
|
||||||
# set correctly so that "hostname"."domainname" equates to the
|
|
||||||
# fully-qualified domain name for the host.
|
|
||||||
domainname: "{{ldap_domainname}}"
|
|
||||||
hostname: "{{ldap_hostname}}"
|
|
||||||
command: "--copy-service --loglevel debug"
|
|
||||||
|
|
||||||
- name: Allow access to openLDAP from local docker container [1/2]
|
|
||||||
become: true
|
|
||||||
community.general.ufw:
|
|
||||||
rule: allow
|
|
||||||
port: '389'
|
|
||||||
proto: tcp
|
|
||||||
from: "{{ item }}"
|
|
||||||
comment: LDAP Docker Access
|
|
||||||
loop: "{{ docker_ip_ranges }}"
|
|
||||||
|
|
||||||
- name: Allow access to openLDAP from local docker container [2/2]
|
|
||||||
become: true
|
|
||||||
community.general.ufw:
|
|
||||||
rule: allow
|
|
||||||
port: '636'
|
|
||||||
proto: tcp
|
|
||||||
from: "{{ item }}"
|
|
||||||
comment: LDAP Docker Access
|
|
||||||
loop: "{{ docker_ip_ranges }}"
|
|
||||||
|
|
||||||
handlers:
|
handlers:
|
||||||
|
|