Merge pull request 'Move LDAP from pottwal to krypton' (!47) from ldap-krypton into master

Reviewed-on: https://gitea.n39.eu/Netz39_Admin/netz39-infra-ansible/pulls/47
Stefan Haun 2022-07-07 09:49:20 +00:00
commit 6ac66b6894
3 changed files with 97 additions and 94 deletions


@ -83,13 +83,6 @@ all:
38656238663565386631306263333166633064313762343139373735626439666665356530383363 38656238663565386631306263333166633064313762343139373735626439666665356530383363
3134373261386435310a626461376537643937643838636638313033383463356663396464643361 3134373261386435310a626461376537643937643838636638313033383463356663396464643361
36333766383139376331336633646633396430323663366636616431643134666536 36333766383139376331336633646633396430323663366636616431643134666536
ldap_admin_password: !vault |
$ANSIBLE_VAULT;1.1;AES256
30646262643765616236666665363366353934333264343064383265316162333033653839396466
3262306131373461323032363234323161613431613133360a396531343438313165666163646363
65333334666132313834663839626431373339646631366261316139333233666566383131353035
3765613264626637660a343562363166313535613964336261356530353732333965313830653865
39373837643837663630333765306463616234363535613666333862396632643961
unicorn.n39.eu: unicorn.n39.eu:
server_admin: "admin+unicorn@netz39.de" server_admin: "admin+unicorn@netz39.de"
platon.n39.eu: platon.n39.eu:
@ -99,3 +92,10 @@ all:
server_admin: "admin+radon@netz39.de" server_admin: "admin+radon@netz39.de"
krypton.n39.eu: krypton.n39.eu:
server_admin: "admin+krypton@netz39.de" server_admin: "admin+krypton@netz39.de"
ldap_admin_password: !vault |
$ANSIBLE_VAULT;1.1;AES256
30646262643765616236666665363366353934333264343064383265316162333033653839396466
3262306131373461323032363234323161613431613133360a396531343438313165666163646363
65333334666132313834663839626431373339646631366261316139333233666566383131353035
3765613264626637660a343562363166313535613964336261356530353732333965313830653865
39373837643837663630333765306463616234363535613666333862396632643961
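Review bot: The `ldap_admin_password` vault blob added under `krypton.n39.eu` is byte-for-byte the ciphertext removed from the pottwal host in the first hunk, so the LDAP admin credential is carried over unchanged rather than rotated with the move; the old host's data volume (which holds the rootpw in `slapd.d`) keeps the same secret until pottwal is cleaned up, so generating a new password and vaulting it for krypton would be the safer migration. Only the admin password moves here: the pottwal play also consumed an `{{ldap_config_password}}` variable, but no `ldap_config_password` entry is added under krypton in this hunk and the krypton play has that env var commented out; if the variable lives in group vars rather than this host block, add it for krypton so the cn=config password is set explicitly. A short comment above the entry, such as `# rotated on migration to krypton, YYYY-MM-DD`, would make the rotation state visible to the next person touching this inventory.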


@ -7,6 +7,17 @@
data_dir: "/srv/data" data_dir: "/srv/data"
dehydrated_certs_dir: "/usr/local/etc/dehydrated"
docker_ip_ranges: ["172.16.0.0/12", "192.168.0.0/16"]
openldap_image_version: 1.5.0
openldap_data: "{{ data_dir }}/openldap"
openldap_domain: "ldap.n39.eu"
ldap_domain: "netz39.de"
ldap_org: "Netz39 e.V."
ldap_base_dn: "dc=netz39,dc=de"
roles: roles:
- role: docker_setup - role: docker_setup
vars: vars:
@ -14,4 +25,83 @@
tasks: tasks:
# - name: Setup dehydrated challenge endpoint for {{ openldap_domain }}
# include_role:
# name: setup-http-dehydrated
# vars:
# site_name: "{{ openldap_domain }}"
- name: Ensure openLDAP directories are present.
file:
path: "{{ item }}"
state: directory
with_items:
- "{{ openldap_data }}/ldap"
- "{{ openldap_data }}/slapd"
- "{{ openldap_data }}/ldif"
- "{{ dehydrated_certs_dir }}/certs/{{ openldap_domain }}"
- name: Ensure container for openLDAP is running.
docker_container:
name: openLDAP
image: "osixia/openldap:{{ openldap_image_version }}"
detach: yes
state: started
restart_policy: unless-stopped
container_default_behavior: no_defaults
pull: true
env:
LDAP_LOG_LEVEL: "256"
LDAP_ORGANISATION: "{{ldap_org}}"
LDAP_DOMAIN: "{{ldap_domain}}"
LDAP_BASE_DN: "{{ldap_base_dn}}"
LDAP_READONLY_USER: "false"
LDAP_ADMIN_PASSWORD: "{{ldap_admin_password}}"
# LDAP_CONFIG_PASSWORD: "{{ldap_config_password}}"
LDAP_RFC2307BIS_SCHEMA: "true"
LDAP_TLS_CIPHER_SUITE: "SECURE256:-VERS-SSL3.0"
LDAP_REPLICATION: "no"
KEEP_EXISTING_CONFIG: "false"
LDAP_REMOVE_CONFIG_AFTER_SETUP: "true"
published_ports:
- "389:389" # unencrypted/STARTTLS
- "636:636" # SSL
volumes:
- "{{ openldap_data }}/ldap:/var/lib/ldap"
- "{{ openldap_data }}/slapd:/etc/ldap/slapd.d"
- "{{ dehydrated_certs_dir }}/certs/{{ openldap_domain }}:/container/service/slapd/assets/certs"
- "{{ openldap_data }}/ldif/custom-element.ldif:/container/service/slapd/assets/config/bootstrap/ldif/custom/01_netz39.ldif"
timeout: 500
command: "--copy-service --loglevel debug"
- name: Ensure UFW is installed
ansible.builtin.package:
name: ufw
state: present
- name: Allow access to openLDAP from local docker container [1/2]
become: true
community.general.ufw:
rule: allow
port: '389'
proto: tcp
from: "{{ item }}"
comment: LDAP Docker Access
loop: "{{ docker_ip_ranges }}"
- name: Allow access to openLDAP from local docker container [2/2]
become: true
community.general.ufw:
rule: allow
port: '636'
proto: tcp
from: "{{ item }}"
comment: LDAP Docker Access
loop: "{{ docker_ip_ranges }}"
handlers: handlers:
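Review bot: `published_ports` at the `- "389:389"` / `- "636:636"` lines drops the `{{ldap_ip}}:` host prefix that the pottwal version of this task used, so Docker will bind both ports on every interface of krypton, and the UFW allow rules added below do not constrain that: Docker inserts its own iptables rules ahead of UFW's input chain, so published ports are reachable regardless of the ufw entries (those rules only document intent). Plaintext LDAP on 389 would then be exposed beyond the Docker ranges; restore a host-address prefix, e.g. `- "{{ ldap_ip }}:389:389"` and `- "{{ ldap_ip }}:636:636"` (with `ldap_ip` defined for krypton), or bind to the docker bridge address only. `LDAP_CONFIG_PASSWORD` is commented out in `env`; the osixia image falls back to a fixed default password for cn=config when it is unset (confirm against the image documentation for 1.5.0), so set it from a vaulted `ldap_config_password` rather than leaving the default, as the pottwal play did. The debug flags (`LDAP_LOG_LEVEL: "256"`, `--loglevel debug`) are carried over; consider lowering them once the migration is verified, since at that level bind DNs and operations typically land in the container logs.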


@ -23,12 +23,6 @@
hedgedoc_host_port: 8084 hedgedoc_host_port: 8084
hedgedoc_image: quay.io/hedgedoc/hedgedoc:1.9.3 hedgedoc_image: quay.io/hedgedoc/hedgedoc:1.9.3
openldap_image_version: 1.5.0
openldap_data: "{{ data_dir }}/openldap"
openldap_domain: "ldap.n39.eu"
ldap_org: "Netz39 e.V."
roles: roles:
- role: docker_setup - role: docker_setup
vars: vars:
@ -267,86 +261,5 @@
site_name: pad.n39.eu site_name: pad.n39.eu
proxy_port: "{{ hedgedoc_host_port }}" proxy_port: "{{ hedgedoc_host_port }}"
# - name: Setup dehydrated challenge endpoint for {{ openldap_domain }}
# include_role:
# name: setup-http-dehydrated
# vars:
# site_name: "{{ openldap_domain }}"
- name: Ensure openLDAP directories are present.
file:
path: "{{ item }}"
state: directory
with_items:
- "{{ openldap_data }}/ldap"
- "{{ openldap_data }}/slapd"
- "{{ openldap_data }}/ldif"
# - "{{ dehydrated_certs_dir }}/certs/{{ openldap_domain }}"
- name: Ensure container for openLDAP is running.
docker_container:
name: openLDAP
image: "osixia/openldap:{{ openldap_image_version }}"
detach: yes
state: started
restart_policy: unless-stopped
container_default_behavior: no_defaults
pull: true
env:
LDAP_LOG_LEVEL: "256"
LDAP_ORGANISATION: "{{ldap_org}}"
LDAP_DOMAIN: "{{ldap_domain}}"
LDAP_BASE_DN: "{{ldap_base_dn}}"
LDAP_READONLY_USER: "false"
LDAP_ADMIN_PASSWORD: "{{ldap_admin_password}}"
LDAP_CONFIG_PASSWORD: "{{ldap_config_password}}"
LDAP_RFC2307BIS_SCHEMA: "true"
LDAP_TLS_CIPHER_SUITE: "SECURE256:-VERS-SSL3.0"
LDAP_REPLICATION: "{{ldap_replication_enable}}"
LDAP_REPLICATION_CONFIG_SYNCPROV: "{{ldap_replication_config_syncprov}}"
LDAP_REPLICATION_DB_SYNCPROV: "{{ldap_replication_db_syncprov}}"
LDAP_REPLICATION_HOSTS: "{{ldap_replication_hosts}}"
KEEP_EXISTING_CONFIG: "false"
LDAP_REMOVE_CONFIG_AFTER_SETUP: "true"
published_ports:
- "{{ldap_ip}}:389:389" # unencrypted/STARTTLS
- "{{ldap_ip}}:636:636" # SSL
volumes:
- "{{ openldap_data }}/ldap:/var/lib/ldap"
- "{{ openldap_data }}/slapd:/etc/ldap/slapd.d"
# - "{{ dehydrated_certs_dir }}/certs/{{ openldap_domain }}:/container/service/slapd/assets/certs"
- "{{ openldap_data }}/ldif/custom-element.ldif:/container/service/slapd/assets/config/bootstrap/ldif/custom/01_netz39.ldif"
timeout: 500
# For replication to work correctly, domainname and hostname must be
# set correctly so that "hostname"."domainname" equates to the
# fully-qualified domain name for the host.
domainname: "{{ldap_domainname}}"
hostname: "{{ldap_hostname}}"
command: "--copy-service --loglevel debug"
- name: Allow access to openLDAP from local docker container [1/2]
become: true
community.general.ufw:
rule: allow
port: '389'
proto: tcp
from: "{{ item }}"
comment: LDAP Docker Access
loop: "{{ docker_ip_ranges }}"
- name: Allow access to openLDAP from local docker container [2/2]
become: true
community.general.ufw:
rule: allow
port: '636'
proto: tcp
from: "{{ item }}"
comment: LDAP Docker Access
loop: "{{ docker_ip_ranges }}"
handlers: handlers:
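Review bot: Deleting the `Ensure container for openLDAP is running.` task and the two UFW tasks from the pottwal play does not remove anything from the host: the container already created with `restart_policy: unless-stopped` keeps running and keeps its `{{ldap_ip}}:389` / `636` bindings, and the existing ufw rules stay in place, so after this merge pottwal still serves a second LDAP instance with the same admin password and data. Add explicit decommission tasks (run once, then removable) so the old service is stopped and its firewall openings closed, and decide separately whether `{{ openldap_data }}` on pottwal should be archived or wiped, since it contains the directory database and the rootpw in `slapd.d`. The ufw `delete: true` rules should match the originals exactly; the loop below reproduces the two port rules per Docker range.

```yaml
# … unchanged: hedgedoc tasks …
- name: Ensure the retired openLDAP container is removed from pottwal.
  docker_container:
    name: openLDAP
    state: absent
- name: Remove openLDAP UFW rules from pottwal
  become: true
  community.general.ufw:
    rule: allow
    port: "{{ item.1 }}"
    proto: tcp
    from: "{{ item.0 }}"
    delete: true
  loop: "{{ docker_ip_ranges | product(['389', '636']) | list }}"
```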