Merge pull request 'ldap' (!7) from dkdent/netz39-infra-ansible:ldap into master

Reviewed-on: https://gitea.n39.eu/Netz39_Admin/netz39-infra-ansible/pulls/7
This commit is contained in:
dkdent 2022-07-05 16:45:32 +00:00
commit c36e34966d
2 changed files with 95 additions and 0 deletions

View file

@ -83,6 +83,13 @@ all:
38656238663565386631306263333166633064313762343139373735626439666665356530383363 38656238663565386631306263333166633064313762343139373735626439666665356530383363
3134373261386435310a626461376537643937643838636638313033383463356663396464643361 3134373261386435310a626461376537643937643838636638313033383463356663396464643361
36333766383139376331336633646633396430323663366636616431643134666536 36333766383139376331336633646633396430323663366636616431643134666536
ldap_admin_password: !vault |
$ANSIBLE_VAULT;1.1;AES256
30646262643765616236666665363366353934333264343064383265316162333033653839396466
3262306131373461323032363234323161613431613133360a396531343438313165666163646363
65333334666132313834663839626431373339646631366261316139333233666566383131353035
3765613264626637660a343562363166313535613964336261356530353732333965313830653865
39373837643837663630333765306463616234363535613666333862396632643961
unicorn.n39.eu: unicorn.n39.eu:
server_admin: "admin+unicorn@netz39.de" server_admin: "admin+unicorn@netz39.de"
platon.n39.eu: platon.n39.eu:

View file

@ -23,6 +23,12 @@
hedgedoc_host_port: 8084 hedgedoc_host_port: 8084
hedgedoc_image: quay.io/hedgedoc/hedgedoc:1.9.3 hedgedoc_image: quay.io/hedgedoc/hedgedoc:1.9.3
openldap_image_version: 1.5.0
openldap_data: "{{ data_dir }}/openldap"
openldap_domain: "ldap.n39.eu"
ldap_org: "Netz39 e.V."
roles: roles:
- role: docker_setup - role: docker_setup
vars: vars:
@ -261,4 +267,86 @@
site_name: pad.n39.eu site_name: pad.n39.eu
proxy_port: "{{ hedgedoc_host_port }}" proxy_port: "{{ hedgedoc_host_port }}"
# - name: Setup dehydrated challenge endpoint for {{ openldap_domain }}
# include_role:
# name: setup-http-dehydrated
# vars:
# site_name: "{{ openldap_domain }}"
- name: Ensure openLDAP directories are present.
file:
path: "{{ item }}"
state: directory
with_items:
- "{{ openldap_data }}/ldap"
- "{{ openldap_data }}/slapd"
- "{{ openldap_data }}/ldif"
# - "{{ dehydrated_certs_dir }}/certs/{{ openldap_domain }}"
- name: Ensure container for openLDAP is running.
docker_container:
name: openLDAP
image: "osixia/openldap:{{ openldap_image_version }}"
detach: yes
state: started
restart_policy: unless-stopped
container_default_behavior: no_defaults
pull: true
env:
LDAP_LOG_LEVEL: "256"
LDAP_ORGANISATION: "{{ldap_org}}"
LDAP_DOMAIN: "{{ldap_domain}}"
LDAP_BASE_DN: "{{ldap_base_dn}}"
LDAP_READONLY_USER: "false"
LDAP_ADMIN_PASSWORD: "{{ldap_admin_password}}"
LDAP_CONFIG_PASSWORD: "{{ldap_config_password}}"
LDAP_RFC2307BIS_SCHEMA: "true"
LDAP_TLS_CIPHER_SUITE: "SECURE256:-VERS-SSL3.0"
LDAP_REPLICATION: "{{ldap_replication_enable}}"
LDAP_REPLICATION_CONFIG_SYNCPROV: "{{ldap_replication_config_syncprov}}"
LDAP_REPLICATION_DB_SYNCPROV: "{{ldap_replication_db_syncprov}}"
LDAP_REPLICATION_HOSTS: "{{ldap_replication_hosts}}"
KEEP_EXISTING_CONFIG: "false"
LDAP_REMOVE_CONFIG_AFTER_SETUP: "true"
published_ports:
- "{{ldap_ip}}:389:389" # unencrypted/STARTTLS
- "{{ldap_ip}}:636:636" # SSL
volumes:
- "{{ openldap_data }}/ldap:/var/lib/ldap"
- "{{ openldap_data }}/slapd:/etc/ldap/slapd.d"
# - "{{ dehydrated_certs_dir }}/certs/{{ openldap_domain }}:/container/service/slapd/assets/certs"
- "{{ openldap_data }}/ldif/custom-element.ldif:/container/service/slapd/assets/config/bootstrap/ldif/custom/01_netz39.ldif"
timeout: 500
# For replication to work correctly, domainname and hostname must be
# set correctly so that "hostname"."domainname" equates to the
# fully-qualified domain name for the host.
domainname: "{{ldap_domainname}}"
hostname: "{{ldap_hostname}}"
command: "--copy-service --loglevel debug"
- name: Allow access to openLDAP from local docker container [1/2]
become: true
community.general.ufw:
rule: allow
port: '389'
proto: tcp
from: "{{ item }}"
comment: LDAP Docker Access
loop: "{{ docker_ip_ranges }}"
- name: Allow access to openLDAP from local docker container [2/2]
become: true
community.general.ufw:
rule: allow
port: '636'
proto: tcp
from: "{{ item }}"
comment: LDAP Docker Access
loop: "{{ docker_ip_ranges }}"
handlers: handlers: