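---
# Deploys an openLDAP server (osixia/openldap) as a Docker container on
# krypton.n39.eu and opens the LDAP ports on the host firewall for the
# local Docker networks.
#
# Variables that this play reads but does not define here (expected from
# inventory / host_vars / vault): ldap_domain, ldap_base_dn,
# ldap_admin_password, ldap_config_password, ldap_replication_enable,
# ldap_replication_config_syncprov, ldap_replication_db_syncprov,
# ldap_replication_hosts, ldap_ip, ldap_domainname, ldap_hostname,
# dehydrated_certs_dir, docker_ip_ranges.
- hosts: krypton.n39.eu
  become: true

  vars:
    ansible_python_interpreter: /usr/bin/python3
    data_dir: "/srv/data"
    # Mutable tag: the image can change underneath a "pull: true" deploy.
    # Pin to an image digest once the deployed digest has been recorded.
    openldap_image_version: "1.5.0"
    openldap_data: "{{ data_dir }}/openldap"
    openldap_domain: "ldap.n39.eu"
    ldap_org: "Netz39 e.V."

  roles:
    - role: docker_setup
      vars:
        docker_data_root: "/srv/docker"

  tasks:
    # - name: Setup dehydrated challenge endpoint for {{ openldap_domain }}
    #   include_role:
    #     name: setup-http-dehydrated
    #   vars:
    #     site_name: "{{ openldap_domain }}"

    - name: Ensure openLDAP directories are present.
      file:
        path: "{{ item }}"
        state: directory
      loop:
        - "{{ openldap_data }}/ldap"
        - "{{ openldap_data }}/slapd"
        - "{{ openldap_data }}/ldif"
        - "{{ dehydrated_certs_dir }}/certs/{{ openldap_domain }}"

    # The bootstrap LDIF is bind-mounted as a single file below. If it does
    # not exist on the host, Docker silently creates an empty *directory* at
    # that path and the slapd bootstrap breaks in a confusing way, so fail
    # early with a clear message instead.
    - name: Check that the custom bootstrap LDIF exists.
      stat:
        path: "{{ openldap_data }}/ldif/custom-element.ldif"
      register: custom_ldif

    - name: Fail if the custom bootstrap LDIF is missing.
      assert:
        that:
          - custom_ldif.stat.exists
          - custom_ldif.stat.isreg
        fail_msg: >-
          {{ openldap_data }}/ldif/custom-element.ldif must exist as a
          regular file before the openLDAP container is started.

    - name: Ensure container for openLDAP is running.
      # The env block carries the admin and config passwords; without
      # no_log they end up in verbose/diff output and in CI logs.
      no_log: true
      docker_container:
        name: openLDAP
        image: "osixia/openldap:{{ openldap_image_version }}"
        detach: true
        state: started
        restart_policy: unless-stopped
        container_default_behavior: no_defaults
        pull: true
        env:
          # slapd loglevel 256 = "stats" (connections/operations/results).
          LDAP_LOG_LEVEL: "256"
          LDAP_ORGANISATION: "{{ ldap_org }}"
          LDAP_DOMAIN: "{{ ldap_domain }}"
          LDAP_BASE_DN: "{{ ldap_base_dn }}"
          LDAP_READONLY_USER: "false"
          # Passed as container environment, so they are readable via
          # "docker inspect" by anyone with access to the Docker socket.
          LDAP_ADMIN_PASSWORD: "{{ ldap_admin_password }}"
          LDAP_CONFIG_PASSWORD: "{{ ldap_config_password }}"
          LDAP_RFC2307BIS_SCHEMA: "true"
          # GnuTLS priority string. Only SSLv3 is explicitly excluded here;
          # once all clients are confirmed to support TLS 1.2+, consider
          # appending ":-VERS-TLS1.0:-VERS-TLS1.1".
          LDAP_TLS_CIPHER_SUITE: "SECURE256:-VERS-SSL3.0"
          LDAP_REPLICATION: "{{ ldap_replication_enable }}"
          LDAP_REPLICATION_CONFIG_SYNCPROV: "{{ ldap_replication_config_syncprov }}"
          LDAP_REPLICATION_DB_SYNCPROV: "{{ ldap_replication_db_syncprov }}"
          LDAP_REPLICATION_HOSTS: "{{ ldap_replication_hosts }}"
          KEEP_EXISTING_CONFIG: "false"
          LDAP_REMOVE_CONFIG_AFTER_SETUP: "true"
        # Both ports are bound to ldap_ip only, not to all interfaces.
        published_ports:
          # Plain LDAP; clients are expected to upgrade with STARTTLS, but
          # nothing here forces them to (simple binds could go in cleartext).
          - "{{ ldap_ip }}:389:389"
          # LDAPS (TLS from the start)
          - "{{ ldap_ip }}:636:636"
        volumes:
          - "{{ openldap_data }}/ldap:/var/lib/ldap"
          - "{{ openldap_data }}/slapd:/etc/ldap/slapd.d"
          - "{{ dehydrated_certs_dir }}/certs/{{ openldap_domain }}:/container/service/slapd/assets/certs"
          - "{{ openldap_data }}/ldif/custom-element.ldif:/container/service/slapd/assets/config/bootstrap/ldif/custom/01_netz39.ldif"
        timeout: 500
        # For replication to work correctly, domainname and hostname must be
        # set correctly so that "hostname"."domainname" equates to the
        # fully-qualified domain name for the host.
        domainname: "{{ ldap_domainname }}"
        hostname: "{{ ldap_hostname }}"
        # "--loglevel debug" is the container entrypoint's log level, not
        # slapd's; it is verbose and may echo configuration details to the
        # container log.
        command: "--copy-service --loglevel debug"

    # The play already runs with become: true; the per-task become is kept
    # so the tasks stay correct if they are ever moved elsewhere.
    - name: Allow access to openLDAP from local docker container [1/2]
      become: true
      community.general.ufw:
        rule: allow
        port: '389'
        proto: tcp
        from: "{{ item }}"
        comment: LDAP Docker Access
      loop: "{{ docker_ip_ranges }}"

    - name: Allow access to openLDAP from local docker container [2/2]
      become: true
      community.general.ufw:
        rule: allow
        port: '636'
        proto: tcp
        from: "{{ item }}"
        comment: LDAP Docker Access
      loop: "{{ docker_ip_ranges }}"

  handlers: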