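---
# Playbook for krypton.n39.eu: runs the openLDAP directory and the
# entities-validation service as Docker containers behind apache, with
# dehydrated-issued certificates and UFW rules for the LDAP ports.
- hosts: krypton.n39.eu
  become: true

  vars:
    ansible_python_interpreter: /usr/bin/python3
    data_dir: "/srv/data"
    # Source ranges allowed to reach the LDAP ports through UFW (ufw tasks below).
    docker_ip_ranges: ["172.16.0.0/12", "192.168.0.0/16"]
    openldap_data: "{{ data_dir }}/openldap"
    openldap_domain: "ldap.n39.eu"
    ldap_domain: "netz39.de"
    ldap_org: "Netz39 e.V."
    ldap_base_dn: "dc=netz39,dc=de"
    # Host-side port the validation service is published on (loopback only,
    # fronted by the apache proxy site set up in the last task).
    entities_validation_svc_host_port: 9001

  roles:
    # role 'docker_setup' applied through group 'docker_host'
    - role: apache
    - role: apache_letsencrypt
    # Uses configuration from dehydrated setup
    - role: ansible-role-dehydrated
      vars:
        dehydrated_contact_email: "{{ server_admin }}"
        # NOTE(review): only the validation-service name is issued here, yet the
        # openLDAP container below mounts certs from
        # "{{ dehydrated_certs_dir }}/{{ openldap_domain }}" and the challenge
        # task for that domain is commented out — confirm that certificate is
        # produced elsewhere, otherwise the LDAP TLS setup has nothing to serve.
        dehydrated_domains:
          - name: entities-validation.svc.n39.eu
    - role: ansible-role-dehydrated_cron

  tasks:
    # - name: Setup dehydrated challenge endpoint for {{ openldap_domain }}
    #   include_role:
    #     name: setup-http-dehydrated
    #   vars:
    #     site_name: "{{ openldap_domain }}"

    - name: Ensure openLDAP directories are present.
      ansible.builtin.file:
        path: "{{ item.path }}"
        # 0755 is also applied to the certificate directory; the key files
        # inside keep their own permissions — verify they are not world-readable.
        mode: "0755"
        state: directory
      loop:
        - path: "{{ openldap_data }}/ldap"
        - path: "{{ openldap_data }}/slapd"
        - path: "{{ openldap_data }}/ldif"
        - path: "{{ dehydrated_certs_dir }}/{{ openldap_domain }}"

    - name: Ensure container for openLDAP is running.
      community.docker.docker_container:
        name: openLDAP
        image: osixia/openldap:1.5.0
        detach: true
        state: started
        restart_policy: unless-stopped
        container_default_behavior: no_defaults
        pull: true
        env:
          TZ: "{{ timezone }}"
          # Combined with "--loglevel debug" in the command below this is a
          # verbose logging setup; confirm it is intended for a production
          # directory (debug output may include bind DNs).
          LDAP_LOG_LEVEL: "256"
          LDAP_ORGANISATION: "{{ ldap_org }}"
          LDAP_DOMAIN: "{{ ldap_domain }}"
          LDAP_BASE_DN: "{{ ldap_base_dn }}"
          LDAP_READONLY_USER: "false"
          LDAP_ADMIN_PASSWORD: "{{ ldap_admin_password }}"
          # NOTE(review): with LDAP_CONFIG_PASSWORD left unset the cn=config
          # password falls back to the image's documented default — confirm that
          # is acceptable, or set it from a vaulted variable like the admin one.
          # LDAP_CONFIG_PASSWORD: "{{ ldap_config_password }}"
          LDAP_RFC2307BIS_SCHEMA: "true"
          LDAP_TLS_CIPHER_SUITE: "SECURE256:-VERS-SSL3.0"
          LDAP_REPLICATION: "no"
          KEEP_EXISTING_CONFIG: "false"
          LDAP_REMOVE_CONFIG_AFTER_SETUP: "true"
        # Both ports are bound on every host interface. Docker installs its own
        # iptables rules for published ports, so the UFW allow-rules below may
        # not be what actually gates external access to 389/636 — verify on the
        # host whether plaintext 389 is reachable from outside docker_ip_ranges.
        published_ports:
          - "389:389"  # unencrypted/STARTTLS
          - "636:636"  # SSL
        volumes:
          - "{{ openldap_data }}/ldap:/var/lib/ldap"
          - "{{ openldap_data }}/slapd:/etc/ldap/slapd.d"
          - "{{ dehydrated_certs_dir }}/{{ openldap_domain }}:/container/service/slapd/assets/certs"
          - "{{ openldap_data }}/ldif/custom-element.ldif:/container/service/slapd/assets/config/bootstrap/ldif/custom/01_netz39.ldif"
        timeout: 500
        command: "--copy-service --loglevel debug"

    - name: Ensure UFW is installed
      ansible.builtin.package:
        name: ufw
        state: present

    # Play-level become already applies to these tasks.
    - name: Allow access to openLDAP from local docker container [1/2]
      community.general.ufw:
        rule: allow
        port: "389"
        proto: tcp
        from: "{{ item }}"
        comment: LDAP Docker Access
      loop: "{{ docker_ip_ranges }}"

    - name: Allow access to openLDAP from local docker container [2/2]
      community.general.ufw:
        rule: allow
        port: "636"
        proto: tcp
        from: "{{ item }}"
        comment: LDAP Docker Access
      loop: "{{ docker_ip_ranges }}"

    - name: Ensure container for entities validation service is running
      community.docker.docker_container:
        name: entities_validation_svc
        image: netz39/entities_validation_svc:v1.0.1
        pull: true
        state: started
        detach: true
        restart_policy: unless-stopped
        # Loopback only; apache proxies the public site to this port.
        published_ports:
          - "127.0.0.1:{{ entities_validation_svc_host_port }}:8080"
        env:
          TZ: "{{ timezone }}"

    - name: Setup proxy site entities-validation.svc.n39.eu
      include_role:
        name: setup_http_site_proxy
      vars:
        site_name: entities-validation.svc.n39.eu
        proxy_port: "{{ entities_validation_svc_host_port }}"

  handlers: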