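---
# Provisions krypton.n39.eu: an openLDAP server in Docker, the entities
# validation service behind the Apache proxy, and the UFW rules that let
# local containers reach the LDAP ports.
- hosts: krypton.n39.eu
  become: true

  vars:
    ansible_python_interpreter: /usr/bin/python3

    # Root for all persistent container state on this host.
    data_dir: "/srv/data"

    # Source ranges permitted to reach the LDAP ports (consumed by the UFW task).
    docker_ip_ranges: ["172.16.0.0/12", "192.168.0.0/16"]

    # Quoted: this is an image tag, not a number.
    openldap_image_version: "1.5.0"
    openldap_data: "{{ data_dir }}/openldap"
    # Public host name the server's TLS certificate is expected to be issued for.
    openldap_domain: "ldap.n39.eu"
    ldap_domain: "netz39.de"
    ldap_org: "Netz39 e.V."
    ldap_base_dn: "dc=netz39,dc=de"

    # Host loopback port the entities validation container is published on.
    entities_validation_svc_host_port: 9001

  roles:
    - role: docker_setup
      vars:
        docker_data_root: "/srv/docker"
    - role: apache
    - role: apache_letsencrypt  # Uses configuration from dehydrated setup
    - role: ansible-role-dehydrated
      vars:
        # server_admin is not defined in this play; presumably inventory or group vars.
        dehydrated_contact_email: "{{ server_admin }}"
        # NOTE(review): openldap_domain is not listed here, yet its certificate
        # directory is bind-mounted into the openLDAP container below and the
        # challenge endpoint task for it is commented out — confirm the
        # ldap.n39.eu certificate is issued elsewhere.
        dehydrated_domains:
          - name: entities-validation.svc.n39.eu
    - role: penguineer.dehydrated_cron

  tasks:
    # - name: Setup dehydrated challenge endpoint for {{ openldap_domain }}
    #   include_role:
    #     name: setup-http-dehydrated
    #   vars:
    #     site_name: "{{ openldap_domain }}"

    - name: Ensure openLDAP directories are present.
      ansible.builtin.file:
        path: "{{ item }}"
        state: directory
      # dehydrated_certs_dir is not set in this play; presumably a default of
      # the dehydrated role — verify before running against a fresh host.
      loop:
        - "{{ openldap_data }}/ldap"
        - "{{ openldap_data }}/slapd"
        - "{{ openldap_data }}/ldif"
        - "{{ dehydrated_certs_dir }}/{{ openldap_domain }}"

    - name: Ensure container for openLDAP is running.
      docker_container:
        name: openLDAP
        image: "osixia/openldap:{{ openldap_image_version }}"
        detach: true
        state: started
        restart_policy: unless-stopped
        container_default_behavior: no_defaults
        pull: true
        # All values are quoted on purpose: container env vars are strings.
        env:
          # slapd log level (numeric bitmask); fairly verbose for production.
          LDAP_LOG_LEVEL: "256"
          LDAP_ORGANISATION: "{{ ldap_org }}"
          LDAP_DOMAIN: "{{ ldap_domain }}"
          LDAP_BASE_DN: "{{ ldap_base_dn }}"
          LDAP_READONLY_USER: "false"

          # ldap_admin_password is not defined in this play; it is expected to
          # come from a vaulted variable, never from a plain-text vars file.
          LDAP_ADMIN_PASSWORD: "{{ ldap_admin_password }}"
          # NOTE(review): with this unset the image falls back to its own
          # built-in default for the cn=config password — confirm that is
          # intended, otherwise set it from a vaulted variable like the admin one.
          # LDAP_CONFIG_PASSWORD: "{{ ldap_config_password }}"

          LDAP_RFC2307BIS_SCHEMA: "true"

          # GnuTLS priority string; SSLv3 is explicitly disabled.
          LDAP_TLS_CIPHER_SUITE: "SECURE256:-VERS-SSL3.0"

          LDAP_REPLICATION: "no"

          KEEP_EXISTING_CONFIG: "false"
          LDAP_REMOVE_CONFIG_AFTER_SETUP: "true"
        # NOTE(review): no host address is given, so both ports bind on all
        # interfaces. Docker installs its own forwarding rules ahead of UFW's
        # input chain, so verify on the host that the UFW rules below actually
        # restrict reachability rather than assuming they do.
        published_ports:
          - "389:389"  # unencrypted/STARTTLS
          - "636:636"  # SSL
        volumes:
          - "{{ openldap_data }}/ldap:/var/lib/ldap"
          - "{{ openldap_data }}/slapd:/etc/ldap/slapd.d"
          - "{{ dehydrated_certs_dir }}/{{ openldap_domain }}:/container/service/slapd/assets/certs"
          # NOTE(review): nothing in this play places custom-element.ldif. If the
          # file is missing when the container starts, Docker creates an empty
          # directory at that host path instead — confirm it is provisioned elsewhere.
          - "{{ openldap_data }}/ldif/custom-element.ldif:/container/service/slapd/assets/config/bootstrap/ldif/custom/01_netz39.ldif"
        # Presumably the Docker API request timeout in seconds — verify against the module docs.
        timeout: 500
        # Image entrypoint arguments; "--loglevel debug" is verbose for production.
        command: "--copy-service --loglevel debug"

    - name: Ensure UFW is installed
      ansible.builtin.package:
        name: ufw
        state: present

    # One allow rule per (port, source range). The product() loop yields the
    # same rules in the same order as two separate tasks for 389 and 636 would.
    - name: Allow access to openLDAP from local docker containers
      become: true
      community.general.ufw:
        rule: allow
        port: "{{ item.0 }}"
        proto: tcp
        from: "{{ item.1 }}"
        comment: LDAP Docker Access
      loop: "{{ ['389', '636'] | product(docker_ip_ranges) | list }}"

    - name: Ensure container for entities validation service is running
      # NOTE(review): unlike the openLDAP task this one sets no
      # container_default_behavior; the module's default applies, and that
      # default differs between community.docker releases — set it explicitly.
      docker_container:
        name: entities_validation_svc
        image: netz39/entities_validation_svc:v1.0.0
        pull: true
        state: started
        detach: true
        # Loopback only: the service is reached through the Apache proxy site below.
        published_ports:
          - "127.0.0.1:{{ entities_validation_svc_host_port }}:8080"
        restart_policy: unless-stopped

    - name: Setup proxy site entities-validation.svc.n39.eu
      ansible.builtin.include_role:
        name: setup_http_site_proxy
      vars:
        site_name: entities-validation.svc.n39.eu
        proxy_port: "{{ entities_validation_svc_host_port }}"

  # No handlers are defined for this play.
  handlers: []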