We used a similar local role here, in the Freifunk Magdeburg project, and in personal playbooks. That was moved to an external project, unified, and reworked, so the external role can act as a replacement for the distributed, redundant copies. Link: https://github.com/netz39/ansible-role-host-docker
---
|
|
- hosts: krypton.n39.eu
|
|
become: true
|
|
|
|
vars:
|
|
ansible_python_interpreter: /usr/bin/python3
|
|
|
|
data_dir: "/srv/data"
|
|
|
|
docker_ip_ranges: ["172.16.0.0/12", "192.168.0.0/16"]
|
|
|
|
openldap_data: "{{ data_dir }}/openldap"
|
|
openldap_domain: "ldap.n39.eu"
|
|
ldap_domain: "netz39.de"
|
|
ldap_org: "Netz39 e.V."
|
|
ldap_base_dn: "dc=netz39,dc=de"
|
|
|
|
entities_validation_svc_host_port: 9001
|
|
|
|
|
|
roles:
|
|
# role 'netz39.host_docker' applied through group 'docker_host'
|
|
- role: apache
|
|
- role: apache_letsencrypt # Uses configuration from dehydrated setup
|
|
- role: 24367dfa.dehydrated
|
|
vars:
|
|
dehydrated_contact_email: "{{ server_admin }}"
|
|
dehydrated_domains:
|
|
- name: entities-validation.svc.n39.eu
|
|
- role: penguineer.dehydrated_cron
|
|
|
|
tasks:
|
|
|
|
# - name: Setup dehydrated challenge endpoint for {{ openldap_domain }}
|
|
# include_role:
|
|
# name: setup-http-dehydrated
|
|
# vars:
|
|
# site_name: "{{ openldap_domain }}"
|
|
|
|
- name: Ensure openLDAP directories are present.
|
|
file:
|
|
path: "{{ item.path }}"
|
|
mode: "0755"
|
|
state: directory
|
|
with_items:
|
|
- path: "{{ openldap_data }}/ldap"
|
|
- path: "{{ openldap_data }}/slapd"
|
|
- path: "{{ openldap_data }}/ldif"
|
|
- path: "{{ dehydrated_certs_dir }}/{{ openldap_domain }}"
|
|
|
|
- name: Ensure container for openLDAP is running.
|
|
docker_container:
|
|
name: openLDAP
|
|
image: osixia/openldap:1.5.0
|
|
detach: yes
|
|
state: started
|
|
restart_policy: unless-stopped
|
|
container_default_behavior: no_defaults
|
|
pull: true
|
|
env:
|
|
TZ: "{{ timezone }}"
|
|
LDAP_LOG_LEVEL: "256"
|
|
LDAP_ORGANISATION: "{{ ldap_org }}"
|
|
LDAP_DOMAIN: "{{ ldap_domain }}"
|
|
LDAP_BASE_DN: "{{ ldap_base_dn }}"
|
|
LDAP_READONLY_USER: "false"
|
|
|
|
LDAP_ADMIN_PASSWORD: "{{ ldap_admin_password }}"
|
|
# LDAP_CONFIG_PASSWORD: "{{ ldap_config_password }}"
|
|
|
|
LDAP_RFC2307BIS_SCHEMA: "true"
|
|
|
|
LDAP_TLS_CIPHER_SUITE: "SECURE256:-VERS-SSL3.0"
|
|
|
|
LDAP_REPLICATION: "no"
|
|
|
|
KEEP_EXISTING_CONFIG: "false"
|
|
LDAP_REMOVE_CONFIG_AFTER_SETUP: "true"
|
|
published_ports:
|
|
- "389:389" # unencrypted/STARTTLS
|
|
- "636:636" # SSL
|
|
volumes:
|
|
- "{{ openldap_data }}/ldap:/var/lib/ldap"
|
|
- "{{ openldap_data }}/slapd:/etc/ldap/slapd.d"
|
|
- "{{ dehydrated_certs_dir }}/{{ openldap_domain }}:/container/service/slapd/assets/certs"
|
|
- "{{ openldap_data }}/ldif/custom-element.ldif:/container/service/slapd/assets/config/bootstrap/ldif/custom/01_netz39.ldif"
|
|
timeout: 500
|
|
command: "--copy-service --loglevel debug"
|
|
|
|
- name: Ensure UFW is installed
|
|
ansible.builtin.package:
|
|
name: ufw
|
|
state: present
|
|
|
|
- name: Allow access to openLDAP from local docker container [1/2]
|
|
become: true
|
|
community.general.ufw:
|
|
rule: allow
|
|
port: '389'
|
|
proto: tcp
|
|
from: "{{ item }}"
|
|
comment: LDAP Docker Access
|
|
loop: "{{ docker_ip_ranges }}"
|
|
|
|
- name: Allow access to openLDAP from local docker container [2/2]
|
|
become: true
|
|
community.general.ufw:
|
|
rule: allow
|
|
port: '636'
|
|
proto: tcp
|
|
from: "{{ item }}"
|
|
comment: LDAP Docker Access
|
|
loop: "{{ docker_ip_ranges }}"
|
|
|
|
|
|
- name: Ensure container for entities validation service is running
|
|
docker_container:
|
|
name: entities_validation_svc
|
|
image: netz39/entities_validation_svc:v1.0.3
|
|
pull: true
|
|
state: started
|
|
detach: yes
|
|
ports:
|
|
- "127.0.0.1:{{ entities_validation_svc_host_port }}:8080"
|
|
restart_policy: unless-stopped
|
|
env:
|
|
TZ: "{{ timezone }}"
|
|
|
|
- name: Setup proxy site entities-validation.svc.n39.eu
|
|
include_role:
|
|
name: setup_http_site_proxy
|
|
vars:
|
|
site_name: entities-validation.svc.n39.eu
|
|
proxy_port: "{{ entities_validation_svc_host_port }}"
|
|
|
|
handlers:
|
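Review bot: Publishing `"389:389"` and `"636:636"` without a host address binds openLDAP on all interfaces, and because Docker inserts its own iptables rules ahead of UFW's, the two `community.general.ufw` tasks that limit 389/636 to `docker_ip_ranges` do not actually restrict these published ports unless Docker's iptables management has been disabled on this host — worth verifying rather than assuming. If 389 (plaintext/STARTTLS) is meant for local containers only, as the task names say, bind it to a specific address, e.g. `- "<docker-bridge-or-host-ip>:389:389"` (placeholder), or drop the mapping and reach the container over a shared Docker network, leaving 636 as the only externally reachable listener; the entities validation container already uses the `127.0.0.1:` form. Separately, the openLDAP task passes `ldap_admin_password` as a module argument, so a failed run or `-v` output prints it; add `no_log: true` to that task. Minor style: the file mixes `published_ports` and `ports` (aliases of the same option) and uses `detach: yes` where `true` is the canonical boolean.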