diff --git a/krypton.yml b/krypton.yml
index e3e2c10..d70f2db 100644
--- a/krypton.yml
+++ b/krypton.yml
@@ -7,6 +7,11 @@
data_dir: "/srv/data"
+ openldap_image_version: 1.5.0
+ openldap_data: "{{ data_dir }}/openldap"
+ openldap_domain: "ldap.n39.eu"
+ ldap_org: "Netz39 e.V."
+
roles:
- role: docker_setup
vars:
@@ -14,4 +19,86 @@
tasks:
+ # - name: Setup dehydrated challenge endpoint for {{ openldap_domain }}
+ # include_role:
+ # name: setup-http-dehydrated
+ # vars:
+ # site_name: "{{ openldap_domain }}"
+
+ - name: Ensure openLDAP directories are present.
+ file:
+ path: "{{ item }}"
+ state: directory
+ with_items:
+ - "{{ openldap_data }}/ldap"
+ - "{{ openldap_data }}/slapd"
+ - "{{ openldap_data }}/ldif"
+ # - "{{ dehydrated_certs_dir }}/certs/{{ openldap_domain }}"
+
+ - name: Ensure container for openLDAP is running.
+ docker_container:
+ name: openLDAP
+ image: "osixia/openldap:{{ openldap_image_version }}"
+ detach: yes
+ state: started
+ restart_policy: unless-stopped
+ container_default_behavior: no_defaults
+ pull: true
+ env:
+ LDAP_LOG_LEVEL: "256"
+ LDAP_ORGANISATION: "{{ldap_org}}"
+ LDAP_DOMAIN: "{{ldap_domain}}"
+ LDAP_BASE_DN: "{{ldap_base_dn}}"
+ LDAP_READONLY_USER: "false"
+
+ LDAP_ADMIN_PASSWORD: "{{ldap_admin_password}}"
+ LDAP_CONFIG_PASSWORD: "{{ldap_config_password}}"
+
+ LDAP_RFC2307BIS_SCHEMA: "true"
+
+ LDAP_TLS_CIPHER_SUITE: "SECURE256:-VERS-SSL3.0"
+
+ LDAP_REPLICATION: "{{ldap_replication_enable}}"
+ LDAP_REPLICATION_CONFIG_SYNCPROV: "{{ldap_replication_config_syncprov}}"
+ LDAP_REPLICATION_DB_SYNCPROV: "{{ldap_replication_db_syncprov}}"
+ LDAP_REPLICATION_HOSTS: "{{ldap_replication_hosts}}"
+
+ KEEP_EXISTING_CONFIG: "false"
+ LDAP_REMOVE_CONFIG_AFTER_SETUP: "true"
+ published_ports:
+ - "{{ldap_ip}}:389:389" # unencrypted/STARTTLS
+ - "{{ldap_ip}}:636:636" # SSL
+ volumes:
+ - "{{ openldap_data }}/ldap:/var/lib/ldap"
+ - "{{ openldap_data }}/slapd:/etc/ldap/slapd.d"
+ # - "{{ dehydrated_certs_dir }}/certs/{{ openldap_domain }}:/container/service/slapd/assets/certs"
+ - "{{ openldap_data }}/ldif/custom-element.ldif:/container/service/slapd/assets/config/bootstrap/ldif/custom/01_netz39.ldif"
+ timeout: 500
+ # For replication to work correctly, domainname and hostname must be
+ # set correctly so that "hostname"."domainname" equates to the
+ # fully-qualified domain name for the host.
+ domainname: "{{ldap_domainname}}"
+ hostname: "{{ldap_hostname}}"
+ command: "--copy-service --loglevel debug"
+
+ - name: Allow access to openLDAP from local docker container [1/2]
+ become: true
+ community.general.ufw:
+ rule: allow
+ port: '389'
+ proto: tcp
+ from: "{{ item }}"
+ comment: LDAP Docker Access
+ loop: "{{ docker_ip_ranges }}"
+
+ - name: Allow access to openLDAP from local docker container [2/2]
+ become: true
+ community.general.ufw:
+ rule: allow
+ port: '636'
+ proto: tcp
+ from: "{{ item }}"
+ comment: LDAP Docker Access
+ loop: "{{ docker_ip_ranges }}"
+
handlers:
diff --git a/pottwal.yml b/pottwal.yml
index c71e11f..c30cea2 100644
--- a/pottwal.yml
+++ b/pottwal.yml
@@ -23,12 +23,6 @@
hedgedoc_host_port: 8084
hedgedoc_image: quay.io/hedgedoc/hedgedoc:1.9.3
- openldap_image_version: 1.5.0
- openldap_data: "{{ data_dir }}/openldap"
- openldap_domain: "ldap.n39.eu"
- ldap_org: "Netz39 e.V."
-
-
roles:
- role: docker_setup
vars:
@@ -267,86 +261,5 @@
site_name: pad.n39.eu
proxy_port: "{{ hedgedoc_host_port }}"
- # - name: Setup dehydrated challenge endpoint for {{ openldap_domain }}
- # include_role:
- # name: setup-http-dehydrated
- # vars:
- # site_name: "{{ openldap_domain }}"
-
- - name: Ensure openLDAP directories are present.
- file:
- path: "{{ item }}"
- state: directory
- with_items:
- - "{{ openldap_data }}/ldap"
- - "{{ openldap_data }}/slapd"
- - "{{ openldap_data }}/ldif"
- # - "{{ dehydrated_certs_dir }}/certs/{{ openldap_domain }}"
-
- - name: Ensure container for openLDAP is running.
- docker_container:
- name: openLDAP
- image: "osixia/openldap:{{ openldap_image_version }}"
- detach: yes
- state: started
- restart_policy: unless-stopped
- container_default_behavior: no_defaults
- pull: true
- env:
- LDAP_LOG_LEVEL: "256"
- LDAP_ORGANISATION: "{{ldap_org}}"
- LDAP_DOMAIN: "{{ldap_domain}}"
- LDAP_BASE_DN: "{{ldap_base_dn}}"
- LDAP_READONLY_USER: "false"
-
- LDAP_ADMIN_PASSWORD: "{{ldap_admin_password}}"
- LDAP_CONFIG_PASSWORD: "{{ldap_config_password}}"
-
- LDAP_RFC2307BIS_SCHEMA: "true"
-
- LDAP_TLS_CIPHER_SUITE: "SECURE256:-VERS-SSL3.0"
-
- LDAP_REPLICATION: "{{ldap_replication_enable}}"
- LDAP_REPLICATION_CONFIG_SYNCPROV: "{{ldap_replication_config_syncprov}}"
- LDAP_REPLICATION_DB_SYNCPROV: "{{ldap_replication_db_syncprov}}"
- LDAP_REPLICATION_HOSTS: "{{ldap_replication_hosts}}"
-
- KEEP_EXISTING_CONFIG: "false"
- LDAP_REMOVE_CONFIG_AFTER_SETUP: "true"
- published_ports:
- - "{{ldap_ip}}:389:389" # unencrypted/STARTTLS
- - "{{ldap_ip}}:636:636" # SSL
- volumes:
- - "{{ openldap_data }}/ldap:/var/lib/ldap"
- - "{{ openldap_data }}/slapd:/etc/ldap/slapd.d"
- # - "{{ dehydrated_certs_dir }}/certs/{{ openldap_domain }}:/container/service/slapd/assets/certs"
- - "{{ openldap_data }}/ldif/custom-element.ldif:/container/service/slapd/assets/config/bootstrap/ldif/custom/01_netz39.ldif"
- timeout: 500
- # For replication to work correctly, domainname and hostname must be
- # set correctly so that "hostname"."domainname" equates to the
- # fully-qualified domain name for the host.
- domainname: "{{ldap_domainname}}"
- hostname: "{{ldap_hostname}}"
- command: "--copy-service --loglevel debug"
-
- - name: Allow access to openLDAP from local docker container [1/2]
- become: true
- community.general.ufw:
- rule: allow
- port: '389'
- proto: tcp
- from: "{{ item }}"
- comment: LDAP Docker Access
- loop: "{{ docker_ip_ranges }}"
-
- - name: Allow access to openLDAP from local docker container [2/2]
- become: true
- community.general.ufw:
- rule: allow
- port: '636'
- proto: tcp
- from: "{{ item }}"
- comment: LDAP Docker Access
- loop: "{{ docker_ip_ranges }}"
handlers: