diff --git a/roles/docker-friendica/meta/main.yml b/roles/docker-friendica/meta/main.yml index 2bf530fe..56d2c41c 100644 --- a/roles/docker-friendica/meta/main.yml +++ b/roles/docker-friendica/meta/main.yml @@ -21,3 +21,4 @@ galaxy_info: run_after: - docker-matomo - docker-keycloak + - docker-ldap diff --git a/roles/docker-friendica/tasks/main.yml b/roles/docker-friendica/tasks/main.yml index 0443f5d8..71a10dbc 100644 --- a/roles/docker-friendica/tasks/main.yml +++ b/roles/docker-friendica/tasks/main.yml @@ -3,6 +3,17 @@ include_role: name: docker-central-database +- name: "create {{ friendica_host_ldap_config }}" + template: + src: "ldapauth.config.php.j2" + dest: "{{ friendica_host_ldap_config }}" + mode: '644' + owner: root + group: 33 + force: yes + notify: docker compose up + when: applications | is_feature_enabled('ldap',application_id) + - name: "include role nginx-domain-setup for {{application_id}}" include_role: name: nginx-domain-setup @@ -11,3 +22,37 @@ http_port: "{{ ports.localhost.http[application_id] }}" - include_tasks: "{{ playbook_dir }}/roles/docker-compose/tasks/create-files.yml" + +- name: Build friendica_addons based on features + set_fact: + friendica_addons: >- + {{ + friendica_addons | default([]) + + [{ + 'name': item.key, + 'enabled': ( + applications[application_id].features.oidc + if item.key == 'keycloakpassword' + else applications[application_id].features.ldap + if item.key == 'ldapauth' + else (item.value.enabled if item.value is mapping and 'enabled' in item.value else False) + ) + }] + }} + loop: "{{ applications[application_id].addons | dict2items }}" + loop_control: + label: "{{ item.key }}" + +- name: Ensure Friendica addons are in sync + command: > + docker compose exec --user www-data + application + bin/console addon + {{ 'enable' if item.enabled else 'disable' }} + {{ item.name }} + args: + chdir: "{{ docker_compose.directories.instance }}" + loop: "{{ friendica_addons }}" + loop_control: + label: "{{ item.name }}" + 
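Review bot: The file that the `create {{ friendica_host_ldap_config }}` task renders holds the LDAP bind password (`ldap_bindpw` in ldapauth.config.php.j2), yet the task writes it with `mode: '644'`, so every local account on the host can read the directory credential. The file is already `owner: root` / `group: 33` (www-data inside the container), so `mode: '0640'` keeps it readable by the web user and nothing else without changing anything on the container side. Because the task is guarded by `is_feature_enabled('ldap', application_id)`, the file does not exist when LDAP is off, which matters for the unconditional bind mount in docker-compose.yml.j2 (raised there). A one-line comment such as `# contains the LDAP bind credential; keep group-readable only` above the task would stop the next editor from loosening the mode again.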
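Review bot: The `Ensure Friendica addons are in sync` task runs `docker compose exec --user www-data application bin/console addon …` without `-T`, and `docker compose exec` allocates a pseudo-TTY by default, which under Ansible's non-interactive `command` module can fail with "the input device is not a TTY"; change it to `docker compose exec -T --user www-data` and add `changed_when: false` (or derive it from the command output), since as written the loop reports changed on every run. The task also assumes the `application` container is running, but the only start I can see is the `docker compose up` handler notified by the template task, and handlers do not run until the end of the play; unless `create-files.yml` starts the stack (not visible here), a first deployment will fail at this point, so a `meta: flush_handlers` before the loop would close that gap. The `set_fact` appends to `friendica_addons | default([])`, so including this role twice in one play produces duplicate entries; resetting the fact with `set_fact: { friendica_addons: [] }` just before the loop avoids that.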
diff --git a/roles/docker-friendica/templates/docker-compose.yml.j2 b/roles/docker-friendica/templates/docker-compose.yml.j2 index da2bbf65..5621531b 100644 --- a/roles/docker-friendica/templates/docker-compose.yml.j2 +++ b/roles/docker-friendica/templates/docker-compose.yml.j2 @@ -6,8 +6,9 @@ services: image: "{{ applications[application_id].images.friendica }}" {% include 'roles/docker-compose/templates/services/base.yml.j2' %} volumes: - - html:/var/www/html - - data:/var/www/data + - html:{{ friendica_application_base }} + - data:/var/www/data # I assume that this one is unnessecarry + - {{ friendica_host_ldap_config }}:{{ friendica_docker_ldap_config }}:ro ports: - "127.0.0.1:{{ports.localhost.http[application_id]}}:80" diff --git a/roles/docker-friendica/templates/env.j2 b/roles/docker-friendica/templates/env.j2 index b8d02c9a..04f6bd68 100644 --- a/roles/docker-friendica/templates/env.j2 +++ b/roles/docker-friendica/templates/env.j2 @@ -1,14 +1,14 @@ # The configuration options can be found here: # @see https://hub.docker.com/_/friendica -FRIENDICA_URL= https://{{domains | get_domain(application_id)}} -HOSTNAME= {{domains | get_domain(application_id)}} -FRIENDICA_NO_VALIDATION={{no_validation | lower}} +FRIENDICA_URL=https://{{domains | get_domain(application_id)}} +HOSTNAME={{domains | get_domain(application_id)}} +FRIENDICA_NO_VALIDATION={{friendica_no_validation | lower}} # Debugging -FRIENDICA_DEBUGGING= {% if enable_debug | bool %}true{% else %}false{% endif %} -FRIENDICA_LOGLEVEL= 5 -FRIENDICA_LOGGER= syslog +FRIENDICA_DEBUGGING={% if enable_debug | bool %}true{% else %}false{% endif %}{{"\n"}} +FRIENDICA_LOGLEVEL={% if enable_debug | bool %}9{% else %}5{% endif %}{{"\n"}} +FRIENDICA_LOGGER=syslog # Database Configuration MYSQL_HOST= "{{database_host}}:{{database_port}}" diff --git a/roles/docker-friendica/templates/ldapauth.config.php.j2 b/roles/docker-friendica/templates/ldapauth.config.php.j2 new file mode 100644 index 00000000..5a5478d1 
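Review bot: The bind mount `{{ friendica_host_ldap_config }}:{{ friendica_docker_ldap_config }}:ro` is unconditional, while the host file is only templated when the ldap feature is enabled (the task in tasks/main.yml is guarded by `is_feature_enabled('ldap', application_id)`), so with LDAP off Docker will create an empty directory at the host path and mount a directory where Friendica expects `config/ldapauth.config.php`. Wrap the volume entry in the same guard: `{% if applications | is_feature_enabled('ldap', application_id) %}` / the mount line / `{% endif %}`. The trailing `# I assume that this one is unnessecarry` on the `data` volume is a question left in a deployed template; either verify and remove the volume or reword it to `# TODO: confirm whether the image still needs /var/www/data` so it is actionable.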
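Review bot: The hunk strips the stray space after `=` from the Friendica variables, but the `MYSQL_HOST= "{{database_host}}:{{database_port}}"` context line keeps both the leading space and the quotes; if the whitespace was the reason for the change (env-file values are taken literally by some parsers, making the space and quotes part of the value), the same fix belongs there: `MYSQL_HOST={{database_host}}:{{database_port}}`. Debug mode now sets `FRIENDICA_LOGLEVEL=9` together with `FRIENDICA_LOGGER=syslog`, so verbose application logs land in the host's syslog; a comment such as `# debug logging is verbose and may include request data; non-production only` above the block would make the intent clear.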
--- /dev/null +++ b/roles/docker-friendica/templates/ldapauth.config.php.j2 @@ -0,0 +1,51 @@ + [ + // ldap_server (String) + // ldap hostname server - required + // Example: ldap_server = host.example.com + 'ldap_server' => '{{ ldap.server.uri }}', + + // ldap_binddn (String) + // admin dn - optional - only if ldap server dont have anonymous access + // Example: ldap_binddn = cn=admin,dc=example,dc=com + 'ldap_binddn' => '{{ ldap.dn.administrator.data }}', + + // ldap_bindpw (String) + // admin password - optional - only if ldap server dont have anonymous access + 'ldap_bindpw' => '{{ ldap.bind_credential }}', + + // ldap_searchdn (String) + // dn to search users - required + // Example: ldap_searchdn = ou=users,dc=example,dc=com + 'ldap_searchdn' => '{{ ldap.dn.ou.users }}', + + // ldap_userattr (String) + // attribute to find username - required + // Example: ldap_userattr = uid + 'ldap_userattr' => '{{ ldap.user.attributes.id }}', + + // ldap_group (String) + // DN of the group whose member can auth on Friendica - optional + 'ldap_group' =>'', + + // ldap_autocreateaccount (Boolean) + // To create Friendica account if user exists in ldap + // Requires an email and a simple (beautiful) nickname on user ldap object + // active account creation - optional - default true + 'ldap_autocreateaccount' => true, + + // ldap_autocreateaccount_emailattribute (String) + // attribute to get email - optional - default : 'mail' + 'ldap_autocreateaccount_emailattribute' => '{{ ldap.user.attributes.mail }}', + + // ldap_autocreateaccount_nameattribute (String) + // attribute to get nickname - optional - default : 'givenName' + 'ldap_autocreateaccount_nameattribute' => '{{ ldap.user.attributes.firstname }}', + ], +]; \ No newline at end of file diff --git a/roles/docker-friendica/vars/configuration.yml b/roles/docker-friendica/vars/configuration.yml index 08798255..54d7e0e3 100644 --- a/roles/docker-friendica/vars/configuration.yml 
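Review bot: The template binds as `{{ ldap.dn.administrator.data }}` with `{{ ldap.bind_credential }}`, i.e. the directory administrator, although ldapauth only needs to search `ldap_searchdn` and then bind as the user; a dedicated read-only service account scoped to the users OU would mean a leaked config file (it is a plain PHP file bind-mounted into the container) does not hand out write access to the whole directory, and a comment like `// use a read-only search account here, not the directory admin` documents that expectation. `ldap_group` is left empty while `ldap_autocreateaccount` is `true`, so every object under `{{ ldap.dn.ou.users }}` can log in and gets a Friendica account created on first login; if only a subset of directory users should reach Friendica, set `'ldap_group'` to the DN of that group. If `{{ ldap.server.uri }}` renders to a plain `ldap://` endpoint, the bind password crosses the container network in cleartext, so prefer `ldaps://` or document that the LDAP service is only reachable on an isolated network. As shown the hunk opens with `[` and no `<?php` / `return` — possibly lost in rendering, but worth confirming the file really starts with `<?php` `return [` `'ldapauth' => [`, since Friendica expects a PHP file returning an array.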
+++ b/roles/docker-friendica/vars/configuration.yml @@ -2,10 +2,27 @@ images: friendica: "friendica:latest" features: matomo: true - css: true + css: false # Temporary deactivated portfolio_iframe: true - oidc: true + oidc: false # Implementation doesn't work yet central_database: true + ldap: true + oauth2: false # No special login side which could be protected, use 2FA of Friendica instead domains: - aliases: - - "social.{{ primary_domain }}" \ No newline at end of file + canonical: + - "social.{{ primary_domain }}" +csp: + flags: + script-src-elem: + unsafe-inline: true + script-src: + unsafe-inline: true + unsafe-eval: true + style-src: + unsafe-inline: true +oauth2_proxy: + application: "application" + port: "80" +addons: + keycloakpassword: + ldapauth: \ No newline at end of file diff --git a/roles/docker-friendica/vars/main.yml b/roles/docker-friendica/vars/main.yml index 2d13aea9..105b517c 100644 --- a/roles/docker-friendica/vars/main.yml +++ b/roles/docker-friendica/vars/main.yml @@ -1,3 +1,8 @@ application_id: "friendica" database_type: "mariadb" -no_validation: "{{ applications[application_id].features.oidc }}" # Email validation is not neccessary if OIDC is active \ No newline at end of file + +friendica_no_validation: "{{ applications[application_id].features.oidc }}" # Email validation is not neccessary if OIDC is active +friendica_application_base: "/var/www/html" +friendica_docker_ldap_config: "{{friendica_application_base}}/config/ldapauth.config.php" +friendica_host_ldap_config: "{{ docker_compose.directories.volumes }}ldapauth.config.php" +
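Review bot: The new `csp.flags` block enables `unsafe-inline` for `script-src`, `script-src-elem` and `style-src` and `unsafe-eval` for `script-src`, which removes most of the protection a CSP offers in a social application that renders user-supplied content; `unsafe-eval` in particular is rarely required and should be dropped unless a specific Friendica script is known to need it, in which case a comment naming it (`# required by <script>`) belongs next to the flag. The `addons:` entries are bare keys (`keycloakpassword:` / `ldapauth:`), which YAML loads as null; the `set_fact` loop in tasks/main.yml tolerates that, but `keycloakpassword: {}` / `ldapauth: {}` or an explicit `enabled: false` would make the expected schema obvious. `oidc: false # Implementation doesn't work yet` also flips `friendica_no_validation` (vars/main.yml) to false, so email validation is now required for every new account; stating that side effect in the comment would save the next reader a lookup.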
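Review bot: `friendica_host_ldap_config` concatenates `{{ docker_compose.directories.volumes }}` and `ldapauth.config.php` with no separator, so it only renders a valid path if `directories.volumes` is guaranteed to end in `/`; unless that is documented, build it as `"{{ [docker_compose.directories.volumes, 'ldapauth.config.php'] | path_join }}"`. Because this path is bind-mounted into the container, a mis-rendered path does not fail loudly — Docker creates an empty directory at that location and mounts it. A short comment on `friendica_docker_ldap_config` noting that it lives inside the `html` named volume mounted at `friendica_application_base` (so the bind mount shadows that single file) would help whoever later changes the base path.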