Added ldap support

2025-07-06 08:35:15 +02:00 · 2025-07-04 21:49:31 +02:00 · 2025-07-04 21:49:31 +02:00 · 1858c1970f
commit 1858c1970f
parent 06b864ad52
7 changed files with 133 additions and 13 deletions
--- a/roles/docker-friendica/meta/main.yml
+++ b/roles/docker-friendica/meta/main.yml
@ -21,3 +21,4 @@ galaxy_info:
  run_after:
    - docker-matomo
    - docker-keycloak
+    - docker-ldap
--- a/roles/docker-friendica/tasks/main.yml
+++ b/roles/docker-friendica/tasks/main.yml
@ -3,6 +3,17 @@
  include_role: 
    name: docker-central-database

+- name: "create {{ friendica_host_ldap_config }}"
+  template: 
+    src:  "ldapauth.config.php.j2" 
+    dest: "{{ friendica_host_ldap_config }}"
+    mode: '644'
+    owner: root
+    group: 33
+    force: yes
+  notify: docker compose up
+  when: applications | is_feature_enabled('ldap',application_id)
+
 - name: "include role nginx-domain-setup for {{application_id}}"
  include_role:
    name: nginx-domain-setup
@ -11,3 +22,37 @@
    http_port:   "{{ ports.localhost.http[application_id] }}"

 - include_tasks: "{{ playbook_dir }}/roles/docker-compose/tasks/create-files.yml"
+
+- name: Build friendica_addons based on features
+  set_fact:
+    friendica_addons: >-
+      {{
+        friendica_addons | default([])
+        + [{
+            'name': item.key,
+            'enabled': (
+              applications[application_id].features.oidc
+                if item.key == 'keycloakpassword'
+              else applications[application_id].features.ldap
+                if item.key == 'ldapauth'
+              else (item.value.enabled if item.value is mapping and 'enabled' in item.value else False)
+            )
+          }]
+      }}
+  loop: "{{ applications[application_id].addons | dict2items }}"
+  loop_control:
+    label: "{{ item.key }}"
+
+- name: Ensure Friendica addons are in sync
+  command: >
+    docker compose exec --user www-data
+    application
+    bin/console addon
+    {{ 'enable' if item.enabled else 'disable' }}
+    {{ item.name }}
+  args:
+    chdir: "{{ docker_compose.directories.instance }}"
+  loop: "{{ friendica_addons }}"
+  loop_control:
+    label: "{{ item.name }}"
+
--- a/roles/docker-friendica/templates/docker-compose.yml.j2
+++ b/roles/docker-friendica/templates/docker-compose.yml.j2
@ -6,8 +6,9 @@ services:
    image: "{{ applications[application_id].images.friendica }}"
    {% include 'roles/docker-compose/templates/services/base.yml.j2' %}
    volumes:
-      - html:/var/www/html
-      - data:/var/www/data
+      - html:{{ friendica_application_base }}
+      - data:/var/www/data # I assume that this one is unnessecarry
+      - {{ friendica_host_ldap_config }}:{{ friendica_docker_ldap_config }}:ro 
    ports:
      - "127.0.0.1:{{ports.localhost.http[application_id]}}:80"

--- a/roles/docker-friendica/templates/env.j2
+++ b/roles/docker-friendica/templates/env.j2
@ -1,14 +1,14 @@
 # The configuration options can be found here: 
 # @see https://hub.docker.com/_/friendica

-FRIENDICA_URL= https://{{domains | get_domain(application_id)}}
-HOSTNAME= {{domains | get_domain(application_id)}}
-FRIENDICA_NO_VALIDATION={{no_validation | lower}}
+FRIENDICA_URL=https://{{domains | get_domain(application_id)}}
+HOSTNAME={{domains | get_domain(application_id)}}
+FRIENDICA_NO_VALIDATION={{friendica_no_validation | lower}}
      
 # Debugging
-FRIENDICA_DEBUGGING=    {% if enable_debug | bool %}true{% else %}false{% endif %}
-FRIENDICA_LOGLEVEL=     5
-FRIENDICA_LOGGER=       syslog
+FRIENDICA_DEBUGGING={% if enable_debug | bool %}true{% else %}false{% endif %}{{"\n"}}
+FRIENDICA_LOGLEVEL={% if enable_debug | bool %}9{% else %}5{% endif %}{{"\n"}}
+FRIENDICA_LOGGER=syslog

 # Database Configuration 
 MYSQL_HOST=     "{{database_host}}:{{database_port}}"
--- a/roles/docker-friendica/templates/ldapauth.config.php.j2
+++ b/roles/docker-friendica/templates/ldapauth.config.php.j2
@ -0,0 +1,51 @@
+<?php
+// Source: https://git.friendi.ca/friendica/friendica-addons/src/branch/develop/ldapauth
+
+// Warning: Don't change this file! It only holds the default config values for this addon.
+// Instead, copy this file to config/ldapauth.config.php in your Friendica directory and set the correct values there
+
+return [
+	'ldapauth' => [
+		// ldap_server (String)
+		// ldap hostname server - required
+		// Example: ldap_server = host.example.com
+		'ldap_server' => '{{ ldap.server.uri }}',
+
+		// ldap_binddn (String)
+		// admin dn - optional - only if ldap server dont have anonymous access
+		// Example: ldap_binddn = cn=admin,dc=example,dc=com
+		'ldap_binddn' => '{{ ldap.dn.administrator.data }}',
+
+		// ldap_bindpw (String)
+		// admin password - optional - only if ldap server dont have anonymous access
+		'ldap_bindpw' => '{{ ldap.bind_credential }}',
+
+		// ldap_searchdn (String)
+		// dn to search users - required
+		// Example: ldap_searchdn = ou=users,dc=example,dc=com
+		'ldap_searchdn' => '{{ ldap.dn.ou.users }}',
+
+		// ldap_userattr (String)
+		// attribute to find username - required
+		// Example: ldap_userattr = uid
+		'ldap_userattr' => '{{ ldap.user.attributes.id }}',
+
+		// ldap_group (String)
+		// DN of the group whose member can auth on Friendica - optional
+		'ldap_group' =>'',
+
+		// ldap_autocreateaccount (Boolean)
+		// To create Friendica account if user exists in ldap
+		// Requires an email and a simple (beautiful) nickname on user ldap object
+		// active account creation - optional - default true
+		'ldap_autocreateaccount' => true,
+
+		// ldap_autocreateaccount_emailattribute (String)
+		// attribute to get email - optional - default : 'mail'
+		'ldap_autocreateaccount_emailattribute' => '{{ ldap.user.attributes.mail }}',
+
+		// ldap_autocreateaccount_nameattribute (String)
+		// attribute to get nickname - optional - default : 'givenName'
+		'ldap_autocreateaccount_nameattribute' => '{{ ldap.user.attributes.firstname }}',
+	],
+];
--- a/roles/docker-friendica/vars/configuration.yml
+++ b/roles/docker-friendica/vars/configuration.yml
@ -2,10 +2,27 @@ images:
  friendica:          "friendica:latest"
 features:
  matomo:             true
-  css:                true
+  css:                false # Temporary deactivated
  portfolio_iframe:   true
-  oidc:               true
+  oidc:               false # Implementation doesn't work yet
  central_database:   true
+  ldap:               true
+  oauth2:             false # No special login side which could be protected, use 2FA of Friendica instead
 domains:
-  aliases:
-    - "social.{{ primary_domain }}"
+  canonical:
+    - "social.{{ primary_domain }}"
+csp:
+  flags:
+    script-src-elem:
+      unsafe-inline:  true
+    script-src:
+      unsafe-inline:  true
+      unsafe-eval:    true
+    style-src:
+      unsafe-inline:  true
+oauth2_proxy:  
+  application:        "application"
+  port:               "80"
+addons:
+  keycloakpassword:
+  ldapauth:
--- a/roles/docker-friendica/vars/main.yml
+++ b/roles/docker-friendica/vars/main.yml
@ -1,3 +1,8 @@
 application_id:     "friendica"
 database_type:      "mariadb"
-no_validation:      "{{ applications[application_id].features.oidc }}" # Email validation is not neccessary if OIDC is active
+
+friendica_no_validation:       "{{ applications[application_id].features.oidc }}" # Email validation is not neccessary if OIDC is active
+friendica_application_base:    "/var/www/html"
+friendica_docker_ldap_config:  "{{friendica_application_base}}/config/ldapauth.config.php"
+friendica_host_ldap_config:    "{{ docker_compose.directories.volumes }}ldapauth.config.php"
+