Activated auto settings for ldap and smtp

group_vars/all/11_iam.yml

@@ -34,8 +34,6 @@ _ldap_dn_base:      "dc={{primary_domain_sld}},dc={{primary_domain_tld}}"
 _ldap_server_port:  "{% if applications.ldap.openldap.network.local | bool %}{{ ports.localhost.ldap.openldap }}{% else %}{{ ports.localhost.ldaps.openldap }}{% endif %}"
 
 ldap:
-  # Enables LDAP for all roles in play if true
-  enabled:  true
   # Distinguished Names (DN)
   dn:
     # Defines the base Distinguished Name (DN) for the LDAP directory, constructed from the second-level domain (SLD) and top-level domain (TLD).

roles/docker-openproject/Development.md

@@ -0,0 +1,15 @@
+# Development Notes
+
+## Get Settings
+
+## LDAP
+
+```bash
+docker compose exec web bash -c 'cd /app && RAILS_ENV=production bundle exec rails runner "puts Setting.all.select { |s| s.name.start_with?(\"ldap\") }.map { |s| \"#{s.name} = #{s.value}\" }"'
+```
+
+### All
+
+```bash
+docker compose exec web bash -c 'cd /app && RAILS_ENV=production bundle exec rails runner "Setting.all.each { |s| puts \"#{s.name} = #{s.value}\" }"'
+```

roles/docker-openproject/README.md

@@ -1,27 +1,34 @@
-# OpenProject Role
+# OpenProject 🧭
+
+## Description
+
+This role deploys [OpenProject](https://www.openproject.org/) using Docker Compose and provides a fully integrated experience for project collaboration with optional support for LDAP authentication and SMTP email delivery. Ideal for teams or individuals who want to get started with OpenProject quickly without manually setting up infrastructure.
 
 ## Overview
 
-This role is designed to deploy the [OpenProject](https://www.openproject.org/) application using Docker. It includes tasks for setting up the environment, pulling the Docker repository, and configuring a reverse proxy with Nginx. It was developed by [Kevin Veen-Birkenbach](https://www.veen.world/)
+Designed for simplicity, this role automates everything needed to run OpenProject in a containerized environment. It configures essential services such as the application itself, a PostgreSQL database, reverse proxy, and optional LDAP integration for identity management.
 
-## Handlers
+## Purpose
 
-Defined in `handlers/main.yml`, the handler `recreate openproject` is used for recreating the OpenProject instance with specific environment settings.
+The purpose of this role is to reduce the complexity of setting up OpenProject with modern production-ready defaults. By combining Docker Compose and Ansible automation, it enables a hands-off setup for both small teams and larger internal infrastructures.
 
-## Tasks
+## Features
 
-Outlined in `tasks/main.yml`, the role includes tasks for:
+- 🐳 **Docker-First Deployment**: Uses Docker Compose to launch the entire OpenProject stack.
+- 🔒 **LDAP Integration (optional)**: Automatically connects to your LDAP server for centralized authentication.
+- 📬 **SMTP Configuration**: Sends notification emails via your own mail server.
+- 🧩 **OIDC Ready**: Prepared to extend with OpenID Connect login (e.g., Keycloak).
+- 🔄 **Plugin Support**: Supports custom plugin installation via a pluggable `Gemfile.plugins`.
+- 🛠️ **Role-Oriented Architecture**: Easily integrates with your infrastructure (e.g., database, reverse proxy).
 
-- Including Nginx Docker proxy domain tasks.
+## Developer Notes
-- Creating the repository directory.
-- Pulling the OpenProject Docker repository.
-- Warning if the repository is not reachable.
-- Copying the `.env` file from a template.
 
-## Usage
+See the [Development.md](./Development.md) file for how to inspect and modify live settings inside the container, including full LDAP and SMTP configuration via the Rails console.
 
-To use this role, include it in your Ansible playbook and set the necessary variables, especially those required in the `.env` file template.
+## Credits 📝
 
-## Notes
+Developed and maintained by **Kevin Veen-Birkenbach**  
+Learn more at [www.veen.world](https://www.veen.world)
 
-Ensure that Docker and Docker Compose are installed and configured correctly on the target machine. Also, ensure that the necessary ports are open and accessible.
+Part of the [CyMaIS Project](https://github.com/kevinveenbirkenbach/cymais)  
+License: [CyMaIS NonCommercial License (CNCL)](https://s.veen.world/cncl)

roles/docker-openproject/meta/main.yml

@@ -0,0 +1,27 @@
+---
+galaxy_info:
+  author: "Kevin Veen-Birkenbach"
+  description: "Deploys OpenProject with full Docker Compose integration and optional LDAP/SMTP/SSO setup."
+  license: "CyMaIS NonCommercial License (CNCL)"
+  license_url: "https://s.veen.world/cncl"
+  company: |
+    Kevin Veen-Birkenbach  
+    Consulting & Coaching Solutions  
+    https://www.veen.world
+  min_ansible_version: "2.9"
+  platforms:
+    - name: Archlinux
+      versions:
+        - rolling
+  galaxy_tags:
+    - openproject
+    - project-management
+    - docker
+    - compose
+    - ldap
+    - sso
+    - automation
+  repository: https://s.veen.world/cymais
+  issue_tracker_url: https://s.veen.world/cymaisissues
+  documentation: https://s.veen.world/cymais
+dependencies: []

roles/docker-openproject/tasks/ldap.yml

@@ -0,0 +1,47 @@
+- name: "Create LDAP auth source"
+  community.postgresql.postgresql_query:
+    db: openproject
+    login_user: postgres
+    query: >
+      INSERT INTO ldap_auth_sources
+      (name, host, port, account, account_password, base_dn, attr_login,
+       attr_firstname, attr_lastname, attr_mail, onthefly_register, attr_admin,
+       created_at, updated_at, tls_mode, filter_string, verify_peer, tls_certificate_string)
+      VALUES (
+        '{{ openproject_ldap.name }}',
+        '{{ openproject_ldap.host }}',
+        {{ openproject_ldap.port }},
+        '{{ openproject_ldap.account }}',
+        '{{ openproject_ldap.account_password }}',
+        '{{ openproject_ldap.base_dn }}',
+        '{{ openproject_ldap.attr_login }}',
+        '{{ openproject_ldap.attr_firstname }}',
+        '{{ openproject_ldap.attr_lastname }}',
+        '{{ openproject_ldap.attr_mail }}',
+        {{ openproject_ldap.onthefly_register }},
+        '{{ openproject_ldap.attr_admin }}',
+        NOW(),
+        NOW(),
+        {{ openproject_ldap.tls_mode }},
+        '{{ openproject_ldap.filter_string }}',
+        {{ openproject_ldap.verify_peer }},
+        '{{ openproject_ldap.tls_certificate_string }}'
+      )
+      ON CONFLICT (name) DO NOTHING;
+  become: true
+  vars_files:
+    - vars/ldap.yml
+
+- name: "Check existing LDAP sources"
+  community.postgresql.postgresql_query:
+    db: openproject
+    login_user: postgres
+    query: "SELECT id, name FROM ldap_auth_sources"
+  register: ldap_entries
+  when: enable_debug | bool
+
+- name: "Debug LDAP entries"
+  debug:
+    var: ldap_entries
+  when: enable_debug | bool
+

roles/docker-openproject/tasks/main.yml

@@ -44,3 +44,21 @@
 
 - name: "copy docker-compose.yml and env file"
   include_tasks: copy-docker-compose-and-env.yml
+
+- name: flush docker service
+  meta: flush_handlers
+
+- name: "Set OpenProject settings via rails"
+  vars:
+    rails_env: "RAILS_ENV=production"
+    rails_cmd: "bundle exec rails runner"
+  docker_container:
+    name: openproject-web
+    command: >
+      bash -c "cd /app &&
+      {{ rails_env }} {{ rails_cmd }} 'Setting[:{{ item.key }}] = {{ item.value | to_json }}'"
+  loop: "{{ openproject_settings | dict2items }}"
+
+- name: Setup LDAP
+  include_tasks: ldap.yml
+  when: applications[application_id].ldap.enabled | bool

roles/docker-openproject/vars/ldap.yml

@@ -0,0 +1,17 @@
+openproject_ldap:
+  name:                 "{{ primary_domain }}"                         # Display name for the LDAP connection in OpenProject
+  host:                 "{{ ldap.server.domain }}"                     # LDAP server address
+  port:                 "{{ ldap.server.port }}"                       # LDAP server port (typically 389 or 636)
+  account:              "{{ ldap.dn.administrator }}"                  # Bind DN (used for authentication)
+  account_password:     "{{ ldap.bind_credential }}"                   # Bind password
+  base_dn:              "{{ ldap.dn.users }}"                          # Base DN for user search
+  attr_login:           "{{ ldap.attributes.user_id | default('uid') }}" # LDAP attribute used for login
+  attr_firstname:       "givenName"                                    # LDAP attribute for first name
+  attr_lastname:        "sn"                                           # LDAP attribute for last name
+  attr_mail:            "mail"                                         # LDAP attribute for email
+  attr_admin:           ""                                             # Optional: LDAP attribute for admin group (leave empty if unused)
+  onthefly_register:    true                                           # Automatically create users on first login
+  tls_mode:             0                                              # 0 = No TLS, 1 = TLS, 2 = STARTTLS
+  verify_peer:          false                                          # Whether to verify the SSL certificate
+  filter_string:        ""                                             # Optional: Custom filter for users (e.g., "(objectClass=person)")
+  tls_certificate_string: ""                                          # Optional: Client certificate string for TLS (usually left empty)

roles/docker-openproject/vars/settings.yml

@@ -0,0 +1,7 @@
+openproject_settings:
+  email_delivery_method:  "smtp"
+  smtp_address:           "{{ system_email.host }}"
+  smtp_domain:            "{{ system_email.domain }}"
+  smtp_user_name:         "{{ system_email.username }}"
+  smtp_password:          "{{ system_email.password }}"
+  smtp_ssl:               false

roles/docker-taiga/vars/main.yml

@@ -6,4 +6,4 @@ email_backend:              "smtp"                                      ## use a
 docker_compose_init:        "{{docker_compose.directories.instance}}docker-compose-inits.yml.j2"
 taiga_image_backend:        "{{ 'robrotheram/taiga-back-openid' if applications[application_id].oidc.enabled else 'taigaio/taiga-back' }}"
 taiga_image_frontend:       "{{ 'robrotheram/taiga-front-openid' if applications[application_id].oidc.enabled else 'taigaio/taiga-front' }}"
-taiga_frontend_conf_path:   "{{docker_compose.directories.conf}}conf.json"
+taiga_frontend_conf_path:   "{{docker_compose.directories.config}}conf.json"