kevinveenbirkenbach/computer-playbook
1
0
Fork 0
mirror of https://github.com/kevinveenbirkenbach/computer-playbook.git synced 2025-04-28 10:26:54 +02:00
Code Issues Packages Projects Releases Wiki Activity

Activated auto settings for ldap and smtp

Browse Source
This commit is contained in:
Kevin Veen-Birkenbach 2025-04-07 09:19:37 +02:00
parent fe39a7f701
commit 2997fb4f5f
No known key found for this signature in database
GPG Key ID: 44D8F11FD62F878E
9 changed files with 154 additions and 18 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
group_vars/all/11_iam.yml
View File

@ -34,8 +34,6 @@ _ldap_dn_base: "dc={{primary_domain_sld}},dc={{primary_domain_tld}}"
_ldap_server_port: "{% if applications.ldap.openldap.network.local | bool %}{{ ports.localhost.ldap.openldap }}{% else %}{{ ports.localhost.ldaps.openldap }}{% endif %}"
ldap:
# Enables LDAP for all roles in play if true
enabled: true
# Distinguished Names (DN)
dn:
# Defines the base Distinguished Name (DN) for the LDAP directory, constructed from the second-level domain (SLD) and top-level domain (TLD).

15
roles/docker-openproject/Development.md Normal file
View File

@ -0,0 +1,15 @@
# Development Notes
## Get Settings
## LDAP
```bash
docker compose exec web bash -c 'cd /app && RAILS_ENV=production bundle exec rails runner "puts Setting.all.select { |s| s.name.start_with?(\"ldap\") }.map { |s| \"#{s.name} = #{s.value}\" }"'
```
### All
```bash
docker compose exec web bash -c 'cd /app && RAILS_ENV=production bundle exec rails runner "Setting.all.each { |s| puts \"#{s.name} = #{s.value}\" }"'
```

37
roles/docker-openproject/README.md
View File

@ -1,27 +1,34 @@
# OpenProject Role
# OpenProject 🧭
## Description
This role deploys [OpenProject](https://www.openproject.org/) using Docker Compose and provides a fully integrated experience for project collaboration with optional support for LDAP authentication and SMTP email delivery. Ideal for teams or individuals who want to get started with OpenProject quickly without manually setting up infrastructure.
## Overview
This role is designed to deploy the [OpenProject](https://www.openproject.org/) application using Docker. It includes tasks for setting up the environment, pulling the Docker repository, and configuring a reverse proxy with Nginx. It was developed by [Kevin Veen-Birkenbach](https://www.veen.world/)
Designed for simplicity, this role automates everything needed to run OpenProject in a containerized environment. It configures essential services such as the application itself, a PostgreSQL database, reverse proxy, and optional LDAP integration for identity management.
## Handlers
## Purpose
Defined in `handlers/main.yml`, the handler `recreate openproject` is used for recreating the OpenProject instance with specific environment settings.
The purpose of this role is to reduce the complexity of setting up OpenProject with modern production-ready defaults. By combining Docker Compose and Ansible automation, it enables a hands-off setup for both small teams and larger internal infrastructures.
## Tasks
## Features
Outlined in `tasks/main.yml`, the role includes tasks for:
- 🐳 **Docker-First Deployment**: Uses Docker Compose to launch the entire OpenProject stack.
- 🔒 **LDAP Integration (optional)**: Automatically connects to your LDAP server for centralized authentication.
- 📬 **SMTP Configuration**: Sends notification emails via your own mail server.
- 🧩 **OIDC Ready**: Prepared to extend with OpenID Connect login (e.g., Keycloak).
- 🔄 **Plugin Support**: Supports custom plugin installation via a pluggable `Gemfile.plugins`.
- 🛠️ **Role-Oriented Architecture**: Easily integrates with your infrastructure (e.g., database, reverse proxy).
- Including Nginx Docker proxy domain tasks.
- Creating the repository directory.
- Pulling the OpenProject Docker repository.
- Warning if the repository is not reachable.
- Copying the `.env` file from a template.
## Developer Notes
## Usage
See the [Development.md](./Development.md) file for how to inspect and modify live settings inside the container, including full LDAP and SMTP configuration via the Rails console.
To use this role, include it in your Ansible playbook and set the necessary variables, especially those required in the `.env` file template.
## Credits 📝
## Notes
Developed and maintained by **Kevin Veen-Birkenbach**
Learn more at [www.veen.world](https://www.veen.world)
Ensure that Docker and Docker Compose are installed and configured correctly on the target machine. Also, ensure that the necessary ports are open and accessible.
Part of the [CyMaIS Project](https://github.com/kevinveenbirkenbach/cymais)
License: [CyMaIS NonCommercial License (CNCL)](https://s.veen.world/cncl)

27
roles/docker-openproject/meta/main.yml Normal file
View File

@ -0,0 +1,27 @@
---
galaxy_info:
author: "Kevin Veen-Birkenbach"
description: "Deploys OpenProject with full Docker Compose integration and optional LDAP/SMTP/SSO setup."
license: "CyMaIS NonCommercial License (CNCL)"
license_url: "https://s.veen.world/cncl"
company: |
Kevin Veen-Birkenbach
Consulting & Coaching Solutions
https://www.veen.world
min_ansible_version: "2.9"
platforms:
- name: Archlinux
versions:
- rolling
galaxy_tags:
- openproject
- project-management
- docker
- compose
- ldap
- sso
- automation
repository: https://s.veen.world/cymais
issue_tracker_url: https://s.veen.world/cymaisissues
documentation: https://s.veen.world/cymais
dependencies: []

47
roles/docker-openproject/tasks/ldap.yml Normal file
View File

@ -0,0 +1,47 @@
- name: "Create LDAP auth source"
community.postgresql.postgresql_query:
db: openproject
login_user: postgres
query: >
INSERT INTO ldap_auth_sources
(name, host, port, account, account_password, base_dn, attr_login,
attr_firstname, attr_lastname, attr_mail, onthefly_register, attr_admin,
created_at, updated_at, tls_mode, filter_string, verify_peer, tls_certificate_string)
VALUES (
'{{ openproject_ldap.name }}',
'{{ openproject_ldap.host }}',
{{ openproject_ldap.port }},
'{{ openproject_ldap.account }}',
'{{ openproject_ldap.account_password }}',
'{{ openproject_ldap.base_dn }}',
'{{ openproject_ldap.attr_login }}',
'{{ openproject_ldap.attr_firstname }}',
'{{ openproject_ldap.attr_lastname }}',
'{{ openproject_ldap.attr_mail }}',
{{ openproject_ldap.onthefly_register }},
'{{ openproject_ldap.attr_admin }}',
NOW(),
NOW(),
{{ openproject_ldap.tls_mode }},
'{{ openproject_ldap.filter_string }}',
{{ openproject_ldap.verify_peer }},
'{{ openproject_ldap.tls_certificate_string }}'
)
ON CONFLICT (name) DO NOTHING;
become: true
vars_files:
- vars/ldap.yml
- name: "Check existing LDAP sources"
community.postgresql.postgresql_query:
db: openproject
login_user: postgres
query: "SELECT id, name FROM ldap_auth_sources"
register: ldap_entries
when: enable_debug | bool
- name: "Debug LDAP entries"
debug:
var: ldap_entries
when: enable_debug | bool

18
roles/docker-openproject/tasks/main.yml
View File

@ -44,3 +44,21 @@
- name: "copy docker-compose.yml and env file"
include_tasks: copy-docker-compose-and-env.yml
- name: flush docker service
meta: flush_handlers
- name: "Set OpenProject settings via rails"
vars:
rails_env: "RAILS_ENV=production"
rails_cmd: "bundle exec rails runner"
docker_container:
name: openproject-web
command: >
bash -c "cd /app &&
{{ rails_env }} {{ rails_cmd }} 'Setting[:{{ item.key }}] = {{ item.value | to_json }}'"
loop: "{{ openproject_settings | dict2items }}"
- name: Setup LDAP
include_tasks: ldap.yml
when: applications[application_id].ldap.enabled | bool

17
roles/docker-openproject/vars/ldap.yml Normal file
View File

@ -0,0 +1,17 @@
openproject_ldap:
name: "{{ primary_domain }}" # Display name for the LDAP connection in OpenProject
host: "{{ ldap.server.domain }}" # LDAP server address
port: "{{ ldap.server.port }}" # LDAP server port (typically 389 or 636)
account: "{{ ldap.dn.administrator }}" # Bind DN (used for authentication)
account_password: "{{ ldap.bind_credential }}" # Bind password
base_dn: "{{ ldap.dn.users }}" # Base DN for user search
attr_login: "{{ ldap.attributes.user_id | default('uid') }}" # LDAP attribute used for login
attr_firstname: "givenName" # LDAP attribute for first name
attr_lastname: "sn" # LDAP attribute for last name
attr_mail: "mail" # LDAP attribute for email
attr_admin: "" # Optional: LDAP attribute for admin group (leave empty if unused)
onthefly_register: true # Automatically create users on first login
tls_mode: 0 # 0 = No TLS, 1 = TLS, 2 = STARTTLS
verify_peer: false # Whether to verify the SSL certificate
filter_string: "" # Optional: Custom filter for users (e.g., "(objectClass=person)")
tls_certificate_string: "" # Optional: Client certificate string for TLS (usually left empty)

7
roles/docker-openproject/vars/settings.yml Normal file
View File

@ -0,0 +1,7 @@
openproject_settings:
email_delivery_method: "smtp"
smtp_address: "{{ system_email.host }}"
smtp_domain: "{{ system_email.domain }}"
smtp_user_name: "{{ system_email.username }}"
smtp_password: "{{ system_email.password }}"
smtp_ssl: false

2
roles/docker-taiga/vars/main.yml
View File

@ -6,4 +6,4 @@ email_backend: "smtp" ## use a
docker_compose_init: "{{docker_compose.directories.instance}}docker-compose-inits.yml.j2"
taiga_image_backend: "{{ 'robrotheram/taiga-back-openid' if applications[application_id].oidc.enabled else 'taigaio/taiga-back' }}"
taiga_image_frontend: "{{ 'robrotheram/taiga-front-openid' if applications[application_id].oidc.enabled else 'taigaio/taiga-front' }}"
taiga_frontend_conf_path: "{{docker_compose.directories.conf}}conf.json"
taiga_frontend_conf_path: "{{docker_compose.directories.config}}conf.json"