diff --git a/group_vars/all b/group_vars/all index f3721ad9..3e1f294a 100644 --- a/group_vars/all +++ b/group_vars/all @@ -1,16 +1,16 @@ # General -pause_duration: "120" # Database delay to wait for the central database before continue tasks -ip4_address: "127.0.0.1" # Change thie in inventory to the ip address of your server -backups_folder_path: "/Backups/" # Path to the backups folder +pause_duration: "120" # Database delay to wait for the central database before continue tasks +ip4_address: "127.0.0.1" # Change thie in inventory to the ip address of your server +backups_folder_path: "/Backups/" # Path to the backups folder ## Domain -primary_domain_tld: "localhost" # Top Level Domain of the server -primary_domain_sld: "cymais" # Second Level Domain of the server -primary_domain: "{{primary_domain_sld}}.{{primary_domain_tld}}" # Primary Domain of the server +primary_domain_tld: "localhost" # Top Level Domain of the server +primary_domain_sld: "cymais" # Second Level Domain of the server +primary_domain: "{{primary_domain_sld}}.{{primary_domain_tld}}" # Primary Domain of the server # Administrator -administrator_username: "administrator" # Username of the administrator -administrator_email: "{{administrator_username}}@{{primary_domain}}" # Email of the administrator +administrator_username: "administrator" # Username of the administrator +administrator_email: "{{administrator_username}}@{{primary_domain}}" # Email of the administrator #user_administrator_initial_password: EXAMPLE_PASSWORD_123456 # Example initialisation password needs to be set in inventory file # Email Configuration @@ -157,6 +157,7 @@ domain_gitea: "git.{{primary_domain}}" domain_gitlab: "gitlab.{{primary_domain}}" domain_portfolio: "{{primary_domain}}" domain_keycloak: "auth.{{primary_domain}}" +domain_ldap: "ldap.{{primary_domain}}" domain_listmonk: "newsletter.{{primary_domain}}" domain_mailu: "{{system_email_host}}" domain_mastodon: "microblog.{{primary_domain}}" @@ -245,9 +246,9 @@ keycloak_administrator_username: "{{administrator_username}}" #### LDAP ldap_version: "latest" +ldap_admin_version: "latest" ldap_administrator_username: "{{administrator_username}}" ldap_administrator_password: "{{user_administrator_initial_password}}" #CHANGE for security reasons -# ldap_database_password: # Needs to be defined in inventory #### Listmonk listmonk_admin_username: "{{administrator_username}}" diff --git a/playbook.servers.yml b/playbook.servers.yml index b41b1fa1..a692c588 100644 --- a/playbook.servers.yml +++ b/playbook.servers.yml @@ -306,6 +306,15 @@ domain: "{{domain_keycloak}}" http_port: 8032 +- name: setup ldap + hosts: ldap + become: true + roles: + - role: docker-ldap + vars: + domain: "{{domain_ldap}}" + http_port: 8033 + # Native Webserver Roles - name: setup nginx-static-repositorys hosts: nginx-static-repositorys diff --git a/roles/docker-ldap/README.md b/roles/docker-ldap/README.md index be992170..001b59d4 100644 --- a/roles/docker-ldap/README.md +++ b/roles/docker-ldap/README.md @@ -4,4 +4,7 @@ Draft role for an LDAP implementation with sso. - [ChatGPT Conversation](https://chat.openai.com/share/77919994-5d44-4a64-877d-b572d67483d4) - [Discouse Documentation](https://forum.veen.world/t/cymais-ldap-implementierung-documentation/49) - [Setup Guide](https://goneuland.de/ldap-nextcloud-und-mailserver-in-docker/) -- https://hub.docker.com/r/bitnami/openldap \ No newline at end of file +- https://hub.docker.com/r/bitnami/openldap +- https://github.com/LDAPAccountManager/docker +- https://github.com/LDAPAccountManager/lam/blob/develop/lam-packaging/docker/.env +- https://github.com/leenooks/phpLDAPadmin/wiki/Docker-Container \ No newline at end of file diff --git a/roles/docker-ldap/tasks/main.yml b/roles/docker-ldap/tasks/main.yml new file mode 100644 index 00000000..a71310ec --- /dev/null +++ b/roles/docker-ldap/tasks/main.yml @@ -0,0 +1,23 @@ +--- +- name: "include docker/compose/common.yml" + include_tasks: docker/compose/common.yml + +# optimize +- name: "include tasks nginx-docker-proxy-domain.yml" + include_tasks: nginx-docker-proxy-domain.yml + +- name: "create {{docker_compose_instance_directory}}" + file: + path: "{{docker_compose_instance_directory}}" + state: directory + mode: 0755 + +- name: "include the nginx-docker-cert-deploy role" + include_role: + name: nginx-docker-cert-deploy + +- name: add docker-compose.yml + template: + src: "docker-compose.yml.j2" + dest: "{{docker_compose_instance_directory}}docker-compose.yml" + notify: docker compose project setup \ No newline at end of file diff --git a/roles/docker-ldap/templates/docker-compose.yml.j2 b/roles/docker-ldap/templates/docker-compose.yml.j2 index 70fa0765..96fc5621 100644 --- a/roles/docker-ldap/templates/docker-compose.yml.j2 +++ b/roles/docker-ldap/templates/docker-compose.yml.j2 @@ -1,6 +1,15 @@ services: - {% include 'templates/docker/services/' + database_type + '.yml.j2' %} - + phpldapadmin: + image: leenooks/phpldapadmin:{{ldap_admin_version}} + logging: + driver: journald + restart: {{docker_restart_policy}} + ports: + - 127.0.0.1:{{http_port}}:8080 + environment: + # @See https://github.com/leenooks/phpLDAPadmin/wiki/Docker-Container + APP_URL: https://{{domain}} + LDAP_HOST: {{domain}} openldap: image: bitnami/openldap:{{ldap_version}} logging: @@ -10,6 +19,8 @@ services: - '127.0.0.1:389:1389' # Expose just on local host for security reasons - '636:636' # Expose to internet environment: + # @See https://hub.docker.com/r/bitnami/openldap + # GENERAL LDAP_ADMIN_USERNAME: {{ldap_administrator_username}} # LDAP database admin user. LDAP_ADMIN_PASSWORD: {{ldap_administrator_password}} # LDAP database admin password. @@ -19,22 +30,16 @@ services: LDAP_ADMIN_DN: {{ldap_admin_dn}} # TLS - LDAP_ENABLE_TLS: yes # Whether to enable TLS for traffic or not. Defaults to no - LDAP_REQUIRE_TLS: yes # Whether connections must use TLS. Will only be applied with LDAP_ENABLE_TLS active. Defaults to no - LDAP_LDAPS_PORT_NUMBER: 636 # Port used for TLS secure traffic. Priviledged port is supported (e.g. 636). Default: 1636 (non privileged port). - LDAP_TLS_CERT_FILE: File containing the certificate file for the TLS traffic. No defaults. - LDAP_TLS_KEY_FILE: File containing the key for certificate. No defaults. - LDAP_TLS_CA_FILE: File containing the CA of the certificate. No defaults. - LDAP_TLS_DH_PARAMS_FILE: File containing the DH parameters. No defaults. - - # Database Configuration - MARIADB_ROOT_PASSWORD=root-password - MARIADB_USER=customuser - MARIADB_DATABASE=customdatabase - MARIADB_ENABLE_LDAP=yes + LDAP_ENABLE_TLS: yes # Whether to enable TLS for traffic or not. Defaults to no + LDAP_REQUIRE_TLS: yes # Whether connections must use TLS. Will only be applied with LDAP_ENABLE_TLS active. Defaults to no + LDAP_LDAPS_PORT_NUMBER: 636 # Port used for TLS secure traffic. Priviledged port is supported (e.g. 636). Default: 1636 (non privileged port). + LDAP_TLS_CERT_FILE: /certs/cert.pem # File containing the certificate file for the TLS traffic. No defaults. + LDAP_TLS_KEY_FILE: /certs/key.pem # File containing the key for certificate. No defaults. + #LDAP_TLS_CA_FILE: # File containing the CA of the certificate. No defaults. + #LDAP_TLS_DH_PARAMS_FILE: # File containing the DH parameters. No defaults. volumes: + - {{cert_mount_directory}}:/certs - 'data:/bitnami/openldap' -{% include 'templates/docker/container/depends-on-just-database.yml.j2' %} {% include 'templates/docker/container/networks.yml.j2' %} {% include 'templates/docker/compose/volumes.yml.j2' %} data: diff --git a/roles/docker-ldap/vars/main.yml b/roles/docker-ldap/vars/main.yml index 0ef66621..266cc2bc 100644 --- a/roles/docker-ldap/vars/main.yml +++ b/roles/docker-ldap/vars/main.yml @@ -1,5 +1,3 @@ docker_compose_project_name: "ldap" -database_type: "postgres" -database_password: "{{ldap_database_password}}" ldap_root: "dc={{primary_domain_sld}},dc={{primary_domain_tld}}" ldap_admin_dm: "cn={{ldap_administrator_username}},{{ldap_root}}" \ No newline at end of file