From a13bd1883e1dac20f37a8acd98323a1e1ede15c1 Mon Sep 17 00:00:00 2001
From: Kevin Veen-Birkenbach <kevin@veen.world>
Date: Tue, 8 Apr 2025 11:23:16 +0200
Subject: [PATCH] In between commit refactoring LDAP, to continue working on other computer
---
 group_vars/all/07_applications.yml | 69 +++++++-----
 group_vars/all/09_ports.yml | 102 +++++++++--------
 group_vars/all/10_networks.yml | 7 ++
 roles/docker-lam/tasks/main.yml | 13 +++
 .../templates/docker-compose.yml.j2 | 18 ++++
 roles/docker-lam/templates/env.j2 | 14 +++
 roles/docker-lam/vars/main.yml | 1 +
 roles/docker-ldap/tasks/lam.yml | 33 ------
 roles/docker-ldap/tasks/main.yml | 20 ----
 .../templates/docker-compose.yml.j2 | 29 +----
 .../templates/lam/default.group.j2 | 1 -
 roles/docker-ldap/templates/lam/env.j2 | 13 ---
 .../templates/lam/groupOfNames.conf.j2 | 5 -
 roles/docker-ldap/vars/lam.yml | 1 -
 roles/docker-phpldapadmin/tasks/main.yml | 13 +++
 .../templates/docker-compose.yml.j2 | 19 ++++
 .../templates/env.j2} | 0
 roles/docker-phpldapadmin/vars/main.yml | 1 +
 18 files changed, 183 insertions(+), 176 deletions(-)
 create mode 100644 roles/docker-lam/tasks/main.yml
 create mode 100644 roles/docker-lam/templates/docker-compose.yml.j2
 create mode 100644 roles/docker-lam/templates/env.j2
 create mode 100644 roles/docker-lam/vars/main.yml
 delete mode 100644 roles/docker-ldap/tasks/lam.yml
 delete mode 100644 roles/docker-ldap/templates/lam/default.group.j2
 delete mode 100644 roles/docker-ldap/templates/lam/env.j2
 delete mode 100644 roles/docker-ldap/templates/lam/groupOfNames.conf.j2
 delete mode 100644 roles/docker-ldap/vars/lam.yml
 create mode 100644 roles/docker-phpldapadmin/tasks/main.yml
 create mode 100644 roles/docker-phpldapadmin/templates/docker-compose.yml.j2
 rename roles/{docker-ldap/templates/phpldapadmin.env.j2 => docker-phpldapadmin/templates/env.j2} (100%)
 create mode 100644 roles/docker-phpldapadmin/vars/main.yml
diff --git a/group_vars/all/07_applications.yml b/group_vars/all/07_applications.yml
index 3e5bc696..8d3b2c24 100644
--- a/group_vars/all/07_applications.yml
+++ b/group_vars/all/07_applications.yml
@@ -213,38 +213,35 @@ defaults_applications: css_enabled: "{{css_enabled_default}}" # Enables\Disables Global CSS Style landingpage_iframe_enabled: false # Disabled by default, because it leads to authentification problems + # LDAP Account Manager + lam: + version: "latest" +# administrator_password: "{{users.administrator.initial_password}}" # CHANGE for security reasons + ldap: + enabled: True # Should have the same value as applications.ldap.network.local. + oauth2_proxy: + enabled: true # Activate the OAuth2 Proxy for the LDAP Webinterface + application: application # Needs to be the same as webinterface + port: 80 # application port +# cookie_secret: None # Set via openssl rand -hex 16 + matomo_tracking_enabled: "{{matomo_tracking_enabled_default}}" # Enables\Disables Matomo Tracking + css_enabled: "{{css_enabled_default}}" # Enables\Disables Global CSS Style + landingpage_iframe_enabled: "{{landingpage_iframe_enabled_default}}" # Enables\Disables the possibility to embed this on landing page via iframe + ## LDAP ldap: - lam: - version: "latest" - administrator_password: "{{users.administrator.initial_password}}" # CHANGE for security reasons - openldap: - version: "latest" - network: - local: True # Activates local network to allow other docker containers to connect - public: False # Set to true in inventory file if you want to expose the LDAP port to the internet - hostname: "openldap" # Hostname of the LDAP Server in the central_ldap network - phpldapadmin: - version: "2.0.0-dev" # @todo Attention: Change this as fast as released to latest + version: "latest" + network: + local: True # Activates local network to allow other docker containers to connect + public: False # Set to true in inventory file if you want to expose the LDAP port to the internet + hostname: "openldap" # Hostname of the LDAP Server in the central_ldap network webinterface: "lam" # The webinterface which should be used. 
Possible: lam and phpldapadmin users: administrator: username: "{{users.administrator.username}}" - ldap: - enabled: True # Should have the same value as applications.ldap.openldap.network.local. - oauth2_proxy: - enabled: true # Activate the OAuth2 Proxy for the LDAP Webinterface - application: lam # Needs to be the same as webinterface - port: 80 # If you use phpldapadmin set it to 8080 -# cookie_secret: None # Set via openssl rand -hex 16 - database: - central_storage: false # LDAP doesn't use an database in the current configuration. Propably a good idea to implement one later. # administrator_password: # CHANGE for security reasons in inventory file # administrator_database_password: # CHANGE for security reasons in inventory file force_import: False # Forces the import of the LDIF files - matomo_tracking_enabled: "{{matomo_tracking_enabled_default}}" # Enables\Disables Matomo Tracking - css_enabled: "{{css_enabled_default}}" # Enables\Disables Global CSS Style - landingpage_iframe_enabled: "{{landingpage_iframe_enabled_default}}" # Enables\Disables the possibility to embed this on landing page via iframe ## Libre Office libreoffice: 
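Review bot: `administrator_password` is commented out in the new `lam` defaults, yet `roles/docker-lam/templates/env.j2` in this same patch renders `{{applications[application_id].administrator_password}}` into `LAM_PASSWORD`, so an inventory that does not set it will either fail at template time or ship an empty LAM master password, depending on Ansible's undefined-variable handling, which this diff does not show. State the contract where the default used to be: `# administrator_password: # REQUIRED: set in the inventory; rendered as LAM_PASSWORD by roles/docker-lam/templates/env.j2`. Separately, `application: application # Needs to be the same as webinterface` is stale now that the `webinterface` selector no longer drives the container; the value has to match the compose service name, so `# Needs to be the same as the service name in docker-compose.yml.j2` fits here and in the `phpldapadmin` block added in the `@@ -653,6 +650,20 @@` hunk. The `True`/`False` capitalised booleans in the new `ldap`/`network` keys would also be better as `true`/`false` to stay portable across YAML 1.1/1.2 loaders.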
@@ -290,14 +287,14 @@ defaults_applications: ## Matomo matomo: - version: "latest" + version: "latest" oauth2_proxy: - enabled: false # Deactivated atm. @todo implement -# cookie_secret: None # Set via openssl rand -hex 16 -# database_password: Null # Needs to be set in inventory file -# auth_token: Null # Needs to be set in inventory file + enabled: false # Deactivated atm. @todo implement +# cookie_secret: None # Set via openssl rand -hex 16 +# database_password: Null # Needs to be set in inventory file +# auth_token: Null # Needs to be set in inventory file database: - central_storage: True # Activate Central Database Storage + central_storage: True # Activate Central Database Storage matomo_tracking_enabled: false # Activate in inventory file if you want to have the statistics, as soon as matomo is running css_enabled: false # Not optimized yet for matomo landingpage_iframe_enabled: "{{landingpage_iframe_enabled_default}}" # Enables\Disables the possibility to embed this on landing page via iframe 
@@ -653,6 +650,20 @@ defaults_applications: css_enabled: "{{ css_enabled_default }}" # Enables/Disables global CSS styling landingpage_iframe_enabled: "{{ landingpage_iframe_enabled_default }}" # Enables/Disables embedding via iframe + ## phpLDAPadmin + phpldapadmin: + version: "2.0.0-dev" # @todo Attention: Change this as fast as released to latest + ldap: + enabled: True # Should have the same value as applications.ldap.network.local. + oauth2_proxy: + enabled: true # Activate the OAuth2 Proxy for the LDAP Webinterface + application: application # Needs to be the same as webinterface + port: 8080 # application port +# cookie_secret: None # Set via openssl rand -hex 16 + matomo_tracking_enabled: "{{matomo_tracking_enabled_default}}" # Enables\Disables Matomo Tracking + css_enabled: "{{css_enabled_default}}" # Enables\Disables Global CSS Style + landingpage_iframe_enabled: "{{landingpage_iframe_enabled_default}}" # Enables\Disables the possibility to embed this on landing page via iframe + ## PHPMyAdmin phpmyadmin: version: "latest" # Use the latest phpmyadmin version diff --git a/group_vars/all/09_ports.yml b/group_vars/all/09_ports.yml index e4346d23..9ae18381 100644 --- a/group_vars/all/09_ports.yml +++ b/group_vars/all/09_ports.yml 
@@ -2,62 +2,66 @@ ports: # Ports which are exposed to localhost localhost: web_socket: - mastodon: 4001 + mastodon: 4001 oauth2_proxy: - phpmyadmin: 4181 - ldap: 4182 - openproject: 4183 - yourls: 4184 - pgadmin: 4185 + phpmyadmin: 4181 + lam: 4182 + openproject: 4183 + yourls: 4184 + pgadmin: 4185 + phpldapadmin: 4186 + fusiondirectory: 4187 ldap: - openldap: 389 + openldap: 389 http: - nextcloud: 8001 - gitea: 8002 - wordpress: 8003 - mediawiki: 8004 - mybb: 8005 - yourls: 8006 - mailu: 8007 - elk: 8008 - mastodon: 8009 - pixelfed: 8010 - peertube: 8011 - funkwhale: 8012 - roulette-wheel: 8013 - joomla: 8014 - attendize: 8015 - pgadmin: 8016 - baserow: 8017 - matomo: 8018 - listmonk: 8019 - discourse: 8020 - matrix_synapse: 8021 - matrix_element: 8022 - openproject: 8023 - gitlab: 8024 - akaunting: 8025 - moodle: 8026 - taiga: 8027 - friendica: 8028 - portfolio: 8029 - bluesky_api: 8030 - bluesky_web: 8031 - keycloak: 8032 - ldap: 8033 - phpmyadmin: 8034 - snipe_it: 8035 - sphinx: 8036 - bigbluebutton: 48087 # This port is predefined by bbb. @todo Try to change this to a 8XXX port + nextcloud: 8001 + gitea: 8002 + wordpress: 8003 + mediawiki: 8004 + mybb: 8005 + yourls: 8006 + mailu: 8007 + elk: 8008 + mastodon: 8009 + pixelfed: 8010 + peertube: 8011 + funkwhale: 8012 + roulette-wheel: 8013 + joomla: 8014 + attendize: 8015 + pgadmin: 8016 + baserow: 8017 + matomo: 8018 + listmonk: 8019 + discourse: 8020 + matrix_synapse: 8021 + matrix_element: 8022 + openproject: 8023 + gitlab: 8024 + akaunting: 8025 + moodle: 8026 + taiga: 8027 + friendica: 8028 + portfolio: 8029 + bluesky_api: 8030 + bluesky_web: 8031 + keycloak: 8032 + lam: 8033 + phpmyadmin: 8034 + snipe_it: 8035 + sphinx: 8036 + phpldapadmin: 8037 + fusiondirectory: 8038 + bigbluebutton: 48087 # This port is predefined by bbb. 
@todo Try to change this to a 8XXX port # Ports which are exposed to the World Wide Web public: # The following ports should be changed to 22 on the subdomain via stream mapping ssh: - gitea: 2201 - gitlab: 2202 + gitea: 2201 + gitlab: 2202 ldaps: - openldap: 636 + openldap: 636 stun: - bigbluebutton: 3478 # Not sure if it's right placed here or if it should be moved to localhost section + bigbluebutton: 3478 # Not sure if it's right placed here or if it should be moved to localhost section turn: - bigbluebutton: 5349 # Not sure if it's right placed here or if it should be moved to localhost section + bigbluebutton: 5349 # Not sure if it's right placed here or if it should be moved to localhost section diff --git a/group_vars/all/10_networks.yml b/group_vars/all/10_networks.yml index 13e4e546..9e2e51d3 100644 --- a/group_vars/all/10_networks.yml +++ b/group_vars/all/10_networks.yml @@ -72,6 +72,13 @@ defaults_networks: subnet: 192.168.102.208/28 sphinx: subnet: 192.168.102.224/28 + lam: + subnet: 192.168.103.0/28 + phpldapadmin: + subnet: 192.168.103.16/28 + fusiondirectory: + subnet: 192.168.103.32/28 + # /24 Networks / 254 Usable Clients bigbluebutton: subnet: 10.7.7.0/24 # This variable does not have an impact. It's just there for documentation reasons, because this network is used in bbb diff --git a/roles/docker-lam/tasks/main.yml b/roles/docker-lam/tasks/main.yml new file mode 100644 index 00000000..65e23553 --- /dev/null +++ b/roles/docker-lam/tasks/main.yml @@ -0,0 +1,13 @@ +- name: "include docker-compose role" + include_role: + name: docker-compose + +- name: "include role nginx-domain-setup for {{application_id}}" + include_role: + name: nginx-domain-setup + vars: + domain: "{{ domains[application_id] }}" + http_port: "{{ ports.localhost.http[application_id] }}" + +- name: "copy docker-compose.yml and env file" + include_tasks: copy-docker-compose-and-env.yml 
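Review bot: This new tasks file is byte-identical to `roles/docker-phpldapadmin/tasks/main.yml` added later in the patch (both carry blob `65e23553`), and the only role-specific input is `application_id` from each role's `vars/main.yml`; with `fusiondirectory` ports and a subnet already reserved in this patch, a third copy is likely and the copies will drift. A shared task file pulled in with `include_tasks`, or at least a header comment `# Generic web-app setup; keep in sync with roles/docker-phpldapadmin/tasks/main.yml`, would make the intent explicit. Whether the role still ensures the container joins the `central_ldap` network that the defaults' `ldap.enabled` comment presumes is not visible here, since network handling lives in the included templates.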
diff --git a/roles/docker-lam/templates/docker-compose.yml.j2 b/roles/docker-lam/templates/docker-compose.yml.j2 new file mode 100644 index 00000000..ec1c9c02 --- /dev/null +++ b/roles/docker-lam/templates/docker-compose.yml.j2 @@ -0,0 +1,18 @@ +services: + +{% include 'roles/docker-oauth2-proxy/templates/container.yml.j2' %} + + application: + container_name: {{ application_id }} + logging: + driver: journald + restart: {{docker_restart_policy}} + image: ghcr.io/ldapaccountmanager/lam:{{applications[application_id].version}} + ports: + - 127.0.0.1:{{ports.localhost.http[application_id]}}:80 +{% include 'roles/docker-compose/templates/services/base.yml.j2' %} +{% include 'templates/docker/container/networks.yml.j2' %} + +{# include 'templates/docker/compose/volumes.yml.j2' #} + +{% include 'templates/docker/compose/networks.yml.j2' %} diff --git a/roles/docker-lam/templates/env.j2 b/roles/docker-lam/templates/env.j2 new file mode 100644 index 00000000..8fe70b81 --- /dev/null +++ b/roles/docker-lam/templates/env.j2 @@ -0,0 +1,14 @@ +# See all variables here: +# https://github.com/LDAPAccountManager/lam/blob/develop/lam-packaging/docker/.env + +# Basic Configuration +LAM_PASSWORD= {{applications[application_id].administrator_password}} # LAM configuration master password and password for server profile "lam + +# Database +LAM_CONFIGURATION_DATABASE= files # configuration database (files or mysql) @todo implement mariadb + +# LDAP Configuration +LDAP_SERVER= {{ldap.server.domain}} # domain of LDAP database root entry +LDAP_BASE_DN= {{ldap.dn.root}} # LDAP base DN to overwrite value generated by LDAP_DOMAIN +LDAP_USER= {{ldap.dn.administrator}} # LDAP admin user (set as login user for LAM) +LDAP_ADMIN_PASSWORD= {{ldap.bind_credential}} # LDAP admin password \ No newline at end of file diff --git a/roles/docker-lam/vars/main.yml b/roles/docker-lam/vars/main.yml new file mode 100644 index 00000000..6b00064a --- /dev/null +++ b/roles/docker-lam/vars/main.yml 
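Review bot: The volumes include is disabled (`{# include 'templates/docker/compose/volumes.yml.j2' #}`) and the `application` service declares no `volumes:`, while the accompanying env.j2 sets `LAM_CONFIGURATION_DATABASE= files`, so as far as this patch shows LAM's server profiles and master-password configuration live only in the container layer and are lost whenever the container is recreated. The removed `roles/docker-ldap/templates/docker-compose.yml.j2` carried a (commented) mount of `lam_profiles_dir` to `/var/lib/ldap-account-manager/config/profiles/` that this role does not bring across. If leaving persistence out is deliberate for this intermediate commit, a `{# TODO: persist /var/lib/ldap-account-manager/config via volumes.yml.j2 #}` next to the disabled include records it; otherwise the old mount should be restored here.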
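Review bot: Every entry is written as `KEY= value # comment`, with a space after `=` and an inline comment, so the value the container receives depends on the env-file parser's trimming and comment rules; for the two secrets (`LAM_PASSWORD`, `LDAP_ADMIN_PASSWORD`) a credential containing ` #` would be silently truncated and one with a leading space would be altered, which surfaces only as a failed bind. Put the comments on their own lines and drop the space, e.g. `# LAM configuration master password and password for server profile "lam"` above `LAM_PASSWORD={{ applications[application_id].administrator_password }}`, and the same for the `LDAP_*` entries. The file also ends without a trailing newline after the last secret; adding one avoids relying on the parser tolerating that.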
@@ -0,0 +1 @@ +application_id: "lam" \ No newline at end of file diff --git a/roles/docker-ldap/tasks/lam.yml b/roles/docker-ldap/tasks/lam.yml deleted file mode 100644 index 09ba8c3c..00000000 --- a/roles/docker-ldap/tasks/lam.yml +++ /dev/null @@ -1,33 +0,0 @@ -- name: "load lam variables" - include_vars: - file: lam.yml - -- name: "Ensure LAM profiles directory exists" - file: - path: "{{ lam_profiles_dir }}" - state: directory - mode: '0755' - recurse: true - -#- name: "create {{docker_compose.directories.env}}lam.env" -# template: -# src: "lam/env.j2" -# dest: "{{docker_compose.directories.env}}lam.env" -# mode: '770' -# force: yes -# notify: docker compose project setup -# -#- name: "create default.group to enable groupOfNames in LAM" -# template: -# src: "lam/default.group.j2" -# dest: "{{ lam_profiles_dir }}/default.group" -# mode: '0644' -# notify: docker compose project setup -# -#- name: "Create groupOfNames.conf to enable groupOfNames as base module in LAM" -# template: -# src: "lam/groupOfNames.conf.j2" -# dest: "{{ lam_profiles_dir }}/groupOfNames.conf" -# mode: '0644' - - diff --git a/roles/docker-ldap/tasks/main.yml b/roles/docker-ldap/tasks/main.yml index 7130f4f7..08608889 100644 --- a/roles/docker-ldap/tasks/main.yml +++ b/roles/docker-ldap/tasks/main.yml @@ -3,13 +3,6 @@ include_role: name: docker-compose -- name: "include role nginx-domain-setup for {{application_id}}" - include_role: - name: nginx-domain-setup - vars: - domain: "{{ domains[application_id] }}" - http_port: "{{ ports.localhost.http[application_id] }}" - - name: Create {{domains[application_id]}}.conf if LDAP is exposed to internet template: src: "nginx.stream.conf.j2" 
@@ -29,20 +22,7 @@ state: present ipam_config: - subnet: "{{ networks.local.central_ldap.subnet }}" - -- name: "create {{docker_compose.directories.env}}phpldapadmin.env" - template: - src: "phpldapadmin.env.j2" - dest: "{{docker_compose.directories.env}}phpldapadmin.env" - mode: '770' - force: yes - notify: docker compose project setup - when: applications.ldap.webinterface == 'phpldapadmin' -- name: "execute lam tasks" - include_tasks: lam.yml - when: applications.ldap.webinterface == 'lam' - - name: "copy docker-compose.yml and env file" include_tasks: copy-docker-compose-and-env.yml diff --git a/roles/docker-ldap/templates/docker-compose.yml.j2 b/roles/docker-ldap/templates/docker-compose.yml.j2 index eaa0f05f..5f522b29 100644 --- a/roles/docker-ldap/templates/docker-compose.yml.j2 +++ b/roles/docker-ldap/templates/docker-compose.yml.j2 
@@ -2,32 +2,11 @@ services: {% include 'roles/docker-oauth2-proxy/templates/container.yml.j2' %} - {{applications.ldap.webinterface}}: - container_name: {{applications.ldap.webinterface}} - logging: - driver: journald - restart: {{docker_restart_policy}} -{% if applications.ldap.webinterface == 'lam' %} - image: ghcr.io/ldapaccountmanager/lam:{{applications.ldap.lam.version}} - ports: - - 127.0.0.1:{{ports.localhost.http.ldap}}:80 - env_file: - - "{{docker_compose.directories.env}}lam.env" -# volumes: -# - "{{ lam_profiles_dir }}:/var/lib/ldap-account-manager/config/profiles/" - -{% elif applications.ldap.webinterface == 'phpldapadmin' %} - image: leenooks/phpldapadmin:{{applications.ldap.phpldapadmin.version}} - ports: - - 127.0.0.1:{{ports.localhost.http.ldap}}:8080 - env_file: - - "{{docker_compose.directories.env}}phpldapadmin.env" -{% endif %} - openldap: - image: bitnami/openldap:{{applications.ldap.openldap.version}} - container_name: {{applications.ldap.openldap.hostname}} + application: + image: bitnami/openldap:{{ applications[application_id].version }} + container_name: {{ application_id }} {% include 'roles/docker-compose/templates/services/base.yml.j2' %} -{% if applications.ldap.openldap.network.public | bool %} +{% if applications[application_id].network.public | bool %} ports: - 127.0.0.1:{{ports.localhost.ldap.openldap}}:{{ldap_docker_port}} # Expose just on localhost so that nginx stream proxy can use it {% endif %} diff --git a/roles/docker-ldap/templates/lam/default.group.j2 b/roles/docker-ldap/templates/lam/default.group.j2 deleted file mode 100644 index d4bae6df..00000000 --- a/roles/docker-ldap/templates/lam/default.group.j2 +++ /dev/null @@ -1 +0,0 @@ -Modules: groupOfNames \ No newline at end of file diff --git a/roles/docker-ldap/templates/lam/env.j2 b/roles/docker-ldap/templates/lam/env.j2 deleted file mode 100644 index f5d4b75a..00000000 --- a/roles/docker-ldap/templates/lam/env.j2 +++ /dev/null 
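Review bot: The service is renamed to `application` and `container_name` becomes `{{ application_id }}`, but the defaults in this patch still carry `hostname: "openldap" # Hostname of the LDAP Server in the central_ldap network` under `applications.ldap.network`, and the removed lines used that value for `container_name`; unless this role's `application_id` happens to be `openldap` (its vars file is not in the diff), other containers resolving the LDAP server by the documented hostname will no longer find it. Keeping the name derived from the documented setting, `container_name: {{ applications[application_id].network.hostname }}`, preserves the name the `central_ldap` network resolves. The `ports.localhost.ldap.openldap` reference below remains consistent with the unchanged `openldap: 389` in 09_ports.yml.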
@@ -1,13 +0,0 @@ -# See all variables here: https://github.com/LDAPAccountManager/lam/blob/develop/lam-packaging/docker/.env - -# Basic Configuration -LAM_PASSWORD= {{applications.ldap.lam.administrator_password}} # LAM configuration master password and password for server profile "lam - -# Database -LAM_CONFIGURATION_DATABASE= files # configuration database (files or mysql) @todo implement mariadb - -# LDAP Configuration -LDAP_SERVER= {{ldap.server.domain}} # domain of LDAP database root entry -LDAP_BASE_DN= {{ldap.dn.root}} # LDAP base DN to overwrite value generated by LDAP_DOMAIN -LDAP_USER= {{ldap.dn.administrator}} # LDAP admin user (set as login user for LAM) -LDAP_ADMIN_PASSWORD= {{ldap.bind_credential}} # LDAP admin password \ No newline at end of file diff --git a/roles/docker-ldap/templates/lam/groupOfNames.conf.j2 b/roles/docker-ldap/templates/lam/groupOfNames.conf.j2 deleted file mode 100644 index d74163dc..00000000 --- a/roles/docker-ldap/templates/lam/groupOfNames.conf.j2 +++ /dev/null @@ -1,5 +0,0 @@ -type: group -module: groupOfNames -cn: cn -description: description -member: member \ No newline at end of file diff --git a/roles/docker-ldap/vars/lam.yml b/roles/docker-ldap/vars/lam.yml deleted file mode 100644 index f412bbbe..00000000 --- a/roles/docker-ldap/vars/lam.yml +++ /dev/null @@ -1 +0,0 @@ -lam_profiles_dir: "{{ docker_compose.directories.volumes }}lam/config/profiles/" \ No newline at end of file diff --git a/roles/docker-phpldapadmin/tasks/main.yml b/roles/docker-phpldapadmin/tasks/main.yml new file mode 100644 index 00000000..65e23553 --- /dev/null +++ b/roles/docker-phpldapadmin/tasks/main.yml 
@@ -0,0 +1,13 @@ +- name: "include docker-compose role" + include_role: + name: docker-compose + +- name: "include role nginx-domain-setup for {{application_id}}" + include_role: + name: nginx-domain-setup + vars: + domain: "{{ domains[application_id] }}" + http_port: "{{ ports.localhost.http[application_id] }}" + +- name: "copy docker-compose.yml and env file" + include_tasks: copy-docker-compose-and-env.yml diff --git a/roles/docker-phpldapadmin/templates/docker-compose.yml.j2 b/roles/docker-phpldapadmin/templates/docker-compose.yml.j2 new file mode 100644 index 00000000..7b868673 --- /dev/null +++ b/roles/docker-phpldapadmin/templates/docker-compose.yml.j2 @@ -0,0 +1,19 @@ +services: + +{% include 'roles/docker-oauth2-proxy/templates/container.yml.j2' %} + + application: + container_name: {{ application_id }} + logging: + driver: journald + restart: {{docker_restart_policy}} + image: leenooks/phpldapadmin:{{applications[application_id].version}} + ports: + - 127.0.0.1:{{ports.localhost.http[application_id]}}:8080 +{% include 'roles/docker-compose/templates/services/base.yml.j2' %} +{% include 'templates/docker/container/networks.yml.j2' %} + +{% include 'templates/docker/compose/volumes.yml.j2' %} + data: + +{% include 'templates/docker/compose/networks.yml.j2' %} diff --git a/roles/docker-ldap/templates/phpldapadmin.env.j2 b/roles/docker-phpldapadmin/templates/env.j2 similarity index 100% rename from roles/docker-ldap/templates/phpldapadmin.env.j2 rename to roles/docker-phpldapadmin/templates/env.j2 diff --git a/roles/docker-phpldapadmin/vars/main.yml b/roles/docker-phpldapadmin/vars/main.yml new file mode 100644 index 00000000..7d7bdf9e --- /dev/null +++ b/roles/docker-phpldapadmin/vars/main.yml @@ -0,0 +1 @@ +application_id: "phpldapadmin" \ No newline at end of file
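Review bot: After `{% include 'templates/docker/compose/volumes.yml.j2' %}` a bare `data:` is added, but the `application` service above declares no `volumes:` entry, so as far as this template shows `data` is a declared-but-unmounted named volume (whether the include emits the `volumes:` key it hangs under cannot be seen here). Either mount it in the service or drop it until the persistent path is known, and record the intent with `{# TODO: mount data volume once phpLDAPadmin's persistent path is decided #}`. The env template arriving by the 100% rename is unchanged, so any `applications.ldap.phpldapadmin.*` reference it may contain would now point at keys this patch relocates to `applications.phpldapadmin`; its content is not in the diff, so it is worth a check before the next run.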