Optimized openproject for new repository structure

2025-10-31 18:29:21 +00:00 · 2025-08-11 23:03:24 +02:00
parent f671678720
commit d5e5f57f92
9 changed files with 48 additions and 178 deletions
--- a/roles/web-app-openproject/tasks/01_ldap.yml
+++ b/roles/web-app-openproject/tasks/01_ldap.yml
@@ -0,0 +1,111 @@
+- name: Load LDAP configuration variables
+  include_vars:
+    file: "ldap.yml"
+
+- name: Check if LDAP source exists
+  community.postgresql.postgresql_query:
+    db: "{{ database_name }}"
+    login_user: "{{ database_username }}"
+    login_password: "{{ database_password }}"
+    login_host: "127.0.0.1"
+    login_port: "{{ database_port }}"
+    query: "SELECT id FROM ldap_auth_sources WHERE name = '{{ openproject_ldap.name }}' LIMIT 1;"
+  register: ldap_check
+
+- name: Update existing LDAP auth source
+  community.postgresql.postgresql_query:
+    db: "{{ database_name }}"
+    login_user: "{{ database_username }}"
+    login_password: "{{ database_password }}"
+    login_host: "127.0.0.1"
+    login_port: "{{ database_port }}"
+    query: >
+      UPDATE ldap_auth_sources SET
+        host = '{{ openproject_ldap.host }}',
+        port = {{ openproject_ldap.port }},
+        account = '{{ openproject_ldap.account }}',
+        account_password = '{{ openproject_ldap.account_password }}',
+        base_dn = '{{ openproject_ldap.base_dn }}',
+        attr_login = '{{ openproject_ldap.attr_login }}',
+        attr_firstname = '{{ openproject_ldap.attr_firstname }}',
+        attr_lastname = '{{ openproject_ldap.attr_lastname }}',
+        attr_mail = '{{ openproject_ldap.attr_mail }}',
+        onthefly_register = {{ openproject_ldap.onthefly_register }},
+        attr_admin = '{{ openproject_ldap.attr_admin }}',
+        updated_at = NOW(),
+        tls_mode = {{ openproject_ldap.tls_mode }},
+        filter_string = '{{ openproject_ldap.filter_string }}',
+        verify_peer = {{ openproject_ldap.verify_peer }},
+        tls_certificate_string = '{{ openproject_ldap.tls_certificate_string }}'
+      WHERE name = '{{ openproject_ldap.name }}';
+  when: ldap_check.query_result | length > 0
+
+- name: Create new LDAP auth source
+  community.postgresql.postgresql_query:
+    db: "{{ database_name }}"
+    login_user: "{{ database_username }}"
+    login_password: "{{ database_password }}"
+    login_host: "127.0.0.1"
+    login_port: "{{ database_port }}"
+    query: >
+      INSERT INTO ldap_auth_sources
+      (name, host, port, account, account_password, base_dn, attr_login,
+       attr_firstname, attr_lastname, attr_mail, onthefly_register, attr_admin,
+       created_at, updated_at, tls_mode, filter_string, verify_peer, tls_certificate_string)
+      VALUES (
+        '{{ openproject_ldap.name }}',
+        '{{ openproject_ldap.host }}',
+        {{ openproject_ldap.port }},
+        '{{ openproject_ldap.account }}',
+        '{{ openproject_ldap.account_password }}',
+        '{{ openproject_ldap.base_dn }}',
+        '{{ openproject_ldap.attr_login }}',
+        '{{ openproject_ldap.attr_firstname }}',
+        '{{ openproject_ldap.attr_lastname }}',
+        '{{ openproject_ldap.attr_mail }}',
+        {{ openproject_ldap.onthefly_register }},
+        '{{ openproject_ldap.attr_admin }}',
+        NOW(),
+        NOW(),
+        {{ openproject_ldap.tls_mode }},
+        '{{ openproject_ldap.filter_string }}',
+        {{ openproject_ldap.verify_peer }},
+        '{{ openproject_ldap.tls_certificate_string }}'
+      );
+  when: ldap_check.query_result | length == 0
+
+- name: Show all LDAP sources (debug)
+  community.postgresql.postgresql_query:
+    db: "{{ database_name }}"
+    login_user: "{{ database_username }}"
+    login_password: "{{ database_password }}"
+    login_host: "127.0.0.1"
+    login_port: "{{ database_port }}"
+    query: "SELECT id, name FROM ldap_auth_sources"
+  register: ldap_entries
+  when: enable_debug | bool
+
+- name: Debug LDAP entries
+  debug:
+    var: ldap_entries
+  when: enable_debug | bool
+
+# This works just after the first admin login
+# @todo Remove and replace trough LDAP RBAC group
+- name: Set LDAP user as admin via OpenProject Rails runner
+  shell: >
+    docker compose exec web bash -c "
+      cd /app &&
+      RAILS_ENV={{ INFINITO_ENVIRONMENT | lower }} bundle exec rails runner \"
+        user = User.find_by(mail: '{{ users.administrator.email }}');
+        if user.nil?;
+          puts 'User with email {{ users.administrator.email }} not found.';
+        else;
+          user.admin = true;
+          user.save!;
+          puts 'User \#{user.login} is now an admin.';
+        end
+      \"
+    "
+  args:
+    chdir: "{{ docker_compose.directories.instance }}"