From e1df7463468cd085e937eec8f01665eb61b16513 Mon Sep 17 00:00:00 2001
From: Kevin Veen-Birkenbach <kevin@veen.world>
Date: Tue, 22 Apr 2025 01:42:54 +0200
Subject: [PATCH] Finished openproject container, ldap, settings bug and
 implemented administrator setting

---
 roles/docker-openproject/TODO.md        |  3 ++
 roles/docker-openproject/tasks/ldap.yml | 57 ++++++++++++++++++++++---
 roles/docker-openproject/tasks/main.yml |  8 ++--
 3 files changed, 60 insertions(+), 8 deletions(-)
 create mode 100644 roles/docker-openproject/TODO.md

diff --git a/roles/docker-openproject/TODO.md b/roles/docker-openproject/TODO.md
new file mode 100644
index 00000000..be0dbc42
--- /dev/null
+++ b/roles/docker-openproject/TODO.md
@@ -0,0 +1,3 @@
+# Todo
+- Finish corporate CSS implementation
+- Implement RBAC via LDAP
\ No newline at end of file
diff --git a/roles/docker-openproject/tasks/ldap.yml b/roles/docker-openproject/tasks/ldap.yml
index 118d28a2..d9a6e6fd 100644
--- a/roles/docker-openproject/tasks/ldap.yml
+++ b/roles/docker-openproject/tasks/ldap.yml
@@ -9,10 +9,38 @@
     login_password: "{{ database_password }}"
     login_host: "127.0.0.1"
     login_port: "{{ database_port }}"
-    query: "SELECT 1 FROM ldap_auth_sources WHERE name = '{{ openproject_ldap.name }}' LIMIT 1;"
+    query: "SELECT id FROM ldap_auth_sources WHERE name = '{{ openproject_ldap.name }}' LIMIT 1;"
   register: ldap_check
 
-- name: Create LDAP auth source if it doesn't exist
+- name: Update existing LDAP auth source
+  community.postgresql.postgresql_query:
+    db: "{{ database_name }}"
+    login_user: "{{ database_username }}"
+    login_password: "{{ database_password }}"
+    login_host: "127.0.0.1"
+    login_port: "{{ database_port }}"
+    query: >
+      UPDATE ldap_auth_sources SET
+        host = '{{ openproject_ldap.host }}',
+        port = {{ openproject_ldap.port }},
+        account = '{{ openproject_ldap.account }}',
+        account_password = '{{ openproject_ldap.account_password }}',
+        base_dn = '{{ openproject_ldap.base_dn }}',
+        attr_login = '{{ openproject_ldap.attr_login }}',
+        attr_firstname = '{{ openproject_ldap.attr_firstname }}',
+        attr_lastname = '{{ openproject_ldap.attr_lastname }}',
+        attr_mail = '{{ openproject_ldap.attr_mail }}',
+        onthefly_register = {{ openproject_ldap.onthefly_register }},
+        attr_admin = '{{ openproject_ldap.attr_admin }}',
+        updated_at = NOW(),
+        tls_mode = {{ openproject_ldap.tls_mode }},
+        filter_string = '{{ openproject_ldap.filter_string }}',
+        verify_peer = {{ openproject_ldap.verify_peer }},
+        tls_certificate_string = '{{ openproject_ldap.tls_certificate_string }}'
+      WHERE name = '{{ openproject_ldap.name }}';
+  when: ldap_check.query_result | length > 0
+
+- name: Create new LDAP auth source
   community.postgresql.postgresql_query:
     db: "{{ database_name }}"
     login_user: "{{ database_username }}"
@@ -46,7 +74,7 @@
       );
   when: ldap_check.query_result | length == 0
 
-- name: Check if LDAP source exists
+- name: Show all LDAP sources (debug)
   community.postgresql.postgresql_query:
     db: "{{ database_name }}"
     login_user: "{{ database_username }}"
@@ -56,9 +84,28 @@
     query: "SELECT id, name FROM ldap_auth_sources"
   register: ldap_entries
   when: enable_debug | bool
-  
-- name: "Debug LDAP entries"
+
+- name: Debug LDAP entries
   debug:
     var: ldap_entries
   when: enable_debug | bool
 
+# This works just after the first admin login
+# @todo Remove and replace trough LDAP RBAC group
+- name: Set LDAP user as admin via OpenProject Rails runner
+  shell: >
+    docker compose exec web bash -c "
+      cd /app &&
+      RAILS_ENV=production bundle exec rails runner \"
+        user = User.find_by(mail: '{{ users.administrator.email }}');
+        if user.nil?;
+          puts 'User with email {{ users.administrator.email }} not found.';
+        else;
+          user.admin = true;
+          user.save!;
+          puts 'User \#{user.login} is now an admin.';
+        end
+      \"
+    "
+  args:
+    chdir: "{{ docker_compose.directories.instance }}"
\ No newline at end of file
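Review bot: The promotion task is neither idempotent nor checked: `shell` reports changed on every run, and when `User.find_by` returns nil the script only prints a message and exits 0, so the play passes without any admin having been granted — the comment above the task says this is expected before the first login, which is exactly the case a silent pass hides. Register the result, derive `changed_when`/`failed_when` from distinct markers printed by the script, and skip the write when the user is already admin (drop the `failed_when` line if a first run before the LDAP user exists must not abort the play). As a side note, `puts 'User \#{user.login} is now an admin.'` prints the `#{...}` literally, because Ruby does not interpolate inside single-quoted strings. The administrator e-mail is spliced into both a bash double-quoted string and a Ruby single-quoted literal, so a value containing `'`, `"`, `$` or a backtick would alter the command; it comes from inventory, so a comment stating that assumption next to the task is enough.
```yaml
- name: Set LDAP user as admin via OpenProject Rails runner
  shell: >
    docker compose exec web bash -c "
      cd /app &&
      RAILS_ENV=production bundle exec rails runner \"
        user = User.find_by(mail: '{{ users.administrator.email }}');
        if user.nil?;
          puts 'ADMIN_USER_NOT_FOUND';
        elsif user.admin?;
          puts 'ADMIN_ALREADY_SET';
        else;
          user.update!(admin: true);
          puts 'ADMIN_PROMOTED';
        end
      \"
    "
  args:
    chdir: "{{ docker_compose.directories.instance }}"
  register: admin_promotion
  changed_when: "'ADMIN_PROMOTED' in admin_promotion.stdout"
  failed_when: "'ADMIN_USER_NOT_FOUND' in admin_promotion.stdout"
```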
diff --git a/roles/docker-openproject/tasks/main.yml b/roles/docker-openproject/tasks/main.yml
index 18b3814f..a0029ce6 100644
--- a/roles/docker-openproject/tasks/main.yml
+++ b/roles/docker-openproject/tasks/main.yml
@@ -46,10 +46,12 @@
 - name: flush docker service
   meta: flush_handlers
 
-- name: "Set OpenProject settings via rails"
-  command: >
+- name: Set settings in OpenProject
+  shell: >
     docker compose exec web bash -c "cd /app &&
-    RAILS_ENV=production bundle exec rails runner 'Setting[:{{ item.key }}] = {{ item.value | to_json }}'"
+    RAILS_ENV=production bundle exec rails runner \"Setting[:{{ item.key }}] = '{{ item.value }}'\""
+  args:
+    chdir: "{{ docker_compose.directories.instance }}"
   loop: "{{ openproject_rails_settings | dict2items }}"
 
 - name: Setup LDAP
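Review bot: Dropping `to_json` in favour of `'{{ item.value }}'` changes what the Rails side receives: every value now arrives as a Ruby string, so booleans and integers in `openproject_rails_settings` are no longer typed, and because the runner script is now inside bash double quotes (`\"...\"`), a value containing `'`, `"`, `$` or a backtick either breaks the Ruby or is expanded by the container's shell. The previous `to_json` form was a valid Ruby literal for all of those value types; if the problem was `to_json`'s double quotes inside the single-quoted runner argument, hand the script to `rails runner -` on stdin (the module's `stdin` argument plus `docker compose exec -T`) instead of re-quoting it, which also lets the task stay `command` rather than widening it to `shell`. The loop still boots a Rails process per setting and always reports changed; a `changed_when` is worth adding but is outside the point of this commit.
```yaml
- name: Set settings in OpenProject
  command: docker compose exec -T web bash -c "cd /app && RAILS_ENV=production bundle exec rails runner -"
  args:
    chdir: "{{ docker_compose.directories.instance }}"
    stdin: >-
      Setting[:{{ item.key }}] = {{ item.value | to_json }}
  loop: "{{ openproject_rails_settings | dict2items }}"
```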