Added LDAP Draft for Funkwhale

2025-08-29 15:06:26 +02:00 · 2025-02-12 12:41:13 +01:00
parent c687b19a6d
commit eaca564c6f
31 changed files with 92 additions and 78 deletions
--- a/group_vars/all/07_applications.yml
+++ b/group_vars/all/07_applications.yml
@@ -4,11 +4,11 @@
 docker_restart_policy:        "unless-stopped"

 ##############################################
-## Private Helper variables                ### 
+## Applications Configuration              
 ##############################################

-# By default don't expose openldap to the internet, just if explicit configured
-_ldap_openldap_expose_to_internet:       "{{ applications.ldap.openldap.expose_to_internet | default(False) if applications.ldap is defined and applications.ldap.openldap is defined else false}}"
+# Keep in mind, that this configuration should in general just apply to the roles which set the applications up.
+# If other applications depend on this variables, propably it makes sense to define it in e.g. IMA or other variable files.

 defaults_applications:

@@ -72,15 +72,17 @@ defaults_applications:
      administrator_password:         "{{user_administrator_initial_password}}" # CHANGE for security reasons
    openldap:
      version:                        "latest"
-      expose_to_internet:             "{{_ldap_openldap_expose_to_internet}}"   # Set to true if you want to expose the LDAP port to the internet
-      domain:                         "{{domains.ldap if _ldap_openldap_expose_to_internet else 'openldap'}}" # Mapping for public or locale access
+      network:
+        local:                        True                                      # Activates local network to allow other docker containers to connect
+        public:                       False                                     # Set to true in inventory file if you want to expose the LDAP port to the internet
+      hostname:                       "openldap"                                # Hostname of the LDAP Server in the central_ldap network
      modify:                         False                                     # When false entries will just be added, when true existing entries will be modified during import procedure
    phpldapadmin:
      version:                        "2.0.0-dev"                               # @todo Attention: Change this as fast as released to latest
    webinterface:                     "lam"                                     # The webinterface which should be used. Possible: lam and phpldapadmin
    administrator_username:           "{{administrator_username}}"
-    administrator_password:           "{{user_administrator_initial_password}}" # CHANGE for security reasons
-    administrator_database_password:  "{{user_administrator_initial_password}}" # CHANGE for security reasons         
+    administrator_password:           "{{user_administrator_initial_password}}" # CHANGE for security reasons in inventory file
+    administrator_database_password:  "{{user_administrator_initial_password}}" # CHANGE for security reasons in inventory file

  ## Listmonk
  listmonk:
--- a/group_vars/all/09_ports.yml
+++ b/group_vars/all/09_ports.yml
@@ -3,13 +3,13 @@ ports:
  localhost:
    web_socket:
      mastodon:       4001
-    oauth2_proxy_ports:
+    oauth2_proxy:
      phpmyadmin:     4181
      ldap:           4182
      openproject:    4183
-    ldap_ports:
-      openldap:
-    http_ports:
+    ldap:
+      openldap:       389
+    http:
      nextcloud:      8001
      gitea:          8002
      wordpress:      8003
@@ -49,6 +49,8 @@ ports:
  # Ports which are exposed to the World Wide Web
  public:
    # The following ports should be changed to 22 on the subdomain via stream mapping
-    ssh_ports:
+    ssh:
      gitea:         2201
      gitlab:        2202
+    ldaps:
+      openldap:      636
--- a/group_vars/all/11_iam.yml
+++ b/group_vars/all/11_iam.yml
@@ -36,14 +36,25 @@ oauth2_proxy_active:                         false
 ### LDAP                                  ###
 #############################################

+# Helper variables
+_ldap_dn_base: "dc={{primary_domain_sld}},dc={{primary_domain_tld}}"

-# Activate local LDAP network for communitation on localhot between different docker containers
-# 
-# Set in vars/main.yml via:
-#   ldap_network_enabled: "{{ldap.enabled}}"
-#
-# This leads to that the local ldap networks get enabled, if LDAP is enabled
-ldap_network_enabled:                  false
+
+# This leads to that the role gets configured to use ldap
+ldap_enabled:                  false

 ldap:
-  enabled:  true # Enable or disable LDAP
+  # Enables LDAP for all roles in play if true
+  enabled:          true
+  # Distinguished Names (DN)
+  dn:
+    # Defines the base Distinguished Name (DN) for the LDAP directory, constructed from the second-level domain (SLD) and top-level domain (TLD).
+    root:           "{{_ldap_dn_base}}"
+    # Specifies the Distinguished Name (DN) of the LDAP administrator, combining the admin's username with the LDAP root domain.
+    administrator:  "cn={{applications.ldap.administrator_username}},{{_ldap_dn_base}}"
+  server:
+    domain: "{{applications.ldap.openldap.hostname if applications.ldap.openldap.network.local | bool else domains.ldap}}" # Mapping for public or locale access
+    uri:    "{% if applications.ldap.openldap.network.local | bool %}ldap://{{ applications.ldap.openldap.hostname }}:{{ ports.localhost.ldap.openldap }}{% else %}ldaps://{{ domains.ldap }}:{{ ports.public.ldaps.openldap }}{% endif %}"
+  network:
+    local:  "{{applications.ldap.openldap.network.local}}" # Uses the application configuration to define if local network should be available or not
+