Added LDAP Draft for Funkwhale

2025-02-22 04:29:38 +01:00 · 2025-02-12 12:41:13 +01:00 · 2025-02-12 12:41:13 +01:00 · eaca564c6f
commit eaca564c6f
parent c687b19a6d
31 changed files with 92 additions and 78 deletions
--- a/group_vars/all/07_applications.yml
+++ b/group_vars/all/07_applications.yml
@ -4,11 +4,11 @@
 docker_restart_policy:        "unless-stopped"

 ##############################################
-## Private Helper variables                ### 
+## Applications Configuration              
 ##############################################

-# By default don't expose openldap to the internet, just if explicit configured
-_ldap_openldap_expose_to_internet:       "{{ applications.ldap.openldap.expose_to_internet | default(False) if applications.ldap is defined and applications.ldap.openldap is defined else false}}"
+# Keep in mind, that this configuration should in general just apply to the roles which set the applications up.
+# If other applications depend on this variables, propably it makes sense to define it in e.g. IMA or other variable files.

 defaults_applications:

@ -72,15 +72,17 @@ defaults_applications:
      administrator_password:         "{{user_administrator_initial_password}}" # CHANGE for security reasons
    openldap:
      version:                        "latest"
-      expose_to_internet:             "{{_ldap_openldap_expose_to_internet}}"   # Set to true if you want to expose the LDAP port to the internet
-      domain:                         "{{domains.ldap if _ldap_openldap_expose_to_internet else 'openldap'}}" # Mapping for public or locale access
+      network:
+        local:                        True                                      # Activates local network to allow other docker containers to connect
+        public:                       False                                     # Set to true in inventory file if you want to expose the LDAP port to the internet
+      hostname:                       "openldap"                                # Hostname of the LDAP Server in the central_ldap network
      modify:                         False                                     # When false entries will just be added, when true existing entries will be modified during import procedure
    phpldapadmin:
      version:                        "2.0.0-dev"                               # @todo Attention: Change this as fast as released to latest
    webinterface:                     "lam"                                     # The webinterface which should be used. Possible: lam and phpldapadmin
    administrator_username:           "{{administrator_username}}"
-    administrator_password:           "{{user_administrator_initial_password}}" # CHANGE for security reasons
-    administrator_database_password:  "{{user_administrator_initial_password}}" # CHANGE for security reasons         
+    administrator_password:           "{{user_administrator_initial_password}}" # CHANGE for security reasons in inventory file
+    administrator_database_password:  "{{user_administrator_initial_password}}" # CHANGE for security reasons in inventory file

  ## Listmonk
  listmonk:
--- a/group_vars/all/09_ports.yml
+++ b/group_vars/all/09_ports.yml
@ -3,13 +3,13 @@ ports:
  localhost:
    web_socket:
      mastodon:       4001
-    oauth2_proxy_ports:
+    oauth2_proxy:
      phpmyadmin:     4181
      ldap:           4182
      openproject:    4183
-    ldap_ports:
-      openldap:
-    http_ports:
+    ldap:
+      openldap:       389
+    http:
      nextcloud:      8001
      gitea:          8002
      wordpress:      8003
@ -49,6 +49,8 @@ ports:
  # Ports which are exposed to the World Wide Web
  public:
    # The following ports should be changed to 22 on the subdomain via stream mapping
-    ssh_ports:
+    ssh:
      gitea:         2201
      gitlab:        2202
+    ldaps:
+      openldap:      636
--- a/group_vars/all/11_iam.yml
+++ b/group_vars/all/11_iam.yml
@ -36,14 +36,25 @@ oauth2_proxy_active:                         false
 ### LDAP                                  ###
 #############################################

+# Helper variables
+_ldap_dn_base: "dc={{primary_domain_sld}},dc={{primary_domain_tld}}"

-# Activate local LDAP network for communitation on localhot between different docker containers
-# 
-# Set in vars/main.yml via:
-#   ldap_network_enabled: "{{ldap.enabled}}"
-#
-# This leads to that the local ldap networks get enabled, if LDAP is enabled
-ldap_network_enabled:                  false
+
+# This leads to that the role gets configured to use ldap
+ldap_enabled:                  false

 ldap:
-  enabled:  true # Enable or disable LDAP
+  # Enables LDAP for all roles in play if true
+  enabled:          true
+  # Distinguished Names (DN)
+  dn:
+    # Defines the base Distinguished Name (DN) for the LDAP directory, constructed from the second-level domain (SLD) and top-level domain (TLD).
+    root:           "{{_ldap_dn_base}}"
+    # Specifies the Distinguished Name (DN) of the LDAP administrator, combining the admin's username with the LDAP root domain.
+    administrator:  "cn={{applications.ldap.administrator_username}},{{_ldap_dn_base}}"
+  server:
+    domain: "{{applications.ldap.openldap.hostname if applications.ldap.openldap.network.local | bool else domains.ldap}}" # Mapping for public or locale access
+    uri:    "{% if applications.ldap.openldap.network.local | bool %}ldap://{{ applications.ldap.openldap.hostname }}:{{ ports.localhost.ldap.openldap }}{% else %}ldaps://{{ domains.ldap }}:{{ ports.public.ldaps.openldap }}{% endif %}"
+  network:
+    local:  "{{applications.ldap.openldap.network.local}}" # Uses the application configuration to define if local network should be available or not
+  
--- a/roles/docker-bigbluebutton/templates/nginx-proxy.conf.j2
+++ b/roles/docker-bigbluebutton/templates/nginx-proxy.conf.j2
@ -5,7 +5,7 @@ server {

  location / {
    proxy_http_version 1.1;
-    proxy_pass http://$endpoint_addr:{{ports.localhost.oauth2_proxy_ports[application_id]}};
+    proxy_pass http://$endpoint_addr:{{ports.localhost.oauth2_proxy[application_id]}};
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
--- a/roles/docker-bluesky/tasks/main.yml
+++ b/roles/docker-bluesky/tasks/main.yml
@ -7,13 +7,13 @@
  include_tasks: nginx-docker-proxy-domain.yml
  vars:
    domain: "{{ domains.bluesky_api }}"
-    http_port: "{{ ports.localhost.http_ports.bluesky_api }}"
+    http_port: "{{ ports.localhost.http.bluesky_api }}"

 - name: "Include tasks for Web domain"
  include_tasks: nginx-docker-proxy-domain.yml
  vars:
    domain: "{{ domains.bluesky_web }}"
-    http_port: "{{ ports.localhost.http_ports.bluesky_web }}" 
+    http_port: "{{ ports.localhost.http.bluesky_web }}" 

 # The following lines should be removed when the following issue is closed:
 # https://github.com/bluesky-social/pds/issues/52
--- a/roles/docker-bluesky/templates/docker-compose.yml.j2
+++ b/roles/docker-bluesky/templates/docker-compose.yml.j2
@ -6,7 +6,7 @@ services:
        - pds_data:/opt/pds
        - {{pdsadmin_file_path}}:/usr/local/bin/pdsadmin:ro
    ports:
-      - "127.0.0.1:{{ports.localhost.http_ports.bluesky_api}}:3000"
+      - "127.0.0.1:{{ports.localhost.http.bluesky_api}}:3000"
    healthcheck:
      test: ["CMD", "wget", "--spider", "http://127.0.0.1:3000/xrpc/_health"]
      interval: 1m
@ -27,7 +27,7 @@ services:
        REACT_APP_SITE_NAME: "{{primary_domain | upper}} - Bluesky"
        REACT_APP_SITE_DESCRIPTION: "Decentral Social "
    ports:
-      - "127.0.0.1:{{ports.localhost.http_ports.bluesky_web}}:8100"
+      - "127.0.0.1:{{ports.localhost.http.bluesky_web}}:8100"
    healthcheck:
      test: ["CMD", "sh", "-c", "for pid in $(ls /proc | grep -E '^[0-9]+$'); do if cat /proc/$pid/cmdline 2>/dev/null | grep -q 'bskywebserve'; then exit 0; fi; done; exit 1"]
      interval: 30s
--- a/roles/docker-compose/tasks/main.yml
+++ b/roles/docker-compose/tasks/main.yml
@ -6,9 +6,9 @@
    domain: "{{ domains[application_id] if application_id in domains else None }}"
  # Default case: One domain exists. Some applications like matrix don't have an default domain

- name: "Set global http_port to {{ ports.localhost.http_ports[application_id] }}"
+- name: "Set global http_port to {{ ports.localhost.http[application_id] }}"
  set_fact:
-    http_port: "{{ ports.localhost.http_ports[application_id] if application_id in ports.localhost.http_ports else None }}"
+    http_port: "{{ ports.localhost.http[application_id] if application_id in ports.localhost.http else None }}"
  # Default case: One port exists. Some applications like matrix don't have an default port

 - name: "remove {{ docker_compose.directories.instance }} and all its contents"
--- a/roles/docker-funkwhale/templates/env.j2
+++ b/roles/docker-funkwhale/templates/env.j2
@ -99,19 +99,21 @@ DJANGO_SETTINGS_MODULE=config.settings.production
 # Generate one using `openssl rand -base64 45`, for example
 DJANGO_SECRET_KEY={{funkwhale_django_secret}}

+{% if ldap_enabled | bool %}
 # LDAP settings
 # Use the following options to allow authentication on your Funkwhale instance
 # using a LDAP directory.
 # Have a look at https://docs.funkwhale.audio/installation/ldap.html for
 # detailed instructions.

-# LDAP_ENABLED=False
-# LDAP_SERVER_URI=ldap://your.server:389
-# LDAP_BIND_DN=cn=admin,dc=domain,dc=com
-# LDAP_BIND_PASSWORD=bindpassword
-# LDAP_SEARCH_FILTER=(|(cn={0})(mail={0}))
-# LDAP_START_TLS=False
-# LDAP_ROOT_DN=dc=domain,dc=com
+LDAP_ENABLED=True
+LDAP_SERVER_URI={{ldap.server.uri}}
+LDAP_BIND_DN={{ldap.dn.administrator}}
+LDAP_BIND_PASSWORD={{applications.ldap.administrator_database_password}}
+LDAP_SEARCH_FILTER=(|(cn={0})(mail={0})) # Needs to checked 
+LDAP_START_TLS=False
+LDAP_ROOT_DN={{ldap.dn.root}}
+{% endif %}

 FUNKWHALE_FRONTEND_PATH=/srv/funkwhale/front/dist

--- a/roles/docker-funkwhale/vars/main.yml
+++ b/roles/docker-funkwhale/vars/main.yml
@ -2,7 +2,7 @@ application_id:                                 "funkwhale"
 nginx_docker_reverse_proxy_extra_configuration: "client_max_body_size 512M;"
 database_password:                              "{{funkwhale_database_password}}"
 database_type:                                  "postgres"
-ldap_network_enabled:                           "{{ldap.enabled}}"
+ldap_enabled:                                   True
 media_root:                                     "/srv/funkwhale/data/"
 static_root:                                    "{{media_root}}static"
 celeryd_concurrency:                            1
--- a/roles/docker-gitea/templates/docker-compose.yml.j2
+++ b/roles/docker-gitea/templates/docker-compose.yml.j2
@ -7,7 +7,7 @@ services:
    image: "gitea/gitea:{{applications.gitea.version}}"
    ports:
      - "127.0.0.1:{{http_port}}:3000"
-      - "{{ports.public.ssh_ports[application_id]}}:22"
+      - "{{ports.public.ssh[application_id]}}:22"
    volumes:
      - data:/data
      - /etc/timezone:/etc/timezone:ro
--- a/roles/docker-gitea/templates/env.j2
+++ b/roles/docker-gitea/templates/env.j2
@ -5,7 +5,7 @@ DB_HOST={{database_host}}:{{database_port}}
 DB_NAME={{database_name}}
 DB_USER={{database_username}}
 DB_PASSWD={{database_password}}
-SSH_PORT={{ports.public.ssh_ports[application_id]}}
+SSH_PORT={{ports.public.ssh[application_id]}}
 SSH_LISTEN_PORT=22
 DOMAIN={{domain}}
 SSH_DOMAIN={{domain}}
--- a/roles/docker-gitlab/templates/docker-compose.yml.j2
+++ b/roles/docker-gitlab/templates/docker-compose.yml.j2
@ -10,7 +10,7 @@ services:
 {% include 'roles/docker-compose/templates/services/base.yml.j2' %}
    ports:
      - "127.0.0.1:{{http_port}}:80"
-      - "{{ports.public.ssh_ports[application_id]}}:22"
+      - "{{ports.public.ssh[application_id]}}:22"
    volumes:
      - 'config:/etc/gitlab'
      - 'logs:/var/log/gitlab'
--- a/roles/docker-gitlab/templates/env.j2
+++ b/roles/docker-gitlab/templates/env.j2
@ -2,7 +2,7 @@
 {% set config_lines = [
  "external_url 'https://{{ domain }}'",
  "postgresql['enable']=false",
-  "gitlab_rails['gitlab_shell_ssh_port']={{ ports.public.ssh_ports[application_id] }}",
+  "gitlab_rails['gitlab_shell_ssh_port']={{ ports.public.ssh[application_id] }}",
  "gitlab_rails['db_adapter']='postgresql'",
  "gitlab_rails['db_encoding']='utf8'",
  "gitlab_rails['db_host']='{{ database_host }}'",
--- a/roles/docker-keycloak/vars/main.yml
+++ b/roles/docker-keycloak/vars/main.yml
@ -1,4 +1,4 @@
 application_id:  	      "keycloak"
 database_type:          "postgres"
 database_password:      "{{keycloak_database_password}}"
-ldap_network_enabled:   "{{ldap.enabled}}"
+ldap_enabled:   True
--- a/roles/docker-ldap/handlers/main.yml
+++ b/roles/docker-ldap/handlers/main.yml
@ -1,6 +1,6 @@
 - name: "import missing groups from {{ldif_docker_path}} to OpenLDAP"
  shell: >
-    docker exec -i openldap {{ 'ldapmodify' if applications.ldap.openldap.modify|bool else 'ldapadd' }} -x -D "{{ldap_admin_dn}}" -w "{{applications.ldap.administrator_database_password}}" -c -f "{{ldif_docker_path}}{{ item }}"
+    docker exec -i openldap {{ 'ldapmodify' if applications.ldap.openldap.modify|bool else 'ldapadd' }} -x -D "{{ldap.dn.administrator}}" -w "{{applications.ldap.administrator_database_password}}" -c -f "{{ldif_docker_path}}{{ item }}"
  loop: "{{ ldif_files }}"
  register: ldapadd_result
  changed_when: "'adding new entry' in ldapadd_result.stdout"
--- a/roles/docker-ldap/tasks/main.yml
+++ b/roles/docker-ldap/tasks/main.yml
@ -11,13 +11,13 @@
    src:  "nginx.stream.conf.j2" 
    dest: "{{nginx.directories.streams}}{{domain}}.conf"
  notify: restart nginx
-  when: applications.ldap.openldap.expose_to_internet | bool
+  when: applications.ldap.openldap.network.public | bool

 - name: Remove {{domain}}.conf if LDAP is not exposed to internet
  file:
    path: "{{ nginx.directories.streams }}{{ domain }}.conf"
    state: absent
-  when: not applications.ldap.openldap.expose_to_internet | bool
+  when: not applications.ldap.openldap.network.public | bool

 - name: create docker network for LDAP, so that other applications can access it
  docker_network:
--- a/roles/docker-ldap/templates/docker-compose.yml.j2
+++ b/roles/docker-ldap/templates/docker-compose.yml.j2
@ -23,19 +23,18 @@ services:
 {% endif %}
  openldap:
    image: bitnami/openldap:{{applications.ldap.openldap.version}}
-    container_name: openldap
+    container_name: {{applications.ldap.openldap.hostname}}
 {% include 'roles/docker-compose/templates/services/base.yml.j2' %}
-{% if applications.ldap.openldap.expose_to_internet | bool %}
+{% if applications.ldap.openldap.network.public | bool %}
    ports:
-      - 127.0.0.1:{{ldap_localhost_port}}:{{ldap_localhost_port}}               # Expose just on localhost so that nginx stream proxy can use it
-      - 127.0.0.1:{{ldap_secure_localhost_port}}:{{ldap_secure_localhost_port}} # Expose just on localhost
+      - 127.0.0.1:{{ports.localhost.ldap.openldap}}:{{ldap_docker_port}}  # Expose just on localhost so that nginx stream proxy can use it
 {% endif %}
    volumes:
      - 'data:/bitnami/openldap'
-      - '{{ldif_host_path}}:{{ldif_docker_path}}:ro' # Mounting all ldif files for import
+      - '{{ldif_host_path}}:{{ldif_docker_path}}:ro'                      # Mounting all ldif files for import
    healthcheck:
      test: >
-        ldapsearch -x -H ldap://localhost:389 -b "{{ldap_root}}" -D "{{ldap_admin_dn}}" -w "{{applications.ldap.administrator_database_password}}"
+        ldapsearch -x -H ldap://localhost:{{ldap_docker_port}} -b "{{ldap.dn.root}}" -D "{{ldap.dn.administrator}}" -w "{{applications.ldap.administrator_database_password}}"
      interval: 30s
      timeout: 10s
      retries: 3
--- a/roles/docker-ldap/templates/env.j2
+++ b/roles/docker-ldap/templates/env.j2
@ -9,18 +9,18 @@ LDAP_ADMIN_PASSWORD=        {{applications.ldap.administrator_database_password}
 ## Users
 LDAP_USERS=                 ' '                             # Comma separated list of LDAP users to create in the default LDAP tree. Default: user01,user02
 LDAP_PASSWORDS=             ' '                             # Comma separated list of passwords to use for LDAP users. Default: bitnami1,bitnami2
-LDAP_ROOT=                  {{ldap_root}}                   # LDAP baseDN (or suffix) of the LDAP tree. Default: dc=example,dc=org
+LDAP_ROOT=                  {{ldap.dn.root}}                # LDAP baseDN (or suffix) of the LDAP tree. Default: dc=example,dc=org

 ## Admin
-LDAP_ADMIN_DN=              {{ldap_admin_dn}}               # Not well documented. Don't know if this has an effect
+LDAP_ADMIN_DN=              {{ldap.dn.administrator}}       # Not well documented. Don't know if this has an effect
 LDAP_CONFIG_ADMIN_ENABLED=  yes
 LDAP_CONFIG_ADMIN_USERNAME= {{applications.ldap.administrator_username}}
 LDAP_CONFIG_ADMIN_PASSWORD= {{applications.ldap.administrator_password}}
  
 # Network
-LDAP_PORT_NUMBER=           {{ldap_localhost_port}}         # Route to default port
+LDAP_PORT_NUMBER=           {{ldap_docker_port}}            # Route to default port
 LDAP_ENABLE_TLS=            no                              # Using nginx proxy for tls
-LDAP_LDAPS_PORT_NUMBER=     {{ldap_secure_localhost_port}}  # Port used for TLS secure traffic. Priviledged port is supported (e.g. 636). Default: 1636 (non privileged port).
+LDAP_LDAPS_PORT_NUMBER=     {{ldaps_docker_port}}           # Port used for TLS secure traffic. Priviledged port is supported (e.g. 636). Default: 1636 (non privileged port).

 # Security
 LDAP_ALLOW_ANON_BINDING=    no                              # Allow anonymous bindings to the LDAP server. Default: yes.
--- a/roles/docker-ldap/templates/lam.env.j2
+++ b/roles/docker-ldap/templates/lam.env.j2
@ -7,7 +7,7 @@ LAM_PASSWORD=               {{applications.ldap.lam.administrator_password}}
 LAM_CONFIGURATION_DATABASE= files                                                   # configuration database (files or mysql) @todo implement mariadb

 # LDAP Configuration
-LDAP_SERVER=                {{applications.ldap.openldap.domain}}                   # domain of LDAP database root entry, will be converted to dc=...,dc=...
-LDAP_BASE_DN=               {{ldap_root}}                                           # LDAP base DN to overwrite value generated by LDAP_DOMAIN
-LDAP_USER=                  {{ldap_admin_dn}}                                       # LDAP admin user (set as login user for LAM)
+LDAP_SERVER=                {{ldap.server.domain}}                                  # domain of LDAP database root entry
+LDAP_BASE_DN=               {{ldap.dn.root}}                                        # LDAP base DN to overwrite value generated by LDAP_DOMAIN
+LDAP_USER=                  {{ldap.dn.administrator}}                               # LDAP admin user (set as login user for LAM)
 LDAP_ADMIN_PASSWORD=        {{applications.ldap.administrator_database_password}}   # LDAP admin password
--- a/roles/docker-ldap/templates/nginx.stream.conf.j2
+++ b/roles/docker-ldap/templates/nginx.stream.conf.j2
@ -1,6 +1,6 @@
 server {
-    listen {{ldap_secure_internet_port}} ssl;
-    proxy_pass 127.0.0.1:{{ldap_localhost_port}};
+    listen {{ports.public.ldaps.openldap}}ssl;
+    proxy_pass 127.0.0.1:{{ports.localhost.ldap.openldap}};

    # SSL Configuration for LDAPS
    {% include 'roles/letsencrypt/templates/ssl_credentials.j2' %}
--- a/roles/docker-ldap/vars/main.yml
+++ b/roles/docker-ldap/vars/main.yml
@ -1,10 +1,8 @@
-application_id:               "ldap"
-ldap_root:                    "dc={{primary_domain_sld}},dc={{primary_domain_tld}}"
-ldap_admin_dn:                "cn={{applications.ldap.administrator_username}},{{ldap_root}}"
-ldap_secure_localhost_port:   1636
-ldap_secure_internet_port:    636
-ldap_localhost_port:          389
-ldap_network_enabled:         "{{ldap.enabled}}"
+application_id:       "ldap"
+ldaps_docker_port:    636
+ldap_docker_port:     389
+ldap_enabled:         True
+
 # OAuth2 Proxy Configuration
 oauth2_proxy_upstream_application_and_port: "{{ applications.ldap.webinterface }}:{% if applications.ldap.webinterface == 'phpldapadmin' %}8080{% else %}80{% endif %}"
 oauth2_proxy_active:                        true
--- a/roles/docker-matrix-compose/tasks/main.yml
+++ b/roles/docker-matrix-compose/tasks/main.yml
@ -7,7 +7,7 @@
  include_tasks: certbot-and-globals.yml
  vars:
    domain:     "{{domains.matrix_synapse}}"
-    http_port:  "{{ports.localhost.http_ports.matrix_synapse}}"
+    http_port:  "{{ports.localhost.http.matrix_synapse}}"

 - name: create {{well_known_directory}}
  file:
@ -26,14 +26,14 @@
    dest: "{{nginx.directories.http.servers}}{{domains.matrix_synapse}}.conf"
  vars:
    # domain:     "{{domains.matrix_synapse}}" This does not seem to work @todo Check how to solve without declaring set_fact, seems a bug at templates
-    http_port:  "{{ports.localhost.http_ports.matrix_synapse}}"
+    http_port:  "{{ports.localhost.http.matrix_synapse}}"
  notify: restart nginx
        
 - name: "include tasks nginx-docker-proxy-domain.yml for element"
  include_tasks: nginx-docker-proxy-domain.yml
  vars:        
    domain:     "{{domains.matrix_element}}"
-    http_port:  "{{ports.localhost.http_ports.matrix_element}}"
+    http_port:  "{{ports.localhost.http.matrix_element}}"

 - name: include create-and-seed-database.yml for multiple bridges
  include_tasks: create-and-seed-database.yml
--- a/roles/docker-matrix-compose/templates/docker-compose.yml.j2
+++ b/roles/docker-matrix-compose/templates/docker-compose.yml.j2
@ -19,7 +19,7 @@ services:
      - SYNAPSE_SERVER_NAME={{domains.matrix_synapse}}
      - SYNAPSE_REPORT_STATS=no
    ports:
-      - "127.0.0.1:{{ports.localhost.http_ports.matrix_synapse}}:8008"
+      - "127.0.0.1:{{ports.localhost.http.matrix_synapse}}:8008"
    healthcheck:
      test: ["CMD", "curl", "-f", "http://localhost:8008/"]
      interval: 1m
@ -39,7 +39,7 @@ services:
    volumes:
      - ./element-config.json:/app/config.json
    ports:
-      - "127.0.0.1:{{ports.localhost.http_ports.matrix_element}}:80"
+      - "127.0.0.1:{{ports.localhost.http.matrix_element}}:80"
    healthcheck:
      test: ["CMD", "wget", "--spider", "-q", "http://localhost:80/"]
      interval: 1m
--- a/roles/docker-matrix-compose/templates/nginx.conf.j2
+++ b/roles/docker-matrix-compose/templates/nginx.conf.j2
@ -1,7 +1,7 @@
 server {
    # Somehow .j2 doesn't interpretate the passed variable right. For this reasons this redeclaration is necessary
    {% set domain = domains.matrix_synapse %}
-    {% set http_port = ports.localhost.http_ports.matrix_synapse %}
+    {% set http_port = ports.localhost.http.matrix_synapse %}

    server_name {{domain}};
    {% include 'roles/letsencrypt/templates/ssl_header.j2' %}
--- a/roles/docker-nextcloud/vars/main.yml
+++ b/roles/docker-nextcloud/vars/main.yml
@ -4,4 +4,4 @@ database_password:  	                "{{nextcloud_database_password}}"
 database_type:                        "mariadb"
 nextcloud_application_container_name: "nextcloud-application"
 nextcloud_nginx_container_name:       "nextcloud-web"
-ldap_network_enabled:                 "{{ldap.enabled}}"
+ldap_enabled:                         True
--- a/roles/docker-oauth2-proxy/templates/container.yml.j2
+++ b/roles/docker-oauth2-proxy/templates/container.yml.j2
@ -4,6 +4,6 @@
    command: --config /oauth2-proxy.cfg
    hostname: oauth2-proxy
    ports:
-      - {{ports.localhost.oauth2_proxy_ports[application_id]}}:4180/tcp
+      - {{ports.localhost.oauth2_proxy[application_id]}}:4180/tcp
    volumes:
      - "{{docker_compose.directories.volumes}}{{applications.oauth2_proxy.configuration_file}}:/oauth2-proxy.cfg"
--- a/roles/docker-openproject/vars/main.yml
+++ b/roles/docker-openproject/vars/main.yml
@ -15,4 +15,4 @@ dummy_volume:                                 "{{docker_compose.directories.volu
 oauth2_proxy_upstream_application_and_port:   "proxy:80"
 oauth2_proxy_active:                          true

-ldap_network_enabled:                         "{{ldap.enabled}}"
+ldap_enabled:                                 True
--- a/roles/docker-snipe_it/templates/docker-compose.yml.j2
+++ b/roles/docker-snipe_it/templates/docker-compose.yml.j2
@ -10,7 +10,7 @@ services:
    volumes:
      - data:/var/lib/snipeit
    ports:
-      - "127.0.0.1:{{ports.localhost.http_ports.snipe_it}}:80"
+      - "127.0.0.1:{{ports.localhost.http.snipe_it}}:80"
 {% include 'templates/docker/container/depends-on-database-redis.yml.j2' %}
 {% include 'templates/docker/container/networks.yml.j2' %}

--- a/roles/nginx-docker-reverse-proxy/templates/domain.conf.j2
+++ b/roles/nginx-docker-reverse-proxy/templates/domain.conf.j2
@ -13,7 +13,7 @@ server

  # OAuth2-Proxy-Endpoint
  location /oauth2/ {
-      proxy_pass http://127.0.0.1:{{ports.localhost.oauth2_proxy_ports[application_id]}};
+      proxy_pass http://127.0.0.1:{{ports.localhost.oauth2_proxy[application_id]}};
      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
--- a/templates/docker/compose/networks.yml.j2
+++ b/templates/docker/compose/networks.yml.j2
@ -4,7 +4,7 @@ networks:
  central_{{ database_type }}:
    external: true
 {% endif %}
-{% if ldap_network_enabled | bool %}
+{% if ldap_enabled | bool and applications.ldap.openldap.network.local | bool %}
  central_ldap:
    external: true
 {% endif %}
--- a/templates/docker/container/networks.yml.j2
+++ b/templates/docker/container/networks.yml.j2
@ -3,7 +3,7 @@
 {% if enable_central_database | bool and database_type is defined %}
      central_{{ database_type }}:
 {% endif %}
-{% if ldap_network_enabled | bool %}
+{% if ldap_enabled | bool and applications.ldap.openldap.network.local | bool %}
      central_ldap:
 {% endif %}
      default: