kevinveenbirkenbach/computer-playbook
1
0
Fork 0
mirror of https://github.com/kevinveenbirkenbach/computer-playbook.git synced 2025-06-28 13:15:32 +02:00
Code Issues Packages Projects Releases Wiki Activity
computer-playbook/roles/docker-ldap/tasks/main.yml

118 lines
4.0 KiB
YAML
Raw Blame History

---
- name: "include docker-compose role"
include_role:
name: docker-compose
- name: Create {{domains | get_domain(application_id)}}.conf if LDAP is exposed to internet
template:
src: "nginx.stream.conf.j2"
dest: "{{nginx.directories.streams}}{{domains | get_domain(application_id)}}.conf"
notify: restart nginx
when: applications[application_id].network.public | bool
- name: Remove {{domains | get_domain(application_id)}}.conf if LDAP is not exposed to internet
file:
path: "{{ nginx.directories.streams }}{{ domains | get_domain(application_id) }}.conf"
state: absent
when: not applications[application_id].network.public | bool
- name: create docker network for LDAP, so that other applications can access it
docker_network:
name: central_ldap
state: present
ipam_config:
- subnet: "{{ networks.local.central_ldap.subnet }}"
- include_tasks: "{{ playbook_dir }}/roles/docker-compose/tasks/create-files.yml"
- name: "create directory {{ldif_host_path}}{{item}}"
file:
path: "{{ldif_host_path}}{{item}}"
state: directory
mode: 0755
loop: "{{ldif_types}}"
- name: "Process all LDIF types"
include_tasks: create_ldif_files.yml
loop:
- configuration
loop_control:
loop_var: folder
- name: flush LDIF handlers
meta: flush_handlers
- name: install python-ldap
community.general.pacman:
name:
- python-ldap
state: present
- name: "Include Nextcloud Schema"
include_tasks: schemas/nextcloud.yml
- name: "Include openssh-lpk Schema"
include_tasks: schemas/openssh_lpk.yml
###############################################################################
# 1) Create the LDAP entry if it does not yet exist
###############################################################################
- name: Ensure LDAP users exist
community.general.ldap_entry:
dn: "{{ ldap.attributes.user_id }}={{ item.key }},{{ ldap.dn.users }}"
server_uri: "{{ ldap_server_uri }}"
bind_dn: "{{ ldap.dn.administrator.data }}"
bind_pw: "{{ ldap.bind_credential }}"
objectClass: "{{ ldap.user_objects.structural }}"
attributes:
uid: "{{ item.key }}" # {{ ldap.attributes.user_id }} can't be used as key here, dynamic key generation isn't possible
sn: "{{ item.value.sn | default(item.key) }}"
cn: "{{ item.value.cn | default(item.key) }}"
userPassword: "{SSHA}{{ item.value.password }}"
loginShell: /bin/bash
homeDirectory: "/home/{{ item.key }}"
uidNumber: "{{ item.value.uid | int }}"
gidNumber: "{{ item.value.gid | int }}"
state: present # ↳ creates but never updates
loop: "{{ users | dict2items }}"
loop_control:
label: "{{ item.key }}"
###############################################################################
# 2) Keep the objectClass list AND the mail attribute up-to-date
###############################################################################
- name: Ensure required objectClass values and mail address are present
community.general.ldap_attrs:
dn: "{{ ldap.attributes.user_id }}={{ item.key }},{{ ldap.dn.users }}"
server_uri: "{{ ldap_server_uri }}"
bind_dn: "{{ ldap.dn.administrator.data }}"
bind_pw: "{{ ldap.bind_credential }}"
attributes:
objectClass: "{{ ldap.user_objects.structural }}"
mail: "{{ item.value.email }}"
state: exact
loop: "{{ users | dict2items }}"
loop_control:
label: "{{ item.key }}"
- name: "Ensure container for application roles exists"
community.general.ldap_entry:
dn: "{{ ldap.dn.application_roles }}"
server_uri: "{{ ldap_server_uri }}"
bind_dn: "{{ ldap.dn.administrator.data }}"
bind_pw: "{{ ldap.bind_credential }}"
objectClass: organizationalUnit
attributes:
ou: roles
description: Container for application access profiles
state: present
- name: "Process all LDIF types"
include_tasks: create_ldif_files.yml
loop:
- data
loop_control:
loop_var: folder
- name: "Add Objects to all users"
include_tasks: add_user_objects.yml
Reference in New Issue View Git Blame Copy Permalink