homeserver/roles/mgrote_gitea_setup/tasks/main.yml

---
# die Variablen kommen aus
# - https://docs.gitea.com/administration/command-line
# - https://github.com/lldap/lldap/blob/main/example_configs/gitea.md
# und
# den jeweiligen group/host-Vars!
- name: Ensure LDAP config is set up
  no_log: true
  become_user: gitea
  ansible.builtin.command: |
    forgejo admin auth add-ldap \
      --config "{{ gitea_configuration_path }}/gitea.ini" \
      --name "lldap" \
      --security-protocol "unencrypted" \
      --host "{{ ldap_host }}" \
      --port "3890" \
      --bind-dn "uid=ladmin,ou=people,dc=mgrote,dc=net" \
      --bind-password "{{ ldap_bind_pass }}" \
      --user-search-base "ou=people,dc=mgrote,dc=net" \
      --user-filter "(&(memberof=cn=gitea,ou=groups,dc=mgrote,dc=net)(|(uid=%[1]s)(mail=%[1]s)))" \
      --username-attribute "uid" \
      --email-attribute "mail" \
      --firstname-attribute "givenName" \
      --surname-attribute "sn" \
      --avatar-attribute "jpegPhoto" \
      --synchronize-users
  register: setup
  ignore_errors: true
  failed_when: 'not "Command error: login source already exists [name: lldap]" in setup.stderr' # fail Task wenn LDAP schon konfiguriert ist
  changed_when: "setup.rc == 0" # chnaged nur wenn Task rc 0 hat, sollte nur beim ersten lauf vorkommen; ungetestet

- name: Modify LDAP config
  no_log: true
  become_user: gitea
  ansible.builtin.command: |
    forgejo admin auth update-ldap \
      --config "{{ gitea_configuration_path }}/gitea.ini" \
      --id "1" \
      --security-protocol "unencrypted" \
      --host "{{ ldap_host }}" \
      --port "3890" \
      --bind-dn "uid=ladmin,ou=people,dc=mgrote,dc=net" \
      --bind-password "{{ ldap_bind_pass }}" \
      --user-search-base "ou=people,dc=mgrote,dc=net" \
      --user-filter "(&(memberof=cn=gitea,ou=groups,dc=mgrote,dc=net)(|(uid=%[1]s)(mail=%[1]s)))" \
      --username-attribute "uid" \
      --email-attribute "mail" \
      --firstname-attribute "givennName" \
      --surname-attribute "sn" \
      --avatar-attribute "jpegPhoto" \
      --synchronize-users
  when: '"Command error: login source already exists [name: lldap]" in setup.stderr' # führe nur aus wenn erster Task fehlgeschlagen ist
  changed_when: false # keine idee wie ich changed feststellen kann
...
setup 2024-04-03 23:00:58 +02:00			`---`
vars 2024-04-03 23:27:23 +02:00			`# die Variablen kommen aus`
			`# - https://docs.gitea.com/administration/command-line`
			`# - https://github.com/lldap/lldap/blob/main/example_configs/gitea.md`
			`# und`
			`# den jeweiligen group/host-Vars!`
f 2024-04-03 23:20:59 +02:00			`- name: Ensure LDAP config is set up`
sort 2024-04-03 23:23:35 +02:00			`no_log: true`
			`become_user: gitea`
setup 2024-04-03 23:00:58 +02:00			`ansible.builtin.command: \|`
			`forgejo admin auth add-ldap \`
vars 2024-04-03 23:27:23 +02:00			`--config "{{ gitea_configuration_path }}/gitea.ini" \`
setup 2024-04-03 23:00:58 +02:00			`--name "lldap" \`
			`--security-protocol "unencrypted" \`
vars 2024-04-03 23:27:23 +02:00			`--host "{{ ldap_host }}" \`
setup 2024-04-03 23:00:58 +02:00			`--port "3890" \`
			`--bind-dn "uid=ladmin,ou=people,dc=mgrote,dc=net" \`
vars 2024-04-03 23:27:23 +02:00			`--bind-password "{{ ldap_bind_pass }}" \`
setup 2024-04-03 23:00:58 +02:00			`--user-search-base "ou=people,dc=mgrote,dc=net" \`
			`--user-filter "(&(memberof=cn=gitea,ou=groups,dc=mgrote,dc=net)(\|(uid=%[1]s)(mail=%[1]s)))" \`
			`--username-attribute "uid" \`
			`--email-attribute "mail" \`
			`--firstname-attribute "givenName" \`
			`--surname-attribute "sn" \`
			`--avatar-attribute "jpegPhoto" \`
			`--synchronize-users`
f 2024-04-03 23:20:59 +02:00			`register: setup`
setup 2024-04-03 23:00:58 +02:00			`ignore_errors: true`
f 2024-04-03 23:20:59 +02:00			`failed_when: 'not "Command error: login source already exists [name: lldap]" in setup.stderr' # fail Task wenn LDAP schon konfiguriert ist`
			`changed_when: "setup.rc == 0" # chnaged nur wenn Task rc 0 hat, sollte nur beim ersten lauf vorkommen; ungetestet`
setup 2024-04-03 23:00:58 +02:00
			`- name: Modify LDAP config`
sort 2024-04-03 23:23:35 +02:00			`no_log: true`
			`become_user: gitea`
dd 2024-04-03 23:06:38 +02:00			`ansible.builtin.command: \|`
			`forgejo admin auth update-ldap \`
vars 2024-04-03 23:27:23 +02:00			`--config "{{ gitea_configuration_path }}/gitea.ini" \`
dd 2024-04-03 23:06:38 +02:00			`--id "1" \`
			`--security-protocol "unencrypted" \`
vars 2024-04-03 23:27:23 +02:00			`--host "{{ ldap_host }}" \`
dd 2024-04-03 23:06:38 +02:00			`--port "3890" \`
			`--bind-dn "uid=ladmin,ou=people,dc=mgrote,dc=net" \`
vars 2024-04-03 23:27:23 +02:00			`--bind-password "{{ ldap_bind_pass }}" \`
dd 2024-04-03 23:06:38 +02:00			`--user-search-base "ou=people,dc=mgrote,dc=net" \`
			`--user-filter "(&(memberof=cn=gitea,ou=groups,dc=mgrote,dc=net)(\|(uid=%[1]s)(mail=%[1]s)))" \`
			`--username-attribute "uid" \`
			`--email-attribute "mail" \`
ff 2024-04-03 23:21:19 +02:00			`--firstname-attribute "givennName" \`
dd 2024-04-03 23:06:38 +02:00			`--surname-attribute "sn" \`
			`--avatar-attribute "jpegPhoto" \`
			`--synchronize-users`
f 2024-04-03 23:20:59 +02:00			`when: '"Command error: login source already exists [name: lldap]" in setup.stderr' # führe nur aus wenn erster Task fehlgeschlagen ist`
f 2024-04-03 23:22:45 +02:00			`changed_when: false # keine idee wie ich changed feststellen kann`
setup 2024-04-03 23:00:58 +02:00			`...`