From 48cf09d4181805316aed72d40616f85b3afb7bba Mon Sep 17 00:00:00 2001
From: Michael Grote
Date: Wed, 3 Apr 2024 23:27:23 +0200
Subject: [PATCH] vars

---
 group_vars/git.yml | 4 ++++
 roles/mgrote_gitea_setup/defaults/main.yml | 21 ---------------------
 roles/mgrote_gitea_setup/tasks/main.yml | 18 +++++++++++-------
 3 files changed, 15 insertions(+), 28 deletions(-)
 delete mode 100644 roles/mgrote_gitea_setup/defaults/main.yml

diff --git a/group_vars/git.yml b/group_vars/git.yml
index d593da81..ed13cd95 100644
--- a/group_vars/git.yml
+++ b/group_vars/git.yml
@@ -134,3 +134,7 @@ gitea_fail2ban_jail_maxretry: "3"
 gitea_fail2ban_jail_findtime: "300"
 gitea_fail2ban_jail_bantime: "600"
 gitea_fail2ban_jail_action: "iptables-allports"
+
+### mgrote_gitea_setup
+ldap_host: "ldap.mgrote.net"
+ldap_bind_pass: "{{ lookup('keepass', 'lldap_ldap_user_pass', 'password') }}"
diff --git a/roles/mgrote_gitea_setup/defaults/main.yml b/roles/mgrote_gitea_setup/defaults/main.yml
deleted file mode 100644
index 875efbb5..00000000
--- a/roles/mgrote_gitea_setup/defaults/main.yml
+++ /dev/null
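Review bot: The two new keys `ldap_host` and `ldap_bind_pass` carry no role prefix, while the surrounding keys in this file (the `gitea_fail2ban_*` lines in the same hunk) are namespaced; a bare `ldap_host` or `ldap_bind_pass` defined by another role or play for the same hosts would silently win over these. Naming them `gitea_ldap_host` and `gitea_ldap_bind_pass` (and referencing them under those names in roles/mgrote_gitea_setup/tasks/main.yml) keeps the file's convention and makes the bind secret greppable to its consumer. Since this commit also deletes roles/mgrote_gitea_setup/defaults/main.yml, these two group vars are now the only definition the role has; a one-line comment such as `# required by roles/mgrote_gitea_setup, no role default` above them would document that.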
@@ -1,21 +0,0 @@
----
-lldap_package_url: "https://download.opensuse.org/repositories/home:/Masgalor:/LLDAP/xUbuntu_22.04/amd64/lldap_0.5.0-1+3.1_amd64.deb"
-lldap_logging_verbose: "false"
-lldap_http_port: "17170"
-lldap_http_host: "0.0.0.0"
-lldap_ldap_host: "0.0.0.0"
-lldap_public_url: http://localhost
-lldap_jwt_secret: supersecret
-lldap_ldap_base_dn: "dc=example,dc=com"
-lldap_admin_username: ladmin # only used on setup
-lldap_admin_password: supersecret # also bind-secret; only used on setup
-lldap_admin_mailaddress: lldap-admin@mgrote.net # only used on setup
-lldap_database_url: "postgres://postgres-user:password@postgres-server/my-database"
-lldap_key_seed: supersecretseed
-lldap_smtp_from: "LLDAP Admin "
-lldap_smtp_reply_to: "Do not reply "
-lldap_smtp_server: "mail.domain.net"
-lldap_smtp_port: "25"
-lldap_smtp_smtp_encryption: "NONE"
-lldap_smtp_user: "info@mgrote.net"
-lldap_smtp_enable_password_reset: "true"
diff --git a/roles/mgrote_gitea_setup/tasks/main.yml b/roles/mgrote_gitea_setup/tasks/main.yml
index db8bb75c..fda59fa0 100644
--- a/roles/mgrote_gitea_setup/tasks/main.yml
+++ b/roles/mgrote_gitea_setup/tasks/main.yml
@@ -1,17 +1,21 @@
-
 ---
+# die Variablen kommen aus
+# - https://docs.gitea.com/administration/command-line
+# - https://github.com/lldap/lldap/blob/main/example_configs/gitea.md
+# und
+# den jeweiligen group/host-Vars!
 - name: Ensure LDAP config is set up
 no_log: true
 become_user: gitea
 ansible.builtin.command: |
 forgejo admin auth add-ldap \
- --config "/etc/gitea/gitea.ini" \
+ --config "{{ gitea_configuration_path }}/gitea.ini" \
 --name "lldap" \
 --security-protocol "unencrypted" \
- --host "ldap.mgrote.net" \
+ --host "{{ ldap_host }}" \
 --port "3890" \
 --bind-dn "uid=ladmin,ou=people,dc=mgrote,dc=net" \
- --bind-password GEHEIM \
+ --bind-password "{{ ldap_bind_pass }}" \
 --user-search-base "ou=people,dc=mgrote,dc=net" \
 --user-filter "(&(memberof=cn=gitea,ou=groups,dc=mgrote,dc=net)(|(uid=%[1]s)(mail=%[1]s)))" \
 --username-attribute "uid" \
@@ -34,13 +38,13 @@
 become_user: gitea
 ansible.builtin.command: |
 forgejo admin auth update-ldap \
- --config "/etc/gitea/gitea.ini" \
+ --config "{{ gitea_configuration_path }}/gitea.ini" \
 --id "1" \
 --security-protocol "unencrypted" \
- --host "ldap.mgrote.net" \
+ --host "{{ ldap_host }}" \
 --port "3890" \
 --bind-dn "uid=ladmin,ou=people,dc=mgrote,dc=net" \
- --bind-password GEHEIM \
+ --bind-password "{{ ldap_bind_pass }}" \
 --user-search-base "ou=people,dc=mgrote,dc=net" \
 --user-filter "(&(memberof=cn=gitea,ou=groups,dc=mgrote,dc=net)(|(uid=%[1]s)(mail=%[1]s)))" \
 --username-attribute "uid" \
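Review bot: The added line `--bind-password "{{ ldap_bind_pass }}" \` (and the identical line in the `update-ldap` hunk at @@ -34,13 +38,13 @@) splices the secret into the command text unescaped, so a bind password containing a double quote or backslash breaks the argument boundaries that `ansible.builtin.command` derives from this string, and the same applies to `--host "{{ ldap_host }}" \`; use Ansible's shell-quoting filter instead, `--bind-password {{ ldap_bind_pass | quote }} \` and `--host {{ ldap_host | quote }} \`. Independently of quoting, the password now travels in the argv of the forgejo process for the duration of the call, where any local account that can list processes on the host can read it; `no_log: true` only suppresses Ansible's own output and does not shorten that window, so this is worth a comment above the task, e.g. `# bind password is exposed on the forgejo command line while the task runs; no_log only covers the play output`, and, if forgejo offers a non-argv way to supply the bind password, that path is preferable. `gitea_configuration_path`, `ldap_host` and `ldap_bind_pass` have no role default now that defaults/main.yml is deleted in this commit, so the role fails with an undefined-variable error on any host whose group vars do not set them; the header comment added in this hunk could list them explicitly as required. Both tasks continue past the end of their hunks.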