From 61beea077c277873d5d70f28466245bfd6573437 Mon Sep 17 00:00:00 2001
From: Michael Grote
Date: Wed, 3 Apr 2024 23:00:58 +0200
Subject: [PATCH] setup

---
 playbooks/3_service/git.yml | 1 +
 roles/mgrote_gitea_setup/defaults/main.yml | 21 ++++++++++++++
 roles/mgrote_gitea_setup/tasks/main.yml | 32 ++++++++++++++++++++++
 roles/mgrote_lldap/tasks/main.yml | 15 ++++++++++
 4 files changed, 69 insertions(+)
 create mode 100644 roles/mgrote_gitea_setup/defaults/main.yml
 create mode 100644 roles/mgrote_gitea_setup/tasks/main.yml

diff --git a/playbooks/3_service/git.yml b/playbooks/3_service/git.yml
index e2029ff3..16ec8122 100644
--- a/playbooks/3_service/git.yml
+++ b/playbooks/3_service/git.yml
@@ -3,3 +3,4 @@
 roles:
 - { role: ansible-role-postgresql, tags: "db", become: true }
 - { role: ansible_role_gitea, tags: "gitea", become: true }
+ - { role: mgrote_gitea_setup, tags: "setup", become: true }
diff --git a/roles/mgrote_gitea_setup/defaults/main.yml b/roles/mgrote_gitea_setup/defaults/main.yml
new file mode 100644
index 00000000..875efbb5
--- /dev/null
+++ b/roles/mgrote_gitea_setup/defaults/main.yml
@@ -0,0 +1,21 @@
+---
+lldap_package_url: "https://download.opensuse.org/repositories/home:/Masgalor:/LLDAP/xUbuntu_22.04/amd64/lldap_0.5.0-1+3.1_amd64.deb"
+lldap_logging_verbose: "false"
+lldap_http_port: "17170"
+lldap_http_host: "0.0.0.0"
+lldap_ldap_host: "0.0.0.0"
+lldap_public_url: http://localhost
+lldap_jwt_secret: supersecret
+lldap_ldap_base_dn: "dc=example,dc=com"
+lldap_admin_username: ladmin # only used on setup
+lldap_admin_password: supersecret # also bind-secret; only used on setup
+lldap_admin_mailaddress: lldap-admin@mgrote.net # only used on setup
+lldap_database_url: "postgres://postgres-user:password@postgres-server/my-database"
+lldap_key_seed: supersecretseed
+lldap_smtp_from: "LLDAP Admin "
+lldap_smtp_reply_to: "Do not reply "
+lldap_smtp_server: "mail.domain.net"
+lldap_smtp_port: "25"
+lldap_smtp_smtp_encryption: "NONE"
+lldap_smtp_user: "info@mgrote.net"
+lldap_smtp_enable_password_reset: "true"
diff --git a/roles/mgrote_gitea_setup/tasks/main.yml b/roles/mgrote_gitea_setup/tasks/main.yml
new file mode 100644
index 00000000..2945b0bf
--- /dev/null
+++ b/roles/mgrote_gitea_setup/tasks/main.yml
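Review bot: None of the `lldap_*` defaults introduced here is referenced by the role's new tasks/main.yml, which hardcodes the LDAP host, bind DN and `--bind-password GEHEIM` instead, so this file reads as a copy of the lldap role's defaults rather than the interface of mgrote_gitea_setup. The task only needs the Gitea-side settings (host, port, bind DN, bind password, search base, filter), so I would trim the file to those; `lldap_admin_password` is already commented as the bind secret and is the natural source for `--bind-password`, but it should ship without a committed value, e.g. `lldap_admin_password: null` plus an `ansible.builtin.assert` in the tasks or a vault reference, rather than `supersecret`. `lldap_logging_verbose: "false"` and `lldap_smtp_enable_password_reset: "true"` are strings, not booleans; if that is deliberate for templating into a config file, a comment saying so would help. `lldap_smtp_from: "LLDAP Admin "` and the reply-to value look as if an address was lost in rendering; worth checking the committed text.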
@@ -0,0 +1,32 @@
+
+---
+- name: Ensure LDAP config is configured
+ ansible.builtin.command: |
+ forgejo admin auth add-ldap \
+ --config "/etc/gitea/gitea.ini" \
+ --name "lldap" \
+ --security-protocol "unencrypted" \
+ --host "ldap.mgrote.net" \
+ --port "3890" \
+ --bind-dn "uid=ladmin,ou=people,dc=mgrote,dc=net" \
+ --bind-password GEHEIM \
+ --user-search-base "ou=people,dc=mgrote,dc=net" \
+ --user-filter "(&(memberof=cn=gitea,ou=groups,dc=mgrote,dc=net)(|(uid=%[1]s)(mail=%[1]s)))" \
+ --username-attribute "uid" \
+ --email-attribute "mail" \
+ --firstname-attribute "givenName" \
+ --surname-attribute "sn" \
+ --avatar-attribute "jpegPhoto" \
+ --synchronize-users
+ register: configured
+ ignore_errors: true
+
+- name: debug
+ ansible.builtin.debug:
+ msg: "{{ register }}"
+
+- name: Modify LDAP config
+ ansible.builtin.command: cat /etc/motd
+ when: not configured.changed or configured
+
+...
diff --git a/roles/mgrote_lldap/tasks/main.yml b/roles/mgrote_lldap/tasks/main.yml
index a658d7ae..59a6b9f6 100644
--- a/roles/mgrote_lldap/tasks/main.yml
+++ b/roles/mgrote_lldap/tasks/main.yml
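Review bot: The bind password is the literal placeholder `GEHEIM` on the `--bind-password` line and the registered result is then printed by the debug task, so once a real value is substituted it will appear in Ansible output and logs; the command task also has no `no_log`. The debug task references `{{ register }}`, which is not a variable here (the result is registered as `configured`), so it fails on an undefined variable under default settings. `ignore_errors: true` hides every failure of `add-ldap`, not only the `login source already exists` case that the notes appended to roles/mgrote_lldap/tasks/main.yml describe, and `when: not configured.changed or configured` is always true because a non-empty result dict is truthy, so the follow-up task runs unconditionally. I would take the password from `lldap_admin_password` (which defaults/main.yml already labels as the bind secret), set `no_log: true`, replace `ignore_errors` with a `failed_when` that tolerates only the already-exists message, and key the follow-up on that message; which stream Forgejo prints it on is not visible here, so the check below looks at both. The `--security-protocol "unencrypted"` bind also sends that password in clear text to ldap.mgrote.net:3890, so ldaps or StartTLS would be preferable if the LDAP side supports it.
```yaml
- name: Ensure LDAP config is configured
  ansible.builtin.command: |
    forgejo admin auth add-ldap \
      --config "/etc/gitea/gitea.ini" \
      --name "lldap" \
      # … unchanged: security-protocol, host and port options …
      --bind-dn "uid=ladmin,ou=people,dc=mgrote,dc=net" \
      --bind-password "{{ lldap_admin_password }}" \
      # … unchanged: search base, filter and attribute options …
      --synchronize-users
  register: configured
  no_log: true
  changed_when: configured.rc == 0
  failed_when:
    - configured.rc != 0
    - "'login source already exists' not in (configured.stdout ~ configured.stderr)"

- name: Modify LDAP config
  ansible.builtin.command: cat /etc/motd
  when: "'login source already exists' in (configured.stdout ~ configured.stderr)"
```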
@@ -25,3 +25,18 @@ mode: "0644" notify: Ensure services are enabled and started ... + +mache das +https://docs.gitea.com/administration/command-line + https://github.com/lldap/lldap/blob/main/example_configs/gitea.md + +forgejo admin auth add-ldap --config "/etc/gitea/gitea.ini" --name "lldap" --security-protocol "unencrypted" --host "ldap.mgrote.net" --port "3890" --bind-dn "uid=ladmin,ou=people,dc=mgrote,dc=net" --bind-password GEHEIM --user-search-base "ou=people,dc=mgrote,dc=net" --user-filter "(&(memberof=cn=gitea,ou=groups,dc=mgrote,dc=net)(|(uid=%[1]s)(mail=%[1]s)))" --username-attribute "uid" --email-attribute "mail" --firstname-attribute "givenName" --surname-attribute "sn" --avatar-attribute "jpegPhoto" --synchronize-users + +when error = +Command error: login source already exists [name: lldap] + +dann + +forgejo admin auth update-ldap --config "/etc/gitea/gitea.ini" --id "1" --security-protocol "unencrypted" --host "ldap.mgrote.net" --port "3890" --bind-dn "uid=ladmin,ou=people,dc=mgrote,dc=net" --bind-password GEHEIM --user-search-base "ou=people,dc=mgrote,dc=net" --user-filter "(&(memberof=cn=gitea,ou=groups,dc=mgrote,dc=net)(|(uid=%[1]s)(mail=%[1]s)))" --username-attribute "uid" --email-attribute "mail" --firstname-attribute "givenName" --surname-attribute "sn" --avatar-attribute "jpegPhoto" --synchronize-users + + +das selbe um admin user zu erstellen
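Review bot: The free text appended after the `...` document-end marker leaves roles/mgrote_lldap/tasks/main.yml as a stream that is no longer one clean YAML document (`Command error: login source already exists [name: lldap]` contains `: ` inside what is otherwise a multi-line plain scalar), so Ansible will most likely fail to load this tasks file until the notes are removed. Working notes like these belong in a README or the commit message rather than a role's task list, and they also carry the bind DN and the bind-password placeholder of the Gitea LDAP source. The `update-ldap --id "1"` step noted here assumes the login source id; Gitea's CLI exposes `admin auth list`, which can resolve the id from the `lldap` name instead of hardcoding `1`.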