diff --git a/docker-compose/lldap/docker-compose.yml.j2 b/docker-compose/lldap/docker-compose.yml.j2
index bdc5378a..8cd7c0ea 100644
--- a/docker-compose/lldap/docker-compose.yml.j2
+++ b/docker-compose/lldap/docker-compose.yml.j2
@@ -23,22 +23,6 @@ services:
 environment:
 UID: 1000
 GID: 1000
- LLDAP_HTTP_PORT: 17170
- LLDAP_HTTP_URL: "http://docker10.grote.lan:17170"
- LLDAP_KEY_SEED: "{{ lookup('keepass', 'lldap_key_seed', 'password') }}"
- LLDAP_VERBOSE: true
- LLDAP_JWT_SECRET: "{{ lookup('keepass', 'lldap_jwt_secret', 'password') }}"
- LLDAP_LDAP_BASE_DN: "dc=grote,dc=lan"
- LLDAP_USER_DN: "admin"
- LLDAP_LDAP_USER_PASS: "{{ lookup('keepass', 'lldap_ldap_user_pass', 'password') }}"
- LLDAP_DATABASE_URL: "mysql://lldap-db-user:{{ lookup('keepass', 'lldap_mysql_password', 'password') }}@lldap-db/lldap"
- LLDAP_SMTP_OPTIONS__ENABLE_PASSWORD_reset: true
- LLDAP_SMTP_OPTIONS__FROM: "LLDAP Admin "
- LLDAP_SMTP_OPTIONS__REPLY_TO: "Do not reply "
- LLDAP_SMTP_OPTIONS__SERVER: "mail-relay"
- LLDAP_SMTP_OPTIONS__PORT: "25"
- LLDAP_SMTP_OPTIONS__SMTP_ENCRYPTION: "NONE"
- LLDAP_SMTP_OPTIONS__USER: "info@mgrote.net"
 ######## DB ########
 lldap-db:
diff --git a/host_vars/docker10.mgrote.net.yml b/host_vars/docker10.mgrote.net.yml
index a8b71a9c..f655c0f1 100644
--- a/host_vars/docker10.mgrote.net.yml
+++ b/host_vars/docker10.mgrote.net.yml
@@ -68,7 +68,7 @@ compose_files:
 state: present
 network: traefik
 - name: lldap
- state: present
+ state: absent # auf system und unter docker-copose ordner löschen
 ### oefenweb.ufw
 ufw_rules:
diff --git a/host_vars/ldap.mgrote.net.yml b/host_vars/ldap.mgrote.net.yml
new file mode 100644
index 00000000..845d2560
--- /dev/null
+++ b/host_vars/ldap.mgrote.net.yml
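Review bot: `state: absent` on the lldap compose entry stops the stack but, as the inline German comment itself records, the rendered compose file on docker10 still has to be deleted by hand, and the environment block removed in the first hunk shows that this file held the resolved values of the `lldap_jwt_secret`, `lldap_key_seed` and `lldap_ldap_user_pass` keepass entries, which host_vars/ldap.mgrote.net.yml reuses unchanged for the new host. Until that cleanup happens the decommissioned host keeps a plaintext copy of the new host's JWT signing secret, key seed and admin/bind password, so either rotate those three entries once docker10 is cleaned up or track the cleanup as a task rather than an inline note. The comment also misspells `docker-copose`.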
@@ -0,0 +1,57 @@
+---
+### geerlingguy_postgres
+postgresql_databases:
+ - name: "{{ lldap_db_name }}"
+postgresql_users:
+ - name: "{{ lldap_db_user }}"
+ password: "{{ lldap_db_pass }}"
+
+### oefenweb.ufw
+ufw_rules:
+ - rule: allow
+ to_port: 22
+ protocol: tcp
+ comment: 'ssh'
+ from_ip: 0.0.0.0/0
+ - rule: allow
+ to_port: 4949
+ protocol: tcp
+ comment: 'munin'
+ from_ip: 192.168.2.0/24
+ - rule: allow
+ to_port: "{{ lldap_http_port }}"
+ protocol: tcp
+ comment: 'lldap'
+ from_ip: 192.168.2.0/24
+ - rule: allow
+ to_port: 3890
+ protocol: tcp
+ comment: 'lldap'
+ from_ip: 192.168.2.0/24
+
+### mgrote_lldap
+lldap_repo_url: "deb http://download.opensuse.org/repositories/home:/Masgalor:/LLDAP/xUbuntu_22.04/ /"
+lldap_logging_verbose: false
+lldap_http_port: 17170
+lldap_http_host: "0.0.0.0"
+lldap_ldap_host: "0.0.0.0"
+lldap_public_url: http://localhost
+lldap_jwt_secret: "{{ lookup('keepass', 'lldap_jwt_secret', 'password') }}"
+lldap_ldap_base_dn: "dc=mgrote,dc=net"
+lldap_admin_username: ladmin # only used on setup
+lldap_admin_password: "{{ lookup('keepass', 'lldap_ldap_user_pass', 'password') }}" # only used on setup; also bind-secret
+lldap_admin_mailaddress: lldap-admin@mgrote.net # only used on setup
+lldap_database_url: "postgres://{{ lldap_db_user }}:{{ lldap_db_pass }}@{{ lldap_db_host }}/{{ lldap_db_name }}"
+lldap_key_seed: "{{ lookup('keepass', 'lldap_key_seed', 'password') }}"
+lldap_smtp_from: "LLDAP Admin "
+lldap_smtp_reply_to: "Do not reply "
+lldap_smtp_server: "mail-relay"
+lldap_smtp_port: "25"
+lldap_smtp_smtp_encryption: "NONE"
+lldap_smtp_user: "info@mgrote.net"
+lldap_smtp_enable_password_reset: true
+# "meta vars"; daraus werden die db-url und die postgres-db abgeleitet
+lldap_db_name: "lldap"
+lldap_db_user: "lldap"
+lldap_db_pass: "{{ lookup('keepass', 'lldap_db_pass', 'password') }}"
+lldap_db_host: "localhost"
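Review bot: `lldap_public_url: http://localhost` is carried over from the role default although `lldap_smtp_enable_password_reset: true` is set on this host, so every password-reset mail it sends will contain a link to localhost; the removed docker-compose file used the real host URL, and this should become something like `lldap_public_url: "http://ldap.mgrote.net:17170"` (constructed from the host_vars file name, adjust to the real name). The ufw rule opens 3890/tcp to 192.168.2.0/24 and the comment on `lldap_admin_password` says it doubles as the bind secret, yet the template added in this commit leaves `[ldaps_options]` entirely commented out, so binds cross the LAN in clear text; enable LDAPS in the template or narrow `from_ip` to the hosts that actually bind. `lldap_http_port: 17170` is an integer here while roles/mgrote_lldap/defaults/main.yml declares the same variable as the string `"17170"`; pick one type for both files.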
diff --git a/keepass_db.kdbx b/keepass_db.kdbx
index d6ed24a3..d393553b 100644
Binary files a/keepass_db.kdbx and b/keepass_db.kdbx differ
diff --git a/playbooks/3_service/lldap.yml b/playbooks/3_service/lldap.yml
new file mode 100644
index 00000000..c9078006
--- /dev/null
+++ b/playbooks/3_service/lldap.yml
@@ -0,0 +1,5 @@
+---
+- hosts: ldap
+ roles:
+ - { role: ansible-role-postgresql, tags: "db", become: true }
+ - { role: mgrote_lldap, tags: "lldap", become: true }
diff --git a/roles/mgrote_lldap/defaults/main.yml b/roles/mgrote_lldap/defaults/main.yml
new file mode 100644
index 00000000..9004a341
--- /dev/null
+++ b/roles/mgrote_lldap/defaults/main.yml
@@ -0,0 +1,21 @@
+---
+lldap_repo_url: "deb http://download.opensuse.org/repositories/home:/Masgalor:/LLDAP/xUbuntu_22.04/ /"
+lldap_logging_verbose: false
+lldap_http_port: "17170"
+lldap_http_host: "0.0.0.0"
+lldap_ldap_host: "0.0.0.0"
+lldap_public_url: http://localhost
+lldap_jwt_secret: supersecret
+lldap_ldap_base_dn: "dc=example,dc=com"
+lldap_admin_username: ladmin # only used on setup
+lldap_admin_password: supersecret # also bind-secret; only used on setup
+lldap_admin_mailaddress: lldap-admin@mgrote.net # only used on setup
+lldap_database_url: "postgres://postgres-user:password@postgres-server/my-database"
+lldap_key_seed: supersecretseed
+lldap_smtp_from: "LLDAP Admin "
+lldap_smtp_reply_to: "Do not reply "
+lldap_smtp_server: "mail.domain.net"
+lldap_smtp_port: "25"
+lldap_smtp_smtp_encryption: "NONE"
+lldap_smtp_user: "info@mgrote.net"
+lldap_smtp_enable_password_reset: true
diff --git a/roles/mgrote_lldap/tasks/main.yml b/roles/mgrote_lldap/tasks/main.yml
new file mode 100644
index 00000000..b8d375c0
--- /dev/null
+++ b/roles/mgrote_lldap/tasks/main.yml
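Review bot: The role defaults give `lldap_jwt_secret`, `lldap_admin_password` and `lldap_key_seed` usable placeholder values (`supersecret`, `supersecretseed`), so a host that forgets to override them deploys silently with a guessable JWT signing secret and admin/bind password instead of failing. Prefer leaving those three keys out of defaults/main.yml, where an undefined variable makes the template task fail, or add an `ansible.builtin.assert` at the top of tasks/main.yml that checks each of them differs from the placeholder; `lldap_database_url` with its embedded `password` deserves the same treatment. `lldap_admin_mailaddress` and `lldap_smtp_user` default to site-specific mgrote.net addresses, which belong in host_vars rather than a role default.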
@@ -0,0 +1,28 @@
+---
+- name: Ensure repository exists
+ ansible.builtin.apt_repository:
+ repo: "{{ lldap_repo_url }}"
+ state: present
+ filename: lldap
+
+- name: Ensure package is installed
+ ansible.builtin.apt:
+ name: lldap
+ update_cache: yes
+
+- name: Ensure config is templated
+ ansible.builtin.template:
+ src: lldap_config.toml.j2
+ dest: /etc/lldap/lldap_config.toml
+ owner: lldap
+ group: lldap
+ mode: "0644"
+
+- name: Ensure services are enabled and started
+ become: true
+ ansible.builtin.systemd:
+ name: lldap.service
+ masked: false
+ enabled: true
+ started: true
+...
diff --git a/roles/mgrote_lldap/templates/lldap_config.toml.j2 b/roles/mgrote_lldap/templates/lldap_config.toml.j2
new file mode 100644
index 00000000..b18e880e
--- /dev/null
+++ b/roles/mgrote_lldap/templates/lldap_config.toml.j2
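Review bot: `started: true` in the last task is not a parameter of `ansible.builtin.systemd` (the module expresses this through `state`), so the task fails with an unsupported-parameter error and the service is never started; it should read `state: started`. The template added in this commit is the only consumer of `lldap_jwt_secret`, `lldap_key_seed`, `lldap_admin_password` and `lldap_database_url` (which embeds the DB password), so /etc/lldap/lldap_config.toml presumably carries all of them, and `mode: "0644"` then makes them readable by every local account; with owner and group already set to `lldap`, `mode: "0640"` is enough for the service. The template task has no `notify`, so a changed config is written but the running lldap is never restarted; add a handler that restarts lldap.service and notify it from that task. `update_cache: yes` should be the boolean `true`.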
@@ -0,0 +1,143 @@
+## Tune the logging to be more verbose by setting this to be true.
+## You can set it with the LLDAP_VERBOSE environment variable.
+verbose="{{ lldap_logging_verbose }}"
+
+## The host address that the LDAP server will be bound to.
+## To enable IPv6 support, simply switch "ldap_host" to "::":
+## To only allow connections from localhost (if you want to restrict to local self-hosted services),
+## change it to "127.0.0.1" ("::1" in case of IPv6)".
+ldap_host = "{{ lldap_ldap_host }}"
+
+## The port on which to have the LDAP server.
+#ldap_port = 3890
+
+## The host address that the HTTP server will be bound to.
+## To enable IPv6 support, simply switch "http_host" to "::".
+## To only allow connections from localhost (if you want to restrict to local self-hosted services),
+## change it to "127.0.0.1" ("::1" in case of IPv6)".
+http_host = "{{ lldap_http_host }}"
+
+## The port on which to have the HTTP server, for user login and
+## administration.
+http_port = "{{ lldap_http_port }}"
+
+## The public URL of the server, for password reset links.
+http_url = "{{ lldap_public_url }}"
+
+## Random secret for JWT signature.
+## This secret should be random, and should be shared with application
+## servers that need to consume the JWTs.
+## Changing this secret will invalidate all user sessions and require
+## them to re-login.
+## You should probably set it through the LLDAP_JWT_SECRET environment
+## variable from a secret ".env" file.
+## This can also be set from a file's contents by specifying the file path
+## in the LLDAP_JWT_SECRET_FILE environment variable
+## You can generate it with (on linux):
+## LC_ALL=C tr -dc 'A-Za-z0-9!#%&'\''()*+,-./:;<=>?@[\]^_{|}~' .
+from="{{ lldap_smtp_from }}"
+## Same for reply-to, optional.
+reply_to="{{ lldap_smtp_reply_to }}"
+
+## Options to configure LDAPS.
+## To set these options from environment variables, use the following format
+## (example with "port"): LLDAP_LDAPS_OPTIONS__PORT
+[ldaps_options]
+## Whether to enable LDAPS.
+#enabled=true
+## Port on which to listen.
+#port=6360
+## Certificate file.
+#cert_file="/data/cert.pem"
+## Certificate key file.
+#key_file="/data/key.pem"
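Review bot: `verbose="{{ lldap_logging_verbose }}"` and `http_port = "{{ lldap_http_port }}"` wrap the values in quotes, so the rendered TOML contains the strings `"False"` (a YAML boolean embedded in a larger Jinja string renders as Python's `False`) and `"17170"` where the upstream example config uses an unquoted boolean and integer; whether lldap's loader coerces those strings is not visible here, so render them unquoted as `verbose = {{ lldap_logging_verbose | lower }}` and `http_port = {{ lldap_http_port }}`. The hunk as shown on this page is only a fragment of the 143-line file (everything between the JWT-secret comment block and `from=` is missing), so the secret-bearing keys could not be reviewed. `[ldaps_options]` is left entirely commented while the host_vars in this commit expose 3890/tcp to the LAN; if a certificate is available on the host, templating `enabled`, `cert_file` and `key_file` from role variables here would close that gap.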