migrate lldap to docker (#238)

docker-compose/lldap/lldap_config.toml.j2 host_vars/docker10.mgrote.net.yml Signed-off-by: Michael Grote <michael.grote@posteo.de> Reviewed-on: #238 Co-authored-by: Michael Grote <michael.grote@posteo.de> Co-committed-by: Michael Grote <michael.grote@posteo.de>
2024-11-15 20:53:26 +01:00 · 2024-11-15 20:53:26 +01:00 · b72ccc4a92
commit b72ccc4a92
parent b3c5a460ba
16 changed files with 89 additions and 12 deletions
--- a/docker-compose/lldap/docker-compose.yml.j2
+++ b/docker-compose/lldap/docker-compose.yml.j2
@ -0,0 +1,52 @@
+services:
+  lldap:
+    image: lldap/lldap:v0.6.0-debian-rootless
+    container_name: lldap
+    restart: unless-stopped
+    pull_policy: missing
+    ports:
+      - "3890:3890"
+      - "17170:17170" # front-end
+    volumes:
+      - "lldap_data:/data"
+      - "./lldap_config.toml:/data/lldap_config.toml"
+    environment:
+      TZ: Europe/Berlin
+    networks:
+      - traefik
+      - postfix
+      - internal
+    depends_on:
+      - lldap-db17
+
+######## Postgres ########
+  lldap-db17:
+    container_name: "lldap-db"
+    image: "postgres:17.0"
+    restart: unless-stopped
+    pull_policy: missing
+    environment:
+      POSTGRES_USER: lldap
+      POSTGRES_PASSWORD: "{{ lookup('viczem.keepass.keepass', 'lldap/lldap_db_pass', 'password') }}"
+      TZ: Europe/Berlin
+    volumes:
+      - db17:/var/lib/postgresql/data
+    networks:
+      - internal
+    healthcheck:
+      test: ["CMD", "pg_isready", "-U", "lldap"]
+      interval: 10s
+      start_period: 30s
+
+######## Networks ########
+networks:
+  traefik:
+    external: true
+  postfix:
+    external: true
+  internal:
+
+######## Volumes ########
+volumes:
+  lldap_data:
+  db17:
--- a/docker-compose/lldap/lldap_config.toml.j2
+++ b/docker-compose/lldap/lldap_config.toml.j2
@ -0,0 +1,28 @@
+verbose = false
+
+ldap_host = "0.0.0.0"
+ldap_port = 3890
+
+http_host = "0.0.0.0"
+http_port = 17170
+http_url = "https://ldap.mgrote.net"
+
+jwt_secret = "{{ lookup('viczem.keepass.keepass', 'lldap/lldap_jwt_secret', 'password') }}"
+
+ldap_base_dn = "dc=mgrote,dc=net"
+ldap_user_dn = "{{ lookup('viczem.keepass.keepass', 'lldap/lldap_admin_user', 'username') }}"
+ldap_user_email = "lldap-admin@mgrote.net"
+ldap_user_pass = "{{ lookup('viczem.keepass.keepass', 'lldap/lldap_admin_user', 'password') }}"
+
+database_url = "postgres://lldap:{{ lookup('viczem.keepass.keepass', 'lldap/lldap_db_pass', 'password') }}@lldap-db/lldap"
+
+key_seed = "{{ lookup('viczem.keepass.keepass', 'lldap/lldap_key_seed', 'password') }}"
+
+force_ldap_user_pass_reset = "always"
+
+[smtp_options]
+enable_password_reset = false
+server = "postfix"
+port = 25
+smtp_encryption = "NONE"
+reply_to  ="Do not reply <info@mgrote.net>"
--- a/docker-compose/nextcloud/ldap.sh.j2
+++ b/docker-compose/nextcloud/ldap.sh.j2
@ -10,7 +10,7 @@ php occ app:enable user_ldap
 #php occ ldap:create-empty-config # wird nur bei komplett neuer nextcloud benötigt, legt sonst bei jedem durchlauf weitere ldap-configs an

 # EDIT: domain
-php occ ldap:set-config s01 ldapHost "ldap://ldap.mgrote.net."
+php occ ldap:set-config s01 ldapHost "ldap://lldap."
 php occ ldap:set-config s01 ldapPort 3890
 # EDIT: admin user
 php occ ldap:set-config s01 ldapAgentName "uid=nextcloud_bind_user,ou=people,dc=mgrote,dc=net"
--- a/docker-compose/traefik/configuration.yml.j2
+++ b/docker-compose/traefik/configuration.yml.j2
@ -67,7 +67,7 @@ authentication_backend:
  refresh_interval: 1m
  ldap:
    implementation: custom
-    address: ldap://ldap.mgrote.net:3890
+    address: ldap://lldap:3890
    timeout: 5s
    start_tls: false
    base_dn: dc=mgrote,dc=net
--- a/group_vars/ldap.yml
+++ b/group_vars/ldap.yml
--- a/playbooks/3_service/lldap.yml
+++ b/playbooks/3_service/lldap.yml
--- a/friedhof/mgrote_lldap/defaults/main.yml
+++ b/friedhof/mgrote_lldap/defaults/main.yml
--- a/friedhof/mgrote_lldap/handlers/main.yml
+++ b/friedhof/mgrote_lldap/handlers/main.yml
--- a/friedhof/mgrote_lldap/tasks/main.yml
+++ b/friedhof/mgrote_lldap/tasks/main.yml
--- a/friedhof/mgrote_lldap/templates/lldap_config.toml.j2
+++ b/friedhof/mgrote_lldap/templates/lldap_config.toml.j2
--- a/group_vars/blocky.yml
+++ b/group_vars/blocky.yml
@ -85,7 +85,7 @@ blocky_custom_lookups: # optional
  - name: fritz.box
    ip: 192.168.5.1
  - name: ldap.mgrote.net
-    ip: 192.168.2.47
+    ip: 192.168.2.43
  - name: munin.mgrote.net
    ip: 192.168.2.40
  - name: s3.mgrote.net
--- a/group_vars/git.yml
+++ b/group_vars/git.yml
@ -148,7 +148,7 @@ gitea_fail2ban_jail_bantime: "600"
 gitea_fail2ban_jail_action: "iptables-allports"

 ### mgrote_gitea_setup
-gitea_ldap_host: "ldap.mgrote.net"
+gitea_ldap_host: "docker10.mgrote.net"
 gitea_ldap_base_path: "dc=mgrote,dc=net"
 gitea_ldap_bind_user: "forgejo_bind_user"
 gitea_ldap_bind_pass: "{{ lookup('viczem.keepass.keepass', 'forgejo/lldap_forgejo_bind_user', 'password') }}"
--- a/group_vars/munin.yml
+++ b/group_vars/munin.yml
@ -67,9 +67,6 @@ munin_hosts:
  - name: blocky.mgrote.net
    address: blocky.mgrote.net
    extra: ["use_node_name yes"]
-  - name: ldap.mgrote.net
-    address: ldap.mgrote.net
-    extra: ["use_node_name yes"]

 ### mgrote_munin_node
 munin_node_bind_host: "127.0.0.1"
@ -104,7 +101,7 @@ munin_node_plugins:
    src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/http/http_response
    config: |
      [http_response]
-      env.sites https://git.mgrote.net http://ldap.mgrote.net:17170 https://docker10.mgrote.net:8443 https://rui.mgrote.net/ http://munin.mgrote.net http://192.168.5.1 http://192.168.3.1 http://192.168.3.108:8080 http://192.168.3.204 http://docker10.mgrote.net:6483 https://miniflux.mgrote.net/ https://nextcloud.mgrote.net https://audio.mgrote.net/mg http://wiki.mgrote.net https://s3.mgrote.net https://auth.mgrote.net
+      env.sites https://git.mgrote.net https://docker10.mgrote.net:8443 https://rui.mgrote.net/ http://munin.mgrote.net http://192.168.5.1 http://192.168.3.1 http://192.168.3.108:8080 http://192.168.3.204 http://docker10.mgrote.net:6483 https://miniflux.mgrote.net/ https://nextcloud.mgrote.net https://audio.mgrote.net/mg http://wiki.mgrote.net https://s3.mgrote.net https://auth.mgrote.net http://docker10.mgrote.net:17170
      env.max_time 20
      env.short_label true
      env.follow_redirect true
--- a/host_vars/docker10.mgrote.net.yml
+++ b/host_vars/docker10.mgrote.net.yml
@ -50,8 +50,12 @@ compose_files:
    state: present
  - name: act-runner
    state: present
+  - name: lldap
+    state: present
+    network: traefik
  - name: minio
    state: present
+    network: traefik

 ### oefenweb.ufw
 ufw_rules:
--- a/4
+++ b/4
@ -6,9 +6,6 @@ all:
    blocky:
      hosts:
        blocky.mgrote.net:
-    ldap:
-      hosts:
-        ldap.mgrote.net:
    lxc:
      hosts:
        fileserver3.mgrote.net:
@ -47,7 +44,6 @@ all:
        docker10.mgrote.net:
        pbs.mgrote.net:
        blocky.mgrote.net:
-        ldap.mgrote.net:
        munin.mgrote.net:
    test:
      hosts:
--- a/keepass_db.kdbx
+++ b/keepass_db.kdbx