From e99d5d98c04b4ebf9c4e375160ceb2ed8cba3a49 Mon Sep 17 00:00:00 2001
From: Michael Grote
Date: Wed, 5 Jun 2024 18:44:57 +0200
Subject: [PATCH] add role
---
 .../tasks/admin.yml | 34 +++++++++++
 .../mgrote_docker_housekeeping/tasks/ldap.yml | 56 +++++++++++++++++++
 .../mgrote_docker_housekeeping/tasks/main.yml | 7 +++
 3 files changed, 97 insertions(+)
 create mode 100644 roles/mgrote_docker_housekeeping/tasks/admin.yml
 create mode 100644 roles/mgrote_docker_housekeeping/tasks/ldap.yml
 create mode 100644 roles/mgrote_docker_housekeeping/tasks/main.yml
diff --git a/roles/mgrote_docker_housekeeping/tasks/admin.yml b/roles/mgrote_docker_housekeeping/tasks/admin.yml
new file mode 100644
index 00000000..789e9fc1
--- /dev/null
+++ b/roles/mgrote_docker_housekeeping/tasks/admin.yml
@@ -0,0 +1,34 @@
+---
+# die Variablen kommen aus
+# - https://docs.gitea.com/administration/command-line
+# - https://github.com/lldap/lldap/blob/main/example_configs/gitea.md
+# und
+# den jeweiligen group/host-Vars!
+
+- name: Check if Admin-User exists
+ no_log: true
+ become_user: gitea
+ become: true
+ ansible.builtin.command: |
+ forgejo admin user list \
+ --config "{{ gitea_configuration_path }}/gitea.ini"
+ register: check
+ changed_when: false
+
+- name: Ensure Admin-User exists # noqa no-changed-when no-jinja-when
+ #no_log: true
+ become_user: gitea
+ become: true
+ ansible.builtin.command: |
+ forgejo admin user create \
+ --config "{{ gitea_configuration_path }}/gitea.ini" \
+ --username "{{ gitea_admin_user }}" \
+ --password "{{ gitea_admin_user_pass }}" \
+ --email "{{ gitea_admin_user }}@mgrote.net" \
+ --admin
+ when: 'not "{{ gitea_admin_user }}@mgrote.net" in check.stdout'
+
+- name: Show existing users
+ ansible.builtin.debug:
+ msg: "{{ check.stdout_lines }}"
+...
diff --git a/roles/mgrote_docker_housekeeping/tasks/ldap.yml b/roles/mgrote_docker_housekeeping/tasks/ldap.yml
new file mode 100644
index 00000000..7fbb7436
--- /dev/null
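Review bot: The `Ensure Admin-User exists` task has `no_log` commented out (`#no_log: true`) while its command line carries `--password "{{ gitea_admin_user_pass }}"`, so the admin password is written to the Ansible output and to any log or callback plugin every time the task runs; restore `no_log: true` on that task, as the first task already does. Independently of logging, passing the password as a command-line argument makes it readable in the host's process list for the duration of the command, which is worth a comment if the role cannot avoid it. The `when:` also templates inside the condition, which is what the `no-jinja-when` noqa silences; `when: (gitea_admin_user ~ '@mgrote.net') not in check.stdout` expresses the same test without nested Jinja. The `@mgrote.net` domain is hard-coded in both the create call and the check, so a single variable would keep the two in agreement.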
+++ b/roles/mgrote_docker_housekeeping/tasks/ldap.yml 
@@ -0,0 +1,56 @@
+---
+# die Variablen kommen aus
+# - https://docs.gitea.com/administration/command-line
+# - https://github.com/lldap/lldap/blob/main/example_configs/gitea.md
+# und
+# den jeweiligen group/host-Vars!
+- name: Ensure LDAP config is set up
+ no_log: true
+ become_user: gitea
+ become: true
+ ansible.builtin.command: |
+ forgejo admin auth add-ldap \
+ --config "{{ gitea_configuration_path }}/gitea.ini" \
+ --name "lldap" \
+ --security-protocol "unencrypted" \
+ --host "{{ gitea_ldap_host }}" \
+ --port "3890" \
+ --bind-dn "uid={{ gitea_ldap_bind_user }},ou=people,{{ gitea_ldap_base_path }}" \
+ --bind-password "{{ gitea_ldap_bind_pass }}" \
+ --user-search-base "ou=people,{{ gitea_ldap_base_path }}" \
+ --user-filter "(&(memberof=cn=gitea,ou=groups,{{ gitea_ldap_base_path }})(|(uid=%[1]s)(mail=%[1]s)))" \
+ --username-attribute "uid" \
+ --email-attribute "mail" \
+ --firstname-attribute "givenName" \
+ --surname-attribute "sn" \
+ --avatar-attribute "jpegPhoto" \
+ --synchronize-users
+ register: setup
+ ignore_errors: true
+ failed_when: 'not "Command error: login source already exists [name: lldap]" in setup.stderr' # fail Task wenn LDAP schon konfiguriert ist
+ changed_when: "setup.rc == 0" # chnaged nur wenn Task rc 0 hat, sollte nur beim ersten lauf vorkommen; ungetestet
+
+- name: Modify LDAP config
+ no_log: true
+ become_user: gitea
+ become: true
+ ansible.builtin.command: |
+ forgejo admin auth update-ldap \
+ --config "{{ gitea_configuration_path }}/gitea.ini" \
+ --id "1" \
+ --security-protocol "unencrypted" \
+ --host "{{ gitea_ldap_host }}" \
+ --port "3890" \
+ --bind-dn "uid={{ gitea_ldap_bind_user }},ou=people,{{ gitea_ldap_base_path }}" \
+ --bind-password "{{ gitea_ldap_bind_pass }}" \
+ --user-search-base "ou=people,{{ gitea_ldap_base_path }}" \
+ --user-filter "(&(memberof=cn=gitea,ou=groups,{{ gitea_ldap_base_path }})(|(uid=%[1]s)(mail=%[1]s)))" \
+ --username-attribute "uid" \
+ --email-attribute "mail" \
+ --firstname-attribute "givenName" \
+ --surname-attribute "sn" \
+ --avatar-attribute "jpegPhoto" \
+ --synchronize-users
+ when: '"Command error: login source already exists [name: lldap]" in setup.stderr' # führe nur aus wenn erster Task fehlgeschlagen ist
+ changed_when: false # keine idee wie ich changed feststellen kann
+...
diff --git a/roles/mgrote_docker_housekeeping/tasks/main.yml b/roles/mgrote_docker_housekeeping/tasks/main.yml
new file mode 100644
index 00000000..1da6b7d9
--- /dev/null
+++ b/roles/mgrote_docker_housekeeping/tasks/main.yml
@@ -0,0 +1,7 @@
+---
+- name: Include LDAP tasks
+ ansible.builtin.include_tasks: ldap.yml
+
+- name: Include User tasks
+ ansible.builtin.include_tasks: admin.yml
+...
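Review bot: The `failed_when` on `Ensure LDAP config is set up` marks a successful `add-ldap` run as failed, because a clean run (rc 0, empty stderr) does not contain the "login source already exists" message either, and `ignore_errors: true` only hides that the first run is reported as a failure; `failed_when: setup.rc != 0 and "Command error: login source already exists [name: lldap]" not in setup.stderr` fails only on other non-zero exits, after which `ignore_errors` can be dropped. Both tasks pass `--security-protocol "unencrypted"` together with `--bind-password`, so the bind credentials and every user login that Forgejo forwards to LDAP cross the network in cleartext to port 3890; unless lldap is reached over a private host-local or container network, `--security-protocol ldaps` against lldap's TLS port with a trusted CA is the safer setting, and a comment stating which assumption holds belongs next to the flag. `--id "1"` in `Modify LDAP config` assumes the lldap source is the first login source, which is not guaranteed on an instance that already has one; the `--name "lldap"` used when adding it is the stable identifier, so noting that assumption there would help the next maintainer. The typo `chnaged` in the `changed_when` comment should read `changed`.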