vars

group_vars/git.yml

@@ -134,3 +134,7 @@ gitea_fail2ban_jail_maxretry: "3"
 gitea_fail2ban_jail_findtime: "300"
 gitea_fail2ban_jail_bantime: "600"
 gitea_fail2ban_jail_action: "iptables-allports"
+
+### mgrote_gitea_setup
+ldap_host: "ldap.mgrote.net"
+ldap_bind_pass: "{{ lookup('keepass', 'lldap_ldap_user_pass', 'password') }}"

roles/mgrote_gitea_setup/defaults/main.yml

@@ -1,21 +0,0 @@
----
-lldap_package_url: "https://download.opensuse.org/repositories/home:/Masgalor:/LLDAP/xUbuntu_22.04/amd64/lldap_0.5.0-1+3.1_amd64.deb"
-lldap_logging_verbose: "false"
-lldap_http_port: "17170"
-lldap_http_host: "0.0.0.0"
-lldap_ldap_host: "0.0.0.0"
-lldap_public_url: http://localhost
-lldap_jwt_secret: supersecret
-lldap_ldap_base_dn: "dc=example,dc=com"
-lldap_admin_username: ladmin # only used on setup
-lldap_admin_password: supersecret # also bind-secret; only used on setup
-lldap_admin_mailaddress: lldap-admin@mgrote.net # only used on setup
-lldap_database_url: "postgres://postgres-user:password@postgres-server/my-database"
-lldap_key_seed: supersecretseed
-lldap_smtp_from: "LLDAP Admin <info@mgrote.net>"
-lldap_smtp_reply_to: "Do not reply <info@mgrote.net>"
-lldap_smtp_server: "mail.domain.net"
-lldap_smtp_port: "25"
-lldap_smtp_smtp_encryption: "NONE"
-lldap_smtp_user: "info@mgrote.net"
-lldap_smtp_enable_password_reset: "true"

roles/mgrote_gitea_setup/tasks/main.yml

@@ -1,15 +1,21 @@
-
 ---
+# die Variablen kommen aus
+# - https://docs.gitea.com/administration/command-line
+# - https://github.com/lldap/lldap/blob/main/example_configs/gitea.md
+# und
+# den jeweiligen group/host-Vars!
 - name: Ensure LDAP config is set up
+  no_log: true
+  become_user: gitea
   ansible.builtin.command: |
     forgejo admin auth add-ldap \
-      --config "/etc/gitea/gitea.ini" \
+      --config "{{ gitea_configuration_path }}/gitea.ini" \
       --name "lldap" \
       --security-protocol "unencrypted" \
-      --host "ldap.mgrote.net" \
+      --host "{{ ldap_host }}" \
       --port "3890" \
       --bind-dn "uid=ladmin,ou=people,dc=mgrote,dc=net" \
-      --bind-password GEHEIM \
+      --bind-password "{{ ldap_bind_pass }}" \
       --user-search-base "ou=people,dc=mgrote,dc=net" \
       --user-filter "(&(memberof=cn=gitea,ou=groups,dc=mgrote,dc=net)(|(uid=%[1]s)(mail=%[1]s)))" \
       --username-attribute "uid" \
@@ -21,7 +27,6 @@
   register: setup
   ignore_errors: true
   failed_when: 'not "Command error: login source already exists [name: lldap]" in setup.stderr' # fail Task wenn LDAP schon konfiguriert ist
-  become_user: gitea
   changed_when: "setup.rc == 0" # chnaged nur wenn Task rc 0 hat, sollte nur beim ersten lauf vorkommen; ungetestet
 
 - name: debug
@@ -29,15 +34,17 @@
     msg: "{{ setup }}"
 
 - name: Modify LDAP config
+  no_log: true
+  become_user: gitea
   ansible.builtin.command: |
     forgejo admin auth update-ldap \
-      --config "/etc/gitea/gitea.ini" \
+      --config "{{ gitea_configuration_path }}/gitea.ini" \
       --id "1" \
       --security-protocol "unencrypted" \
-      --host "ldap.mgrote.net" \
+      --host "{{ ldap_host }}" \
       --port "3890" \
       --bind-dn "uid=ladmin,ou=people,dc=mgrote,dc=net" \
-      --bind-password GEHEIM \
+      --bind-password "{{ ldap_bind_pass }}" \
       --user-search-base "ou=people,dc=mgrote,dc=net" \
       --user-filter "(&(memberof=cn=gitea,ou=groups,dc=mgrote,dc=net)(|(uid=%[1]s)(mail=%[1]s)))" \
       --username-attribute "uid" \
@@ -47,6 +54,5 @@
       --avatar-attribute "jpegPhoto" \
       --synchronize-users
   when: '"Command error: login source already exists [name: lldap]" in setup.stderr' # führe nur aus wenn erster Task fehlgeschlagen ist
-  become_user: gitea
   changed_when: false # keine idee wie ich changed feststellen kann
 ...