redeployment forgejo + setup ldap #1
8 changed files with 255 additions and 17 deletions
@ -23,22 +23,6 @@ services:
environment:
environment:
UID: 1000
UID: 1000
GID: 1000
GID: 1000
LLDAP_HTTP_PORT: 17170
LLDAP_HTTP_URL: "http://docker10.grote.lan:17170"
LLDAP_KEY_SEED: "{{ lookup('keepass', 'lldap_key_seed', 'password') }}"
LLDAP_VERBOSE: true
LLDAP_JWT_SECRET: "{{ lookup('keepass', 'lldap_jwt_secret', 'password') }}"
LLDAP_LDAP_BASE_DN: "dc=grote,dc=lan"
LLDAP_USER_DN: "admin"
LLDAP_LDAP_USER_PASS: "{{ lookup('keepass', 'lldap_ldap_user_pass', 'password') }}"
LLDAP_DATABASE_URL: "mysql://lldap-db-user:{{ lookup('keepass', 'lldap_mysql_password', 'password') }}@lldap-db/lldap"
LLDAP_SMTP_OPTIONS__ENABLE_PASSWORD_reset: true
LLDAP_SMTP_OPTIONS__FROM: "LLDAP Admin <info@mgrote.net>"
LLDAP_SMTP_OPTIONS__REPLY_TO: "Do not reply <info@mgrote.net>"
LLDAP_SMTP_OPTIONS__SERVER: "mail-relay"
LLDAP_SMTP_OPTIONS__PORT: "25"
LLDAP_SMTP_OPTIONS__SMTP_ENCRYPTION: "NONE"
LLDAP_SMTP_OPTIONS__USER: "info@mgrote.net"
######## DB ########
######## DB ########
lldap-db:
lldap-db:
@ -68,7 +68,7 @@ compose_files:
state: present
state: present
network: traefik
network: traefik
- name: lldap
- name: lldap
state: present
state: absent # auf system und unter docker-copose ordner löschen
### oefenweb.ufw
### oefenweb.ufw
ufw_rules:
ufw_rules:
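--- /dev/null
+++ b/host_vars/ldap.mgrote.net.yml
@@ -0,0 +1,57 @@
+---
+### geerlingguy_postgres
+postgresql_databases:
+- name: "{{ lldap_db_name }}"
+postgresql_users:
+- name: "{{ lldap_db_user }}"
+password: "{{ lldap_db_pass }}"
+
+### oefenweb.ufw
+ufw_rules:
+- rule: allow
+to_port: 22
+protocol: tcp
+comment: 'ssh'
+from_ip: 0.0.0.0/0
+- rule: allow
+to_port: 4949
+protocol: tcp
+comment: 'munin'
+from_ip: 192.168.2.0/24
+- rule: allow
+to_port: "{{ lldap_http_port }}"
+protocol: tcp
+comment: 'lldap'
+from_ip: 192.168.2.0/24
+- rule: allow
+to_port: 3890
+protocol: tcp
+comment: 'lldap'
+from_ip: 192.168.2.0/24
+
+### mgrote_lldap
+lldap_repo_url: "deb http://download.opensuse.org/repositories/home:/Masgalor:/LLDAP/xUbuntu_22.04/ /"
+lldap_logging_verbose: false
+lldap_http_port: 17170
+lldap_http_host: "0.0.0.0"
+lldap_ldap_host: "0.0.0.0"
+lldap_public_url: http://localhost
+lldap_jwt_secret: "{{ lookup('keepass', 'lldap_jwt_secret', 'password') }}"
+lldap_ldap_base_dn: "dc=mgrote,dc=net"
+lldap_admin_username: ladmin # only used on setup
+lldap_admin_password: "{{ lookup('keepass', 'lldap_ldap_user_pass', 'password') }}" # only used on setup; also bind-secret
+lldap_admin_mailaddress: lldap-admin@mgrote.net # only used on setup
+lldap_database_url: "postgres://{{ lldap_db_user }}:{{ lldap_db_pass }}@{{ lldap_db_host }}/{{ lldap_db_name }}"
+lldap_key_seed: "{{ lookup('keepass', 'lldap_key_seed', 'password') }}"
+lldap_smtp_from: "LLDAP Admin <info@mgrote.net>"
+lldap_smtp_reply_to: "Do not reply <info@mgrote.net>"
+lldap_smtp_server: "mail-relay"
+lldap_smtp_port: "25"
+lldap_smtp_smtp_encryption: "NONE"
+lldap_smtp_user: "info@mgrote.net"
+lldap_smtp_enable_password_reset: true
+# "meta vars"; daraus werden die db-url und die postgres-db abgeleitet
+lldap_db_name: "lldap"
+lldap_db_user: "lldap"
+lldap_db_pass: "{{ lookup('keepass', 'lldap_db_pass', 'password') }}"
+lldap_db_host: "localhost"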
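Review bot: `lldap_public_url: http://localhost` is what the role's template writes into `http_url`, which the template's own comment describes as the base for password reset links, and `lldap_smtp_enable_password_reset: true` switches that feature on, so reset mails will carry links to localhost; set it to the address users actually reach, e.g. `lldap_public_url: "https://<public-hostname>"` (placeholder). The ssh rule allows `from_ip: 0.0.0.0/0` while every other rule in the list is limited to 192.168.2.0/24; confirm that wider exposure is intended or align it with `from_ip: 192.168.2.0/24`. `lldap_http_port: 17170` is an integer here but `"17170"` in roles/mgrote_lldap/defaults/main.yml; pick one form so `to_port` and the template receive a consistent type.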
BIN
keepass_db.kdbx
BIN
keepass_db.kdbx
Binary file not shown.
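Review bot: `keepass_db.kdbx` is a binary KeePass database changed by this commit, and the new host_vars read their secrets through `lookup('keepass', …)`; if this file is the store behind that lookup, every secret it holds (database password, JWT secret, key seed, admin bind password) is in git history protected only by its master password, and any leaked clone means rotating all of them. Consider keeping the vault outside the repository, or at least tracking it with an encryption layer such as git-crypt or ansible-vault, and document which store the lookup plugin reads so the dependency is visible to whoever clones the repo.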
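--- /dev/null
+++ b/playbooks/3_service/lldap.yml
@@ -0,0 +1,5 @@
+---
+- hosts: ldap
+roles:
+- { role: ansible-role-postgresql, tags: "db", become: true }
+- { role: mgrote_lldap, tags: "lldap", become: true }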
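Review bot: The two role entries are written as flow-style mappings `{ role: ..., tags: ..., become: true }`; block style reads and diffs better and avoids quoting surprises when more keys are added later. Since both roles set `become: true`, a single `become: true` at play level next to `hosts: ldap` would express the same thing once. The play also has no `name:`, which makes run output harder to follow; `- name: Deploy lldap` (or similar) would help.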
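--- /dev/null
+++ b/roles/mgrote_lldap/defaults/main.yml
@@ -0,0 +1,21 @@
+---
+lldap_repo_url: "deb http://download.opensuse.org/repositories/home:/Masgalor:/LLDAP/xUbuntu_22.04/ /"
+lldap_logging_verbose: false
+lldap_http_port: "17170"
+lldap_http_host: "0.0.0.0"
+lldap_ldap_host: "0.0.0.0"
+lldap_public_url: http://localhost
+lldap_jwt_secret: supersecret
+lldap_ldap_base_dn: "dc=example,dc=com"
+lldap_admin_username: ladmin # only used on setup
+lldap_admin_password: supersecret # also bind-secret; only used on setup
+lldap_admin_mailaddress: lldap-admin@mgrote.net # only used on setup
+lldap_database_url: "postgres://postgres-user:password@postgres-server/my-database"
+lldap_key_seed: supersecretseed
+lldap_smtp_from: "LLDAP Admin <info@mgrote.net>"
+lldap_smtp_reply_to: "Do not reply <info@mgrote.net>"
+lldap_smtp_server: "mail.domain.net"
+lldap_smtp_port: "25"
+lldap_smtp_smtp_encryption: "NONE"
+lldap_smtp_user: "info@mgrote.net"
+lldap_smtp_enable_password_reset: true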
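Review bot: `lldap_jwt_secret: supersecret`, `lldap_admin_password: supersecret` and `lldap_key_seed: supersecretseed` are working defaults, so any host that forgets to override them gets a running LLDAP with a guessable admin bind password and JWT signing key; the template's comments also describe `key_seed` as the source of the private key used to store passwords, so that one cannot be quietly rotated afterwards. Safer to have no default at all: drop the three keys so the template task fails early on an undefined variable, or define them as `lldap_jwt_secret: "{{ undef(hint='set lldap_jwt_secret in host_vars') }}"` (and likewise for the other two) to get a readable error. `lldap_admin_mailaddress`, `lldap_smtp_from`, `lldap_smtp_reply_to` and `lldap_smtp_user` carry real mgrote.net addresses in a role default while host_vars/ldap.mgrote.net.yml already sets them; neutral placeholders such as `admin@example.com` belong in defaults.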
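--- /dev/null
+++ b/roles/mgrote_lldap/tasks/main.yml
@@ -0,0 +1,28 @@
+---
+- name: Ensure repository exists
+ansible.builtin.apt_repository:
+repo: "{{ lldap_repo_url }}"
+state: present
+filename: lldap
+
+- name: Ensure package is installed
+ansible.builtin.apt:
+name: lldap
+update_cache: yes
+
+- name: Ensure config is templated
+ansible.builtin.template:
+src: lldap_config.toml.j2
+dest: /etc/lldap/lldap_config.toml
+owner: lldap
+group: lldap
+mode: "0644"
+
+- name: Ensure services are enabled and started
+become: true
+ansible.builtin.systemd:
+name: lldap.service
+masked: false
+enabled: true
+started: true
+...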
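Review bot: The rendered lldap_config.toml contains `jwt_secret`, `ldap_user_pass`, `key_seed` and a `database_url` that embeds the database password, yet the template task writes it with `mode: "0644"`, so every local account on the host can read all LLDAP secrets; with `owner: lldap` and `group: lldap` already set, `mode: "0640"` (or `"0600"`) is enough. `started: true` is not a parameter of `ansible.builtin.systemd` and will fail the task; the intended line is `state: started`. A re-templated config is not picked up until the service restarts, and the template task has no `notify:`; add `notify: Restart lldap` with a matching handler (no handlers file appears in this change as far as I can see). The apt_repository task installs no signing key for the OBS repository, so `update_cache: yes` on the next task would fail on an unverified repo unless the key is provisioned elsewhere; `update_cache: true` is also the canonical boolean.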
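--- /dev/null
+++ b/roles/mgrote_lldap/templates/lldap_config.toml.j2
@@ -0,0 +1,143 @@
+## Tune the logging to be more verbose by setting this to be true.
+## You can set it with the LLDAP_VERBOSE environment variable.
+verbose="{{ lldap_logging_verbose }}"
+
+## The host address that the LDAP server will be bound to.
+## To enable IPv6 support, simply switch "ldap_host" to "::":
+## To only allow connections from localhost (if you want to restrict to local self-hosted services),
+## change it to "127.0.0.1" ("::1" in case of IPv6)".
+ldap_host = "{{ lldap_ldap_host }}"
+
+## The port on which to have the LDAP server.
+#ldap_port = 3890
+
+## The host address that the HTTP server will be bound to.
+## To enable IPv6 support, simply switch "http_host" to "::".
+## To only allow connections from localhost (if you want to restrict to local self-hosted services),
+## change it to "127.0.0.1" ("::1" in case of IPv6)".
+http_host = "{{ lldap_http_host }}"
+
+## The port on which to have the HTTP server, for user login and
+## administration.
+http_port = "{{ lldap_http_port }}"
+
+## The public URL of the server, for password reset links.
+http_url = "{{ lldap_public_url }}"
+
+## Random secret for JWT signature.
+## This secret should be random, and should be shared with application
+## servers that need to consume the JWTs.
+## Changing this secret will invalidate all user sessions and require
+## them to re-login.
+## You should probably set it through the LLDAP_JWT_SECRET environment
+## variable from a secret ".env" file.
+## This can also be set from a file's contents by specifying the file path
+## in the LLDAP_JWT_SECRET_FILE environment variable
+## You can generate it with (on linux):
+## LC_ALL=C tr -dc 'A-Za-z0-9!#%&'\''()*+,-./:;<=>?@[\]^_{|}~' </dev/urandom | head -c 32; echo ''
+jwt_secret = "{{ lldap_jwt_secret }}"
+
+## Base DN for LDAP.
+## This is usually your domain name, and is used as a
+## namespace for your users. The choice is arbitrary, but will be needed
+## to configure the LDAP integration with other services.
+## The sample value is for "example.com", but you can extend it with as
+## many "dc" as you want, and you don't actually need to own the domain
+## name.
+ldap_base_dn = "{{ lldap_ldap_base_dn }}"
+
+## Admin username.
+## For the LDAP interface, a value of "admin" here will create the LDAP
+## user "cn=admin,ou=people,dc=example,dc=com" (with the base DN above).
+## For the administration interface, this is the username.
+ldap_user_dn = "{{ lldap_admin_username }}"
+
+## Admin email.
+## Email for the admin account. It is only used when initially creating
+## the admin user, and can safely be omitted.
+ldap_user_email = "{{ lldap_admin_mailaddress }}"
+
+## Admin password.
+## Password for the admin account, both for the LDAP bind and for the
+## administration interface. It is only used when initially creating
+## the admin user.
+## It should be minimum 8 characters long.
+## You can set it with the LLDAP_LDAP_USER_PASS environment variable.
+## This can also be set from a file's contents by specifying the file path
+## in the LLDAP_LDAP_USER_PASS_FILE environment variable
+## Note: you can create another admin user for user administration, this
+## is just the default one.
+ldap_user_pass = "{{ lldap_admin_password }}"
+
+## Database URL.
+## This encodes the type of database (SQlite, MySQL, or PostgreSQL)
+## , the path, the user, password, and sometimes the mode (when
+## relevant).
+## Note: SQlite should come with "?mode=rwc" to create the DB
+## if not present.
+## Example URLs:
+## - "postgres://postgres-user:password@postgres-server/my-database"
+## - "mysql://mysql-user:password@mysql-server/my-database"
+##
+## This can be overridden with the LLDAP_DATABASE_URL env variable.
+database_url = "{{ lldap_database_url }}"
+
+## Private key file.
+## Contains the secret private key used to store the passwords safely.
+## Note that even with a database dump and the private key, an attacker
+## would still have to perform an (expensive) brute force attack to find
+## each password.
+## Randomly generated on first run if it doesn't exist.
+## Alternatively, you can use key_seed to override this instead of relying on
+## a file.
+## Env variable: LLDAP_KEY_FILE
+key_file = "/var/lib/lldap/private_key"
+
+## Seed to generate the server private key, see key_file above.
+## This can be any random string, the recommendation is that it's at least 12
+## characters long.
+## Env variable: LLDAP_KEY_SEED
+key_seed = "{{ lldap_key_seed }}"
+
+## Ignored attributes.
+## Some services will request attributes that are not present in LLDAP. When it
+## is the case, LLDAP will warn about the attribute being unknown. If you want
+## to ignore the attribute and the service works without, you can add it to this
+## list to silence the warning.
+#ignored_user_attributes = [ "sAMAccountName" ]
+#ignored_group_attributes = [ "mail", "userPrincipalName" ]
+
+## Options to configure SMTP parameters, to send password reset emails.
+## To set these options from environment variables, use the following format
+## (example with "password"): LLDAP_SMTP_OPTIONS__PASSWORD
+[smtp_options]
+## Whether to enabled password reset via email, from LLDAP.
+enable_password_reset="{{ lldap_smtp_enable_password_reset }}"
+## The SMTP server.
+server="{{ lldap_smtp_server }}"
+## The SMTP port.
+port="{{ lldap_smtp_port }}"
+## How the connection is encrypted, either "NONE" (no encryption), "TLS" or "STARTTLS".
+smtp_encryption = "{{ lldap_smtp_smtp_encryption }}"
+## The SMTP user, usually your email address.
+user="{{ lldap_smtp_user }}"
+## The SMTP password.
+#password="password"
+## The header field, optional: how the sender appears in the email. The first
+## is a free-form name, followed by an email between <>.
+from="{{ lldap_smtp_from }}"
+## Same for reply-to, optional.
+reply_to="{{ lldap_smtp_reply_to }}"
+
+## Options to configure LDAPS.
+## To set these options from environment variables, use the following format
+## (example with "port"): LLDAP_LDAPS_OPTIONS__PORT
+[ldaps_options]
+## Whether to enable LDAPS.
+#enabled=true
+## Port on which to listen.
+#port=6360
+## Certificate file.
+#cert_file="/data/cert.pem"
+## Certificate key file.
+#key_file="/data/key.pem"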
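Review bot: `verbose="{{ lldap_logging_verbose }}"`, `http_port = "{{ lldap_http_port }}"`, `enable_password_reset="{{ … }}"` and `port="{{ lldap_smtp_port }}"` render as TOML strings (the booleans as Python's `False`/`True`), while the upstream sample these comments are copied from keeps them as bare booleans and integers, so LLDAP will likely reject the file on a type mismatch; the `to_json` and `int` filters give correctly typed TOML values. The secrets are also interpolated inside bare double quotes, and the generation command quoted at `## LC_ALL=C tr -dc …` can emit `\`, which would break a TOML basic string; rendering them with `to_json` produces a properly quoted and escaped string (JSON string escapes are valid TOML escapes). Separately, `[ldaps_options]` stays fully commented while `ldap_host` binds `0.0.0.0` and host_vars opens port 3890 to 192.168.2.0/24, so admin and service binds travel the LAN in cleartext; enabling LDAPS here, or binding only to the interfaces the consumers use, is worth a follow-up.
```toml
verbose = {{ lldap_logging_verbose | to_json }}
# … unchanged: ldap_host, ldap_port, http_host …
http_port = {{ lldap_http_port | int }}
# … unchanged: http_url …
jwt_secret = {{ lldap_jwt_secret | to_json }}
# … unchanged: ldap_base_dn, ldap_user_dn, ldap_user_email …
ldap_user_pass = {{ lldap_admin_password | to_json }}
# … unchanged: database comments …
database_url = {{ lldap_database_url | to_json }}
# … unchanged: key_file …
key_seed = {{ lldap_key_seed | to_json }}
# … unchanged: ignored attributes …
[smtp_options]
enable_password_reset = {{ lldap_smtp_enable_password_reset | to_json }}
# … unchanged: server …
port = {{ lldap_smtp_port | int }}
# … unchanged: remaining smtp_options and ldaps_options …
```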