redeployment forgejo + setup ldap #1
5 changed files with 83 additions and 53 deletions
|
@ -136,5 +136,7 @@ gitea_fail2ban_jail_bantime: "600"
|
|||
gitea_fail2ban_jail_action: "iptables-allports"
|
||||
|
||||
### mgrote_gitea_setup
|
||||
ldap_host: "ldap.mgrote.net"
|
||||
ldap_bind_pass: "{{ lookup('keepass', 'lldap_ldap_user_pass', 'password') }}"
|
||||
gitea_ldap_host: "ldap.mgrote.net"
|
||||
gitea_ldap_bind_pass: "{{ lookup('keepass', 'lldap_ldap_user_pass', 'password') }}"
|
||||
gitea_admin_user: "fadmin"
|
||||
gitea_admin_user_pass: "{{ lookup('keepass', 'forgejo_admin_user_pass', 'password') }}"
|
||||
|
|
BIN
keepass_db.kdbx
BIN
keepass_db.kdbx
Binary file not shown.
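Review bot: `keepass_db.kdbx` is versioned in this repository, so every revision of the encrypted vault — including the entries the new `lookup('keepass', ...)` calls in the vars hunk reference — stays in git history indefinitely, and its confidentiality rests entirely on the master password or key file, which must never be committed alongside it. The database contents are not visible here, so this is a caveat rather than a finding; if the lookup plugin can be pointed at a path outside the repository, that would avoid publishing vault ciphertext with every clone, and otherwise the master-key handling deserves a sentence in the role README.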
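--- /dev/null
+++ b/roles/mgrote_gitea_setup/tasks/admin.yml
@@ -0,0 +1,21 @@
+---
+# die Variablen kommen aus
+# - https://docs.gitea.com/administration/command-line
+# - https://github.com/lldap/lldap/blob/main/example_configs/gitea.md
+# und
+# den jeweiligen group/host-Vars!
+- name: Ensure Admin-User exists
+  no_log: true
+  become_user: gitea
+  ansible.builtin.command: |
+    forgejo admin user create \
+    --config /etc/gitea/gitea.ini
+    --username "{{ gitea_admin_user }}" \
+    --password "{{ gitea_admin_user_pass }}" \
+    --email "{{ gitea_admin_user }}@mgrote.net" \
+    --admin
+  register: setup_admin
+  ignore_errors: true
+  failed_when: 'not "Command error: CreateUser: user already exists [name: mg]" in setup_admin.stderr' # fail Task wenn LDAP schon konfiguriert ist
+  changed_when: "setup_admin.rc == 0" # chnaged nur wenn Task rc 0 hat, sollte nur beim ersten lauf vorkommen; ungetestet
+...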
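Review bot: The `failed_when` on the admin task only tolerates `user already exists [name: mg]`, but the user it creates is `{{ gitea_admin_user }}` (`fadmin` in the vars hunk), so on every run after the first Forgejo reports `[name: fadmin]` and the task is marked failed, masked only by `ignore_errors`; compare against the variable instead, e.g. `failed_when: 'not "user already exists [name: {{ gitea_admin_user }}]" in setup_admin.stderr'`. `--password "{{ gitea_admin_user_pass }}"` also places the admin password on the command line, where other local users can read it from `/proc/<pid>/cmdline` while the command runs unless `/proc` is mounted with `hidepid` — `no_log: true` hides Ansible's own output, not that — so if this Forgejo version supports `--must-change-password`, adding it turns the value into a one-time bootstrap secret. The hard-coded `--config /etc/gitea/gitea.ini` is also inconsistent with `{{ gitea_configuration_path }}/gitea.ini` used in ldap.yml, and unlike the other flags that line has no trailing `\`.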
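--- /dev/null
+++ b/roles/mgrote_gitea_setup/tasks/ldap.yml
@@ -0,0 +1,54 @@
+---
+# die Variablen kommen aus
+# - https://docs.gitea.com/administration/command-line
+# - https://github.com/lldap/lldap/blob/main/example_configs/gitea.md
+# und
+# den jeweiligen group/host-Vars!
+- name: Ensure LDAP config is set up
+  no_log: true
+  become_user: gitea
+  ansible.builtin.command: |
+    forgejo admin auth add-ldap \
+    --config "{{ gitea_configuration_path }}/gitea.ini" \
+    --name "lldap" \
+    --security-protocol "unencrypted" \
+    --host "{{ gitea_ldap_host }}" \
+    --port "3890" \
+    --bind-dn "uid=ladmin,ou=people,dc=mgrote,dc=net" \
+    --bind-password "{{ gitea_ldap_bind_pass }}" \
+    --user-search-base "ou=people,dc=mgrote,dc=net" \
+    --user-filter "(&(memberof=cn=gitea,ou=groups,dc=mgrote,dc=net)(|(uid=%[1]s)(mail=%[1]s)))" \
+    --username-attribute "uid" \
+    --email-attribute "mail" \
+    --firstname-attribute "givenName" \
+    --surname-attribute "sn" \
+    --avatar-attribute "jpegPhoto" \
+    --synchronize-users
+  register: setup
+  ignore_errors: true
+  failed_when: 'not "Command error: login source already exists [name: lldap]" in setup.stderr' # fail Task wenn LDAP schon konfiguriert ist
+  changed_when: "setup.rc == 0" # chnaged nur wenn Task rc 0 hat, sollte nur beim ersten lauf vorkommen; ungetestet
+
+- name: Modify LDAP config
+  no_log: true
+  become_user: gitea
+  ansible.builtin.command: |
+    forgejo admin auth update-ldap \
+    --config "{{ gitea_configuration_path }}/gitea.ini" \
+    --id "1" \
+    --security-protocol "unencrypted" \
+    --host "{{ gitea_ldap_host }}" \
+    --port "3890" \
+    --bind-dn "uid=ladmin,ou=people,dc=mgrote,dc=net" \
+    --bind-password "{{ gitea_ldap_bind_pass }}" \
+    --user-search-base "ou=people,dc=mgrote,dc=net" \
+    --user-filter "(&(memberof=cn=gitea,ou=groups,dc=mgrote,dc=net)(|(uid=%[1]s)(mail=%[1]s)))" \
+    --username-attribute "uid" \
+    --email-attribute "mail" \
+    --firstname-attribute "givennName" \
+    --surname-attribute "sn" \
+    --avatar-attribute "jpegPhoto" \
+    --synchronize-users
+  when: '"Command error: login source already exists [name: lldap]" in setup.stderr' # führe nur aus wenn erster Task fehlgeschlagen ist
+  changed_when: false # keine idee wie ich changed feststellen kann
+...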
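Review bot: `--security-protocol "unencrypted"` in both the add-ldap and update-ldap tasks means the `uid=ladmin` bind password and, on every login, each user's own password travel in cleartext to `{{ gitea_ldap_host }}:3890`; unless Forgejo and lldap share a host or an already-encrypted link, prefer `--security-protocol "ldaps"` against lldap's LDAPS port (or StartTLS), or at least leave a comment stating why plaintext is acceptable on this network. Separately, the update-ldap task passes `--firstname-attribute "givennName"` (typo for `givenName`), so every run after the first overwrites the working attribute from the add-ldap task with a nonexistent one. `--id "1"` also assumes the lldap source is the first auth source ever created on this instance; reading the id back from `forgejo admin auth list` would be safer, and `changed_when: false` on an update that always runs hides any drift it corrects. The bind account sits in `ou=people` next to regular users — if lldap's read-only group is available, a dedicated read-only bind user is the least-privilege choice for a lookup-only source.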
|
@ -1,54 +1,7 @@
|
|||
---
|
||||
# die Variablen kommen aus
|
||||
# - https://docs.gitea.com/administration/command-line
|
||||
# - https://github.com/lldap/lldap/blob/main/example_configs/gitea.md
|
||||
# und
|
||||
# den jeweiligen group/host-Vars!
|
||||
- name: Ensure LDAP config is set up
|
||||
no_log: true
|
||||
become_user: gitea
|
||||
ansible.builtin.command: |
|
||||
forgejo admin auth add-ldap \
|
||||
--config "{{ gitea_configuration_path }}/gitea.ini" \
|
||||
--name "lldap" \
|
||||
--security-protocol "unencrypted" \
|
||||
--host "{{ ldap_host }}" \
|
||||
--port "3890" \
|
||||
--bind-dn "uid=ladmin,ou=people,dc=mgrote,dc=net" \
|
||||
--bind-password "{{ ldap_bind_pass }}" \
|
||||
--user-search-base "ou=people,dc=mgrote,dc=net" \
|
||||
--user-filter "(&(memberof=cn=gitea,ou=groups,dc=mgrote,dc=net)(|(uid=%[1]s)(mail=%[1]s)))" \
|
||||
--username-attribute "uid" \
|
||||
--email-attribute "mail" \
|
||||
--firstname-attribute "givenName" \
|
||||
--surname-attribute "sn" \
|
||||
--avatar-attribute "jpegPhoto" \
|
||||
--synchronize-users
|
||||
register: setup
|
||||
ignore_errors: true
|
||||
failed_when: 'not "Command error: login source already exists [name: lldap]" in setup.stderr' # fail Task wenn LDAP schon konfiguriert ist
|
||||
changed_when: "setup.rc == 0" # chnaged nur wenn Task rc 0 hat, sollte nur beim ersten lauf vorkommen; ungetestet
|
||||
- name: Include LDAP tasks
|
||||
ansible.builtin.include_tasks: ldap.yml
|
||||
|
||||
- name: Modify LDAP config
|
||||
no_log: true
|
||||
become_user: gitea
|
||||
ansible.builtin.command: |
|
||||
forgejo admin auth update-ldap \
|
||||
--config "{{ gitea_configuration_path }}/gitea.ini" \
|
||||
--id "1" \
|
||||
--security-protocol "unencrypted" \
|
||||
--host "{{ ldap_host }}" \
|
||||
--port "3890" \
|
||||
--bind-dn "uid=ladmin,ou=people,dc=mgrote,dc=net" \
|
||||
--bind-password "{{ ldap_bind_pass }}" \
|
||||
--user-search-base "ou=people,dc=mgrote,dc=net" \
|
||||
--user-filter "(&(memberof=cn=gitea,ou=groups,dc=mgrote,dc=net)(|(uid=%[1]s)(mail=%[1]s)))" \
|
||||
--username-attribute "uid" \
|
||||
--email-attribute "mail" \
|
||||
--firstname-attribute "givennName" \
|
||||
--surname-attribute "sn" \
|
||||
--avatar-attribute "jpegPhoto" \
|
||||
--synchronize-users
|
||||
when: '"Command error: login source already exists [name: lldap]" in setup.stderr' # führe nur aus wenn erster Task fehlgeschlagen ist
|
||||
changed_when: false # keine idee wie ich changed feststellen kann
|
||||
- name: Include User tasks
|
||||
ansible.builtin.include_tasks: admin.yml
|
||||
...
|
||||
|
|