diff --git a/docker-compose/lldap/docker-compose.yml.j2 b/docker-compose/lldap/docker-compose.yml.j2
new file mode 100644
index 00000000..9cc38478
--- /dev/null
+++ b/docker-compose/lldap/docker-compose.yml.j2
@@ -0,0 +1,52 @@
+services:
+ lldap:
+ image: lldap/lldap:v0.6.0-debian-rootless
+ container_name: lldap
+ restart: unless-stopped
+ pull_policy: missing
+ ports:
+ - "3890:3890"
+ - "17170:17170" # front-end
+ volumes:
+ - "lldap_data:/data"
+ - "./lldap_config.toml:/data/lldap_config.toml"
+ environment:
+ TZ: Europe/Berlin
+ networks:
+ - traefik
+ - postfix
+ - internal
+ depends_on:
+ - lldap-db17
+
+######## Postgres ########
+ lldap-db17:
+ container_name: "lldap-db"
+ image: "postgres:17.0"
+ restart: unless-stopped
+ pull_policy: missing
+ environment:
+ POSTGRES_USER: lldap
+ POSTGRES_PASSWORD: "{{ lookup('viczem.keepass.keepass', 'lldap/lldap_db_pass', 'password') }}"
+ TZ: Europe/Berlin
+ volumes:
+ - db17:/var/lib/postgresql/data
+ networks:
+ - internal
+ healthcheck:
+ test: ["CMD", "pg_isready", "-U", "lldap"]
+ interval: 10s
+ start_period: 30s
+
+######## Networks ########
+networks:
+ traefik:
+ external: true
+ postfix:
+ external: true
+ internal:
+
+######## Volumes ########
+volumes:
+ lldap_data:
+ db17:
diff --git a/docker-compose/lldap/lldap_config.toml.j2 b/docker-compose/lldap/lldap_config.toml.j2
new file mode 100755
index 00000000..50aad0d2
--- /dev/null
+++ b/docker-compose/lldap/lldap_config.toml.j2
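Review bot: `depends_on:` / `- lldap-db17` is the short form, so the `healthcheck` declared on `lldap-db17` is never consulted and lldap can start before Postgres accepts connections on a cold boot; use the long form `depends_on:` / `lldap-db17:` / `condition: service_healthy`. The `ports:` entries publish plaintext LDAP (3890) and the admin UI (17170) on every host interface although the service also joins the `traefik` network and the TOML added alongside sets `http_url` to `https://ldap.mgrote.net`; if the UI is meant to be reached through Traefik, drop the 17170 mapping or bind it to loopback (`"127.0.0.1:17170:17170"`), and keep in mind that any consumer using the published 3890 from another host sends its bind password unencrypted. The bind mount `./lldap_config.toml:/data/lldap_config.toml` lands inside the `lldap_data` volume path and could carry `:ro`, since the container has no reason to rewrite a file holding `jwt_secret` and `key_seed`. `container_name: "lldap-db"` differs from the service name `lldap-db17`, and the TOML's `database_url` relies on the former resolving on the `internal` network; that should work through Docker's container-name resolution but breaks silently if `container_name` is ever dropped, so a comment tying the two together would help.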
@@ -0,0 +1,28 @@
+verbose = false
+
+ldap_host = "0.0.0.0"
+ldap_port = 3890
+
+http_host = "0.0.0.0"
+http_port = 17170
+http_url = "https://ldap.mgrote.net"
+
+jwt_secret = "{{ lookup('viczem.keepass.keepass', 'lldap/lldap_jwt_secret', 'password') }}"
+
+ldap_base_dn = "dc=mgrote,dc=net"
+ldap_user_dn = "{{ lookup('viczem.keepass.keepass', 'lldap/lldap_admin_user', 'username') }}"
+ldap_user_email = "lldap-admin@mgrote.net"
+ldap_user_pass = "{{ lookup('viczem.keepass.keepass', 'lldap/lldap_admin_user', 'password') }}"
+
+database_url = "postgres://lldap:{{ lookup('viczem.keepass.keepass', 'lldap/lldap_db_pass', 'password') }}@lldap-db/lldap"
+
+key_seed = "{{ lookup('viczem.keepass.keepass', 'lldap/lldap_key_seed', 'password') }}"
+
+force_ldap_user_pass_reset = "always"
+
+[smtp_options]
+enable_password_reset = false
+server = "postfix"
+port = 25
+smtp_encryption = "NONE"
+reply_to ="Do not reply "
diff --git a/docker-compose/nextcloud/ldap.sh.j2 b/docker-compose/nextcloud/ldap.sh.j2
index 14db6569..b4f85b2b 100644
--- a/docker-compose/nextcloud/ldap.sh.j2
+++ b/docker-compose/nextcloud/ldap.sh.j2
@@ -10,7 +10,7 @@ php occ app:enable user_ldap
 #php occ ldap:create-empty-config # wird nur bei komplett neuer nextcloud benötigt, legt sonst bei jedem durchlauf weitere ldap-configs an
 # EDIT: domain
-php occ ldap:set-config s01 ldapHost "ldap://ldap.mgrote.net."
+php occ ldap:set-config s01 ldapHost "ldap://lldap."
 php occ ldap:set-config s01 ldapPort 3890
 # EDIT: admin user
 php occ ldap:set-config s01 ldapAgentName "uid=nextcloud_bind_user,ou=people,dc=mgrote,dc=net"
diff --git a/docker-compose/traefik/configuration.yml.j2 b/docker-compose/traefik/configuration.yml.j2
index 34b8085a..e1b674a7 100644
--- a/docker-compose/traefik/configuration.yml.j2
+++ b/docker-compose/traefik/configuration.yml.j2
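Review bot: `database_url` splices the DB password from the keepass lookup straight into the URL userinfo, so a generated secret containing `@`, `:`, `/`, `%` or `#` breaks the parse or shifts the host portion; percent-encode it there, e.g. `{{ lookup('viczem.keepass.keepass', 'lldap/lldap_db_pass', 'password') | urlencode }}`, while `POSTGRES_PASSWORD` in the compose file keeps the raw value (Jinja's `urlencode` leaves `/` unescaped, so the stored value should avoid that character). The template is added with mode 100755 although it only renders a config file that carries `jwt_secret`, `key_seed`, `ldap_user_pass` and the DB password; 0644 on the template and a restrictive mode on the rendered `lldap_config.toml` on the host would be the expected setting. `force_ldap_user_pass_reset = "always"` looks like it re-asserts the admin password from the lookup on every start, so a rotation done in the UI would be undone at the next restart — confirm against the lldap 0.6 documentation and note the intent in a comment. `reply_to ="Do not reply "` drops the space after `=` that every other line uses and ends in a trailing blank, which reads like a lost address part; with `enable_password_reset = false` the whole `[smtp_options]` block is inert anyway, so a comment on why it is kept would help the next reader.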
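Review bot: `ldapHost "ldap://lldap."` keeps the trailing dot that made sense for the old FQDN (it stops resolver search-suffix appends) but now decorates a bare compose service name; whether Docker's embedded DNS answers the absolute-name query `lldap.` should be verified, the usual form is `ldap://lldap`, and if the dot is deliberate a comment such as `# trailing dot: absolute name, do not remove` would keep the next reader from "fixing" it. This also only resolves if the Nextcloud container shares one of the `traefik`, `postfix` or `internal` networks with lldap, which this hunk cannot show; the connection stays plain `ldap://` on 3890, which is acceptable on an isolated compose network but must not be pointed at a host-published endpoint later. The rest of the script lies outside the hunk.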
@@ -67,7 +67,7 @@ authentication_backend:
 refresh_interval: 1m
 ldap:
 implementation: custom
- address: ldap://ldap.mgrote.net:3890
+ address: ldap://lldap:3890
 timeout: 5s
 start_tls: false
 base_dn: dc=mgrote,dc=net
diff --git a/group_vars/ldap.yml b/friedhof/ldap.yml
similarity index 100%
rename from group_vars/ldap.yml
rename to friedhof/ldap.yml
diff --git a/playbooks/3_service/lldap.yml b/friedhof/lldap.yml
similarity index 100%
rename from playbooks/3_service/lldap.yml
rename to friedhof/lldap.yml
diff --git a/roles/mgrote_lldap/defaults/main.yml b/friedhof/mgrote_lldap/defaults/main.yml
similarity index 100%
rename from roles/mgrote_lldap/defaults/main.yml
rename to friedhof/mgrote_lldap/defaults/main.yml
diff --git a/roles/mgrote_lldap/handlers/main.yml b/friedhof/mgrote_lldap/handlers/main.yml
similarity index 100%
rename from roles/mgrote_lldap/handlers/main.yml
rename to friedhof/mgrote_lldap/handlers/main.yml
diff --git a/roles/mgrote_lldap/tasks/main.yml b/friedhof/mgrote_lldap/tasks/main.yml
similarity index 100%
rename from roles/mgrote_lldap/tasks/main.yml
rename to friedhof/mgrote_lldap/tasks/main.yml
diff --git a/roles/mgrote_lldap/templates/lldap_config.toml.j2 b/friedhof/mgrote_lldap/templates/lldap_config.toml.j2
similarity index 100%
rename from roles/mgrote_lldap/templates/lldap_config.toml.j2
rename to friedhof/mgrote_lldap/templates/lldap_config.toml.j2
diff --git a/group_vars/blocky.yml b/group_vars/blocky.yml
index 7eefd60a..a9ec5915 100644
--- a/group_vars/blocky.yml
+++ b/group_vars/blocky.yml
@@ -85,7 +85,7 @@ blocky_custom_lookups: # optional
 - name: fritz.box
 ip: 192.168.5.1
 - name: ldap.mgrote.net
- ip: 192.168.2.47
+ ip: 192.168.2.43
 - name: munin.mgrote.net
 ip: 192.168.2.40
 - name: s3.mgrote.net
diff --git a/group_vars/git.yml b/group_vars/git.yml
index aadb9bd4..03ca1776 100644
--- a/group_vars/git.yml
+++ b/group_vars/git.yml
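Review bot: `address: ldap://lldap:3890` together with the unchanged `start_tls: false` means this backend's bind credentials travel in clear text, so the consumer and the `lldap` service must share a compose-internal network (lldap joins `traefik`, `postfix` and `internal`); that requirement is implicit and deserves a comment next to `address:`, e.g. `# plain LDAP: only reachable over the shared docker network, never via a published port`. The file sits under `docker-compose/traefik/`, but the `authentication_backend:`/`ldap:` keys read like an Authelia configuration; if that is right and the Authelia release in use offers the `lldap` implementation, `implementation: custom` could be swapped for it to pick up the matching attribute defaults. The enclosing `authentication_backend` mapping starts before the hunk.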
@@ -148,7 +148,7 @@ gitea_fail2ban_jail_bantime: "600"
 gitea_fail2ban_jail_action: "iptables-allports"
 ### mgrote_gitea_setup
-gitea_ldap_host: "ldap.mgrote.net"
+gitea_ldap_host: "docker10.mgrote.net"
 gitea_ldap_base_path: "dc=mgrote,dc=net"
 gitea_ldap_bind_user: "forgejo_bind_user"
 gitea_ldap_bind_pass: "{{ lookup('viczem.keepass.keepass', 'forgejo/lldap_forgejo_bind_user', 'password') }}"
diff --git a/group_vars/munin.yml b/group_vars/munin.yml
index 81475a4c..c4cfe98f 100644
--- a/group_vars/munin.yml
+++ b/group_vars/munin.yml
@@ -67,9 +67,6 @@ munin_hosts:
 - name: blocky.mgrote.net
 address: blocky.mgrote.net
 extra: ["use_node_name yes"]
- - name: ldap.mgrote.net
- address: ldap.mgrote.net
- extra: ["use_node_name yes"]
 ### mgrote_munin_node
 munin_node_bind_host: "127.0.0.1"
@@ -104,7 +101,7 @@ munin_node_plugins:
 src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/http/http_response
 config: |
 [http_response]
- env.sites https://git.mgrote.net http://ldap.mgrote.net:17170 https://docker10.mgrote.net:8443 https://rui.mgrote.net/ http://munin.mgrote.net http://192.168.5.1 http://192.168.3.1 http://192.168.3.108:8080 http://192.168.3.204 http://docker10.mgrote.net:6483 https://miniflux.mgrote.net/ https://nextcloud.mgrote.net https://audio.mgrote.net/mg http://wiki.mgrote.net https://s3.mgrote.net https://auth.mgrote.net
+ env.sites https://git.mgrote.net https://docker10.mgrote.net:8443 https://rui.mgrote.net/ http://munin.mgrote.net http://192.168.5.1 http://192.168.3.1 http://192.168.3.108:8080 http://192.168.3.204 http://docker10.mgrote.net:6483 https://miniflux.mgrote.net/ https://nextcloud.mgrote.net https://audio.mgrote.net/mg http://wiki.mgrote.net https://s3.mgrote.net https://auth.mgrote.net http://docker10.mgrote.net:17170
 env.max_time 20
 env.short_label true
 env.follow_redirect true
diff --git a/host_vars/docker10.mgrote.net.yml b/host_vars/docker10.mgrote.net.yml
index cc9b4922..1bb9a7df 100644
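Review bot: `gitea_ldap_host: "docker10.mgrote.net"` couples Forgejo to the docker host name, while the blocky hunk in this same commit already repoints `ldap.mgrote.net` to the new address; leaving this at `"ldap.mgrote.net"` would have kept one level of indirection so a later move only touches DNS. If Forgejo runs on a different host than docker10, this bind now crosses the LAN to the host-published 3890 in plaintext carrying the `forgejo_bind_user` password, unlike the other consumers in this commit that reach `lldap` over a docker network; that deserves at least a comment on the line, or a TLS path if the LDAP service can offer one. The remaining `gitea_ldap_*` settings are unchanged context.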
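Review bot: the new `env.sites` entry `http://docker10.mgrote.net:17170` probes the lldap admin UI over plain HTTP by host name and port, which hard-codes the decision to keep 17170 published on the docker host; if the UI is meant to be served through Traefik, the check should target the `http_url` the TOML sets (`https://ldap.mgrote.net`) so the monitor follows the public route and the host port can be closed. The entry is appended at the end instead of replacing the removed `http://ldap.mgrote.net:17170` in place, which the plugin does not care about but makes the long line harder to diff.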
--- a/host_vars/docker10.mgrote.net.yml
+++ b/host_vars/docker10.mgrote.net.yml
@@ -50,8 +50,12 @@ compose_files:
 state: present
 - name: act-runner
 state: present
+ - name: lldap
+ state: present
+ network: traefik
 - name: minio
 state: present
+ network: traefik
 ### oefenweb.ufw
 ufw_rules:
diff --git a/inventory b/inventory
index 72a6505a..224037b4 100644
--- a/inventory
+++ b/inventory
@@ -6,9 +6,6 @@ all:
 blocky:
 hosts:
 blocky.mgrote.net:
- ldap:
- hosts:
- ldap.mgrote.net:
 lxc:
 hosts:
 fileserver3.mgrote.net:
@@ -47,7 +44,6 @@ all:
 docker10.mgrote.net:
 pbs.mgrote.net:
 blocky.mgrote.net:
- ldap.mgrote.net:
 munin.mgrote.net:
 test:
 hosts:
diff --git a/keepass_db.kdbx b/keepass_db.kdbx
index 7cb1cfb0..4dee2ea7 100644
Binary files a/keepass_db.kdbx and b/keepass_db.kdbx differ
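Review bot: the new `lldap` entry lists only `network: traefik`, but the compose file added in this commit declares both `traefik` and `postfix` as `external: true`; if `network:` is what makes the role provision the external network (its meaning is not visible here), `postfix` must already exist on docker10 or the stack will not come up, and a comment such as `# postfix network is created by the postfix stack` would record that dependency. The `network: traefik` added to the `minio` entry is unrelated to the LDAP migration and would be easier to review and revert as its own commit. The `compose_files` list starts before the hunk.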