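---
# Variables come from
# - https://docs.gitea.com/administration/command-line
# - https://github.com/lldap/lldap/blob/main/example_configs/gitea.md
# and from the respective group/host vars.
#
# Both tasks pass the same LDAP settings; keep them in sync when one changes.
#
# Security notes:
# - --security-protocol "unencrypted" sends the bind password, and every
#   credential check Forgejo performs for a user login, in cleartext to
#   gitea_ldap_host:3890. Only acceptable when that link is loopback or an
#   otherwise isolated network.
# - no_log hides the rendered command from Ansible output, but the bind
#   password is still part of the process argv on the target while the
#   command runs (visible to other local users via the process list).

- name: Ensure LDAP config is set up
  no_log: true
  become_user: gitea
  become: true
  ansible.builtin.command: |
    forgejo admin auth add-ldap \
    --config "{{ gitea_configuration_path }}/gitea.ini" \
    --name "lldap" \
    --security-protocol "unencrypted" \
    --host "{{ gitea_ldap_host }}" \
    --port "3890" \
    --bind-dn "uid={{ gitea_ldap_bind_user }},ou=people,dc=mgrote,dc=net" \
    --bind-password "{{ gitea_ldap_bind_pass }}" \
    --user-search-base "ou=people,dc=mgrote,dc=net" \
    --user-filter "(&(memberof=cn=gitea,ou=groups,dc=mgrote,dc=net)(|(uid=%[1]s)(mail=%[1]s)))" \
    --username-attribute "uid" \
    --email-attribute "mail" \
    --firstname-attribute "givenName" \
    --surname-attribute "sn" \
    --avatar-attribute "jpegPhoto" \
    --synchronize-users
  register: setup
  # The only expected non-zero exit is "login source already exists" on a
  # re-run. Any other error (bad config path, unreachable LDAP host, rejected
  # bind credentials) must fail the play rather than being swallowed, which is
  # why this no longer uses ignore_errors. A clean rc 0 is never a failure.
  failed_when: >-
    setup.rc != 0 and
    "login source already exists" not in setup.stderr
  # rc 0 only on the run that actually creates the source.
  changed_when: setup.rc == 0

- name: Modify LDAP config
  no_log: true
  become_user: gitea
  become: true
  ansible.builtin.command: |
    forgejo admin auth update-ldap \
    --config "{{ gitea_configuration_path }}/gitea.ini" \
    --id "1" \
    --security-protocol "unencrypted" \
    --host "{{ gitea_ldap_host }}" \
    --port "3890" \
    --bind-dn "uid={{ gitea_ldap_bind_user }},ou=people,dc=mgrote,dc=net" \
    --bind-password "{{ gitea_ldap_bind_pass }}" \
    --user-search-base "ou=people,dc=mgrote,dc=net" \
    --user-filter "(&(memberof=cn=gitea,ou=groups,dc=mgrote,dc=net)(|(uid=%[1]s)(mail=%[1]s)))" \
    --username-attribute "uid" \
    --email-attribute "mail" \
    --firstname-attribute "givenName" \
    --surname-attribute "sn" \
    --avatar-attribute "jpegPhoto" \
    --synchronize-users
  # NOTE(review): --id "1" assumes the lldap source is the first (and only)
  # auth source ever created in this instance; if another source holds ID 1
  # it would be overwritten. TODO confirm with `forgejo admin auth list`.
  # Run only when the first task reported the source as already present.
  when: '"login source already exists" in setup.stderr'
  # The CLI gives no way to tell a no-op update from a real one, so report
  # the task as unchanged.
  changed_when: false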