From 39f64cc408fe1c795b57936a972655ef83585f9d Mon Sep 17 00:00:00 2001
From: = <=>
Date: Sat, 21 Jun 2025 09:07:25 +0200
Subject: [PATCH] add lldap Container
---
playbooks/heyer.systems/docker1.yml | 5 ++
.../deploy_container_lldap/defaults/main.yml | 15 ++++
.../deploy_container_lldap/handlers/main.yml | 0
roles/deploy_container_lldap/meta/main.yml | 4 ++
roles/deploy_container_lldap/tasks/main.yml | 71 +++++++++++++++++++
.../deploy_container_lldap/templates/.env.j2 | 4 ++
.../templates/docker-compose.yml.j2 | 36 ++++++++++
roles/deploy_container_lldap/vars/main.yml | 0
8 files changed, 135 insertions(+)
create mode 100644 roles/deploy_container_lldap/defaults/main.yml
create mode 100644 roles/deploy_container_lldap/handlers/main.yml
create mode 100644 roles/deploy_container_lldap/meta/main.yml
create mode 100644 roles/deploy_container_lldap/tasks/main.yml
create mode 100644 roles/deploy_container_lldap/templates/.env.j2
create mode 100644 roles/deploy_container_lldap/templates/docker-compose.yml.j2
create mode 100644 roles/deploy_container_lldap/vars/main.yml
diff --git a/playbooks/heyer.systems/docker1.yml b/playbooks/heyer.systems/docker1.yml
index 214b89f..98ab198 100644
--- a/playbooks/heyer.systems/docker1.yml
+++ b/playbooks/heyer.systems/docker1.yml
@@ -40,4 +40,9 @@
 - role: deploy_container_excalidraw
 tags:
 - excalidraw
+ - docker-container
+
+ - role: deploy_container_lldap
+ tags:
+ - lldap
 - docker-container
\ No newline at end of file
diff --git a/roles/deploy_container_lldap/defaults/main.yml b/roles/deploy_container_lldap/defaults/main.yml
new file mode 100644
index 0000000..908664e
--- /dev/null
+++ b/roles/deploy_container_lldap/defaults/main.yml
@@ -0,0 +1,15 @@
+# Version of the LLDAP container image
+container_lldap_version: "stable" # e.g., "latest" or a specific version
+
+# LDAP Base DN components
+container_lldap_ldap_base_domain: "example" # First part of the LDAP Base DN (dc=example)
+container_lldap_ldap_base_tld: "com" # Top-level domain part of the LDAP Base DN (dc=com)
+
+# Domain for Traefik / external access
+container_lldap_domain: "ldap.example.com" # Fully qualified domain name for LLDAP service
+
+# LDAP admin user password
+container_lldap_ldap_user_pass: "adminPas$word" # Admin password (can be replaced by secret file)
+
+# Base directory for container data (e.g., for volumes, secrets)
+container_lldap_directory: "/opt/docker/lldap" # Base directory on the host for LLDAP data
diff --git a/roles/deploy_container_lldap/handlers/main.yml b/roles/deploy_container_lldap/handlers/main.yml
new file mode 100644
index 0000000..e69de29
diff --git a/roles/deploy_container_lldap/meta/main.yml b/roles/deploy_container_lldap/meta/main.yml
new file mode 100644
index 0000000..d0ed71a
--- /dev/null
+++ b/roles/deploy_container_lldap/meta/main.yml
@@ -0,0 +1,4 @@
+---
+collections:
+ - community.general
+ - community.docker
\ No newline at end of file
diff --git a/roles/deploy_container_lldap/tasks/main.yml b/roles/deploy_container_lldap/tasks/main.yml
new file mode 100644
index 0000000..57b47f3
--- /dev/null
+++ b/roles/deploy_container_lldap/tasks/main.yml
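Review bot: `container_lldap_ldap_user_pass: "adminPas$word"` under `# LDAP admin user password` ships a usable LDAP admin password as the role default, so a host where the override is forgotten ends up with a credential that is sitting in repository history. A secret should have no default at all: replace it with `container_lldap_ldap_user_pass: "{{ undef(hint='set container_lldap_ldap_user_pass from a vault') }}"` (ansible-core 2.12 and later), or drop the key and add an `ansible.builtin.assert` that the variable is defined before anything is written. The same default is copied to secrets/ldap_user_pass by the tasks/main.yml hunk in this commit, so the placeholder would otherwise land on the host unchanged.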
@@ -0,0 +1,71 @@
+- name: Ensure data directories exist
+ ansible.builtin.file:
+ path: "{{ container_lldap_directory }}/{{ item }}"
+ state: directory
+ mode: '0755'
+ loop:
+ - "data"
+ - "secrets"
+ become: false
+
+- name: Check if jwt_secret file exists
+ ansible.builtin.stat:
+ path: "{{ container_lldap_directory }}/secrets/jwt_secret"
+ register: jwt_secret_stat
+
+- name: Check if key_seed file exists
+ ansible.builtin.stat:
+ path: "{{ container_lldap_directory }}/secrets/key_seed"
+ register: key_seed_stat
+
+- name: Generate JWT secret if not exists
+ set_fact:
+ jwt_secret: "{{ lookup('community.general.random_string', 'length=32 upper=true lower=true digits=true special=true override_special=!#%&()*+,-./:;<=>?@[]^_{|}~') }}"
+ when: not jwt_secret_stat.stat.exists
+ run_once: true
+
+- name: Generate Key Seed if not exists
+ set_fact:
+ key_seed: "{{ lookup('community.general.random_string', 'length=32 upper=true lower=true digits=true special=true override_special=!#%&()*+,-./:;<=>?@[]^_{|}~') }}"
+ when: not key_seed_stat.stat.exists
+ run_once: true
+
+- name: Copy JWT secret to host if generated
+ ansible.builtin.copy:
+ content: "{{ jwt_secret }}"
+ dest: "{{ container_lldap_directory }}/secrets/jwt_secret"
+ mode: '0644'
+ when: jwt_secret is defined
+ become: false
+
+- name: Copy Key Seed to host if generated
+ ansible.builtin.copy:
+ content: "{{ key_seed }}"
+ dest: "{{ container_lldap_directory }}/secrets/key_seed"
+ mode: '0644'
+ when: key_seed is defined
+ become: false
+
+- name: Write LDAP admin user password to file if not exists
+ ansible.builtin.copy:
+ content: "{{ container_lldap_ldap_user_pass }}"
+ dest: "{{ container_lldap_directory }}/secrets/ldap_user_pass"
+ mode: '0644'
+ become: false
+
+- name: Deploy Docker Compose and .env files
+ ansible.builtin.template:
+ src: "{{ item.src }}"
+ dest: "{{ container_lldap_directory }}/{{ item.dest }}"
+ mode: '0644'
+ loop:
+ - { src: 'docker-compose.yml.j2', dest: 'docker-compose.yml' }
+ - { src: '.env.j2', dest: '.env' }
+ become: false
+
+- name: Start Container
+ community.docker.docker_compose_v2:
+ project_src: "{{ container_lldap_directory }}"
+ pull: always
+ docker_host: "unix:///run/user/1000/docker.sock"
+ become: false
diff --git a/roles/deploy_container_lldap/templates/.env.j2 b/roles/deploy_container_lldap/templates/.env.j2
new file mode 100644
index 0000000..6311746
--- /dev/null
+++ b/roles/deploy_container_lldap/templates/.env.j2
@@ -0,0 +1,4 @@
+LLDAP_VERSION={{ container_lldap_version }}
+LDAP_BASE_DOMAIN={{ container_lldap_ldap_base_domain }}
+LDAP_BASE_TLD={{ container_lldap_ldap_base_tld }}
+LLDAP_DOMAIN={{ container_lldap_domain }}
\ No newline at end of file
diff --git a/roles/deploy_container_lldap/templates/docker-compose.yml.j2 b/roles/deploy_container_lldap/templates/docker-compose.yml.j2
new file mode 100644
index 0000000..85b7f45
--- /dev/null
+++ b/roles/deploy_container_lldap/templates/docker-compose.yml.j2
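Review bot: The three copy tasks that write secrets/jwt_secret, secrets/key_seed and secrets/ldap_user_pass all use `mode: '0644'`, which leaves the JWT signing secret, the key seed and the admin password readable by every local account on the host; each of them should be `mode: '0600'`, and the `secrets` directory created by the first task could be `'0700'` while `data` keeps `'0755'`. The compose file in this commit bind-mounts ./secrets read-only and the start task talks to `unix:///run/user/1000/docker.sock`, so the container presumably runs as that same host user and still reads 0600 files — worth confirming on the target. Separately, the task named `Write LDAP admin user password to file if not exists` has no `when`, so it rewrites the file on every run; either guard it with a stat like the two secrets above it or rename it to match what it does. `set_fact` is also the only module in this file not written as an FQCN (`ansible.builtin.set_fact`).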
@@ -0,0 +1,36 @@
+---
+services:
+ lldap:
+ image: lldap/lldap:${LLDAP_VERSION:-stable}
+ container_name: lldap
+ volumes:
+ - "lldap_data:/data"
+ - "./secrets:/secrets:ro"
+ networks:
+ - traefik
+ environment:
+ - TZ=Europe/Berlin
+ - LLDAP_JWT_SECRET_FILE=/secrets/jwt_secret
+ - LLDAP_KEY_SEED_FILE=/secrets/key_seed
+ - LLDAP_LDAP_BASE_DN=dc=${LDAP_BASE_DOMAIN},dc=${LDAP_BASE_TLD}
+ - LLDAP_LDAP_USER_PASS_FILE=/secrets/ldap_user_pass
+ labels:
+ - "traefik.enable=true"
+ - "traefik.docker.network=traefik"
+ - "traefik.http.routers.lldap.entrypoints=http"
+ - "traefik.http.routers.lldap.rule=Host(`${LLDAP_DOMAIN}`)"
+ - "traefik.http.middlewares.lldap-https-redirect.redirectscheme.scheme=https"
+ - "traefik.http.routers.lldap.middlewares=lldap-https-redirect"
+ - "traefik.http.routers.lldap-secure.entrypoints=https"
+ - "traefik.http.routers.lldap-secure.rule=Host(`${LLDAP_DOMAIN}`)"
+ - "traefik.http.routers.lldap-secure.tls=true"
+ - "traefik.http.routers.lldap-secure.service=lldap"
+ - "traefik.http.services.lldap.loadbalancer.server.port=17170"
+
+networks:
+ traefik:
+ external: true
+
+volumes:
+ lldap_data:
+ driver: local
\ No newline at end of file
diff --git a/roles/deploy_container_lldap/vars/main.yml b/roles/deploy_container_lldap/vars/main.yml
new file mode 100644
index 0000000..e69de29
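Review bot: `image: lldap/lldap:${LLDAP_VERSION:-stable}` together with `pull: always` in the role's start task re-resolves a mutable tag on every play run, so the image actually deployed can change without any change to this repository or its variables. Pinning `container_lldap_version` to a specific release tag, or referencing the image by digest (`lldap/lldap@sha256:<digest>`, placeholder), makes deploys reproducible and turns an upgrade into a reviewable diff. The `lldap` service also has no `restart:` policy, so a daemon restart or host reboot leaves the directory down until the play is re-run; `restart: unless-stopped` under the service would cover that. The LDAP listener itself is not published and is reachable only over the external `traefik` network, which looks intended but is worth a one-line comment above `networks:`.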