add lldap Container

2025-06-21 09:07:25 +02:00 · 2025-06-21 09:07:25 +02:00 · 39f64cc408
commit 39f64cc408
parent c9fff1a0c2
8 changed files with 135 additions and 0 deletions
--- a/playbooks/heyer.systems/docker1.yml
+++ b/playbooks/heyer.systems/docker1.yml
@ -40,4 +40,9 @@
    - role: deploy_container_excalidraw
      tags:
        - excalidraw
        - docker-container
    - role: deploy_container_lldap
      tags:
        - lldap
        - docker-container
--- a/roles/deploy_container_lldap/defaults/main.yml
+++ b/roles/deploy_container_lldap/defaults/main.yml
@ -0,0 +1,15 @@
 # Version of the LLDAP container image
 container_lldap_version: "stable"                   # e.g., "latest" or a specific version
 # LDAP Base DN components
 container_lldap_ldap_base_domain: "example"          # First part of the LDAP Base DN (dc=example)
 container_lldap_ldap_base_tld: "com"                 # Top-level domain part of the LDAP Base DN (dc=com)
 # Domain for Traefik / external access
 container_lldap_domain: "ldap.example.com"           # Fully qualified domain name for LLDAP service
 # LDAP admin user password
 container_lldap_ldap_user_pass: "adminPas$word"      # Admin password (can be replaced by secret file)
 # Base directory for container data (e.g., for volumes, secrets)
 container_lldap_directory: "/opt/docker/lldap"  # Base directory on the host for LLDAP data
--- a/roles/deploy_container_lldap/handlers/main.yml
+++ b/roles/deploy_container_lldap/handlers/main.yml
--- a/roles/deploy_container_lldap/meta/main.yml
+++ b/roles/deploy_container_lldap/meta/main.yml
@ -0,0 +1,4 @@
 ---
 collections:
  - community.general
  - community.docker
--- a/roles/deploy_container_lldap/tasks/main.yml
+++ b/roles/deploy_container_lldap/tasks/main.yml
@ -0,0 +1,71 @@
 - name: Ensure data directories exist
  ansible.builtin.file:
    path: "{{ container_lldap_directory }}/{{ item }}"
    state: directory
    mode: '0755'
  loop:
    - "data"
    - "secrets"
  become: false
 - name: Check if jwt_secret file exists
  ansible.builtin.stat:
    path: "{{ container_lldap_directory }}/secrets/jwt_secret"
  register: jwt_secret_stat
 - name: Check if key_seed file exists
  ansible.builtin.stat:
    path: "{{ container_lldap_directory }}/secrets/key_seed"
  register: key_seed_stat
 - name: Generate JWT secret if not exists
  set_fact:
    jwt_secret: "{{ lookup('community.general.random_string', 'length=32 upper=true lower=true digits=true special=true override_special=!#%&()*+,-./:;<=>?@[]^_{|}~') }}"
  when: not jwt_secret_stat.stat.exists
  run_once: true
 - name: Generate Key Seed if not exists
  set_fact:
    key_seed: "{{ lookup('community.general.random_string', 'length=32 upper=true lower=true digits=true special=true override_special=!#%&()*+,-./:;<=>?@[]^_{|}~') }}"
  when: not key_seed_stat.stat.exists
  run_once: true
 - name: Copy JWT secret to host if generated
  ansible.builtin.copy:
    content: "{{ jwt_secret }}"
    dest: "{{ container_lldap_directory }}/secrets/jwt_secret"
    mode: '0644'
  when: jwt_secret is defined
  become: false
 - name: Copy Key Seed to host if generated
  ansible.builtin.copy:
    content: "{{ key_seed }}"
    dest: "{{ container_lldap_directory }}/secrets/key_seed"
    mode: '0644'
  when: key_seed is defined
  become: false
 - name: Write LDAP admin user password to file if not exists
  ansible.builtin.copy:
    content: "{{ container_lldap_ldap_user_pass }}"
    dest: "{{ container_lldap_directory }}/secrets/ldap_user_pass"
    mode: '0644'
  become: false
 - name: Deploy Docker Compose and .env files
  ansible.builtin.template:
    src: "{{ item.src }}"
    dest: "{{ container_lldap_directory }}/{{ item.dest }}"
    mode: '0644'
  loop:
    - { src: 'docker-compose.yml.j2', dest: 'docker-compose.yml' }
    - { src: '.env.j2', dest: '.env' }
  become: false
 - name: Start Container
  community.docker.docker_compose_v2:
    project_src: "{{ container_lldap_directory }}"
    pull: always
    docker_host: "unix:///run/user/1000/docker.sock"
  become: false
--- a/roles/deploy_container_lldap/templates/.env.j2
+++ b/roles/deploy_container_lldap/templates/.env.j2
@ -0,0 +1,4 @@
 LLDAP_VERSION={{ container_lldap_version }}
 LDAP_BASE_DOMAIN={{ container_lldap_ldap_base_domain }}
 LDAP_BASE_TLD={{ container_lldap_ldap_base_tld }}
 LLDAP_DOMAIN={{ container_lldap_domain }}
--- a/roles/deploy_container_lldap/templates/docker-compose.yml.j2
+++ b/roles/deploy_container_lldap/templates/docker-compose.yml.j2
@ -0,0 +1,36 @@
 ---
 services:
  lldap:
    image: lldap/lldap:${LLDAP_VERSION:-stable}
    container_name: lldap
    volumes:
      - "lldap_data:/data"
      - "./secrets:/secrets:ro"
    networks:
      - traefik
    environment:
      - TZ=Europe/Berlin
      - LLDAP_JWT_SECRET_FILE=/secrets/jwt_secret
      - LLDAP_KEY_SEED_FILE=/secrets/key_seed
      - LLDAP_LDAP_BASE_DN=dc=${LDAP_BASE_DOMAIN},dc=${LDAP_BASE_TLD}
      - LLDAP_LDAP_USER_PASS_FILE=/secrets/ldap_user_pass
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=traefik"
      - "traefik.http.routers.lldap.entrypoints=http"
      - "traefik.http.routers.lldap.rule=Host(`${LLDAP_DOMAIN}`)"
      - "traefik.http.middlewares.lldap-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.routers.lldap.middlewares=lldap-https-redirect"
      - "traefik.http.routers.lldap-secure.entrypoints=https"
      - "traefik.http.routers.lldap-secure.rule=Host(`${LLDAP_DOMAIN}`)"
      - "traefik.http.routers.lldap-secure.tls=true"
      - "traefik.http.routers.lldap-secure.service=lldap"
      - "traefik.http.services.lldap.loadbalancer.server.port=17170"
 networks:
  traefik:
    external: true
 volumes:
  lldap_data:
    driver: local
--- a/roles/deploy_container_lldap/vars/main.yml
+++ b/roles/deploy_container_lldap/vars/main.yml