playbooks/heyer.systems/docker1.yml

@@ -40,4 +40,9 @@
     - role: deploy_container_excalidraw
       tags:
         - excalidraw
+        - docker-container
+
+    - role: deploy_container_lldap
+      tags:
+        - lldap
         - docker-container

roles/deploy_container_lldap/defaults/main.yml

@@ -0,0 +1,15 @@
+# Version of the LLDAP container image
+container_lldap_version: "stable"                   # e.g., "latest" or a specific version
+
+# LDAP Base DN components
+container_lldap_ldap_base_domain: "example"          # First part of the LDAP Base DN (dc=example)
+container_lldap_ldap_base_tld: "com"                 # Top-level domain part of the LDAP Base DN (dc=com)
+
+# Domain for Traefik / external access
+container_lldap_domain: "ldap.example.com"           # Fully qualified domain name for LLDAP service
+
+# LDAP admin user password
+container_lldap_ldap_user_pass: "adminPas$word"      # Admin password (can be replaced by secret file)
+
+# Base directory for container data (e.g., for volumes, secrets)
+container_lldap_directory: "/opt/docker/lldap"  # Base directory on the host for LLDAP data

roles/deploy_container_lldap/meta/main.yml

@@ -0,0 +1,4 @@
+---
+collections:
+  - community.general
+  - community.docker

roles/deploy_container_lldap/tasks/main.yml

@@ -0,0 +1,71 @@
+- name: Ensure data directories exist
+  ansible.builtin.file:
+    path: "{{ container_lldap_directory }}/{{ item }}"
+    state: directory
+    mode: '0755'
+  loop:
+    - "data"
+    - "secrets"
+  become: false
+
+- name: Check if jwt_secret file exists
+  ansible.builtin.stat:
+    path: "{{ container_lldap_directory }}/secrets/jwt_secret"
+  register: jwt_secret_stat
+
+- name: Check if key_seed file exists
+  ansible.builtin.stat:
+    path: "{{ container_lldap_directory }}/secrets/key_seed"
+  register: key_seed_stat
+
+- name: Generate JWT secret if not exists
+  set_fact:
+    jwt_secret: "{{ lookup('community.general.random_string', 'length=32 upper=true lower=true digits=true special=true override_special=!#%&()*+,-./:;<=>?@[]^_{|}~') }}"
+  when: not jwt_secret_stat.stat.exists
+  run_once: true
+
+- name: Generate Key Seed if not exists
+  set_fact:
+    key_seed: "{{ lookup('community.general.random_string', 'length=32 upper=true lower=true digits=true special=true override_special=!#%&()*+,-./:;<=>?@[]^_{|}~') }}"
+  when: not key_seed_stat.stat.exists
+  run_once: true
+
+- name: Copy JWT secret to host if generated
+  ansible.builtin.copy:
+    content: "{{ jwt_secret }}"
+    dest: "{{ container_lldap_directory }}/secrets/jwt_secret"
+    mode: '0644'
+  when: jwt_secret is defined
+  become: false
+
+- name: Copy Key Seed to host if generated
+  ansible.builtin.copy:
+    content: "{{ key_seed }}"
+    dest: "{{ container_lldap_directory }}/secrets/key_seed"
+    mode: '0644'
+  when: key_seed is defined
+  become: false
+
+- name: Write LDAP admin user password to file if not exists
+  ansible.builtin.copy:
+    content: "{{ container_lldap_ldap_user_pass }}"
+    dest: "{{ container_lldap_directory }}/secrets/ldap_user_pass"
+    mode: '0644'
+  become: false
+
+- name: Deploy Docker Compose and .env files
+  ansible.builtin.template:
+    src: "{{ item.src }}"
+    dest: "{{ container_lldap_directory }}/{{ item.dest }}"
+    mode: '0644'
+  loop:
+    - { src: 'docker-compose.yml.j2', dest: 'docker-compose.yml' }
+    - { src: '.env.j2', dest: '.env' }
+  become: false
+
+- name: Start Container
+  community.docker.docker_compose_v2:
+    project_src: "{{ container_lldap_directory }}"
+    pull: always
+    docker_host: "unix:///run/user/1000/docker.sock"
+  become: false

roles/deploy_container_lldap/templates/.env.j2

@@ -0,0 +1,4 @@
+LLDAP_VERSION={{ container_lldap_version }}
+LDAP_BASE_DOMAIN={{ container_lldap_ldap_base_domain }}
+LDAP_BASE_TLD={{ container_lldap_ldap_base_tld }}
+LLDAP_DOMAIN={{ container_lldap_domain }}

roles/deploy_container_lldap/templates/docker-compose.yml.j2

@@ -0,0 +1,36 @@
+---
+services:
+  lldap:
+    image: lldap/lldap:${LLDAP_VERSION:-stable}
+    container_name: lldap
+    volumes:
+      - "lldap_data:/data"
+      - "./secrets:/secrets:ro"
+    networks:
+      - traefik
+    environment:
+      - TZ=Europe/Berlin
+      - LLDAP_JWT_SECRET_FILE=/secrets/jwt_secret
+      - LLDAP_KEY_SEED_FILE=/secrets/key_seed
+      - LLDAP_LDAP_BASE_DN=dc=${LDAP_BASE_DOMAIN},dc=${LDAP_BASE_TLD}
+      - LLDAP_LDAP_USER_PASS_FILE=/secrets/ldap_user_pass
+    labels:
+      - "traefik.enable=true"
+      - "traefik.docker.network=traefik"
+      - "traefik.http.routers.lldap.entrypoints=http"
+      - "traefik.http.routers.lldap.rule=Host(`${LLDAP_DOMAIN}`)"
+      - "traefik.http.middlewares.lldap-https-redirect.redirectscheme.scheme=https"
+      - "traefik.http.routers.lldap.middlewares=lldap-https-redirect"
+      - "traefik.http.routers.lldap-secure.entrypoints=https"
+      - "traefik.http.routers.lldap-secure.rule=Host(`${LLDAP_DOMAIN}`)"
+      - "traefik.http.routers.lldap-secure.tls=true"
+      - "traefik.http.routers.lldap-secure.service=lldap"
+      - "traefik.http.services.lldap.loadbalancer.server.port=17170"
+
+networks:
+  traefik:
+    external: true
+
+volumes:
+  lldap_data:
+    driver: local