218 lines
6.4 KiB
YAML
218 lines
6.4 KiB
YAML
---
|
|
# TODO: configure ufw
|
|
|
|
- name: create service configuration directories
|
|
ansible.builtin.file:
|
|
path: "/home/{{ podman_identity_podman_rootless_user }}/{{ item }}"
|
|
state: directory
|
|
owner: "{{ podman_identity_podman_rootless_user }}"
|
|
group: "{{ podman_identity_podman_rootless_user }}"
|
|
mode: "0755"
|
|
become: true
|
|
with_items:
|
|
- keycloak
|
|
- ldap
|
|
- postgres
|
|
|
|
- name: download keycloak providers
|
|
ansible.builtin.get_url:
|
|
url: "{{ item.url }}"
|
|
dest: "/home/{{ podman_identity_podman_rootless_user }}/keycloak/{{ item.url | basename }}"
|
|
checksum: "sha256:{{ item.sha256 }}"
|
|
with_items: "{{ podman_identity_keycloak_providers }}"
|
|
become: true
|
|
become_user: "{{ podman_identity_podman_rootless_user }}"
|
|
notify: restart keycloak
|
|
|
|
- name: install systemd units for rootless podman user
|
|
ansible.builtin.template:
|
|
src: "{{ item }}"
|
|
dest: "/home/{{ podman_identity_podman_rootless_user }}/.config/containers/systemd/{{ item }}"
|
|
owner: "{{ podman_identity_podman_rootless_user }}"
|
|
mode: "0400"
|
|
with_items:
|
|
- ldap.container
|
|
- keycloak.container
|
|
- postgres.container
|
|
notify:
|
|
- "restart {{ item | split('.') | first }}"
|
|
become: true
|
|
|
|
- name: install network quadlets for rootless podman user
|
|
ansible.builtin.template:
|
|
src: "{{ item }}"
|
|
dest: "/home/{{ podman_identity_podman_rootless_user }}/.config/containers/systemd/{{ item }}"
|
|
owner: "{{ podman_identity_podman_rootless_user }}"
|
|
mode: "0400"
|
|
with_items:
|
|
- frontend.network
|
|
- ldap.network
|
|
- keycloak.network
|
|
become: true
|
|
|
|
- name: verify quadlets are correctly defined
|
|
ansible.builtin.command: /usr/libexec/podman/quadlet -dryrun -user
|
|
register: podman_identity_quadlet_result
|
|
ignore_errors: true
|
|
changed_when: false
|
|
become: true
|
|
become_user: "{{ podman_identity_podman_rootless_user }}"
|
|
|
|
- name: assert that the quadlet verification succeeded
|
|
ansible.builtin.assert:
|
|
that:
|
|
- podman_identity_quadlet_result.rc == 0
|
|
fail_msg: "'/usr/libexec/podman/quadlet -dryrun -user' failed! Output withheld to prevent leaking secrets."
|
|
|
|
- name: start postgres and keycloak
|
|
ansible.builtin.systemd_service:
|
|
name: "{{ item }}"
|
|
state: started
|
|
scope: user
|
|
daemon_reload: true
|
|
become: true
|
|
become_user: "{{ podman_identity_podman_rootless_user }}"
|
|
with_items:
|
|
- postgres
|
|
- keycloak
|
|
|
|
- name: set up nginx
|
|
ansible.builtin.import_role:
|
|
name: podman_nginx
|
|
vars:
|
|
podman_nginx_podman_rootless_user: "{{ podman_identity_podman_rootless_user }}"
|
|
podman_nginx_primary_hostname: "{{ podman_identity_keycloak_hostname }}"
|
|
podman_nginx_frontend_network: frontend
|
|
|
|
- name: start ldap
|
|
ansible.builtin.systemd_service:
|
|
name: ldap
|
|
state: started
|
|
scope: user
|
|
become: true
|
|
become_user: "{{ podman_identity_podman_rootless_user }}"
|
|
|
|
- name: create nginx configuration file
|
|
ansible.builtin.template:
|
|
src: nginx.conf
|
|
dest: "/home/{{ podman_identity_podman_rootless_user }}/nginx/nginx.conf"
|
|
owner: "{{ podman_identity_podman_rootless_user }}"
|
|
group: "{{ podman_identity_podman_rootless_user }}"
|
|
mode: "0644"
|
|
become: true
|
|
notify: restart nginx
|
|
|
|
- name: wait 30 seconds for ldap server to start
|
|
ansible.builtin.pause:
|
|
seconds: 30
|
|
|
|
- name: create ldap suffix
|
|
containers.podman.podman_container_exec:
|
|
name: ldap
|
|
argv:
|
|
- dsconf
|
|
- -v
|
|
- localhost
|
|
- backend
|
|
- create
|
|
- --suffix
|
|
- "{{ podman_identity_ldap_database_suffix_dn }}"
|
|
- --be-name
|
|
- "{{ podman_identity_ldap_database_backend_name }}"
|
|
- --create-suffix
|
|
become: true
|
|
become_user: "{{ podman_identity_podman_rootless_user }}"
|
|
register: podman_identity_create_suffix
|
|
ignore_errors: true
|
|
changed_when: false
|
|
tags:
|
|
- ldap
|
|
|
|
- name: create suffix result (only when changed)
|
|
debug:
|
|
msg: "Suffix was created"
|
|
when: not podman_identity_create_suffix.failed
|
|
changed_when: not podman_identity_create_suffix.failed
|
|
|
|
- name: ldap organisational units
|
|
community.general.ldap_entry:
|
|
dn: "ou={{ item }},{{ podman_identity_ldap_database_suffix_dn }}"
|
|
objectClass:
|
|
- top
|
|
- organizationalUnit
|
|
server_uri: ldaps://{{ inventory_hostname }}/
|
|
bind_dn: "cn=Directory Manager"
|
|
bind_pw: "{{ podman_identity_ldap_directory_manager_password }}"
|
|
delegate_to: localhost
|
|
with_items:
|
|
- Administrators
|
|
- People
|
|
- Groups
|
|
environment:
|
|
- LDAPTLS_REQCERT: "{% if podman_identity_certbot_testing %}never{% else %}always{% endif %}"
|
|
tags: ldap
|
|
|
|
- name: enable memberOf plugin
|
|
containers.podman.podman_container_exec:
|
|
name: ldap
|
|
argv:
|
|
- dsconf
|
|
- -v
|
|
- localhost
|
|
- -D "cn=Directory Manager"
|
|
- plugin
|
|
- memberof
|
|
- enable
|
|
become: true
|
|
become_user: "{{ podman_identity_podman_rootless_user }}"
|
|
tags:
|
|
- ldap
|
|
|
|
- name: disable anonymous bind
|
|
containers.podman.podman_container_exec:
|
|
name: ldap
|
|
argv:
|
|
- dsconf
|
|
- -v
|
|
- localhost
|
|
- -D "cn=Directory Manager"
|
|
- config
|
|
- replace
|
|
- nsslapd-allow-anonymous-access=off
|
|
become: true
|
|
become_user: "{{ podman_identity_podman_rootless_user }}"
|
|
tags:
|
|
- ldap
|
|
|
|
- name: ldap read-only administrator
|
|
community.general.ldap_entry:
|
|
dn: "uid=admin,ou=Administrators,{{ podman_identity_ldap_database_suffix_dn }}"
|
|
objectClass:
|
|
- top
|
|
- person
|
|
- organizationalPerson
|
|
- inetOrgPerson
|
|
attributes:
|
|
cn: admin
|
|
sn: admin
|
|
userPassword: "{{ podman_identity_ldap_administrator_password }}"
|
|
server_uri: ldaps://{{ inventory_hostname }}/
|
|
bind_dn: "cn=Directory Manager"
|
|
bind_pw: "{{ podman_identity_ldap_directory_manager_password }}"
|
|
delegate_to: localhost
|
|
environment:
|
|
- LDAPTLS_REQCERT: "{% if podman_identity_certbot_testing %}never{% else %}always{% endif %}"
|
|
tags: ldap
|
|
|
|
- name: ldap access control information
|
|
community.general.ldap_attrs:
|
|
dn: "{{ podman_identity_ldap_database_suffix_dn }}"
|
|
attributes:
|
|
aci: '(target="ldap:///{{ podman_identity_ldap_database_suffix_dn }}")(targetattr="*") (version 3.0; acl "readonly"; allow (search,read,compare) userdn="ldap:///uid=admin,ou=Administrators,{{ podman_identity_ldap_database_suffix_dn }}";)'
|
|
server_uri: ldaps://{{ inventory_hostname }}/
|
|
bind_dn: "cn=Directory Manager"
|
|
bind_pw: "{{ podman_identity_ldap_directory_manager_password }}"
|
|
delegate_to: localhost
|
|
environment:
|
|
- LDAPTLS_REQCERT: "{% if podman_identity_certbot_testing %}never{% else %}always{% endif %}"
|
|
tags: ldap
|