Initial import; migrate some roles from irl.wip

2025-10-31 22:36:32 +00:00 · 2025-10-31 22:36:32 +00:00 · 2ba6c6691b
commit 2ba6c6691b
44 changed files with 1573 additions and 0 deletions
--- a/roles/podman_keycloak/tasks/ldap.yml
+++ b/roles/podman_keycloak/tasks/ldap.yml
@ -0,0 +1,115 @@
+---
+- name: wait 30 seconds for ldap server to start
+  ansible.builtin.pause:
+    seconds: 30
+
+- name: create ldap suffix
+  containers.podman.podman_container_exec:
+    name: ldap
+    argv:
+      - dsconf
+      - -v
+      - localhost
+      - backend
+      - create
+      - --suffix
+      - "{{ podman_keycloak_ldap_database_suffix_dn }}"
+      - --be-name
+      - "{{ podman_keycloak_ldap_database_backend_name }}"
+      - --create-suffix
+  become: true
+  become_user: "{{ podman_keycloak_podman_rootless_user }}"
+  register: podman_keycloak_create_suffix
+  ignore_errors: true
+  changed_when: false
+  tags:
+    - ldap
+
+- name: create suffix result (only when changed)
+  debug:
+    msg: "Suffix was created"
+  when: not podman_keycloak_create_suffix.failed
+  changed_when: not podman_keycloak_create_suffix.failed
+
+- name: ldap organisational units
+  community.general.ldap_entry:
+    dn: "ou={{ item }},{{ podman_keycloak_ldap_database_suffix_dn }}"
+    objectClass:
+      - top
+      - organizationalUnit
+    server_uri: ldaps://{{ inventory_hostname }}/
+    bind_dn: "cn=Directory Manager"
+    bind_pw: "{{ podman_keycloak_ldap_directory_manager_password }}"
+  delegate_to: localhost
+  with_items:
+    - Administrators
+    - People
+    - Groups
+  environment:
+    - LDAPTLS_REQCERT: "{% if podman_keycloak_certbot_testing %}never{% else %}always{% endif %}"
+  tags: ldap
+
+- name: enable memberOf plugin
+  containers.podman.podman_container_exec:
+    name: ldap
+    argv:
+      - dsconf
+      - -v
+      - localhost
+      - -D "cn=Directory Manager"
+      - plugin
+      - memberof
+      - enable
+  become: true
+  become_user: "{{ podman_keycloak_podman_rootless_user }}"
+  tags:
+    - ldap
+
+- name: disable anonymous bind
+  containers.podman.podman_container_exec:
+    name: ldap
+    argv:
+      - dsconf
+      - -v
+      - localhost
+      - -D "cn=Directory Manager"
+      - config
+      - replace
+      - nsslapd-allow-anonymous-access=off
+  become: true
+  become_user: "{{ podman_keycloak_podman_rootless_user }}"
+  tags:
+    - ldap
+
+- name: ldap read-only administrator
+  community.general.ldap_entry:
+    dn: "uid=admin,ou=Administrators,{{ podman_keycloak_ldap_database_suffix_dn }}"
+    objectClass:
+      - top
+      - person
+      - organizationalPerson
+      - inetOrgPerson
+    attributes:
+      cn: admin
+      sn: admin
+      userPassword: "{{ podman_keycloak_ldap_administrator_password }}"
+    server_uri: ldaps://{{ inventory_hostname }}/
+    bind_dn: "cn=Directory Manager"
+    bind_pw: "{{ podman_keycloak_ldap_directory_manager_password }}"
+  delegate_to: localhost
+  environment:
+    - LDAPTLS_REQCERT: "{% if podman_keycloak_certbot_testing %}never{% else %}always{% endif %}"
+  tags: ldap
+
+- name: ldap access control information
+  community.general.ldap_attrs:
+    dn: "{{ podman_keycloak_ldap_database_suffix_dn }}"
+    attributes:
+      aci: '(target="ldap:///{{ podman_keycloak_ldap_database_suffix_dn }}")(targetattr="*") (version 3.0; acl "readonly"; allow (search,read,compare) userdn="ldap:///uid=admin,ou=Administrators,{{ podman_keycloak_ldap_database_suffix_dn }}";)'
+    server_uri: ldaps://{{ inventory_hostname }}/
+    bind_dn: "cn=Directory Manager"
+    bind_pw: "{{ podman_keycloak_ldap_directory_manager_password }}"
+  delegate_to: localhost
+  environment:
+    - LDAPTLS_REQCERT: "{% if podman_keycloak_certbot_testing %}never{% else %}always{% endif %}"
+  tags: ldap