author | Elizabeth Hunt <me@liz.coffee> | 2025-04-05 16:16:49 -0700 |
---|---|---|
committer | Elizabeth Hunt <me@liz.coffee> | 2025-04-05 16:16:49 -0700 |
commit | 5c341236ccc69cced155d84b3e227a5c7a1f34d1 (patch) | |
tree | 58ca0111a474b66ecfb77a523697482c8523fd44 /playbooks/roles | |
parent | ce8931e6fe1fc1e9bd004f9357e15309d1265975 (diff) | |
LDAP
Diffstat (limited to 'playbooks/roles')
-rw-r--r-- | playbooks/roles/kanboard/tasks/main.yml | 19 | ||||
-rw-r--r-- | playbooks/roles/kanboard/templates/stacks/docker-compose.yml | 43 | ||||
-rw-r--r-- | playbooks/roles/kanboard/templates/volumes/data/.gitkeep (renamed from playbooks/roles/traefik/templates/volumes/headscale/.gitkeep) | 0 | ||||
-rw-r--r-- | playbooks/roles/kanboard/templates/volumes/plugins/.gitkeep | 0 | ||||
-rw-r--r-- | playbooks/roles/kanidm/templates/stacks/docker-compose.yml | 6 | ||||
-rw-r--r-- | playbooks/roles/kanidm/templates/volumes/data/server.toml | 4 | ||||
-rw-r--r-- | playbooks/roles/traefik/templates/stacks/docker-compose.yml | 1 | ||||
-rw-r--r-- | playbooks/roles/traefik/templates/stacks/traefik.yml | 2 |
8 files changed, 73 insertions, 2 deletions
diff --git a/playbooks/roles/kanboard/tasks/main.yml b/playbooks/roles/kanboard/tasks/main.yml
new file mode 100644
index 0000000..3d1efb8
--- /dev/null
+++ b/playbooks/roles/kanboard/tasks/main.yml
@@ -0,0 +1,19 @@
+---
+
+- name: Build kanboard compose dirs
+ ansible.builtin.file:
+ state: directory
+ dest: '{{ kanboard_base }}/{{ item.path }}'
+ with_filetree: '../templates'
+ when: item.state == 'directory'
+
+- name: Build kanboard compose files
+ ansible.builtin.template:
+ src: '{{ item.src }}'
+ dest: '{{ kanboard_base }}/{{ item.path }}'
+ with_filetree: '../templates'
+ when: item.state == 'file'
+
+- name: Deploy kanboard stack
+ ansible.builtin.command:
+ cmd: "docker stack deploy -c {{ kanboard_base }}/stacks/docker-compose.yml kanboard"
diff --git a/playbooks/roles/kanboard/templates/stacks/docker-compose.yml b/playbooks/roles/kanboard/templates/stacks/docker-compose.yml
new file mode 100644
index 0000000..abed6ce
--- /dev/null
+++ b/playbooks/roles/kanboard/templates/stacks/docker-compose.yml
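Review bot: The rendered stack file under `stacks/` carries the LDAP bind password (the second task templates `LDAP_PASSWORD` into it), but the `ansible.builtin.template` task sets no `mode`, so the file is created with the remote umask and is very likely world-readable on the Swarm manager. Add `mode: '0600'` (plus `owner`/`group` as appropriate) to the "Build kanboard compose files" task, and consider a restrictive `mode` on the directory task as well. The "Deploy kanboard stack" task runs `docker stack deploy` unconditionally with no `changed_when`, so every play reports a change; `changed_when: false` or a register-and-compare would make the role honest about idempotency. Indentation in this hunk was lost in rendering, so the nesting above is inferred from the key names.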
@@ -0,0 +1,43 @@
+version: '3.2'
+
+services:
+ kanboard:
+ image: kanboard/kanboard:latest
+ volumes:
+ - {{ kanboard_base }}/volumes/data:/var/www/app/data
+ - {{ kanboard_base }}/volumes/plugins:/var/www/app/plugins
+ environment:
+ - TZ={{ timezone }}
+ - LOG_DRIVER=syslog
+ - LDAP_AUTH={{ kanboard_ldap_auth }}
+ - LDAP_SERVER={{ kanboard_ldap_server }}
+ - LDAP_SSL_VERIFY={{ kanboard_ldap_ssl_verify }}
+ - LDAP_BIND_TYPE={{ kanboard_ldap_bind_type }}
+ - LDAP_USERNAME={{ kanboard_ldap_username }}
+ - LDAP_PASSWORD={{ kanboard_ldap_password }}
+ - LDAP_USER_BASE_DN={{ kanboard_ldap_user_base_dn }}
+ - LDAP_USER_ATTRIBUTE_EMAIL={{ kanboard_ldap_user_attribute_email }}
+ - LDAP_USER_CREATION={{ kanboard_ldap_user_creation }}
+ - LDAP_USER_FILTER={{ kanboard_ldap_user_filter }}
+ - LDAP_GROUP_PROVIDER={{ kanboard_ldap_group_provider }}
+ - LDAP_GROUP_BASE_DN={{ kanboard_ldap_group_base_dn }}
+ - LDAP_GROUP_FILTER={{ kanboard_ldap_group_filter }}
+ - LDAP_GROUP_ADMIN_DN={{ kanboard_ldap_group_admin_dn }}
+ - LDAP_GROUP_MANAGER_DN={{ kanboard_ldap_group_manager_dn }}
+ networks:
+ - proxy
+ deploy:
+ mode: replicated
+ replicas: 1
+ labels:
+ - traefik.enable=true
+ - traefik.swarm.network=proxy
+ - traefik.http.routers.kanboard.tls=true
+ - traefik.http.routers.kanboard.tls.certResolver=letsencrypt
+ - traefik.http.routers.kanboard.rule=Host(`{{ kanboard_domain }}`)
+ - traefik.http.routers.kanboard.entrypoints=websecure
+ - traefik.http.services.kanboard.loadbalancer.server.port=80
+
+networks:
+ proxy:
+ external: true
diff --git a/playbooks/roles/traefik/templates/volumes/headscale/.gitkeep b/playbooks/roles/kanboard/templates/volumes/data/.gitkeep
index e69de29..e69de29 100644
--- a/playbooks/roles/traefik/templates/volumes/headscale/.gitkeep
+++ b/playbooks/roles/kanboard/templates/volumes/data/.gitkeep
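Review bot: `LDAP_PASSWORD={{ kanboard_ldap_password }}` puts the bind credential into the service's environment, where it is readable through `docker service inspect` by anyone with Docker-socket access on any manager, in addition to living in the rendered stack file on disk. If the Kanidm service account used for the bind is limited to read-only search on the user and group base DNs the exposure is contained; otherwise prefer a Docker secret under `/run/secrets` consumed via Kanboard's config override rather than the environment, though I have not verified which of the image's `LDAP_*` settings accept a file-based variant, so check the image docs. `image: kanboard/kanboard:latest` is unpinned, so each `docker stack deploy` may pull a different build; pin to a release tag, ideally with a `@sha256:` digest. Also make sure `kanboard_ldap_ssl_verify` defaults to `true` in the role vars, since a false value here silently disables certificate checking on the LDAPS bind.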
diff --git a/playbooks/roles/kanboard/templates/volumes/plugins/.gitkeep b/playbooks/roles/kanboard/templates/volumes/plugins/.gitkeep
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/playbooks/roles/kanboard/templates/volumes/plugins/.gitkeep
diff --git a/playbooks/roles/kanidm/templates/stacks/docker-compose.yml b/playbooks/roles/kanidm/templates/stacks/docker-compose.yml
index 8ba1c98..7f568e8 100644
--- a/playbooks/roles/kanidm/templates/stacks/docker-compose.yml
+++ b/playbooks/roles/kanidm/templates/stacks/docker-compose.yml
@@ -28,6 +28,12 @@ services: - traefik.http.routers.kanidm.entrypoints=websecure - traefik.http.services.kanidm.loadbalancer.server.port=8443 - traefik.http.services.kanidm.loadbalancer.server.scheme=https
+ # ldap
+ - traefik.tcp.routers.kanidm-ldaps.tls.passthrough=true
+ - traefik.tcp.routers.kanidm-ldaps.rule=HostSNI(`*`)
+ - traefik.tcp.routers.kanidm-ldaps.entrypoints=ldaps
+ - traefik.tcp.routers.kanidm-ldaps.service=kanidm-ldaps
+ - traefik.tcp.services.kanidm-ldaps.loadbalancer.server.port=3636
networks:
proxy:
diff --git a/playbooks/roles/kanidm/templates/volumes/data/server.toml b/playbooks/roles/kanidm/templates/volumes/data/server.toml
index 75bd7c2..dd13e1c 100644
--- a/playbooks/roles/kanidm/templates/volumes/data/server.toml
+++ b/playbooks/roles/kanidm/templates/volumes/data/server.toml
@@ -1,5 +1,5 @@
-bindaddress = "0.0.0.0:8443"
-ldapbindaddress = "0.0.0.0:3636"
+bindaddress = "[::]:8443"
+ldapbindaddress = "[::]:3636"
trust_x_forward_for = true
db_path = "/data/kanidm.db"
tls_chain = "/certs/{{ idm_domain }}.pem"
diff --git a/playbooks/roles/traefik/templates/stacks/docker-compose.yml b/playbooks/roles/traefik/templates/stacks/docker-compose.yml
index deb5329..214c57e 100644
--- a/playbooks/roles/traefik/templates/stacks/docker-compose.yml
+++ b/playbooks/roles/traefik/templates/stacks/docker-compose.yml
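Review bot: `traefik.tcp.routers.kanidm-ldaps.rule=HostSNI(`*`)` forwards every connection arriving on the `ldaps` entrypoint to Kanidm regardless of the name the client asked for. Because the router is TLS passthrough, Traefik still parses the SNI from the ClientHello, so `HostSNI(`{{ idm_domain }}`)` would work here and would drop connections that target the bare IP or a wrong hostname at the edge instead of letting them reach Kanidm's LDAP listener, a cheap filter against port scanners. The `labels:` list these entries extend begins above the hunk.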
@@ -32,6 +32,7 @@ services: - 443:443 - 53:53 - 53:53/udp
+ - 3636:3636
environment: - TZ={{ timezone }} - CF_API_EMAIL={{ cloudflare_email }}
diff --git a/playbooks/roles/traefik/templates/stacks/traefik.yml b/playbooks/roles/traefik/templates/stacks/traefik.yml
index 5dcb19e..c4e2bd5 100644
--- a/playbooks/roles/traefik/templates/stacks/traefik.yml
+++ b/playbooks/roles/traefik/templates/stacks/traefik.yml
@@ -20,6 +20,8 @@ entryPoints:
address: ":53/udp"
dns_tcp:
address: ":53/tcp"
+ ldaps:
+ address: ":3636/tcp"
serversTransport:
insecureSkipVerify: true
providers: |
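Review bot: `- 3636:3636` publishes the LDAPS entrypoint through the Swarm ingress mesh, i.e. on every node's interfaces, yet the only LDAP client added in this commit (kanboard) is attached to the same `proxy` overlay network and appears able to reach Kanidm without a published port at all. If external LDAPS clients are genuinely required, use the long syntax so the exposure is deliberate and node-local (`- target: 3636` / `published: 3636` / `mode: host`) and firewall it to the expected sources; otherwise drop the line. Quoting the mapping as `"3636:3636"` also matches the Compose convention for port strings. The enclosing `ports:` list begins above the hunk.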
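Review bot: The new `ldaps` entrypoint is a raw TCP listener feeding a passthrough router, so Kanidm will record every LDAP bind as originating from Traefik's overlay address rather than the real client, which weakens the audit trail and any per-source throttling on the IdM side. If client attribution matters, enable PROXY protocol on this entrypoint (`proxyProtocol:` under `ldaps`) and on Kanidm's LDAP listener; I have not verified which Kanidm version or option supports that, so check its docs before relying on it. A one-line comment would help the next reader, e.g. `# LDAPS for Kanidm: TLS is passed through untouched, Kanidm terminates it`. Not part of this change but visible in context: `serversTransport.insecureSkipVerify: true` disables upstream certificate verification for every HTTPS backend, including the kanidm router on 8443.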