-rw-r--r-- | deploy.yml | 3 | ||||
-rw-r--r-- | group_vars/kanboard.yml | 21 | ||||
-rw-r--r-- | inventory | 3 | ||||
-rw-r--r-- | playbooks/kanboard.yml | 7 | ||||
-rw-r--r-- | playbooks/roles/kanboard/tasks/main.yml | 19 | ||||
-rw-r--r-- | playbooks/roles/kanboard/templates/stacks/docker-compose.yml | 43 | ||||
-rw-r--r-- | playbooks/roles/kanboard/templates/volumes/data/.gitkeep (renamed from playbooks/roles/traefik/templates/volumes/headscale/.gitkeep) | 0 | ||||
-rw-r--r-- | playbooks/roles/kanboard/templates/volumes/plugins/.gitkeep | 0 | ||||
-rw-r--r-- | playbooks/roles/kanidm/templates/stacks/docker-compose.yml | 6 | ||||
-rw-r--r-- | playbooks/roles/kanidm/templates/volumes/data/server.toml | 4 | ||||
-rw-r--r-- | playbooks/roles/traefik/templates/stacks/docker-compose.yml | 1 | ||||
-rw-r--r-- | playbooks/roles/traefik/templates/stacks/traefik.yml | 2 | ||||
-rw-r--r-- | secrets.txt | 1 |
13 files changed, 108 insertions, 2 deletions
@@ -35,3 +35,6 @@ - name: Kanidm ansible.builtin.import_playbook: playbooks/kanidm.yml + +- name: Kanboard + ansible.builtin.import_playbook: playbooks/kanboard.yml diff --git a/group_vars/kanboard.yml b/group_vars/kanboard.yml new file mode 100644 index 0000000..086d9ec --- /dev/null +++ b/group_vars/kanboard.yml @@ -0,0 +1,21 @@ +--- + +kanboard_base: "{{ swarm_base }}/kanboard" +kanboard_domain: "kanban.{{ domain }}" + +# https://docs.kanboard.org/v1/admin/ldap/ +base_dn: "{{ 'dc=' ~ idm_domain | regex_replace('\\.', ',dc=') }}" +kanboard_ldap_auth: "true" +kanboard_ldap_server: "ldaps://{{ idm_domain }}:3636" +kanboard_ldap_ssl_verify: "true" +kanboard_ldap_bind_type: "proxy" +kanboard_ldap_username: "dn=token" +kanboard_ldap_user_attribute_email: "emailprimary" +kanboard_ldap_user_creation: "true" +kanboard_ldap_user_base_dn: "{{ base_dn }}" +kanboard_ldap_user_filter: "(&(class=account)(name=%s))" +kanboard_ldap_group_provider: "true" +kanboard_ldap_group_base_dn: "{{ base_dn }}" +kanboard_ldap_group_filter: "(&(class=group)(name=%s))" +kanboard_ldap_group_admin_dn: "spn=kanban_admins@{{ idm_domain }},{{ base_dn }}" +kanboard_ldap_group_manager_dn: "spn=kanban_admins@{{ idm_domain }},{{ base_dn }}" @@ -43,3 +43,6 @@ swarm-one ansible_host=10.128.0.201 ansible_user=serve ansible_connection=ssh a [kanidm] swarm-one ansible_host=10.128.0.201 ansible_user=serve ansible_connection=ssh ansible_become_password='{{ swarm_become_password }}' + +[kanboard] +swarm-one ansible_host=10.128.0.201 ansible_user=serve ansible_connection=ssh ansible_become_password='{{ swarm_become_password }}' diff --git a/playbooks/kanboard.yml b/playbooks/kanboard.yml new file mode 100644 index 0000000..823688b --- /dev/null +++ b/playbooks/kanboard.yml @@ -0,0 +1,7 @@ +--- + +- name: kanboard setup + hosts: kanboard + become: true + roles: + - kanboard diff --git a/playbooks/roles/kanboard/tasks/main.yml b/playbooks/roles/kanboard/tasks/main.yml new file mode 100644 index 0000000..3d1efb8 
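Review bot: In the new group_vars/kanboard.yml, `base_dn` is the only variable without the `kanboard_` prefix; Ansible flattens group_vars into one per-host namespace, and the inventory hunk on this same line puts swarm-one in both the `[kanidm]` and `[kanboard]` groups, so an unprefixed `base_dn` set for another group on that host would silently override or be overridden by this one depending on group precedence. Rename it, e.g. `kanboard_ldap_base_dn: "{{ 'dc=' ~ idm_domain | regex_replace('\\.', ',dc=') }}"`, and point `kanboard_ldap_user_base_dn` and `kanboard_ldap_group_base_dn` at that name. Separately, `kanboard_ldap_group_admin_dn` and `kanboard_ldap_group_manager_dn` both resolve to the `kanban_admins` group, so every member gets both roles; if that is deliberate, a one-line comment above the two keys saying so would stop the next reader from treating it as a copy-paste slip.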
--- /dev/null +++ b/playbooks/roles/kanboard/tasks/main.yml @@ -0,0 +1,19 @@ +--- + +- name: Build kanboard compose dirs + ansible.builtin.file: + state: directory + dest: '{{ kanboard_base }}/{{ item.path }}' + with_filetree: '../templates' + when: item.state == 'directory' + +- name: Build kanboard compose files + ansible.builtin.template: + src: '{{ item.src }}' + dest: '{{ kanboard_base }}/{{ item.path }}' + with_filetree: '../templates' + when: item.state == 'file' + +- name: Deploy kanboard stack + ansible.builtin.command: + cmd: "docker stack deploy -c {{ kanboard_base }}/stacks/docker-compose.yml kanboard" diff --git a/playbooks/roles/kanboard/templates/stacks/docker-compose.yml b/playbooks/roles/kanboard/templates/stacks/docker-compose.yml new file mode 100644 index 0000000..abed6ce --- /dev/null +++ b/playbooks/roles/kanboard/templates/stacks/docker-compose.yml 
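Review bot: The `Build kanboard compose files` task in tasks/main.yml renders `stacks/docker-compose.yml`, which (per the next hunk) embeds `LDAP_PASSWORD={{ kanboard_ldap_password }}`, but the `ansible.builtin.template` call sets no `mode`, so the rendered file takes the remote umask default, which is commonly world-readable. Add `mode: "0600"` to that task (and `mode: "0750"` to the `ansible.builtin.file` task if the tree under `{{ kanboard_base }}` should not be listable by other local users). The `Deploy kanboard stack` task also runs `docker stack deploy` via `ansible.builtin.command` with no `changed_when`, so every play run reports a change; setting `changed_when` from the command output, or at least `changed_when: false`, would keep the play's reporting meaningful.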
@@ -0,0 +1,43 @@ +version: '3.2' + +services: + kanboard: + image: kanboard/kanboard:latest + volumes: + - {{ kanboard_base }}/volumes/data:/var/www/app/data + - {{ kanboard_base }}/volumes/plugins:/var/www/app/plugins + environment: + - TZ={{ timezone }} + - LOG_DRIVER=syslog + - LDAP_AUTH={{ kanboard_ldap_auth }} + - LDAP_SERVER={{ kanboard_ldap_server }} + - LDAP_SSL_VERIFY={{ kanboard_ldap_ssl_verify }} + - LDAP_BIND_TYPE={{ kanboard_ldap_bind_type }} + - LDAP_USERNAME={{ kanboard_ldap_username }} + - LDAP_PASSWORD={{ kanboard_ldap_password }} + - LDAP_USER_BASE_DN={{ kanboard_ldap_user_base_dn }} + - LDAP_USER_ATTRIBUTE_EMAIL={{ kanboard_ldap_user_attribute_email }} + - LDAP_USER_CREATION={{ kanboard_ldap_user_creation }} + - LDAP_USER_FILTER={{ kanboard_ldap_user_filter }} + - LDAP_GROUP_PROVIDER={{ kanboard_ldap_group_provider }} + - LDAP_GROUP_BASE_DN={{ kanboard_ldap_group_base_dn }} + - LDAP_GROUP_FILTER={{ kanboard_ldap_group_filter }} + - LDAP_GROUP_ADMIN_DN={{ kanboard_ldap_group_admin_dn }} + - LDAP_GROUP_MANAGER_DN={{ kanboard_ldap_group_manager_dn }} + networks: + - proxy + deploy: + mode: replicated + replicas: 1 + labels: + - traefik.enable=true + - traefik.swarm.network=proxy + - traefik.http.routers.kanboard.tls=true + - traefik.http.routers.kanboard.tls.certResolver=letsencrypt + - traefik.http.routers.kanboard.rule=Host(`{{ kanboard_domain }}`) + - traefik.http.routers.kanboard.entrypoints=websecure + - traefik.http.services.kanboard.loadbalancer.server.port=80 + +networks: + proxy: + external: true diff --git a/playbooks/roles/traefik/templates/volumes/headscale/.gitkeep b/playbooks/roles/kanboard/templates/volumes/data/.gitkeep index e69de29..e69de29 100644 --- a/playbooks/roles/traefik/templates/volumes/headscale/.gitkeep +++ b/playbooks/roles/kanboard/templates/volumes/data/.gitkeep 
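Review bot: `image: kanboard/kanboard:latest` in the new stack file is unpinned, so each `docker stack deploy` run may pull a different image and the deployment is not reproducible or reviewable; pin a release tag or digest and bump it on purpose, e.g. `image: kanboard/kanboard:<pinned-version>` (placeholder). The LDAP bind token is also injected as a plain `LDAP_PASSWORD` environment entry, which is persisted in the service spec and shown by `docker service inspect` to anyone who can reach the manager's Docker socket; a Docker secret mounted under `/run/secrets` would keep it out of the spec, though that only works if the Kanboard image can read the value from a file — confirm against the image's configuration before switching. A short comment above the `environment:` list noting that the block mirrors the `kanboard_ldap_*` group_vars would also help readers find where the values come from.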
diff --git a/playbooks/roles/kanboard/templates/volumes/plugins/.gitkeep b/playbooks/roles/kanboard/templates/volumes/plugins/.gitkeep new file mode 100644 index 0000000..e69de29 --- /dev/null +++ b/playbooks/roles/kanboard/templates/volumes/plugins/.gitkeep diff --git a/playbooks/roles/kanidm/templates/stacks/docker-compose.yml b/playbooks/roles/kanidm/templates/stacks/docker-compose.yml index 8ba1c98..7f568e8 100644 --- a/playbooks/roles/kanidm/templates/stacks/docker-compose.yml +++ b/playbooks/roles/kanidm/templates/stacks/docker-compose.yml @@ -28,6 +28,12 @@ services: - traefik.http.routers.kanidm.entrypoints=websecure - traefik.http.services.kanidm.loadbalancer.server.port=8443 - traefik.http.services.kanidm.loadbalancer.server.scheme=https + # ldap + - traefik.tcp.routers.kanidm-ldaps.tls.passthrough=true + - traefik.tcp.routers.kanidm-ldaps.rule=HostSNI(`*`) + - traefik.tcp.routers.kanidm-ldaps.entrypoints=ldaps + - traefik.tcp.routers.kanidm-ldaps.service=kanidm-ldaps + - traefik.tcp.services.kanidm-ldaps.loadbalancer.server.port=3636 networks: proxy: diff --git a/playbooks/roles/kanidm/templates/volumes/data/server.toml b/playbooks/roles/kanidm/templates/volumes/data/server.toml index 75bd7c2..dd13e1c 100644 --- a/playbooks/roles/kanidm/templates/volumes/data/server.toml +++ b/playbooks/roles/kanidm/templates/volumes/data/server.toml @@ -1,5 +1,5 @@ -bindaddress = "0.0.0.0:8443" -ldapbindaddress = "0.0.0.0:3636" +bindaddress = "[::]:8443" +ldapbindaddress = "[::]:3636" trust_x_forward_for = true db_path = "/data/kanidm.db" tls_chain = "/certs/{{ idm_domain }}.pem" diff --git a/playbooks/roles/traefik/templates/stacks/docker-compose.yml b/playbooks/roles/traefik/templates/stacks/docker-compose.yml index deb5329..214c57e 100644 --- a/playbooks/roles/traefik/templates/stacks/docker-compose.yml +++ b/playbooks/roles/traefik/templates/stacks/docker-compose.yml 
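Review bot: The new `traefik.tcp.routers.kanidm-ldaps.rule` label in the kanidm stack uses ``HostSNI(`*`)``, which sends every TLS connection arriving on the `ldaps` entrypoint to Kanidm whatever server name the client asked for. A passthrough router still matches on the ClientHello SNI, and the only client introduced by this change (`kanboard_ldap_server: "ldaps://{{ idm_domain }}:3636"`) connects by hostname, so ``HostSNI(`{{ idm_domain }}`)`` would be the tighter rule and would keep a future second TCP service on the same entrypoint from colliding; keep the wildcard only if a client that sends no SNI must be supported, and say so in the `# ldap` comment. The `server.toml` change on this line moves both binds to `[::]`; whether that still accepts IPv4 depends on the container's `bindv6only` setting, so it is worth a comment stating the dual-stack assumption.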
@@ -32,6 +32,7 @@ services: - 443:443 - 53:53 - 53:53/udp + - 3636:3636 environment: - TZ={{ timezone }} - CF_API_EMAIL={{ cloudflare_email }} diff --git a/playbooks/roles/traefik/templates/stacks/traefik.yml b/playbooks/roles/traefik/templates/stacks/traefik.yml index 5dcb19e..c4e2bd5 100644 --- a/playbooks/roles/traefik/templates/stacks/traefik.yml +++ b/playbooks/roles/traefik/templates/stacks/traefik.yml @@ -20,6 +20,8 @@ entryPoints: address: ":53/udp" dns_tcp: address: ":53/tcp" + ldaps: + address: ":3636/tcp" serversTransport: insecureSkipVerify: true providers: diff --git a/secrets.txt b/secrets.txt index bf6b4f8..2f5e99f 100644 --- a/secrets.txt +++ b/secrets.txt @@ -7,3 +7,4 @@ ceph_secret pihole_webpwd headscale_oidc_secret headscale_user_auth_key +kanboard_ldap_password |
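Review bot: `- 3636:3636` in the traefik stack publishes LDAPS through swarm ingress, so the port is reachable on every node's external interface rather than only from the `proxy` overlay the Kanboard service joins. If Kanboard is the sole consumer, exposing it to the Internet is more surface than needed; if external LDAPS clients are intended, that should be stated and the port restricted at the host firewall. Either way the entry deserves a comment next to it, e.g. `# LDAPS (Kanidm via the ldaps entrypoint); exposed on all swarm nodes`, since the other published ports carry no explanation and this one carries an authentication service.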