Diffstat (limited to 'playbooks/roles/kanidm')
-rw-r--r-- | playbooks/roles/kanidm/tasks/main.yml | 47 | ||||
-rw-r--r-- | playbooks/roles/kanidm/templates/docker-compose.yml.j2 | 13 | ||||
-rw-r--r-- | playbooks/roles/kanidm/templates/server.toml.j2 | 10 |
3 files changed, 70 insertions, 0 deletions
diff --git a/playbooks/roles/kanidm/tasks/main.yml b/playbooks/roles/kanidm/tasks/main.yml
new file mode 100644
index 0000000..37cc0da
--- /dev/null
+++ b/playbooks/roles/kanidm/tasks/main.yml
@@ -0,0 +1,47 @@
+---
+
+- name: Ensure kanidm docker/compose exist
+ ansible.builtin.file:
+ path: /etc/docker/compose/kanidm
+ state: directory
+ owner: root
+ group: root
+ mode: 0700
+
+- name: Build kanidm docker-compose.yml.j2
+ ansible.builtin.template:
+ src: docker-compose.yml.j2
+ dest: /etc/docker/compose/kanidm/docker-compose.yml
+ owner: root
+ group: root
+ mode: 0700
+
+- name: Ensure kanidm docker/compose/data exist
+ ansible.builtin.file:
+ path: /etc/docker/compose/kanidm/data
+ state: directory
+ owner: root
+ group: root
+ mode: 0700
+
+- name: Build kanidm config
+ ansible.builtin.template:
+ src: server.toml.j2
+ dest: /etc/docker/compose/kanidm/data/server.toml
+ owner: root
+ group: root
+ mode: 0755
+
+- name: Allow LDAPS from rfc1918 networks
+ loop: "{{ rfc1918_networks }}"
+ community.general.ufw:
+ rule: allow
+ proto: tcp
+ port: '3636'
+ from: "{{ item }}"
+
+- name: Enable kanidm
+ ansible.builtin.systemd_service:
+ state: restarted
+ enabled: true
+ name: docker-compose@kanidm
diff --git a/playbooks/roles/kanidm/templates/docker-compose.yml.j2 b/playbooks/roles/kanidm/templates/docker-compose.yml.j2
new file mode 100644
index 0000000..b269865
--- /dev/null
+++ b/playbooks/roles/kanidm/templates/docker-compose.yml.j2
@@ -0,0 +1,13 @@
+
+version: '3'
+
+services:
+ kanidm:
+ image: kanidm/server:1.1.0-rc.16
+ restart: always
+ volumes:
+ - ./data:/data
+ - /etc/letsencrypt:/certs:ro
+ ports:
+ - 127.0.0.1:8443:8443
+ - {{ kanidm_bind_address }}:3636:3636
diff --git a/playbooks/roles/kanidm/templates/server.toml.j2 b/playbooks/roles/kanidm/templates/server.toml.j2
new file mode 100644
index 0000000..ac470cc
--- /dev/null
+++ b/playbooks/roles/kanidm/templates/server.toml.j2
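Review bot: The `community.general.ufw` rule for port 3636 probably does not govern traffic to the container's published port, because Docker installs its own iptables rules (the DOCKER and nat chains) that are evaluated before ufw's chains unless the host filters in DOCKER-USER or runs the daemon with `iptables: false`, neither of which this diff shows. The `{{ kanidm_bind_address }}` binding in the compose template is therefore the control that actually limits LDAPS exposure, and the rfc1918 restriction should either be expressed as a DOCKER-USER rule or be documented in the task as a defence-in-depth assumption rather than the primary gate. In the last task `state: restarted` bounces kanidm on every play, including runs where neither template changed; `state: started` with a handler notified by the two template tasks keeps the role idempotent. The octal modes should be quoted (`mode: "0700"`) to avoid the YAML octal/decimal ambiguity Ansible warns about, and the rendered `server.toml` needs no execute bits, so `mode: "0600"` is the better fit for a file that names the TLS key location.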
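Review bot: The `/etc/letsencrypt:/certs:ro` volume hands the container read access to the private keys of every certificate on the host, while `server.toml` only reads `/certs/live/{{ kanidm_domain }}/`; mounting just `live/{{ kanidm_domain }}` and `archive/{{ kanidm_domain }}` at the same relative paths (the `live` entries are symlinks into `archive`) limits the container to the one key it needs. If the server loads the chain only at startup — I cannot tell from this page whether the image reloads certificates on its own — a certbot deploy hook that restarts `docker-compose@kanidm` is also needed for renewals to take effect. The port entries should be quoted strings, as Compose recommends for `host:container` mappings and so the templated line does not begin with a Jinja brace that a YAML linter reads as a flow mapping. `version: '3'` is ignored by current Compose and can be dropped.

```yaml
    volumes:
      - ./data:/data
      - /etc/letsencrypt/live/{{ kanidm_domain }}:/certs/live/{{ kanidm_domain }}:ro
      - /etc/letsencrypt/archive/{{ kanidm_domain }}:/certs/archive/{{ kanidm_domain }}:ro
    ports:
      - "127.0.0.1:8443:8443"
      - "{{ kanidm_bind_address }}:3636:3636"
```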
@@ -0,0 +1,10 @@
+bindaddress = "[::]:8443"
+ldapbindaddress = "[::]:3636"
+trust_x_forward_for = true
+db_path = "/data/kanidm.db"
+tls_chain = "/certs/live/{{ kanidm_domain }}/fullchain.pem"
+tls_key = "/certs/live/{{ kanidm_domain }}/privkey.pem"
+log_level = "info"
+
+domain = "{{ kanidm_domain }}"
+origin = "https://{{ kanidm_domain }}" |
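Review bot: `trust_x_forward_for = true` together with `bindaddress = "[::]:8443"` means any peer that can reach the container on 8443 can present a forged client address; the compose file publishes 8443 only on 127.0.0.1, but other containers on the same Docker bridge network can reach the container IP directly and bypass that host-port restriction. If the intended topology is a reverse proxy on the host, record it next to the setting, e.g. `# X-Forwarded-For is trusted: 8443 must be reachable only from the local reverse proxy`, and consider giving the service its own Docker network so the proxy is its only peer. The same caveat applies to the `[::]:3636` LDAPS bind, whose host exposure is otherwise limited by `kanidm_bind_address` rather than by anything in this file.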