authorChristian Pointner <equinox@spreadspace.org>2024-02-01 00:03:13 +0100
committerChristian Pointner <equinox@spreadspace.org>2024-02-01 00:03:13 +0100
commitb168f3f3e267f17b6a435cec5c145e4a67caca12 (patch)
treeae451577e26971b595e71cecbbcf28235ce3f306 /roles/apps/whawty
parentapps/whawty: switch to new 0.3 release candidate (diff)
apps/whawty/auth: add ldap listener
Diffstat (limited to 'roles/apps/whawty')
-rw-r--r--roles/apps/whawty/auth/defaults/main.yml6
-rw-r--r--roles/apps/whawty/auth/instance/tasks/main.yml23
-rw-r--r--roles/apps/whawty/auth/instance/templates/listener.yml.j216
-rw-r--r--roles/apps/whawty/auth/instance/templates/pod-spec.yml.j24
4 files changed, 49 insertions, 0 deletions
diff --git a/roles/apps/whawty/auth/defaults/main.yml b/roles/apps/whawty/auth/defaults/main.yml
index 8f203802..538ffbde 100644
--- a/roles/apps/whawty/auth/defaults/main.yml
+++ b/roles/apps/whawty/auth/defaults/main.yml
@@ -12,6 +12,12 @@
# memory: 65536
# threads: 4
# length: 32
+# ldap:
+# port: 3636
+# hostnames:
+# - ldap.example.com
+# tls:
+# certificate_provider: ...
# sync:
# port: 3022
# authorized_keys:
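Review bot: The commented example under `ldap.tls` only lists `certificate_provider`, but the new task in instance/tasks/main.yml also reads `ldap.tls.certificate_config` and `ldap.hostnames`, so a user copying this example will hit an undefined-variable error on the first run. I would extend the example to `# tls:` / `#   certificate_provider: ...` / `#   certificate_config: ...` and mark `hostnames` as required whenever `tls` is set. It would also help to say that `tls` is optional and that leaving it out produces a plain `ldap:` listener rather than `ldaps:` (listener.yml.j2 in this commit branches on exactly that key), e.g. `# tls:  # optional; without it the listener speaks unencrypted LDAP`.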
diff --git a/roles/apps/whawty/auth/instance/tasks/main.yml b/roles/apps/whawty/auth/instance/tasks/main.yml
index 8bada57c..2c3fc175 100644
--- a/roles/apps/whawty/auth/instance/tasks/main.yml
+++ b/roles/apps/whawty/auth/instance/tasks/main.yml
@@ -62,6 +62,29 @@
include_role:
name: "x509/{{ whawty_auth_instances[whawty_auth_instance].publish.zone.certificate_provider }}/cert"
+- name: generate/install TLS certificates for ldap
+ when:
+ - "'ldap' in whawty_auth_instances[whawty_auth_instance]"
+ - "'tls' in whawty_auth_instances[whawty_auth_instance].ldap"
+ vars:
+ x509_certificate_name: "whawty-auth-{{ whawty_auth_instance }}_ldap"
+ x509_certificate_hostnames: "{{ whawty_auth_instances[whawty_auth_instance].ldap.hostnames }}"
+ x509_certificate_config: "{{ whawty_auth_instances[whawty_auth_instance].ldap.tls.certificate_config }}"
+ x509_certificate_renewal:
+ install:
+ - dest: "{{ whawty_auth_instance_basepath }}/tls/ldap-crt.pem"
+ src:
+ - fullchain
+ owner: app
+ mode: "0444"
+ - dest: "{{ whawty_auth_instance_basepath }}/tls/ldap-key.pem"
+ src:
+ - key
+ owner: app
+ mode: "0400"
+ include_role:
+ name: "x509/{{ whawty_auth_instances[whawty_auth_instance].ldap.tls.certificate_provider }}/cert"
+
- name: generate app listener config
template:
src: listener.yml.j2
diff --git a/roles/apps/whawty/auth/instance/templates/listener.yml.j2 b/roles/apps/whawty/auth/instance/templates/listener.yml.j2
index a69bdc58..12a83905 100644
--- a/roles/apps/whawty/auth/instance/templates/listener.yml.j2
+++ b/roles/apps/whawty/auth/instance/templates/listener.yml.j2
@@ -6,3 +6,19 @@ https:
certificate-key: /tls/publish-key.pem
min-protocol-version: "TLSv1.3"
prefer-server-ciphers: true
+{% if 'ldap' in whawty_auth_instances[whawty_auth_instance] %}
+{% if 'tls' in whawty_auth_instances[whawty_auth_instance].ldap %}
+ldaps:
+{% else %}
+ldap:
+{% endif %}
+ listen:
+ - ":{{ whawty_auth_instances[whawty_auth_instance].ldap.port }}"
+{% if 'tls' in whawty_auth_instances[whawty_auth_instance].ldap %}
+ tls:
+ certificate: /tls/ldap-crt.pem
+ certificate-key: /tls/ldap-key.pem
+ min-protocol-version: "TLSv1.3"
+ prefer-server-ciphers: true
+{% endif %}
+{% endif %}
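Review bot: Omitting `tls` silently turns the new block into a cleartext `ldap:` listener, and pod-spec.yml.j2 in the same commit publishes that port as a hostPort, so LDAP simple-bind credentials would cross the wire unprotected unless an external wrapper handles TLS (not visible here). If plaintext is meant only for a local proxy or test setup, it is worth saying so in the defaults example, or making it an explicit opt-in rather than the default when `tls` is absent. Separately, `'tls' in whawty_auth_instances[whawty_auth_instance].ldap` is evaluated twice in this block; a single `{% set ldap_tls = 'tls' in whawty_auth_instances[whawty_auth_instance].ldap %}` at the top of the `{% if 'ldap' ... %}` branch would keep the two conditions from drifting apart.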
diff --git a/roles/apps/whawty/auth/instance/templates/pod-spec.yml.j2 b/roles/apps/whawty/auth/instance/templates/pod-spec.yml.j2
index 01a956cc..4b75a346 100644
--- a/roles/apps/whawty/auth/instance/templates/pod-spec.yml.j2
+++ b/roles/apps/whawty/auth/instance/templates/pod-spec.yml.j2
@@ -27,6 +27,10 @@ containers:
{% if whawty_auth_instances[whawty_auth_instance].publish.zone.publisher == inventory_hostname %}
hostIP: "127.0.0.1"
{% endif %}
+{% if 'ldap' in whawty_auth_instances[whawty_auth_instance] %}
+ - containerPort: {{ whawty_auth_instances[whawty_auth_instance].ldap.port }}
+ hostPort: {{ whawty_auth_instances[whawty_auth_instance].ldap.port }}
+{% endif %}
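Review bot: The new `hostPort` for the ldap port has no `hostIP` counterpart, whereas the https port a few lines above is bound to `127.0.0.1` when the publisher is the local host, so the LDAP(S) port is presumably exposed on every host interface regardless of whether a local proxy fronts it. If that is intended, a one-line comment stating it (and that host firewalling is expected to restrict it) would help the next reader; otherwise consider an optional `ldap.bind_ip` mirrored into `hostIP: "{{ ... }}"` like the https case. The enclosing `containers:` list continues outside the hunk.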
{% if 'sync' in whawty_auth_instances[whawty_auth_instance] %}
- name: sync
image: "ghcr.io/whawty/auth/sync:v{{ whawty_auth_instances[whawty_auth_instance].version }}"