finallycoffee/base
5
0
Fork 1
Code Issues 1 Pull Requests 4 Packages Projects Releases Wiki Activity

Compare commits

base: finallycoffee:main
Branches Tags
finallycoffee:main finallycoffee:transcaffeine/openldap finallycoffee:lego/set-e-fix finallycoffee:transcaffeine/openssh finallycoffee:transcaffeine/hostname finallycoffee:transcaffeine/docker-redhat finallycoffee:transcaffeine/docker finallycoffee:transcaffeine/user finallycoffee:transcaffeine/restic-systemd-template-units finallycoffee:transcaffeine/base-use-find finallycoffee:transcaffeine/redis finallycoffee:transcaffeine/nscd-nslcd finallycoffee:transcaffeine/debian-proxmox
finallycoffee:0.3.0 finallycoffee:0.2.1 finallycoffee:0.2.0 finallycoffee:0.1.2 finallycoffee:0.1.1 finallycoffee:0.1.0 finallycoffee:0.0.2
..
compare: finallycoffee:transcaffeine/docker-redhat
Branches Tags
finallycoffee:main finallycoffee:transcaffeine/openldap finallycoffee:lego/set-e-fix finallycoffee:transcaffeine/openssh finallycoffee:transcaffeine/hostname finallycoffee:transcaffeine/docker-redhat finallycoffee:transcaffeine/docker finallycoffee:transcaffeine/user finallycoffee:transcaffeine/restic-systemd-template-units finallycoffee:transcaffeine/base-use-find finallycoffee:transcaffeine/redis finallycoffee:transcaffeine/nscd-nslcd finallycoffee:transcaffeine/debian-proxmox
finallycoffee:0.3.0 finallycoffee:0.2.1 finallycoffee:0.2.0 finallycoffee:0.1.2 finallycoffee:0.1.1 finallycoffee:0.1.0 finallycoffee:0.0.2

1 Commits
main ... transcaffe

Author SHA1 Message Date
transcaffeine
7c22a94d18 WIP: feat(docker): add support for redhat targets 2025-04-21 18:24:17 +02:00
40 changed files with 62 additions and 810 deletions
Expand all files Collapse all files

13
galaxy.yml
View File

@ -1,28 +1,21 @@
namespace: finallycoffee namespace: finallycoffee
name: base name: base
version: 0.3.0 version: 0.2.1
readme: README.md readme: README.md
authors: authors:
- transcaffeine <transcaffeine@finally.coffee> - transcaffeine <transcaffeine@finally.coffee>
description: >-2 description: Roles for base services which are common dependencies other services like databases
Roles for base services which are core functionality like managing packages
and ssh or common dependencies other services like databases
dependencies: dependencies:
"community.docker": "^4.2.0" "community.docker": "^4.2.0"
"community.general": "^10.0.0"
license_file: LICENSE.md license_file: LICENSE.md
build_ignore: build_ignore:
- '*.tar.gz' - '*.tar.gz'
repository: https://git.finally.coffee/finallycoffee/base repository: https://git.finally.coffee/finallycoffee/base
issues: https://codeberg.org/finallycoffee/ansible-collection-base/issues issues: https://codeberg.org/finallycoffee/ansible-collection-base/issues
tags: tags:
- bootstrap
- ssh
- mosh
- docker - docker
- lego - lego
- minio - minio
- nginx - nginx
- restic - restic
- user_management - docker
- openldap

16
playbooks/docker_registry.yml
View File

@ -1,16 +0,0 @@
---
- name: Manage docker registry credentials
hosts: "{{ docker_hosts | default('docker', true) }}"
become: "{{ docker_become | default(false) }}"
gather_facts: "{{ docker_registry_gather_facts | default(true) }}"
tasks:
- name: Manage docker registry credentials
community.docker.docker_login:
registry_url: "{{ docker_registry.registry }}"
username: "{{ docker_registry.username | default(omit) }}"
password: "{{ docker_registry.password | default(omit) }}"
state: "{{ docker_registry.state | default('present') }}"
loop: "{{ docker_registries | default([], true) }}"
loop_control:
loop_var: "docker_registry"
label: "{{ docker_registry.username}}@{{ docker_registry.registry }}"

109
playbooks/ldap.yml
View File

@ -1,109 +0,0 @@
---
- name: Configure LDAP directory information tree
hosts: "{{ ldap_hosts | default('ldap') }}"
become: "{{ ldap_become | default(false) }}"
gather_facts: "{{ ldap_gather_facts | default(false) }}"
vars:
_state: "{{ ldap_state | default('present') }}"
_ldap_bind_info: &ldap_bind_info
server_uri: "{{ ldap_server_uri }}"
bind_dn: "{{ ldap_bind_dn }}"
bind_pw: "{{ ldap_bind_pw }}"
roles:
# Ensure all defaults from openldap role are in scope
- role: finallycoffee.base.openldap
when: false
tasks:
- name: Ensure org units in '{{ ldap_base_dn }}' are {{ _state }}
community.general.ldap_entry:
<<: *ldap_bind_info
dn: "ou={{ org_unit }},{{ ldap_base_dn }}"
objectClass: "organizationalUnit"
state: "{{ _state }}"
loop: "{{ ldap_org_units | default([], true) }}"
loop_control:
loop_var: org_unit
- name: Ensure admin user is {{ _state }}
community.general.ldap_entry:
<<: *ldap_bind_info
dn: "uid={{ ldap_admin_user_rdn }},{{ ldap_admin_user_base }}"
objectClass: "{{ ldap_admin_user_object_classes }}"
attributes: "{{ ldap_admin_user_attributes }}"
state: "{{ _state }}"
vars:
ldap_admin_user_base: >-2
{{ ldap_admin_user_base_dn | default(ldap_base_dn, true) }}
when: ldap_admin_user_rdn is defined
- name: Ensure admin user attributes are correct
community.general.ldap_attrs:
<<: *ldap_bind_info
dn: "uid={{ ldap_admin_user_rdn }},{{ ldap_admin_user_base }}"
attributes: "{{ ldap_admin_user_attributes }}"
state: "{{ _state }}"
vars:
ldap_admin_user_base: >-2
{{ ldap_admin_user_base_dn | default(ldap_base_dn, true) }}
when:
- ldap_admin_user_rdn is defined
- _state == 'present'
- name: Ensure ldap groups are {{ _state }}
community.general.ldap_entry:
<<: *ldap_bind_info
dn: "{{ _ldap_group_dn }}"
objectClass: "{{ _ldap_group_object_classes }}"
attributes: "{{ _ldap_group_attributes }}"
state: "{{ _state }}"
vars:
_ldap_group_dn: >-2
cn={{ _ldap_group.name }},{{ ldap_group_base_dn }}
_ldap_group_object_classes:
- "groupOfNames"
_ldap_group_attributes:
cn: "{{ _ldap_group.name }}"
member: >-2
{{ _ldap_group.members | default([]) }}
loop: "{{ ldap_groups | default([], true) }}"
loop_control:
loop_var: _ldap_group
label: "{{ _ldap_group.name }}"
when:
- ldap_groups is defined
- ldap_group_base_dn is defined
- name: Ensure service accounts are {{ _state }}
community.general.ldap_entry:
<<: *ldap_bind_info
dn: "{{ _ldap_service_account_dn }}"
objectClass: "{{ _ldap_service_account_object_classes }}"
attributes: "{{ _ldap_service_account_attributes }}"
state: "{{ _state }}"
loop: &ldap_service_account_loop "{{ ldap_service_accounts | default([]) }}"
loop_control: &ldap_service_account_loop_control
loop_var: "_ldap_service_account"
label: "{{ _ldap_service_account.name }}"
vars: &ldap_service_account_vars
_ldap_service_account_dn: >-2
uid={{ _ldap_service_account.name }},{{ ldap_service_account_base_dn }}
_ldap_service_account_object_classes:
- "account"
- "simpleSecurityObject"
_ldap_service_account_attributes:
uid: "{{ _ldap_service_account.name }}"
userPassword: "{{ _ldap_service_account.password }}"
when: &ldap_service_account_when
- ldap_service_accounts is defined
- ldap_service_account_base_dn is defined
- name: Ensure service accounts attributes are correct
community.general.ldap_attrs:
<<: *ldap_bind_info
dn: "{{ _ldap_service_account_dn }}"
attributes: "{{ _ldap_service_account_attributes }}"
state: exact
loop: *ldap_service_account_loop
loop_control: *ldap_service_account_loop_control
vars: *ldap_service_account_vars
when: *ldap_service_account_when

6
playbooks/mosh.yml
View File

@ -1,6 +0,0 @@
---
- name: Manage and configure mosh
hosts: "{{ mosh_hosts | default('mosh', true) }}"
become: "{{ mosh_become | default(true) }}"
roles:
- role: finallycoffee.base.mosh

7
playbooks/openldap.yml
View File

@ -1,7 +0,0 @@
---
- name: Deploy and configure openLDAP
hosts: "{{ openldap_hosts | default('openldap', true) }}"
become: "{{ openldap_become | default(true) }}"
gather_facts: "{{ openldap_playbook_gather_facts | default(false) }}"
roles:
- role: finallycoffee.base.openldap

7
playbooks/openssh.yml
View File

@ -1,7 +0,0 @@
---
- name: Ensure openssh is installed and configured
hosts: "{{ openssh_target | default('openssh') }}"
become: "{{ openssh_become | default(true) }}"
gather_facts: "{{ openssh_gather_facts | default(true) }}"
roles:
- role: finallycoffee.base.openssh

34
roles/docker/defaults/main/rhel.yml Normal file
View File

@ -0,0 +1,34 @@
---
docker_rhel_repo_name: "docker-ce-stable"
docker_rhel_repo_description: "Docker CE Stable - $basearch"
docker_rhel_repo_url: "https://download.docker.com/linux/rhel/$releasever/$basearch/stable"
docker_rhel_repo_validate_certs: true
docker_rhel_repo_gpg_check: true
docker_rhel_repo_gpg_key: "https://download.docker.com/linux/rhel/gpg"
docker_rhel_cli_package: "docker-ce-cli"
docker_rhel_plugin_buildx_package: "docker-buildx-plugin"
docker_rhel_plugin_compose_package: "docker-compose-plugin"
docker_rhel_base_packages:
- "docker-ce"
- "docker-ce-cli"
- "containerd.io"
docker_rhel_packages: >-2
{{
docker_fedora_base_packages
+ (docker_plugin_buildx_enable | default(false)
| ternary([ docker_rhel_plugin_buildx_package ], []))
+ (docker_plugin_compose_enable | default(false)
| ternary([ docker_rhel_plugin_compose_package ], []))
}}
docker_rhel_legacy_packages:
- "docker"
- "docker-client"
- "docker-client-latest"
- "docker-common"
- "docker-latest"
- "docker-latest-logrotate"
- "docker-logrotate"
- "docker-engine"
- "podman"
- "runc"

21
roles/docker/tasks/install-redhat.yml Normal file
View File

@ -0,0 +1,21 @@
---
- name: Ensure legacy docker packages are removed
ansible.builtin.dnf:
name: "{{ docker_rhel_legacy_packages }}"
state: absent
when: docker_remove_legacy_packages
- name: Add dnf repository for docker
ansible.builtin.yum_repository:
name: "{{ docker_rhel_repo_name }}"
description: "{{ docker_rhel_repo_description }}"
baseurl: "{{ docker_rhel_repo_url }}"
validate_certs: "{{ docker_rhel_repo_validate_certs }}"
gpgkey: "{{ docker_rhel_repo_gpg_key }}"
gpgcheck: "{{ docker_rhel_repo_gpg_check }}"
state: "{{ docker_state }}"
- name: Install dnf packages for docker
ansible.builtin.dnf:
name: "{{ docker_rhel_packages }}"
state: "{{ docker_state }}"

2
roles/docker/vars/main.yml
View File

@ -2,3 +2,5 @@
docker_supported_oses: docker_supported_oses:
- 'debian' - 'debian'
- 'fedora' - 'fedora'
docker_supported_os_families:
- 'rhel'

13
roles/lego/tasks/main.yml
View File

@ -107,7 +107,6 @@
{{ entry.key }}={{ entry.value }} {{ entry.key }}={{ entry.value }}
{% endfor %} {% endfor %}
dest: "{{ lego_base_path }}/{{ lego_instance }}.conf" dest: "{{ lego_base_path }}/{{ lego_instance }}.conf"
register: lego_env_file_info
- name: Ensure timer unit is templated - name: Ensure timer unit is templated
ansible.builtin.template: ansible.builtin.template:
@ -121,7 +120,6 @@
src: "lego_run.sh" src: "lego_run.sh"
dest: "{{ lego_base_path }}/run.sh" dest: "{{ lego_base_path }}/run.sh"
mode: "0755" mode: "0755"
register: lego_handler_script_info
- name: Ensure per-instance base path is created - name: Ensure per-instance base path is created
ansible.builtin.file: ansible.builtin.file:
@ -161,18 +159,7 @@
name: "{{ lego_systemd_timer_name }}" name: "{{ lego_systemd_timer_name }}"
state: "started" state: "started"
- name: Check if certificates are present
ansible.builtin.find:
path: "{{ lego_instance_path }}/certificates"
recurse: false
file_type: "file"
register: lego_certificate_info
- name: Ensure systemd service is started once to obtain the certificate - name: Ensure systemd service is started once to obtain the certificate
ansible.builtin.systemd_service: ansible.builtin.systemd_service:
name: "{{ lego_systemd_service_name }}" name: "{{ lego_systemd_service_name }}"
state: "started" state: "started"
when: >-2
lego_handler_script_info.changed
or lego_env_file_info.changed
or lego_certificate_info.files | default([]) | length == 0

2
roles/minio/defaults/main/container.yml
View File

@ -1,7 +1,7 @@
--- ---
minio_container_name: minio minio_container_name: minio
minio_container_image_name: "docker.io/minio/minio" minio_container_image_name: "docker.io/minio/minio"
minio_container_image_tag: "RELEASE.2025-04-22T22-12-26Z" minio_container_image_tag: "RELEASE.2025-04-08T15-41-24Z"
minio_container_image: "{{ minio_container_image_name }}:{{ minio_container_image_tag }}" minio_container_image: "{{ minio_container_image_name }}:{{ minio_container_image_tag }}"
minio_container_networks: [] minio_container_networks: []
minio_container_ports: [] minio_container_ports: []

4
roles/mosh/README.md
View File

@ -1,4 +0,0 @@
# `finallycoffee.base.mosh`
Installs [`mosh`](https://mosh.org/#), a remote 'mobile shell' which supports
roaming and re-uses SSH for the authentication layer.

2
roles/mosh/defaults/main/main.yml
View File

@ -1,2 +0,0 @@
---
mosh_state: present

15
roles/mosh/defaults/main/packages.yml
View File

@ -1,15 +0,0 @@
---
mosh_debian_packages:
- "mosh"
- "openssh-server"
mosh_fedora_packages:
- "mosh"
- "openssh-server"
mosh_archlinux_packages:
- "mosh"
- "openssh"
mosh_packages:
debian: "{{ mosh_debian_packages }}"
fedora: "{{ mosh_fedora_packages }}"
archlinux: "{{ mosh_archlinux_packages }}"

30
roles/mosh/tasks/install.yml
View File

@ -1,30 +0,0 @@
---
- name: Ensure mosh is {{ mosh_state }} (dnf)
ansible.builtin.dnf:
name: "{{ mosh_packages[_key] }}"
state: "{{ mosh_state }}"
when:
- ansible_facts['pkg_mgr'] in ['dnf', 'dnf5']
- _key in mosh_packages.keys()
vars:
_key: "{{ ansible_distribution | lower }}"
- name: Ensure mosh is {{ mosh_state }} (apt)
ansible.builtin.apt:
package: "{{ mosh_packages[_key] }}"
state: "{{ mosh_state }}"
when:
- ansible_facts['pkg_mgr'] in ['apt']
- _key in mosh_packages.keys()
vars:
_key: "{{ ansible_distribution | lower }}"
- name: Ensure mosh is {{ mosh_state }} (pacman)
community.general.pacman:
name: "{{ mosh_packages[_key] }}"
state: "{{ mosh_state }}"
when:
- ansible_facts['pkg_mgr'] in ['pacman']
- _key in mosh_packages.keys()
vars:
_key: "{{ ansible_distribution | lower }}"

11
roles/mosh/tasks/main.yml
View File

@ -1,11 +0,0 @@
---
- name: Ensure 'mosh_state' is valid
ansible.builtin.fail:
msg: >-2
Invalid state '{{ mosh_state }}' for 'mosh_state'!
Allowed states are {{ mosh_states | join(', ') }}.
when: mosh_state not in mosh_states
- name: Ensure mosh is {{ mosh_state }}
ansible.builtin.include_tasks:
file: "install.yml"

4
roles/mosh/vars/main.yml
View File

@ -1,4 +0,0 @@
---
mosh_states:
- "present"
- "absent"

2
roles/nginx/defaults/main.yml
View File

@ -1,5 +1,5 @@
--- ---
nginx_version: "1.28.0" nginx_version: "1.27.5"
nginx_flavour: alpine nginx_flavour: alpine
nginx_base_path: /opt/nginx nginx_base_path: /opt/nginx
nginx_config_file: "{{ nginx_base_path }}/nginx.conf" nginx_config_file: "{{ nginx_base_path }}/nginx.conf"

3
roles/openldap/README.md
View File

@ -1,3 +0,0 @@
# `finallycoffee.base.openldap` ansible role
Deploy and configure [OpenLDAP](https://www.openldap.org/).

61
roles/openldap/defaults/main/container.yml
View File

@ -1,61 +0,0 @@
---
openldap_container_name: "openldap"
openldap_container_image_registry: docker.finally.coffee
openldap_container_image_namespace: containers
openldap_container_image_name: "openldap"
openldap_container_image_tag: ~
openldap_container_image_source: "pull"
openldap_container_image_force_source: >-2
{{ openldap_container_image_tag | default(false, true) }}
openldap_container_image_repository: >-2
{{
[
openldap_container_image_registry | default([], true),
openldap_container_image_namespace | default([], true),
openldap_container_image_name
] | flatten | join('/')
}}
openldap_container_image: >-2
{{
[
openldap_container_image_repository,
openldap_container_image_tag
| default(openldap_alpine_package_version, true),
] | join(':')
}}
openldap_container_env: ~
openldap_container_user: ~
openldap_container_ports: ~
openldap_container_labels: ~
openldap_container_volumes: ~
openldap_container_networks: ~
openldap_container_network_mode: ~
openldap_container_dns_servers: ~
openldap_container_etc_hosts: ~
openldap_container_ulimits:
- "nofile:{{ openldap_fd_soft_limit }}:{{ openldap_fd_hard_limit }}"
openldap_container_memory: "256M"
openldap_container_memory_swap: ~
openldap_container_memory_reservation: "128M"
openldap_container_restart_policy: "on-failure"
openldap_container_state: >-2
{{ (openldap_state == 'present') | ternary('started', 'absent') }}
openldap_container_data_path: "{{ openldap_data_path }}"
openldap_container_config_path: "{{ openldap_config_path }}"
openldap_container_socket_path: "{{ openldap_socket_path }}"
openldap_container_base_volumes:
- "{{ openldap_config_path }}:{{ openldap_container_config_path }}:Z"
- "{{ openldap_data_path }}:{{ openldap_container_data_path }}:rw"
- "{{ openldap_socket_path }}:{{ openldap_container_socket_path }}:rw"
openldap_container_all_volumes: >-2
{{ openldap_container_base_volumes | default([], true)
+ openldap_container_volumes | default([], true) }}
openldap_init_container_volumes:
- "{{ [openldap_slapd_path, openldap_slapd_path, 'ro'] | join(':') }}"
openldap_container_healthcheck:
test: >-2
[[ $(netstat -plnte | grep slapd | wc -l) -ge 1 ]]
&& [[ $(ps aux | grep slapd | wc -l) -ge 1 ]]
|| exit 1

24
roles/openldap/defaults/main/main.yml
View File

@ -1,24 +0,0 @@
---
openldap_version: "2.6.8"
openldap_alpine_revision: "0"
openldap_alpine_package_version: >-2
v{{ openldap_version }}-r{{ openldap_alpine_revision | string }}
openldap_domain: ~
openldap_organization: ~
openldap_config_path: "/etc/openldap/"
openldap_olc_path: "{{ openldap_config_path }}/{0}config"
openldap_slapd_path: "{{ openldap_config_path }}/slapd.ldif"
openldap_schema_path: "{{ openldap_config_path }}/schema"
openldap_data_path: "/var/lib/openldap"
openldap_socket_path: "/run/openldap"
openldap_socket: "{{ openldap_socket_path }}/slapd.sock"
openldap_socket_url: >-2
ldapi://{{ openldap_socket | urlencode | replace('/', '%2F') }}
openldap_state: "present"
openldap_deployment_method: "docker"
openldap_slapadd_init_command: >-2
slapadd -v -F {{ openldap_olc_path }} -n 0 -l {{ openldap_slapd_path }}

65
roles/openldap/defaults/main/openldap.yml
View File

@ -1,65 +0,0 @@
---
openldap_dn: >-2
dc={{ openldap_domain | regex_replace('\.', ',dc=') }}
openldap_root_username: "admin"
openldap_root_pw: ~
openldap_root_node_object_classes:
- "top"
- "dcObject"
- "organization"
openldap_root_node_dc: "{{ openldap_domain | regex_replace('\\..+', '') }}"
openldap_root_node_o: "{{ openldap_organization | default('not set!', true) }}"
openldap_fd_soft_limit: "8192"
openldap_fd_hard_limit: "8192"
openldap_module_path: "/usr/lib/openldap"
openldap_modules:
- "mdb"
- "hdb"
openldap_core_schema_path: "{{ openldap_schema_path }}/core.ldif"
openldap_enabled_schemas:
- name: "cosine"
- name: "inetorgperson"
openldap_additional_schemas: []
openldap_schemas: >-2
{{ openldap_enabled_schemas + openldap_additional_schemas }}
openldap_config_dn: "cn=config"
openldap_config_db_dn: "olcDatabase={0}config,cn=config"
openldap_config_db_olc_access:
- '{0} to *
by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
by * none'
openldap_config_attributes: {}
openldap_config_db_attributes:
olcAccess: "{{ openldap_config_db_olc_access }}"
openldap_default_indices:
- "objectClass eq"
openldap_indices: []
openldap_default_database_name: "mdb"
openldap_default_database_object_class: "olcMdbConfig"
openldap_default_database_suffix: "{{ openldap_dn }}"
openldap_default_database_root_dn: >-2
cn={{ openldap_root_username }},{{ openldap_default_database_suffix }}
openldap_default_database_root_pw: "{{ openldap_root_pw }}"
openldap_default_database_directory: >-2
{{ openldap_data_path }}/{{ openldap_default_database_name }}
openldap_default_database_indices: >-2
{{ openldap_default_indices + openldap_indices }}
openldap_default_database_config: >-2
olcDatabase={1}{{ openldap_default_database_name }},{{ openldap_config_dn }}
openldap_default_database:
name: "{{ openldap_default_database_name }}"
object_class: "{{ openldap_default_database_object_class }}"
suffix: "{{ openldap_default_database_suffix }}"
root_dn: "{{ openldap_default_database_root_dn }}"
root_pw: "{{ openldap_default_database_root_pw }}"
directory: "{{ openldap_default_database_directory }}"
indices: "{{ openldap_default_database_indices }}"
openldap_default_database_olc_access: "{{ openldap_config_db_olc_access }}"
openldap_databases:
- "{{ openldap_default_database }}"

80
roles/openldap/tasks/configure.yml
View File

@ -1,80 +0,0 @@
---
- name: Ensure config attributes are configured
community.general.ldap_attrs:
dn: "{{ openldap_config_dn }}"
attributes: "{{ { entry.key : entry.value } }}"
state: exact
server_uri: "{{ openldap_socket_url }}"
loop: "{{ openldap_config_attributes | dict2items }}"
loop_control:
loop_var: "entry"
label: "{{ entry.key }}"
- name: Ensure config db attributes are configured
community.general.ldap_attrs:
dn: "{{ openldap_config_db_dn }}"
attributes: "{{ { entry.key : entry.value } }}"
state: exact
server_uri: "{{ openldap_socket_url }}"
loop: "{{ openldap_config_db_attributes | dict2items }}"
loop_control:
loop_var: "entry"
label: "{{ entry.key }}"
- name: Ensure ACLs for default database are configured
community.general.ldap_attrs:
dn: "{{ openldap_default_database_config }}"
attributes:
olcAccess: "{{ openldap_default_database_olc_access }}"
state: "exact"
server_uri: "{{ openldap_socket_url }}"
retries: 3
delay: 3
register: openldap_acl_result
until: openldap_acl_result is succeeded
- name: Ensure LDAP DIT is configured
when:
- openldap_default_database_root_dn is defined
- openldap_default_database_root_pw is defined
vars:
_meta: &openldap_bind_info
bind_dn: "{{ openldap_default_database_root_dn }}"
bind_pw: "{{ openldap_default_database_root_pw }}"
server_uri: "{{ openldap_socket_url }}"
block:
- name: Ensure rootDN + credentials are correct
community.general.ldap_attrs:
dn: "{{ openldap_default_database_config }}"
attributes: "{{ {entry.key: entry.value} }}"
state: "exact"
server_uri: "{{ openldap_socket_url }}"
no_log: "{{ entry.log is defined and not entry.log }}"
loop:
- key: "olcRootDN"
value: "{{ openldap_default_database_root_dn }}"
- key: "olcRootPW"
value: "{{ openldap_default_database_root_pw }}"
log: false
loop_control:
loop_var: "entry"
label: "{{ entry.key }}"
- name: Ensure root node is {{ openldap_state }}
community.general.ldap_entry:
dn: "{{ openldap_dn }}"
objectClass: "{{ openldap_root_node_object_classes }}"
attributes:
dc: "{{ openldap_root_node_dc }}"
o: "{{ openldap_root_node_o }}"
<<: *openldap_bind_info
- name: Ensure root node attributes are up to date
community.general.ldap_attrs:
dn: "{{ openldap_dn }}"
attributes:
dc: "{{ openldap_root_node_dc }}"
o: "{{ openldap_root_node_o }}"
state: exact
<<: *openldap_bind_info
when: openldap_state == 'present'

25
roles/openldap/tasks/deploy-docker.yml
View File

@ -1,25 +0,0 @@
---
- name: Ensure container '{{ openldap_container_name }}' is {{ openldap_container_state }}
community.docker.docker_container:
name: "{{ openldap_container_name }}"
image: "{{ openldap_container_image }}"
env: "{{ openldap_container_env | default(omit, true) }}"
user: "{{ openldap_container_user | default(omit, true) }}"
ports: "{{ openldap_container_ports | default(omit, true) }}"
labels: "{{ openldap_container_labels | default(omit, true) }}"
volumes: "{{ openldap_container_all_volumes | default(omit, true) }}"
networks: "{{ openldap_container_networks | default(omit, true) }}"
network_mode: "{{ openldap_container_network_mode | default(omit, true) }}"
dns_servers: "{{ openldap_container_dns_servers | default(omit, true) }}"
etc_hosts: "{{ openldap_container_etc_hosts | default(omit, true) }}"
command: "{{ openldap_container_command | default(omit, true) }}"
ulimits: "{{ openldap_container_ulimits | default(omit, true) }}"
memory: "{{ openldap_container_memory | default(omit, true) }}"
memory_swap: "{{ openldap_container_memory_swap | default(omit, true) }}"
memory_reservation: >-2
{{ openldap_container_memory_reservation | default(omit, true) }}
restart_policy: >-2
{{ openldap_container_restart_policy | default(omit, true) }}
healthcheck: "{{ openldap_container_healthcheck | default(omit, true) }}"
state: "{{ openldap_container_state }}"

37
roles/openldap/tasks/initialize-docker.yml
View File

@ -1,37 +0,0 @@
---
- name: Ensure additional schemas are mapped to container
ansible.builtin.set_fact:
openldap_init_container_volumes: >-2
{{ openldap_init_container_volumes + [ schema_mount ] }}
vars:
schema_file: "{{ openldap_schema_path }}/{{ schema.name }}.ldif"
schema_mount: >-2
{{ schema_file }}:{{ schema_file }}:ro
loop: "{{ openldap_additional_schemas }}"
loop_control:
loop_var: "schema"
label: "{{ schema.name }}"
- name: Ensure ldap container is initialized
community.docker.docker_container:
name: "{{ openldap_container_name }}"
image: "{{ openldap_container_image }}"
env: "{{ openldap_container_env | default(omit, true) }}"
user: "{{ openldap_container_user | default(omit, true) }}"
ports: "{{ openldap_container_ports | default(omit, true) }}"
labels: "{{ openldap_container_labels | default(omit, true) }}"
volumes: "{{ openldap_container_merged_volumes | default(omit, true) }}"
networks: "{{ openldap_container_networks | default(omit, true) }}"
network_mode: "{{ openldap_container_network_mode | default(omit, true) }}"
dns_servers: "{{ openldap_container_dns_servers | default(omit, true) }}"
etc_hosts: "{{ openldap_container_etc_hosts | default(omit, true) }}"
memory: "{{ openldap_container_memory | default(omit, true) }}"
memory_swap: "{{ openldap_container_memory_swap | default(omit, true) }}"
memory_reservation: >-2
{{ openldap_container_memory_reservation | default(omit, true) }}
command: "{{ openldap_slapadd_init_command }}"
detach: false
cleanup: true
vars:
openldap_container_merged_volumes: >-2
{{ openldap_container_all_volumes + openldap_init_container_volumes }}

47
roles/openldap/tasks/initialize.yml
View File

@ -1,47 +0,0 @@
---
- name: Determine if persisted OLC config exists
ansible.builtin.stat:
path: "{{ openldap_olc_path }}/cn=config"
register: openldap_olc_stat_info
- name: Ensure openldap databases are initialized
when: not openldap_olc_stat_info.stat.exists
block:
- name: Ensure initial slapd.ldif is templated
ansible.builtin.template:
src: "slapd.ldif.j2"
dest: "{{ openldap_slapd_path }}"
mode: "0644"
- name: Ensure additional schemas to install are present
ansible.builtin.copy:
content: "{{ schema.content }}"
dest: "{{ openldap_schema_path }}/{{ schema.name }}.ldif"
mode: "0644"
loop: "{{ openldap_additional_schemas }}"
loop_control:
loop_var: "schema"
label: "{{ schema.name }}"
- name: Ensure db data directory exists
ansible.builtin.file:
path: "{{ openldap_default_database_directory }}"
state: directory
mode: "0750"
- name: Ensure container is initialized using {{ openldap_deployment_method }}
ansible.builtin.include_tasks:
file: "initialize-{{ openldap_deployment_method }}.yml"
rescue:
- name: Ensure temporary schema files are absent
ansible.builtin.file:
path: "{{ openldap_schema_path }}/{{ file.name }}.ldif"
state: absent
loop: >-2
{{ openldap_additional_schemas }}
loop_control:
loop_var: "file"
label: "{{ file.name }}"
ignore_errors: true
- name: Ensure intial slapd.ldif file is absent
ansible.builtin.file:
path: "{{ openldap_slapd_path }}"
state: absent
ignore_errors: true

26
roles/openldap/tasks/main.yml
View File

@ -1,26 +0,0 @@
---
- name: Check if 'openldap_state' is valid
ansible.builtin.fail:
msg: >-2
Invalid state '{{ openldap_state }}'!
Supported states are {{ openldap_states | join(', ') }}.
when: openldap_state not in openldap_states
- name: Check if 'openldap_deployment_method' is valid
ansible.builtin.fail:
msg: >-2
Invalid state '{{ openldap_deployment_method }}'!
Supported states are {{ openldap_deployment_methods | join(', ') }}.
when: openldap_deployment_method not in openldap_deployment_methods
- name: Ensure openldap deployment is prepared
ansible.builtin.include_tasks:
file: "prepare-{{ openldap_deployment_method }}.yml"
- name: Ensure openldap is deployed using {{ openldap_deployment_method }}
ansible.builtin.include_tasks:
file: "deploy-{{ openldap_deployment_method }}.yml"
- name: Ensure openldap is configured
ansible.builtin.include_tasks:
file: "configure.yml"

7
roles/openldap/tasks/prepare-docker.yml
View File

@ -1,7 +0,0 @@
---
- name: Ensure container image '{{ openldap_container_image }}' is {{ openldap_state }}
community.docker.docker_image:
name: "{{ openldap_container_image }}"
state: "{{ openldap_state }}"
source: "{{ openldap_container_image_source }}"
force_source: "{{ openldap_container_image_force_source }}"

64
roles/openldap/templates/slapd.ldif.j2
View File

@ -1,64 +0,0 @@
dn: cn=config
objectClass: olcGlobal
cn: config
olcPidFile: /run/openldap/slapd.pid
olcArgsFile: /run/openldap/slapd.args
# Dynamic backend modules
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulepath: {{ openldap_module_path }}
{% for mod in openldap_modules | default([]) %}
olcModuleload: back_{{ mod }}.so
{% endfor %}
# Schema config
dn: cn=schema,cn=config
objectClass: olcSchemaConfig
cn: schema
include: file://{{ openldap_core_schema_path }}
{% for schema in openldap_schemas %}
include: file://{{ openldap_schema_path }}/{{ schema.name }}.ldif
{% endfor %}
# Frontend settings
dn: olcDatabase=frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: frontend
# Config-DB settings
dn: olcDatabase=config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: config
{% for attr in openldap_config_db_attributes | dict2items %}
{% if attr is string %}
{{ attr.key }}: {{ attr.value }}
{% else %}
{% for val in attr.value %}
{{ attr.key }}: {{ val }}
{% endfor %}
{% endif %}
{% endfor %}
# database settings
{% for db in openldap_databases %}
dn: olcDatabase={{ db.name }},cn=config
objectClass: olcDatabaseConfig
objectClass: {{ db.object_class }}
olcDatabase: {{ db.name }}
olcSuffix: {{ db.suffix }}
olcRootDN: {{ db.root_dn }}
olcRootPW: {{ db.root_pw }}
olcDbDirectory: {{ db.directory }}
{% for idx in db.indices %}
olcDbIndex: {{ idx }}
{% endfor %}
{% endfor %}

6
roles/openldap/vars/main.yml
View File

@ -1,6 +0,0 @@
---
openldap_states:
- "present"
- "absent"
openldap_deployment_methods:
- "docker"

13
roles/openssh/README.md
View File

@ -1,13 +0,0 @@
# `finallycoffee.base.openssh`
Ansible role to manage and configure openssh and it's components (like `sshd`).
Currently supports `fedora` and `debian` linux distributions.
## `sshd`
To configure `sshd`, see the [`defaults/main/sshd.yml`](defaults/main/sshd.yml),
where snake\_cased config keys for `/etc/ssh/sshd_config` are available in
the `openssh_sshd_config_` namespace.
To add your own config on top, simply use key-value syntax in `openssh_sshd_config`.

3
roles/openssh/defaults/main/main.yml
View File

@ -1,3 +0,0 @@
---
openssh_state: 'present'
openssh_sshd_config_file: "/etc/ssh/sshd_config"

8
roles/openssh/defaults/main/packages.yml
View File

@ -1,8 +0,0 @@
---
openssh_packages:
fedora: "{{ openssh_fedora_packages }}"
debian: "{{ openssh_debian_packages }}"
openssh_fedora_packages:
- "openssh-server"
openssh_debian_packages:
- "openssh-server"

33
roles/openssh/defaults/main/sshd.yml
View File

@ -1,33 +0,0 @@
---
openssh_sshd_enable: true
openssh_sshd_config_pubkey_authentication: true
openssh_sshd_config_password_authentication: false
openssh_sshd_config_challenge_response_authentication: false
openssh_sshd_config_permit_root_login: false
# Limits
openssh_sshd_config_max_sessions: ~
openssh_sshd_config_max_startups: ~
# Hardening
openssh_sshd_config_protocol: 2
openssh_sshd_config_x11_forwarding: false
openssh_sshd_config_allow_agent_forwarding: false
openssh_sshd_config_allow_tcp_forwarding: false
openssh_sshd_default_config:
PubkeyAuthentication: "{{ openssh_sshd_config_pubkey_authentication }}"
PasswordAuthentication: "{{ openssh_sshd_config_password_authentication }}"
ChallengeResponseAuthentication: >-2
{{ openssh_sshd_config_challenge_response_authentication }}
PermitRootLogin: "{{ openssh_sshd_config_permit_root_login }}"
MaxSessions: "{{ openssh_sshd_config_max_sessions }}"
MaxStartups: "{{ openssh_sshd_config_max_startups }}"
Protocol: "{{ openssh_sshd_config_protocol }}"
X11Forwarding: "{{ openssh_sshd_config_x11_forwarding }}"
AllowAgentForwarding: "{{ openssh_sshd_config_allow_agent_forwarding }}"
AllowTcpForwarding: "{{ openssh_sshd_config_allow_tcp_forwarding }}"
openssh_sshd_merged_config: >-2
{{ openssh_sshd_default_config | default({}, true)
| combine(openssh_sshd_config | default({}, true)) }}

2
roles/openssh/defaults/main/systemd.yml
View File

@ -1,2 +0,0 @@
---
openssh_sshd_systemd_service_name: "sshd.service"

7
roles/openssh/handlers/main.yml
View File

@ -1,7 +0,0 @@
---
- name: Ensure sshd is reloaded
ansible.builtin.systemd_service:
name: "{{ openssh_sshd_systemd_service_name }}"
state: "reloaded"
when: ansible_facts['service_mgr'] == 'systemd'
listen: openssh_sshd_reload

28
roles/openssh/tasks/configure-sshd.yml
View File

@ -1,28 +0,0 @@
---
- name: Configure sshd
ansible.builtin.lineinfile:
path: "{{ openssh_sshd_config_file }}"
regexp: "{{ openssh_sshd_config_regexp }}"
line: "{{ openssh_sshd_config_line }}"
firstmatch: true
state: present
validate: "sshd -Tf %s"
loop: "{{ openssh_sshd_merged_config | dict2items }}"
loop_control:
loop_var: "tuple"
label: "{{ tuple.key }}"
notify:
- openssh_sshd_reload
vars:
openssh_sshd_config_regexp: "^\\s*#?\\s*{{ tuple.key }}"
openssh_sshd_config_line: >-2
{{ openssh_sshd_config_line_commented }}{{ tuple.key }} {{ openssh_sshd_config_value }}
openssh_sshd_config_value_is_none: "{{ tuple.value is none }}"
openssh_sshd_config_line_commented: >-2
{{ openssh_sshd_config_value_is_none | ternary('#', '') }}
openssh_sshd_config_value: >-2
{{ (tuple.value is boolean) | ternary(
tuple.value | ternary('yes', 'no'),
tuple.value
)
}}

16
roles/openssh/tasks/install.yml
View File

@ -1,16 +0,0 @@
---
- name: Ensure openssh server package is {{ openssh_state }} (dnf)
ansible.builtin.dnf:
name: "{{ openssh_packages[ansible_distribution | lower] }}"
state: "{{ openssh_state }}"
when:
- ansible_facts['pkg_mgr'] in ['dnf', 'dnf5']
- ansible_distribution | lower in openssh_packages.keys()
- name: Ensure openssh server package is {{ openssh_state }} (apt)
ansible.builtin.apt:
package: "{{ openssh_packages[ansible_distribution | lower] }}"
state: "{{ openssh_state }}"
when:
- ansible_facts['pkg_mgr'] in ['apt']
- ansible_distribution | lower in openssh_packages.keys()

15
roles/openssh/tasks/main.yml
View File

@ -1,15 +0,0 @@
---
- name: Ensure 'openssh_state' is valid
ansible.builtin.fail:
msg: >-2
Invalid value '{{ openssh_state }}' for 'openssh_state'.
Valid values are {{ openssh_states | join(', ') }}!
when: openssh_state not in openssh_states
- name: Ensure openssh is {{ openssh_state }}
ansible.builtin.include_tasks:
file: "install.yml"
- name: Ensure sshd is configured
ansible.builtin.include_tasks:
file: "configure-sshd.yml"

4
roles/openssh/vars/main.yml
View File

@ -1,4 +0,0 @@
---
openssh_states:
- "present"
- "absent"