feat(ldap-user-backend): add role for managing ldap user backend in nextcloud

roles/ldap-user-backend/README.md

@@ -0,0 +1,27 @@
+# `finallycoffee.nextcloud.ldap-user-backend` ansible role
+
+Ansible role for managing LDAP authentication of nextcloud instances using ansible.
+
+## Prerequisites
+
+This role assumes a nextcloud instance is up and running, and has the `user_ldap`
+nextcloud app installed. For starting a nextcloud instance, see the
+`finallycoffee.nextcloud.server` role, for managing nextcloud apps see the
+`finallycoffee.nextcloud.apps` ansible role.
+
+## Configuration
+
+- Set `nc_ldap_api_method` to either `occ` or `http` to control wether the
+  configuration is set using `php occ` command line calls or the `http` API
+  of the `user_ldap` nextcloud app.
+
+- For `nc_ldap_api_method: occ`, ensure `nc_ldap_container` is set to the name
+  of the docker container where nextcloud is running, and `nc_ldap_occ_user` is
+  the user the container / nextcloud itself runs as. `nc_ldap_occ_command`
+  _can_ also be tweaked if `php` is not in the path, but the default should
+  be fine in most cases.
+
+- For `nc_ldap_api_method: http`, ensure `nc_ldapi_api_instance_url` contains
+  the URL to the nextcloud server, including protocol (and port, if
+  non-standard), and `nc_ldap_api_basic_auth_[user|password]` contain the
+  credentials of an admin user with the rights to edit the LDAP settings.

roles/ldap-user-backend/defaults/main.yml

@@ -1,9 +1,15 @@
 ---
 
+nc_ldap_api_method: occ
+
 nc_ldap_api_instance_url: http://localhost
 nc_ldap_api_basic_auth_user:
 nc_ldap_api_basic_auth_password:
 
+nc_ldap_occ_command: "php occ"
+nc_ldap_occ_user: "nextcloud"
+nc_ldap_container: nextcloud
+
 nc_ldap_config_id: s01
 nc_ldap_config_host: 127.0.0.1
 nc_ldap_config_port: 389

roles/ldap-user-backend/tasks/main.yml

@@ -1,6 +1,6 @@
 ---
 
-- name: Default api config
+- name: Set default api parameters for HTTP
   meta: noop
   vars: &api_defaults
     http_agent: "{{ nc_ldap_meta_http_agent }}"
@@ -9,6 +9,16 @@
     url_password: "{{ nc_ldap_api_basic_auth_password }}"
     force_basic_auth: yes
     force: yes
+  when: nc_ldap_api_method == 'http'
+
+- name: Check if configuration with given config ID already exists
+  docker_container_exec:
+    container: "{{ nc_ldap_container }}"
+    command: "{{ nc_ldap_occ_command }} ldap:show-config --output json {{ nc_ldap_config_id }}"
+    user: "{{ nc_ldap_occ_user }}"
+    tty: yes
+  when: nc_ldap_api_method == 'occ'
+  register: nc_ldap_existing_config
 
 - name: Check if configuration with given config ID already exists
   uri:
@@ -18,6 +28,7 @@
   vars:
     query_params: "?showPassword=1&format={{nc_ldap_api_parameter_format }}"
     
+  when: nc_ldap_api_method == 'http'
   register: nc_ldap_existing_config
 
 # TODO: Can we force an ID on POST?
@@ -26,7 +37,16 @@
     <<: *api_defaults
     url: "{{ nc_ldap_api_path }}"
     method: POST
-  when: nc_ldap_existing_config.status != 200
+  when: nc_ldap_api_method == 'http' and nc_ldap_existing_config.status != 200
+
+- name: Create ldap configuration with id={{ nc_ldap_config_id }}
+  docker_container_exec:
+    container: "{{ nc_ldap_container }}"
+    command: "{{ nc_ldap_occ_command }} ldap:create-empty-config --output json {{ nc_ldap_config_id }}"
+    user: "{{ nc_ldap_occ_user }}"
+    tty: yes
+  # research conditions?
+  when: nc_ldap_api_method == 'occ' and nc_ldap_existing_config.exitCode = 0
 
 - name: Create changeset
   set_fact:
@@ -43,3 +63,12 @@
     method: PUT
     body:
     body_format: "form-urlencoded"
+  when: nc_ldap_api_method == 'http'
+
+- name: Ensure ldap configuration is in sync
+  docker_container_exec:
+    container: "{{ nc_ldap_container }}"
+    command: "{{ nc_ldap_occ_command }} ldap:set-config #args"
+    user: "{{ nc_ldap_occ_user }}"
+    tty: yes
+  when: nc_ldap_api_method == 'occ'