Add LLDAP.

env.yml

@@ -1,4 +1,5 @@
 domain: viyurz.fr
+ldap_base_dn: dc=viyurz,dc=fr
 timezone: "Europe/Paris"
 host_uid: 1000
 project_dir: "{{ ansible_env['HOME'] }}/docker-projects/{{ role_name }}"
@@ -43,6 +44,7 @@ projects:
   - etebase
   - hedgedoc
   - homepage
+  - lldap
   - mailserver
   - postgres
   - reverse-proxy
@@ -56,6 +58,7 @@ projects:
 projects_to_backup:
   - etebase
   - hedgedoc
+  - lldap
   - mailserver
   - postgres
   - synapse
@@ -84,6 +87,7 @@ ports:
   etebase: 3735
   hedgedoc: 8086
   homepage: 8082
+  lldap: 17170
   mailserver_smtp: 1025
   mailserver_smtps: 1465
   mailserver_imaps: 1993
@@ -108,6 +112,7 @@ users:
   hedgedoc: 1004
   hedgedoc_mysql: 1005
   homepage: 8686
+  lldap: 1007
   mailserver: 8
   postgres: 70
   searxng: 977
@@ -127,6 +132,7 @@ volumes:
   etebase_datadir: /mnt/etebasedata
   hedgedoc_mysql_datadir: /mnt/hedgedoc/mysql-data
   hedgedoc_configdir: /mnt/hedgedoc/config
+  lldap_datadir: /mnt/lldapdata
   mailserver_datadir: /mnt/mailserverdata
   mailserver_tls_certificate_file: "/etc/letsencrypt/live/mail.{{ domain }}/fullchain.pem"
   mailserver_tls_certificate_key_file: "/etc/letsencrypt/live/mail.{{ domain }}/privkey.pem"

playbooks/update-services.yml

@@ -7,6 +7,7 @@
   hosts: localhost
   vars:
     run_backup: false
+    run_setup: true
     run_update: true
   vars_prompt:
     - name: selected_projects

roles/lldap/tasks/backup.yml

@@ -0,0 +1,25 @@
+- name: "Backup PostgreSQL lldap database & {{ volumes['lldap_datadir'] }} directory"
+  shell: >
+    docker exec postgres
+    pg_dump -c {{ role_name }} |
+    borg create
+    --compression lzma
+    "{{ borg_repodir }}::{{ role_name }}-{now:%Y-%m-%d_%H-%M-%S}"
+    "{{ volumes['lldap_datadir'] }}"
+    -
+    --stdin-name dump_{{ role_name }}.sql
+  environment:
+    DOCKER_HOST: "{{ docker_host }}"
+    BORG_PASSCOMMAND: "cat {{ borg_passphrase_file }}"
+  become: true
+
+- name: Prune borg repository
+  command:
+    cmd: |
+      borg prune
+      --glob-archives='{{ role_name }}-*'
+      {{ borg_prune_options }}
+      {{ borg_repodir }}
+  environment:
+    BORG_PASSCOMMAND: "cat {{ borg_passphrase_file }}"
+  become: true

roles/lldap/tasks/main.yml

@@ -0,0 +1,14 @@
+- name: Include backup tasks
+  include_tasks:
+    file: backup.yml
+  when: run_backup | default(false) | bool
+
+- name: Include setup tasks
+  include_tasks:
+    file: setup.yml
+  when: run_setup | default(false) | bool
+
+- name: Include update tasks
+  include_tasks:
+    file: update.yml
+  when: run_update | default(false) | bool

roles/lldap/tasks/setup.yml

@@ -0,0 +1,24 @@
+- name: "Create {{ project_dir }} project directory"
+  file:
+    path: "{{ project_dir }}"
+    state: directory
+
+- name: Template docker-compose.yaml & .env to project directory
+  template:
+    src: "{{ item }}"
+    dest: "{{ project_dir }}/{{ item }}"
+    owner: "{{ host_uid }}"
+    group: "{{ host_uid }}"
+    mode: '600'
+  loop:
+    - docker-compose.yaml
+    - .env
+
+- name: "Create (if not exists) directory {{ volumes['lldap_datadir'] }} & set permissions"
+  file:
+    path: "{{ volumes['lldap_datadir'] }}"
+    state: directory
+    owner: "{{ users['lldap'] + uid_shift }}"
+    group: "{{ users['lldap'] + uid_shift }}"
+    mode: '700'
+  become: true

roles/lldap/tasks/update.yml

@@ -0,0 +1,23 @@
+- name: Pull project services
+  community.docker.docker_compose:
+    project_src: "{{ project_dir }}"
+    recreate: never
+    pull: true
+    debug: true
+  when: docker_pull_images | bool
+  register: lldap_docker_compose_pull_result
+
+- name: Display pulled image(s) name
+  set_fact:
+    lldap_pulled_images: "{{ lldap_pulled_images | default([]) + [item.pulled_image.name] }}"
+  loop: "{{ lldap_docker_compose_pull_result['actions'] | default([]) | selectattr('pulled_image', 'defined') }}"
+
+- name: Include backup tasks
+  include_tasks:
+    file: backup.yml
+  # Make a backup if we didn't already make one and we pulled a new image
+  when: not run_backup and lldap_pulled_images is defined
+
+- name: Create/Restart project services
+  community.docker.docker_compose:
+    project_src: "{{ project_dir }}"

roles/lldap/templates/.env

@@ -0,0 +1,7 @@
+UID={{ users['lldap'] }}
+GID={{ users['lldap'] }}
+TZ={{ timezone }}
+LLDAP_LDAP_BASE_DN={{ ldap_base_dn }}
+LLDAP_JWT_SECRET='{{ lldap_secrets["jwt_secret"] }}'
+LLDAP_KEY_SEED='{{ lldap_secrets["key_seed"] }}'
+LLDAP_DATABASE_URL='postgres://{{ lldap_secrets["postgres_user"] }}:{{ lldap_secrets["postgres_password"] }}@postgres.{{ domain }}/lldap'

roles/lldap/templates/docker-compose.yaml

@@ -0,0 +1,20 @@
+services:
+  lldap:
+    container_name: lldap
+    image: docker.io/lldap/lldap:latest-alpine-rootless
+    restart: always
+    user: {{ users['lldap'] }}:{{ users['lldap'] }}
+    env_file: .env
+    networks:
+      - authelia
+      - mailserver
+    ports:
+      - {{ ports['lldap'] }}:17170
+    volumes:
+      - {{ volumes['lldap_datadir'] }}:/data
+
+networks:
+  authelia:
+    name: authelia
+  mailserver:
+    name: mailserver

roles/reverse-proxy/templates/reverse-proxy.conf

@@ -131,6 +131,19 @@ server {
 }
 
 
+# LLDAP
+server {
+	listen 443 ssl http2;
+	listen [::]:443 ssl http2;	
+	
+	server_name ldap.{{ domain }};
+
+	location / {
+		proxy_pass http://127.0.0.1:{{ ports['lldap'] }};
+	}
+}
+
+
 # SearXNG
 server {
 	listen 443 ssl http2;

secrets.yml.example

@@ -13,6 +13,12 @@ coturn_secrets:
 hedgedoc_secrets:
   mysql_root_password:
 
+lldap_secrets:
+  jwt_secret:
+  key_seed:
+  postgres_user:
+  postgres_password:
+
 searxng_secrets:
   searxng_secret: