183 lines
7.1 KiB
YAML
183 lines
7.1 KiB
YAML
---
|
||
# The home-server project produces a multi-purpose setup using Ansible.
|
||
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
|
||
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
||
|
||
### UPSTREAM BEGIN ⇒ ###
|
||
- name: pull prerequisites from upstream
|
||
include_role: name=etckeeper.inc allow_duplicates=true tasks_from=upstream.yml
|
||
vars:
|
||
msg: LDAP Account Manager
|
||
### ⇐ UPSTREAM BEGIN ###
|
||
|
||
- name: install AUR software
|
||
include_role:
|
||
name: aur.inc
|
||
allow_duplicates: true
|
||
vars:
|
||
packages:
|
||
- ldap-account-manager
|
||
aur_user: git
|
||
|
||
### UPSTREAM END ⇒ ###
|
||
- name: merge upstream
|
||
include_role: name=etckeeper.inc allow_duplicates=true tasks_from=merge.yml
|
||
vars:
|
||
msg: LDAP Account Manager
|
||
### ⇐ UPSTREAM END ###
|
||
|
||
- name: ensure some directories exist
|
||
file:
|
||
path: /etc/webapps/ldap-account-manager/{{item}}
|
||
state: directory
|
||
group: http
|
||
mode: 0770
|
||
with_items:
|
||
- pdf
|
||
- profiles
|
||
- pdf/{{nickname}}
|
||
- profiles/{{nickname}}
|
||
|
||
- name: create the template-based PDF configuration
|
||
shell: |
|
||
cp -al templates/pdf/* "pdf/{{nickname}}/"
|
||
args:
|
||
chdir: /etc/webapps/ldap-account-manager
|
||
creates: /etc/webapps/ldap-account-manager/pdf/{{nickname}}/*
|
||
|
||
- name: create the template-based profile configuration
|
||
shell: |
|
||
cp -al templates/pdf/* templates/profiles/* "profiles/{{nickname}}/"
|
||
args:
|
||
chdir: /etc/webapps/ldap-account-manager
|
||
creates: /etc/webapps/ldap-account-manager/profiles/{{nickname}}/*
|
||
|
||
- name: main lam configuration
|
||
copy:
|
||
remote_src: true
|
||
src: /etc/webapps/ldap-account-manager/config.cfg.sample
|
||
dest: /etc/webapps/ldap-account-manager/config.cfg
|
||
group: http
|
||
mode: 0660
|
||
force: false
|
||
|
||
- name: custom lam configuration
|
||
lineinfile:
|
||
path: /etc/webapps/ldap-account-manager/config.cfg
|
||
regexp: '^{{item.key}}:'
|
||
line: '{{item.key}}: {{item.value}}'
|
||
with_dict:
|
||
default: '{{nickname}}'
|
||
logLevel: 4
|
||
logDestination: SYSLOG
|
||
encryptSession: false
|
||
password: '{{lam_master_password}}'
|
||
passwordMinLength: '{{lam_passwordMinLength}}'
|
||
passwordMinUpper: '{{lam_passwordMinUpper}}'
|
||
passwordMinLower: '{{lam_passwordMinLower}}'
|
||
passwordMinNumeric: '{{lam_passwordMinNumeric}}'
|
||
passwordMinSymbol: '{{lam_passwordMinSymbol}}'
|
||
passwordMinClasses: '{{lam_passwordMinClasses}}'
|
||
checkedRulesCount: '{{lam_checkedRulesCount}}'
|
||
passwordMustNotContain3Chars: '{{lam_passwordMustNotContain3Chars}}'
|
||
passwordMustNotContainUser: '{{lam_passwordMustNotContainUser}}'
|
||
|
||
- name: custom lam profile
|
||
lineinfile:
|
||
path: /etc/webapps/ldap-account-manager/{{nickname}}.conf
|
||
create: true
|
||
group: http
|
||
mode: 0660
|
||
regexp: '^{{item.k}}:'
|
||
line: '{{item.k}}: {{item.v}}'
|
||
with_items:
|
||
- {k: 'Passwd', v: '{{lam_master_password}}'}
|
||
- {k: 'ServerURL', v: 'ldapi://%2Frun%2Fshared_sockets%2Fldapi/'}
|
||
- {k: 'serverDisplayName', v: '{{nickname}}'}
|
||
- {k: 'defaultLanguage', v: '{{locales_default}}'}
|
||
- {k: 'timeZone', v: '{{timezone}}'}
|
||
- {k: 'loginMethod', v: 'search'}
|
||
- {k: 'loginSearchSuffix', v: 'ou=Users,{{ldap_root}}'}
|
||
- {k: 'loginSearchFilter', v: 'uid=%USER%'}
|
||
- {k: 'loginSearchDN', v: ''}
|
||
- {k: 'loginSearchPassword', v: ''}
|
||
- {k: 'httpAuthentication', v: 'true'}
|
||
- {k: 'useTLS', v: 'no'}
|
||
- {k: 'treesuffix', v: '{{ldap_root}}'}
|
||
- {k: 'pwdResetAllowSpecificPassword', v: 'true'}
|
||
- {k: 'pwdResetAllowScreenPassword', v: 'true'}
|
||
- {k: 'pwdResetForcePasswordChange', v: 'true'}
|
||
- {k: 'pwdResetDefaultPasswordOutput', v: '2'}
|
||
- {k: 'tools: tool_hide_toolSchemaBrowser', v: 'true'}
|
||
- {k: 'tools: tool_hide_toolTests', v: 'true'}
|
||
- {k: 'tools: tool_hide_toolServerInformation', v: 'true'}
|
||
- {k: 'tools: tool_hide_toolProfileEditor', v: 'true'}
|
||
- {k: 'tools: tool_hide_toolPDFEditor', v: 'true'}
|
||
- {k: 'tools: tool_hide_toolOUEditor', v: 'true'}
|
||
- {k: 'tools: tool_hide_toolFileUpload', v: 'true'}
|
||
- {k: 'tools: tool_hide_toolMultiEdit', v: 'true'}
|
||
- {k: 'activeTypes', v: 'user,mailAlias'}
|
||
- {k: 'types: suffix_user', v: 'ou=Users,{{ldap_root}}'}
|
||
- {k: 'types: attr_user', v: '#uid;#givenName;#cn;#sn;#mail'}
|
||
- {k: 'types: modules_user', v: 'inetOrgPerson'}
|
||
- {k: 'types: suffix_group', v: 'ou=Groups,{{ldap_root}}'}
|
||
- {k: 'types: attr_group', v: '#cn;#memberUID'}
|
||
- {k: 'types: modules_group', v: 'posixGroup'}
|
||
- {k: 'types: suffix_mailAlias', v: 'ou=Aliases,{{ldap_root}}'}
|
||
- {k: 'types: attr_mailAlias', v: '#cn;#rfc822MailMember'}
|
||
- {k: 'types: modules_mailAlias', v: 'nisMailAlias'}
|
||
- {k: 'modules: posixAccount_pwdHash', v: 'SSHA'}
|
||
- {k: 'modules: inetOrgPerson_hideDescription', v: 'true'}
|
||
- {k: 'modules: inetOrgPerson_hideStreet', v: 'true'}
|
||
- {k: 'modules: inetOrgPerson_hidePostOfficeBox', v: 'true'}
|
||
- {k: 'modules: inetOrgPerson_hidePostalCode', v: 'true'}
|
||
- {k: 'modules: inetOrgPerson_hideLocation', v: 'true'}
|
||
- {k: 'modules: inetOrgPerson_hideState', v: 'true'}
|
||
- {k: 'modules: inetOrgPerson_hidePostalAddress', v: 'true'}
|
||
- {k: 'modules: inetOrgPerson_hideRegisteredAddress', v: 'true'}
|
||
- {k: 'modules: inetOrgPerson_hideOfficeName', v: 'true'}
|
||
- {k: 'modules: inetOrgPerson_hideRoomNumber', v: 'true'}
|
||
- {k: 'modules: inetOrgPerson_hideTelephoneNumber', v: 'true'}
|
||
- {k: 'modules: inetOrgPerson_hideHomeTelephoneNumber', v: 'true'}
|
||
- {k: 'modules: inetOrgPerson_hideMobileNumber', v: 'true'}
|
||
- {k: 'modules: inetOrgPerson_hideFaxNumber', v: 'true'}
|
||
- {k: 'modules: inetOrgPerson_hidePager', v: 'true'}
|
||
- {k: 'modules: inetOrgPerson_hideJobTitle', v: 'true'}
|
||
- {k: 'modules: inetOrgPerson_hideCarLicense', v: 'true'}
|
||
- {k: 'modules: inetOrgPerson_hideEmployeeType', v: 'true'}
|
||
- {k: 'modules: inetOrgPerson_hideBusinessCategory', v: 'true'}
|
||
- {k: 'modules: inetOrgPerson_hideDepartments', v: 'true'}
|
||
- {k: 'modules: inetOrgPerson_hideManager', v: 'true'}
|
||
- {k: 'modules: inetOrgPerson_hideOu', v: 'true'}
|
||
- {k: 'modules: inetOrgPerson_hideO', v: 'true'}
|
||
- {k: 'modules: inetOrgPerson_hideEmployeeNumber', v: 'true'}
|
||
- {k: 'modules: inetOrgPerson_hideInitials', v: 'true'}
|
||
- {k: 'modules: inetOrgPerson_hideuserCertificate', v: 'true'}
|
||
- {k: 'modules: inetOrgPerson_addAddressbook', v: 'false'}
|
||
- {k: 'modules: inetOrgPerson_readOnly_mail', v: 'true'}
|
||
- {k: 'modules: inetOrgPerson_readOnly_uid', v: 'true'}
|
||
- {k: 'modules: inetOrgPerson_hideUID', v: 'false'}
|
||
|
||
- name: configure nginx for ldap-account-manager
|
||
copy:
|
||
content: |
|
||
location {{http_pfx_lam}} {
|
||
alias /usr/share/webapps/ldap-account-manager;
|
||
autoindex on;
|
||
rewrite ^({{http_pfx_lam}})(/.*?\.php)(/.*)?$ /php...$document_root/...$1/...$2/...$3 last;
|
||
}
|
||
dest: /etc/nginx/inc.d/lam.https.inc
|
||
mode: 0440
|
||
owner: http
|
||
group: http
|
||
notify:
|
||
- restart openresty.service
|
||
|
||
### LOCAL COMMIT ⇒ ###
|
||
- name: commit local changes
|
||
include_role: name=etckeeper.inc allow_duplicates=true tasks_from=local.yml
|
||
vars:
|
||
msg: LDAP Account Manager
|
||
### ⇐ LOCAL COMMIT ###
|
||
- meta: flush_handlers
|