---
# The home-server project produces a multi-purpose setup using Ansible.
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
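### UPSTREAM BEGIN ⇒ ###
# etckeeper.inc/upstream.yml runs before the package install so the change to
# /etc is bracketed by the UPSTREAM BEGIN/END markers — presumably an etckeeper
# commit on each side; confirm against the role.
- name: pull prerequisites from upstream
  # Native block form instead of the "key=value" free-form string, so every
  # argument is a typed YAML value (allow_duplicates is a real boolean).
  include_role:
    name: etckeeper.inc
    tasks_from: upstream.yml
    allow_duplicates: true
  vars:
    msg: LDAP Account Manager
### ⇐ UPSTREAM BEGIN ###
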
- name: install AUR software
  include_role:
    allow_duplicates: true
    name: "aur.inc"
  vars:
    # NOTE(review): pkg_names is handed over as a JSON text block, not as a
    # YAML list — presumably aur.inc parses the string itself; keep the block
    # scalar form so the role receives exactly the same value.
    pkg_names: |
      [
        "ldap-account-manager"
      ]
    # Unprivileged account used for the AUR build.
    aur_user: "git"

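### UPSTREAM END ⇒ ###
# Counterpart of the UPSTREAM BEGIN step: etckeeper.inc/merge.yml closes the
# upstream bracket after the package has been installed.
- name: merge upstream
  # Native block form instead of the "key=value" free-form string, so every
  # argument is a typed YAML value (allow_duplicates is a real boolean).
  include_role:
    name: etckeeper.inc
    tasks_from: merge.yml
    allow_duplicates: true
  vars:
    msg: LDAP Account Manager
### ⇐ UPSTREAM END ###
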
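# Per-nickname PDF and profile directories under the LAM webapp config root.
# They are group-writable by http — presumably so LAM, running as the web
# server user, can save edited profiles and PDF structures at runtime.
- name: ensure some directories exist
  file:
    path: /etc/webapps/ldap-account-manager/{{item}}
    state: directory
    group: http
    # Quoted: an unquoted 0770 is read by the YAML parser as an octal integer;
    # the string form is the documented Ansible idiom for file modes.
    mode: "0770"
  # Parents are listed before the per-nickname children.
  with_items:
    - pdf
    - profiles
    - pdf/{{nickname}}
    - profiles/{{nickname}}
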
- name: create the template-based PDF configuration
  # Hard-link (cp -al) the stock PDF templates into the per-nickname copy.
  # NOTE(review): nickname is interpolated into a shell line; it is expected to
  # be a plain identifier (no quotes, '$' or whitespace) — confirm where it is
  # defined, or pass it through the quote filter.
  shell: |
    cp -al templates/pdf/* "pdf/{{nickname}}/"
  args:
    # creates accepts a glob: skipped once the target directory holds any file.
    creates: /etc/webapps/ldap-account-manager/pdf/{{nickname}}/*
    chdir: /etc/webapps/ldap-account-manager

- name: create the template-based profile configuration
  # Hard-link (cp -al) both the PDF and the profile templates into the
  # per-nickname profile directory.
  # NOTE(review): nickname is interpolated into a shell line; it is expected to
  # be a plain identifier (no quotes, '$' or whitespace) — confirm where it is
  # defined, or pass it through the quote filter.
  shell: |
    cp -al templates/pdf/* templates/profiles/* "profiles/{{nickname}}/"
  args:
    # creates accepts a glob: skipped once the target directory holds any file.
    creates: /etc/webapps/ldap-account-manager/profiles/{{nickname}}/*
    chdir: /etc/webapps/ldap-account-manager

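- name: main lam configuration
  # Seed config.cfg from the packaged sample exactly once: force=false leaves
  # an existing (possibly hand-edited) file untouched.
  copy:
    remote_src: true
    src: /etc/webapps/ldap-account-manager/config.cfg.sample
    dest: /etc/webapps/ldap-account-manager/config.cfg
    group: http
    # Quoted: an unquoted 0660 is read by the YAML parser as an octal integer;
    # the string form is the documented Ansible idiom for file modes.
    mode: "0660"
    force: false
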
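- name: custom lam configuration
  # Replace (or append) one "key: value" line per dictionary entry in the main
  # LAM configuration file.
  lineinfile:
    path: /etc/webapps/ldap-account-manager/config.cfg
    regexp: '^{{item.key}}:'
    line: '{{item.key}}: {{item.value}}'
  # The master password is part of the rendered line: keep every item's
  # output out of the play log.
  no_log: true
  with_dict:
    default: '{{nickname}}'
    logLevel: 4
    logDestination: SYSLOG
    # Quoted so the file receives "encryptSession: false" rather than
    # "encryptSession: False" (Jinja's rendering of a YAML boolean).
    # NOTE(review): this turns LAM session encryption off — confirm it is
    # intended.
    encryptSession: 'false'
    # NOTE(review): stored in clear text in config.cfg; protection relies on
    # the 0660/http file mode set by the copy task.
    password: '{{lam_master_password}}'
    passwordMinLength: '{{lam_passwordMinLength}}'
    passwordMinUpper: '{{lam_passwordMinUpper}}'
    passwordMinLower: '{{lam_passwordMinLower}}'
    passwordMinNumeric: '{{lam_passwordMinNumeric}}'
    passwordMinSymbol: '{{lam_passwordMinSymbol}}'
    passwordMinClasses: '{{lam_passwordMinClasses}}'
    checkedRulesCount: '{{lam_checkedRulesCount}}'
    passwordMustNotContain3Chars: '{{lam_passwordMustNotContain3Chars}}'
    passwordMustNotContainUser: '{{lam_passwordMustNotContainUser}}'
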
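- name: custom lam profile
  # Build the per-server profile ({{nickname}}.conf) one "key: value" line at
  # a time; the file is created on first run with the same group/mode as the
  # main configuration.
  lineinfile:
    path: /etc/webapps/ldap-account-manager/{{nickname}}.conf
    create: true
    group: http
    # Quoted: an unquoted 0660 is read by the YAML parser as an octal integer;
    # the string form is the documented Ansible idiom for file modes.
    mode: "0660"
    regexp: '^{{item.k}}:'
    line: '{{item.k}}: {{item.v}}'
  # The Passwd item carries the master password: keep item output out of the
  # play log.
  no_log: true
  with_items:
    # Connection: local ldapi socket, so TLS is not used.
    - {k: 'Passwd', v: '{{lam_master_password}}'}
    - {k: 'ServerURL', v: 'ldapi://%2Frun%2Fshared_sockets%2Fldapi/'}
    - {k: 'serverDisplayName', v: '{{nickname}}'}
    - {k: 'defaultLanguage', v: '{{locales_default}}'}
    - {k: 'timeZone', v: '{{timezone}}'}
    # Login: users are searched by uid under ou=Users; the search DN and
    # password are intentionally empty (anonymous search) — TODO confirm.
    - {k: 'loginMethod', v: 'search'}
    - {k: 'loginSearchSuffix', v: 'ou=Users,{{ldap_root}}'}
    - {k: 'loginSearchFilter', v: 'uid=%USER%'}
    - {k: 'loginSearchDN', v: ''}
    - {k: 'loginSearchPassword', v: ''}
    - {k: 'httpAuthentication', v: 'true'}
    - {k: 'useTLS', v: 'no'}
    - {k: 'treesuffix', v: '{{ldap_root}}'}
    - {k: 'pwdResetAllowSpecificPassword', v: 'true'}
    - {k: 'pwdResetAllowScreenPassword', v: 'true'}
    - {k: 'pwdResetForcePasswordChange', v: 'true'}
    - {k: 'pwdResetDefaultPasswordOutput', v: '2'}
    # Tools: presumably hide the listed LAM tools from the UI.
    - {k: 'tools: tool_hide_toolSchemaBrowser', v: 'true'}
    - {k: 'tools: tool_hide_toolTests', v: 'true'}
    - {k: 'tools: tool_hide_toolServerInformation', v: 'true'}
    - {k: 'tools: tool_hide_toolProfileEditor', v: 'true'}
    - {k: 'tools: tool_hide_toolPDFEditor', v: 'true'}
    - {k: 'tools: tool_hide_toolOUEditor', v: 'true'}
    - {k: 'tools: tool_hide_toolFileUpload', v: 'true'}
    - {k: 'tools: tool_hide_toolMultiEdit', v: 'true'}
    # Account types: users, groups and mail aliases, each with its own suffix,
    # list attributes and modules.
    - {k: 'activeTypes', v: 'user,mailAlias'}
    - {k: 'types: suffix_user', v: 'ou=Users,{{ldap_root}}'}
    - {k: 'types: attr_user', v: '#uid;#givenName;#cn;#sn;#mail'}
    - {k: 'types: modules_user', v: 'inetOrgPerson'}
    - {k: 'types: suffix_group', v: 'ou=Groups,{{ldap_root}}'}
    - {k: 'types: attr_group', v: '#cn;#memberUID'}
    - {k: 'types: modules_group', v: 'posixGroup'}
    - {k: 'types: suffix_mailAlias', v: 'ou=Aliases,{{ldap_root}}'}
    - {k: 'types: attr_mailAlias', v: '#cn;#rfc822MailMember'}
    - {k: 'types: modules_mailAlias', v: 'nisMailAlias'}
    # Module options: salted SHA password hashes; most inetOrgPerson fields
    # hidden, mail and uid read-only.
    - {k: 'modules: posixAccount_pwdHash', v: 'SSHA'}
    - {k: 'modules: inetOrgPerson_hideDescription', v: 'true'}
    - {k: 'modules: inetOrgPerson_hideStreet', v: 'true'}
    - {k: 'modules: inetOrgPerson_hidePostOfficeBox', v: 'true'}
    - {k: 'modules: inetOrgPerson_hidePostalCode', v: 'true'}
    - {k: 'modules: inetOrgPerson_hideLocation', v: 'true'}
    - {k: 'modules: inetOrgPerson_hideState', v: 'true'}
    - {k: 'modules: inetOrgPerson_hidePostalAddress', v: 'true'}
    - {k: 'modules: inetOrgPerson_hideRegisteredAddress', v: 'true'}
    - {k: 'modules: inetOrgPerson_hideOfficeName', v: 'true'}
    - {k: 'modules: inetOrgPerson_hideRoomNumber', v: 'true'}
    - {k: 'modules: inetOrgPerson_hideTelephoneNumber', v: 'true'}
    - {k: 'modules: inetOrgPerson_hideHomeTelephoneNumber', v: 'true'}
    - {k: 'modules: inetOrgPerson_hideMobileNumber', v: 'true'}
    - {k: 'modules: inetOrgPerson_hideFaxNumber', v: 'true'}
    - {k: 'modules: inetOrgPerson_hidePager', v: 'true'}
    - {k: 'modules: inetOrgPerson_hideJobTitle', v: 'true'}
    - {k: 'modules: inetOrgPerson_hideCarLicense', v: 'true'}
    - {k: 'modules: inetOrgPerson_hideEmployeeType', v: 'true'}
    - {k: 'modules: inetOrgPerson_hideBusinessCategory', v: 'true'}
    - {k: 'modules: inetOrgPerson_hideDepartments', v: 'true'}
    - {k: 'modules: inetOrgPerson_hideManager', v: 'true'}
    - {k: 'modules: inetOrgPerson_hideOu', v: 'true'}
    - {k: 'modules: inetOrgPerson_hideO', v: 'true'}
    - {k: 'modules: inetOrgPerson_hideEmployeeNumber', v: 'true'}
    - {k: 'modules: inetOrgPerson_hideInitials', v: 'true'}
    - {k: 'modules: inetOrgPerson_hideuserCertificate', v: 'true'}
    - {k: 'modules: inetOrgPerson_addAddressbook', v: 'false'}
    - {k: 'modules: inetOrgPerson_readOnly_mail', v: 'true'}
    - {k: 'modules: inetOrgPerson_readOnly_uid', v: 'true'}
    - {k: 'modules: inetOrgPerson_hideUID', v: 'false'}
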
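- name: configure nginx for ldap-account-manager
  # nginx include served under {{http_pfx_lam}}; PHP requests are handed to
  # the shared php rewrite (the "/php..." target is defined elsewhere).
  # NOTE(review): "autoindex on" publishes a directory listing for any path
  # under the alias without an index file — confirm that is wanted for a web
  # application root.
  copy:
    content: |
      location {{http_pfx_lam}} {
        alias /usr/share/webapps/ldap-account-manager;
        autoindex on;
        rewrite ^({{http_pfx_lam}})(/.*?\.php)(/.*)?$ /php...$document_root/...$1/...$2/...$3 last;
      }
    dest: /etc/nginx/inc.d/lam.https.inc
    # Quoted: an unquoted 0440 is read by the YAML parser as an octal integer;
    # the string form is the documented Ansible idiom for file modes.
    mode: "0440"
    owner: http
    group: http
  notify:
    - restart nginx.service
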
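### LOCAL COMMIT ⇒ ###
# etckeeper.inc/local.yml records the local /etc changes made above.
- name: commit local changes
  # Native block form instead of the "key=value" free-form string, so every
  # argument is a typed YAML value (allow_duplicates is a real boolean).
  include_role:
    name: etckeeper.inc
    tasks_from: local.yml
    allow_duplicates: true
  vars:
    msg: LDAP Account Manager
### ⇐ LOCAL COMMIT ###
# Run the pending handlers (nginx restart) now rather than at the end of the
# play.
- meta: flush_handlers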