diff --git a/deploy.yml b/deploy.yml
index 88a4379..6d51670 100644
--- a/deploy.yml
+++ b/deploy.yml
@@ -8,3 +8,6 @@
 - name: Certbot certificate cloudflare setup
 ansible.builtin.import_playbook: playbooks/deploy-certbot.yml
+
+- name: Kanidm
+ ansible.builtin.import_playbook: playbooks/deploy-kanidm.yml
diff --git a/group_vars/kanidm.yml b/group_vars/kanidm.yml
new file mode 100644
index 0000000..996fbaa
--- /dev/null
+++ b/group_vars/kanidm.yml
@@ -0,0 +1,3 @@
+---
+
+kanidm_domain: auth.hatecomputers.club
diff --git a/playbooks/deploy-kanidm.yml b/playbooks/deploy-kanidm.yml
new file mode 100644
index 0000000..6476e57
--- /dev/null
+++ b/playbooks/deploy-kanidm.yml
@@ -0,0 +1,6 @@
+---
+
+- name: Kanidm setup
+ hosts: kanidm
+ roles:
+ - kanidm
diff --git a/playbooks/roles/certbot/tasks/main.yml b/playbooks/roles/certbot/tasks/main.yml
index deed32c..c3879f6 100644
--- a/playbooks/roles/certbot/tasks/main.yml
+++ b/playbooks/roles/certbot/tasks/main.yml
@@ -11,7 +11,7 @@
 ansible.builtin.template:
 src: cloudflare-credentials.ini.j2
 dest: "{{ cloudflare_credentials_destination }}"
- mode: o=rw
+ mode: 0700
 - name: Ensure existance of {{ certbot_post_hook_dir }}
 ansible.builtin.file:
diff --git a/playbooks/roles/kanidm/tasks/main.yml b/playbooks/roles/kanidm/tasks/main.yml
new file mode 100644
index 0000000..4afebdf
--- /dev/null
+++ b/playbooks/roles/kanidm/tasks/main.yml
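Review bot: The new `mode: 0700` on the Cloudflare credentials template grants execute on a plain secrets file; `mode: "0600"` is the least-privilege setting for a file that is only ever read, and the quoted string form avoids depending on the YAML parser's handling of a bare leading-zero octal literal. The task sets no `owner`/`group`, so the rendered credentials file keeps the ownership of whatever user runs the task — if certbot runs as root that is probably what is wanted, but pinning it with `owner: root` and `group: root`, as the new kanidm tasks do, makes the intent explicit. The enclosing task (`- name:` line) starts before this hunk.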
@@ -0,0 +1,39 @@
+---
+
+- name: Ensure kanidm docker/compose exist
+ ansible.builtin.file:
+ path: /etc/docker/compose/kanidm
+ state: directory
+ owner: root
+ group: root
+ mode: 0700
+
+- name: Build kanidm docker-compose.yml.j2
+ ansible.builtin.template:
+ src: docker-compose.yml.j2
+ dest: /etc/docker/compose/kanidm/docker-compose.yml
+ owner: root
+ group: root
+ mode: 0700
+
+- name: Ensure kanidm docker/compose/data exist
+ ansible.builtin.file:
+ path: /etc/docker/compose/kanidm/data
+ state: directory
+ owner: root
+ group: root
+ mode: 0700
+
+- name: Build kanidm config
+ ansible.builtin.template:
+ src: server.toml.j2
+ dest: /etc/docker/compose/kanidm/data/server.toml
+ owner: root
+ group: root
+ mode: 0755
+
+- name: Enable kanidm
+ ansible.builtin.systemd_service:
+ state: restarted
+ enabled: true
+ name: docker-compose@kanidm
diff --git a/playbooks/roles/kanidm/templates/docker-compose.yml.j2 b/playbooks/roles/kanidm/templates/docker-compose.yml.j2
new file mode 100644
index 0000000..0bb5527
--- /dev/null
+++ b/playbooks/roles/kanidm/templates/docker-compose.yml.j2
@@ -0,0 +1,13 @@
+
+version: '3'
+
+services:
+ kanidm:
+ image: kanidm/server:latest
+ restart: always
+ volumes:
+ - ./data:/data
+ - /etc/letsencrypt:/certs:ro
+ ports:
+ - 127.0.0.1:8443:8443
+ - 0.0.0.0:3636:3636
diff --git a/playbooks/roles/kanidm/templates/server.toml.j2 b/playbooks/roles/kanidm/templates/server.toml.j2
new file mode 100644
index 0000000..ac470cc
--- /dev/null
+++ b/playbooks/roles/kanidm/templates/server.toml.j2
@@ -0,0 +1,10 @@
+bindaddress = "[::]:8443"
+ldapbindaddress = "[::]:3636"
+trust_x_forward_for = true
+db_path = "/data/kanidm.db"
+tls_chain = "/certs/live/{{ kanidm_domain }}/fullchain.pem"
+tls_key = "/certs/live/{{ kanidm_domain }}/privkey.pem"
+log_level = "info"
+
+domain = "{{ kanidm_domain }}"
+origin = "https://{{ kanidm_domain }}"
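Review bot: `server.toml` is installed with `mode: 0755` while every other path this role creates gets `0700`; a config file needs neither execute nor world-read, so `mode: "0600"` (or `"0644"` if the container process runs unprivileged and must read it) is the consistent choice, and the quoted string form is worth applying to the other four `mode` values as well. The final task restarts `docker-compose@kanidm` unconditionally on every playbook run; moving the restart into a handler notified by the two template tasks restarts the service only when the compose file or config actually changed. The data directory is created `root:root` with `0700` and then bind-mounted into the container — if the kanidm image runs as a non-root user it will be unable to open `/data/kanidm.db`, so confirm this against the image's runtime user.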
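Review bot: `image: kanidm/server:latest` is unpinned, and combined with `restart: always` and the role's unconditional service restart, each deploy may pull a different and possibly incompatible Kanidm release; pin to a release tag or digest, e.g. `image: kanidm/server:<pinned-tag>` (placeholder). HTTPS is published on loopback only, but LDAPS is published on `0.0.0.0:3636`; if LDAP is consumed only by services on this host, `- 127.0.0.1:3636:3636` keeps the directory off the public interface, and otherwise a comment recording that the exposure is intentional would help the next reader. The whole of `/etc/letsencrypt` is mounted read-only, which hands the container the private keys of every certificate on the host, not just the kanidm one — acceptable on a single-purpose host, but worth a comment stating that.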
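Review bot: `trust_x_forward_for = true` makes Kanidm take the client address from a header that any peer able to reach port 8443 directly can set, so it is only safe while that listener is reachable exclusively through the reverse proxy; the compose file publishes 8443 on 127.0.0.1 on the host, but `bindaddress = "[::]:8443"` still answers any other container sharing the docker network. A comment above the line such as `# Safe only while 8443 is reachable solely via the reverse proxy (see docker-compose.yml ports)` would record that assumption. The `/certs/live/...` paths are symlinks into `archive/`, which works here only because the compose file mounts all of `/etc/letsencrypt`; a comment noting that would stop a later change from narrowing the mount to `live/` and silently breaking TLS.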