initial: no secrets

roles/usermanagement/templates/fix_ldap.py

@@ -0,0 +1,45 @@
+#!/usr/bin/python3
+
+from ldap3 import Server, Connection, MODIFY_ADD, MODIFY_DELETE
+
+ldap_server = 'ldap://localhost'
+ldap_user = '{{ ldap_bind_dn }}'
+ldap_password = '{{ ldap_password }}'
+base_dn = '{{ ldap_user_dn }}'
+groups_base_dn = '{{ ldap_group_dn }}'
+new_objectclass = 'verification'
+
+# Connect to the LDAP server
+server = Server(ldap_server)
+conn = Connection(server, user=ldap_user, password=ldap_password)
+
+if not conn.bind():
+    print(f"Failed to bind to LDAP server: {conn.last_error}")
+    exit(1)
+
+# handle groups #
+conn.search(groups_base_dn, '(objectClass=*)')
+for entry in conn.entries:
+
+    dn = entry.entry_dn
+   
+    # add verification class if it is missing #
+    conn.modify(dn, {'member': [(MODIFY_DELETE, [""])]})
+
+# handle people #
+conn.search(base_dn, '(objectClass=person)')
+for entry in conn.entries:
+
+    dn = entry.entry_dn
+   
+    # add verification class if it is missing #
+    conn.modify(dn, {'objectClass': [(MODIFY_ADD, ["verification"])]})
+    
+    # set verification value if it is not set #
+    modifications = {
+        'emailVerified': [(MODIFY_ADD, ["false"])]
+    }
+    conn.modify(dn, modifications)
+
+# Unbind from the LDAP server
+conn.unbind()

roles/usermanagement/templates/keycloak.yaml

@@ -0,0 +1,52 @@
+---
+
+version: '3.3'
+
+services:
+  keycloak:
+    container_name: keycloak-container
+    command: start --hostname-strict=false --log-level=WARNING
+    image: quay.io/keycloak/keycloak:23.0.3
+    environment:
+      - KEYCLOAK_ADMIN=admin
+      - KEYCLOAK_ADMIN_PASSWORD={{ keycloak_admin_password }}
+      - PROXY_ADDRESS_FORWARDING=true
+      - KC_PROXY=edge
+      - KC_LOG_LEVEL=ALL
+      - KC_DB_URL_HOST=postgres
+      - KC_DB_USERNAME=keycloak
+      - KC_DB_PASSWORD={{ keycloak_postgres_password }}
+      - KC_HEALTH_ENABLED=true
+      - KC_METRICS_ENABLED=true
+      - KC_DB=postgres
+      - KEYCLOAK_LOGLEVEL=WARN
+    restart: unless-stopped
+    ports:
+    - 5050:8080
+    depends_on:
+    - postgres
+    secrets:
+    - postgres_password
+    volumes:
+    - /data/atlantis-keycloak-themes/themes/:/opt/keycloak/themes/
+  postgres:
+    container_name: postgres-container
+    image: postgres:15.1
+    environment:
+      - POSTGRES_DB=keycloak
+      - POSTGRES_PASSWORD_FILE=/run/secrets/postgres_password
+      - POSTGRES_USER=keycloak
+    restart: unless-stopped
+    secrets:
+    - postgres_password
+    volumes:
+    - /data/keycloak-postgres/:/var/lib/postgresql/data
+
+secrets:
+  postgres_password:
+    file: postgres_password
+
+volumes:
+  postgres-data:
+
+...

roles/usermanagement/templates/ldap.conf

@@ -0,0 +1,2 @@
+BASE {{ ldap_bind_dn }}
+URI {{ ldap_connection_url }}

roles/usermanagement/templates/postgres_password

@@ -0,0 +1 @@
+{{ keycloak_postgres_password }}

roles/usermanagement/templates/slapd-custom.service

@@ -0,0 +1,29 @@
+[Unit]
+Description=Slapd Custom Service
+
+[Service]
+
+Type=forking
+ExecStart=/usr/sbin/slapd -f /etc/ldap/slapd.conf -h "ldap:///"
+
+User=openldap
+Group=openldap
+
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+
+Restart=on-failure
+
+PrivateTmp=yes
+ProtectSystem=full
+ProtectHome=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectControlGroups=yes
+NoNewPrivileges=yes
+MountFlags=private
+SystemCallArchitectures=native
+PrivateDevices=yes
+
+[Install]
+WantedBy=multi-user.target

roles/usermanagement/templates/slapd.conf

@@ -0,0 +1,29 @@
+modulepath /usr/lib/ldap/
+moduleload back_bdb.la
+
+pidfile         /var/lib/ldap/slapd.pid
+argsfile        /var/lib/ldap/slapd.args
+
+include /etc/ldap/schema/core.schema
+include /etc/ldap/schema/cosine.schema
+include /etc/ldap/schema/inetorgperson.schema
+include /etc/ldap/schema/nis.schema
+include /etc/ldap/schema/verification.schema
+
+database    bdb
+suffix      "{{ ldap_suffix }}"
+rootdn      "{{ ldap_bind_dn }}"
+rootpw      {SSHA}6nIaokLhkEKaA3i33QsWiRov+jDIvx7l
+
+#TLSCACertificateFile  /etc/ssl/certs/ca-certificates.crt
+#TLSCertificateFile    /etc/letsencrypt/live/ldap.atlantishq.de/cert.pem
+#TLSCertificateKeyFile /etc/letsencrypt/live/ldap.atlantishq.de/privkey.pem
+TLSVerifyClient try
+
+
+logfile /var/log/slapd.log
+#loglevel -1
+loglevel none
+
+directory /var/lib/ldap/
+cachesize 2000