---
# Host UID that owns everything the ldap container touches (directories and
# TLS material below). It is presumably the image's service user mapped
# through ansible_user's subuid range — TODO confirm against /etc/subuid and
# the image's UID before changing it. Quoted so YAML keeps it a string.
- name: Set ldap container subuid
  ansible.builtin.set_fact:
    ldap_subuid: "100999"
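# Directory layout for the container, owned by the container's host UID with
# svadmins as group. The parent and the ssl directory deliberately do not
# grant group write: a group member with write access to the directory could
# rename or replace ldap.key (deployed 0400 below) regardless of the file
# mode. Only Ansible writes there (the deploy task uses become) and the
# container mounts ssl read-only, so 0750 is sufficient. data keeps group
# write as before; the container owns it, so 0750 would likely work too —
# TODO confirm no svadmins member relies on writing here without sudo.
- name: Create ldap directory
  ansible.builtin.file:
    path: "{{ node['home_path'] }}/containers/{{ item.path }}"
    owner: "{{ ldap_subuid }}"
    group: "svadmins"
    state: "directory"
    mode: "{{ item.mode }}"
  loop:
    - path: "ldap"
      mode: "0750"
    - path: "ldap/data"
      mode: "0770"
    - path: "ldap/ssl"
      mode: "0750"
  become: true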
# TLS material for the container, taken from the console host's vars: the
# root CA (referenced by sslrootcert in the database URL below), the server
# chain (leaf first, then intermediate) and the private key. Certificates are
# group-readable (0440); the key is owner-only (0400), owned by the
# container's host UID. no_log keeps the key out of logs; notify restarts
# the service when any file changes.
# NOTE(review): nothing validates the PEM before it is written and the
# restart fires; a `validate:` step with openssl would catch a broken chain
# early if openssl is available on the node — confirm before adding.
- name: Deploy ldap certificate and key
  ansible.builtin.copy:
    # Block scalar guarantees a trailing newline after the PEM.
    content: |
      {{ item.value }}
    dest: "{{ node['home_path'] }}/containers/ldap/ssl/{{ item.name }}"
    owner: "{{ ldap_subuid }}"
    group: "svadmins"
    mode: "{{ item.mode }}"
  loop:
    - name: "ilnmors_root_ca.crt"
      value: "{{ hostvars['console']['ca']['root']['crt'] }}"
      mode: "0440"
    # trim drops trailing whitespace from the leaf so the intermediate follows
    # on the very next line without a blank gap.
    - name: "ldap.crt"
      value: |
        {{ hostvars['console']['ldap']['crt'] | trim }}
        {{ hostvars['console']['ca']['intermediate']['crt'] }}
      mode: "0440"
    - name: "ldap.key"
      value: "{{ hostvars['console']['ldap']['key'] }}"
      mode: "0400"
  become: true
  notify: "notification_restart_ldap"
  no_log: true
# Runtime secrets for the ldap container, stored in podman's secret store.
# No become here, so presumably ansible_user's rootless store — the same one
# the user-scope quadlet at the end of this file runs under. The init
# container below consumes them as env (type=env). `force: true` is
# presumably needed so an existing secret is replaced when its value changes.
# NOTE(review): if the installed containers.podman version reports `changed`
# on every run under force, the notify below restarts LDAP on every play —
# confirm the task is idempotent.
- name: Register secret value to podman secret
  containers.podman.podman_secret:
    name: "{{ item.name }}"
    data: "{{ item.value }}"
    state: "present"
    force: true
  loop:
    # urlencode doesn't fix `/` as `%2F`. It needs replace
    # sslmode=verify-full pins the server identity to the root CA deployed
    # above; the sslrootcert path matches the ssl mount used by the init
    # container below — confirm the quadlet mounts it at the same path.
    - name: "LLDAP_DATABASE_URL"
      value: "postgres://ldap:{{ hostvars['console']['postgresql']['password']['ldap'] | urlencode | replace('/', '%2F') }}\
        @{{ infra_uri['postgresql']['domain'] }}/ldap_db?sslmode=verify-full&sslrootcert=/etc/ssl/ldap/ilnmors_root_ca.crt"
    - name: "LLDAP_KEY_SEED"
      value: "{{ hostvars['console']['ldap']['seed_key'] }}"
    - name: "LLDAP_JWT_SECRET"
      value: "{{ hostvars['console']['ldap']['jwt_secret'] }}"
  notify: "notification_restart_ldap"
  no_log: true
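# One-shot bootstrap of the LLDAP database. Disabled with `when: false`;
# enable it only for a fresh ldap_db in postgresql, then disable it again.
# The admin password is needed only for this run, so it is stored as a
# podman secret for the container's lifetime and removed in `always`.
# NOTE(review): this block runs under become (root), while the secrets
# registered above are created without become — presumably in ansible_user's
# rootless store, which is also what the user-scope quadlet at the end of
# this file uses. Confirm root's podman can resolve LLDAP_DATABASE_URL,
# LLDAP_KEY_SEED and LLDAP_JWT_SECRET here; otherwise drop `become: true`.
- name: Initiate ldap (When = false, If DB data does not exist in postgresql, activate this block)
  when: false
  become: true
  block:
    # no_log so the admin password never lands in logs or -v output, matching
    # the other secret tasks in this file.
    - name: Register extra secret value to podman secret
      containers.podman.podman_secret:
        name: "LLDAP_LDAP_USER_PASSWORD"
        data: "{{ hostvars['console']['ldap']['password']['user'] }}"
        state: "present"
        force: true
      no_log: true
    # You must check the image version first (following container file on
    # data/config/containers/infra/ldap/ldap.container)
    - name: Initiate ldap
      containers.podman.podman_container:
        name: "init_LLDAP"
        image: "docker.io/lldap/lldap:{{ version['containers']['ldap'] }}"
        rm: true          # one-shot container: remove it once it exits
        detach: false     # block until initialisation has finished
        env:
          TZ: "Asia/Seoul"
          LLDAP_LDAP_BASE_DN: "dc=ilnmors,dc=internal"
        # Secrets reach the process as environment variables, not CLI args.
        secrets:
          - "LLDAP_DATABASE_URL,type=env"
          - "LLDAP_KEY_SEED,type=env"
          - "LLDAP_JWT_SECRET,type=env"
          - "LLDAP_LDAP_USER_PASSWORD,type=env"
        volumes:
          - "{{ node['home_path'] }}/containers/ldap/data:/data:rw"
          - "{{ node['home_path'] }}/containers/ldap/ssl:/etc/ssl/ldap:ro"
  always:
    # Remove the one-time admin password secret even if initialisation failed.
    - name: Clean extra secret value from podman secret
      containers.podman.podman_secret:
        name: "LLDAP_LDAP_USER_PASSWORD"
        state: "absent"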
# Quadlet unit for the service, rendered from the console host's config tree
# into ansible_user's user-scope systemd directory (no become: the service
# runs as the user). 0644 is acceptable only if the template carries no
# secret values — it should reference the podman secrets above by name;
# TODO confirm against ldap.container.j2.
- name: Deploy container file
  ansible.builtin.template:
    src: "{{ hostvars['console']['node']['config_path'] }}/services/containers/infra/ldap/ldap.container.j2"
    dest: "{{ node['home_path'] }}/.config/containers/systemd/ldap.container"
    owner: "{{ ansible_user }}"
    group: "svadmins"
    mode: "0644"
  notify: "notification_restart_ldap"
# Start the user-scope service generated from the .container file above;
# daemon_reload is presumably what makes systemd (re)generate ldap.service
# from it.
# NOTE(review): generated units normally cannot be enabled with
# `systemctl enable`; whether `enabled: true` is a no-op or an error here
# depends on the Ansible version and the unit's [Install] section — confirm
# on the node. A user-scope service also needs lingering for ansible_user to
# survive logout; nothing in this file sets that up.
- name: Enable ldap
  ansible.builtin.systemd:
    name: "ldap.service"
    state: "started"
    enabled: true
    daemon_reload: true
    scope: "user"