From df204a7b666bb09c17dbd0856cbe09386fd25f04 Mon Sep 17 00:00:00 2001
From: Olivier Navas <olivier.navas@libretic.fr>
Date: Sat, 30 Apr 2022 13:01:01 +0200
Subject: [PATCH] Premier commit

---
 README.md                         | 59 +++++++++++++++++++++++++++++++
 defaults/main.yml                 |  1 +
 handlers/main.yml                 | 10 ++++++
 tasks/configure_reverse_proxy.yml | 11 ++++++
 tasks/main.yml                    | 15 ++++++++
 templates/0_vhost.conf            |  2 ++
 templates/1_vhost_additional.conf |  1 +
 templates/2_mds_exclusion.conf    |  2 ++
 templates/config.php              | 50 ++++++++++++++++++++++++++
 templates/docker-compose.yml      | 23 ++++++++++++
 10 files changed, 174 insertions(+)
 create mode 100644 README.md
 create mode 100644 defaults/main.yml
 create mode 100644 handlers/main.yml
 create mode 100644 tasks/configure_reverse_proxy.yml
 create mode 100644 tasks/main.yml
 create mode 100644 templates/0_vhost.conf
 create mode 100644 templates/1_vhost_additional.conf
 create mode 100644 templates/2_mds_exclusion.conf
 create mode 100644 templates/config.php
 create mode 100644 templates/docker-compose.yml

diff --git a/README.md b/README.md
new file mode 100644
index 0000000..2f4c542
--- /dev/null
+++ b/README.md
@@ -0,0 +1,59 @@
+# Role : docker_kanboard
+
+
+## Services fournis
+
+- main.yml : Installation de kanboard sur un serveur docker_host - 
+
+Kanboard est configuré en lien avec un annuaire LDAP pour l'authentification
+
+
+- configure_reverse_proxy.yml : Configuration d'un reverse proxy préalablement installé par le role reverse_proxy
+
+
+## Variables
+
+Fournir les variables suivantes. Par exemple :
+
+```yaml
+docker_kanboard_fqdn: kanboard.libretic.fr
+docker_kanboard_data_dir: /data1
+docker_kanboard_service_id: kanboard
+docker_kanboard_rp_cert: LE
+docker_kanboard_rp_docker_host: machine.domaine.local
+docker_kanboard_ldap_server: mon-serveur-ldap.domaine.local
+docker_kanboard_ldab_binddn: uid=compte-service-kanboard,ou=comptes-de-service,dc=domaine,dc=local
+docker_kanboard_ldap_bindpwd: mdp_du_compte_de_service
+docker_kanboard_ldap_users_base: ou=utilisateurs,dc=domaine,dc=local
+docker_kanboard_ldap_users_filter: uid=%s
+docker_kanboard_ldap_group_admin_dn: cn=administrateurs-kanboard,ou=groupes,dc=domaine,dc=local
+docker_kanboard_ldap_group_manager_dn: cn=managers-kanboard,ou=groupes,dc=domaine,dc=local
+docker_kanboard_ldap_groups_base: ou=groupes,dc=domaine,dc=local
+docker_kanboard_ldap_groups_filter: "(&(objectClass=groupOfUniqueNames)(cn=%s*))"
+docker_kanboard_mail_from: nepasrepondre@libretic.fr
+docker_kanboard_mail_server: smtp-server.domaine.local
+docker_kanboard_mail_helo: machine.domaine.local
+```
+
+| Option                                | Valeur par défaut | Description                                                                               |
+|---------------------------------------|-------------------|-------------------------------------------------------------------------------------------|
+| docker_kanboard_fqdn                  |                   | Le nom de domaine pour lequel le service kanboard répond                                  |
+| docker_kanboard_data_dir              |                   | L'emplacement dans lequel se trouvent les volumes de donnees docker pour le service       |
+| docker_kanboard_service_id            |                   | Le nom de service souhaité : conditionne le nommage des volumes et le routage par traefik |
+| docker_kanboard_ssh_port              | 222               | Le numero de port local pour l'accès à kanboard par ssh                                   |
+| docker_kanboard_rp_docker_host        |                   | pour configure_reverse_proxy.yml: fqdn de la machine contenant le conteneur docker        |
+| docker_kanboard_rp_cert               | LE                | Type de certificat pour le reverse proxy (LE = letsencrypt)                               |
+| docker_kanboard_ldap_server           |                   | Adresse du serveur LDAP                                                                   |
+| docker_kanboard_ldab_binddn           |                   | DN du compte de service de connexion à l'annuaire LDAP                                    |
+| docker_kanboard_ldap_bindpwd          |                   | Mot de passe du compte de service de connexion à l'annuaire LDAP                          |
+| docker_kanboard_ldap_users_base       |                   | DN du noeud de départ pour la recherche des utilisateurs                                  |
+| docker_kanboard_ldap_users_filter     |                   | Filtre de recherche des utilisateurs                                                      |
+| docker_kanboard_ldap_group_admin_dn   |                   | DN du groupe des administrateurs de kanboard                                              |
+| docker_kanboard_ldap_group_manager_dn |                   | DN du groupe des managers de kanboard                                                     |
+| docker_kanboard_ldap_groups_base      |                   | DN du noeud de départ pour la recherche des groupes                                       |
+| docker_kanboard_ldap_groups_filter    |                   | Filtre de recherche des groupes                                                           |
+| docker_kanboard_mail_from             |                   | Adresse email émettrice des messages envoyés par kanboard                                 |
+| docker_kanboard_mail_server           |                   | Adresse du serveur SMTP pour l'envoi de mails                                             |
+| docker_kanboard_mail_helo             |                   | fqdn présenté pour le helo smtp                                                           |
+
+
diff --git a/defaults/main.yml b/defaults/main.yml
new file mode 100644
index 0000000..611869c
--- /dev/null
+++ b/defaults/main.yml
@@ -0,0 +1 @@
+docker_kanboard_rp_cert: LE
diff --git a/handlers/main.yml b/handlers/main.yml
new file mode 100644
index 0000000..a416e03
--- /dev/null
+++ b/handlers/main.yml
@@ -0,0 +1,10 @@
+- name: docker-compose-up
+  shell: |
+    docker-compose up -d
+  args:
+    chdir: /opt/{{ docker_kanboard_service_id }}/
+
+- name: reverse-proxy-reload
+  service:
+    name: apache2
+    state: reloaded
diff --git a/tasks/configure_reverse_proxy.yml b/tasks/configure_reverse_proxy.yml
new file mode 100644
index 0000000..8563d01
--- /dev/null
+++ b/tasks/configure_reverse_proxy.yml
@@ -0,0 +1,11 @@
+- name: prepare reverse_proxy
+  template:
+    src: "{{ item }}"
+    dest: /etc/apache2/vhosts.d/{{ docker_kanboard_fqdn }}/
+  with_items:
+    - 0_vhost.conf
+    - 1_vhost_additional.conf
+    - 2_mds_exclusion.conf
+  notify: reverse-proxy-reload
+  
+
diff --git a/tasks/main.yml b/tasks/main.yml
new file mode 100644
index 0000000..88ae370
--- /dev/null
+++ b/tasks/main.yml
@@ -0,0 +1,15 @@
+- name: docker directory
+  file:
+    path: /opt/{{ docker_kanboard_service_id }}/
+    state: directory
+
+- name: prepare docker-compose.yml
+  template:
+    src: "{{ item }}"
+    dest: /opt/{{ docker_kanboard_service_id }}/
+  with_items:
+    - docker-compose.yml
+    - config.php
+  notify: docker-compose-up
+  
+
diff --git a/templates/0_vhost.conf b/templates/0_vhost.conf
new file mode 100644
index 0000000..bc30671
--- /dev/null
+++ b/templates/0_vhost.conf
@@ -0,0 +1,2 @@
+# {{ ansible_managed }}
+Use vhost_HTTPS_Generic {{ docker_kanboard_fqdn }} {{ docker_kanboard_rp_cert }} http {{ docker_kanboard_rp_docker_host }} info OpenAccessPolicy BlockCrawlerIndexing On
diff --git a/templates/1_vhost_additional.conf b/templates/1_vhost_additional.conf
new file mode 100644
index 0000000..e2bb153
--- /dev/null
+++ b/templates/1_vhost_additional.conf
@@ -0,0 +1 @@
+# {{ ansible_managed }}
diff --git a/templates/2_mds_exclusion.conf b/templates/2_mds_exclusion.conf
new file mode 100644
index 0000000..ab0d77f
--- /dev/null
+++ b/templates/2_mds_exclusion.conf
@@ -0,0 +1,2 @@
+# {{ ansible_managed }}
+
diff --git a/templates/config.php b/templates/config.php
new file mode 100644
index 0000000..e200907
--- /dev/null
+++ b/templates/config.php
@@ -0,0 +1,50 @@
+<?php
+//
+// {{ ansible_managed }}
+//
+
+defined('ENABLE_URL_REWRITE') or define('ENABLE_URL_REWRITE', true);
+defined('LOG_DRIVER') or define('LOG_DRIVER', 'system');
+
+// LDAP Configuration
+define('LDAP_AUTH', true);
+define('LDAP_SERVER', '{{ docker_kanboard_ldap_server }}');
+define('LDAP_PORT', 389);
+define('LDAP_BIND_TYPE', 'proxy');
+define('LDAP_USERNAME', '{{ docker_kanboard_ldab_binddn }}');
+define('LDAP_PASSWORD', '{{ docker_kanboard_ldap_bindpwd }}');
+define('LDAP_USER_BASE_DN', '{{ docker_kanboard_ldap_users_base }}');
+define('LDAP_USER_FILTER', '{{ docker_kanboard_ldap_users_filter }}');
+define('LDAP_GROUP_ADMIN_DN', '{{ docker_kanboard_ldap_group_admin_dn }}');
+define('LDAP_GROUP_MANAGER_DN', '{{ docker_kanboard_ldap_group_manager_dn }}');
+define('LDAP_GROUP_PROVIDER', true);
+define('LDAP_GROUP_BASE_DN', '{{ docker_kanboard_ldap_groups_base }}');
+define('LDAP_GROUP_FILTER', '{{ docker_kanboard_ldap_groups_filter }}');
+
+
+// Enable/disable email configuration from the user interface
+define('MAIL_CONFIGURATION', true);
+
+// E-mail address used for the "From" header (notifications)
+define('MAIL_FROM', '{{ docker_kanboard_mail_from }}');
+
+// Mail transport to use: "smtp", "sendmail" or "mail" (PHP mail function)
+define('MAIL_TRANSPORT', 'smtp');
+
+// SMTP configuration to use when the "smtp" transport is chosen
+define('MAIL_SMTP_HOSTNAME', '{{ docker_kanboard_mail_server }}');
+define('MAIL_SMTP_PORT', 25);
+define('MAIL_SMTP_USERNAME', '');
+define('MAIL_SMTP_PASSWORD', '');
+define('MAIL_SMTP_HELO_NAME', '{{ docker_kanboard_mail_helo }}'); // valid: null (default), or FQDN
+define('MAIL_SMTP_ENCRYPTION', null); // Valid values are "null", "ssl" or "tls"
+
+
+// Enable captcha after 3 authentication failure
+define('BRUTEFORCE_CAPTCHA', 3);
+
+// Lock the account after 6 authentication failure
+define('BRUTEFORCE_LOCKDOWN', 6);
+
+// Lock account duration in minute
+define('BRUTEFORCE_LOCKDOWN_DURATION', 15);
diff --git a/templates/docker-compose.yml b/templates/docker-compose.yml
new file mode 100644
index 0000000..75fbffb
--- /dev/null
+++ b/templates/docker-compose.yml
@@ -0,0 +1,23 @@
+# {{ ansible_managed }}
+version: '3.1'
+
+services:
+  kanboard:
+    image: kanboard/kanboard:latest
+    volumes:
+      - ./config.php:/var/www/app/config.php
+      - {{ docker_kanboard_data_dir }}/{{ docker_kanboard_service_id }}/kanboard_data:/var/www/app/data
+      - {{ docker_kanboard_data_dir }}/{{ docker_kanboard_service_id }}/kanboard_plugins:/var/www/app/plugins
+    restart: always
+    labels:
+      - "traefik.enable=true"
+      - "traefik.docker.network=traefik"
+      - "traefik.http.routers.{{ docker_kanboard_service_id }}.entrypoints=web"
+      - "traefik.http.routers.{{ docker_kanboard_service_id }}.rule=Host(`{{ docker_kanboard_fqdn }}`)"
+      - "traefik.http.services.{{ docker_kanboard_service_id }}.loadbalancer.server.port=80"
+    networks:
+      - traefik
+
+networks:
+  traefik:
+    external: true