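---

# Default variables for the Lemonldap::NG (LLNG) role.

# Which LLNG components to deploy on this host
llng_handler: true
llng_portal: false
llng_manager: false

# Either httpd or nginx
llng_server: httpd

# When using nginx, you can choose between fastcgi or uwsgi
# uwsgi is faster but doesn't handle UTF-8 in the portal
# so default is fastcgi. This setting has no effect when llng_server == 'httpd'
llng_engine: fastcgi

llng_portal_vhost: "auth.{{ ansible_domain }}"
llng_api_vhost: "sso-api.{{ ansible_domain }}"
llng_manager_vhost: "sso-manager.{{ ansible_domain }}"

# If llng_portal and llng_manager are both set to false (only the handler is deployed),
# which conf backend to use. Can be api or mysql
llng_conf_backend: api
# The sessions backend follows the conf backend unless overridden
llng_sessions_backend: "{{ llng_conf_backend }}"

# If using the REST API as backend, you must configure the URL endpoint
# llng_api_conf_url: https://auth.example.org/index.psgi/config
# llng_api_sessions_url: https://auth.example.org/index.psgi/sessions/global

# List of IP allowed to access SOAP endpoints
# Empty or undefined disables the api endpoints
llng_api_src_ip: []

# List of IP allowed to access the manager
# NOTE(review): trusted_ip is defined outside this file; check what it contains
# on each host before relying on it to restrict the manager
llng_manager_src_ip: "{{ trusted_ip }}"

# List of IP allowed to call the reload URI
llng_reload_src_ip: "{{ ansible_all_ipv4_addresses + ['127.0.0.1'] }}"

# When the manager sends requests to handlers to reload their config,
# should these requests use the globally defined proxy.
# This is often not wanted because you want to limit access to the reload
# endpoint only from the manager IP, not from a proxy
llng_reload_use_proxy: false

# If defined, access to api endpoints will require basic auth.
# Basic auth credentials are only base64-encoded on the wire, so serve the api
# vhost over TLS (see llng_api_ssl below).
# NOTE(review): llng_api_user has a default but llng_api_pass does not; confirm
# how the role behaves when only the user is set.
llng_api_user: lemonldapapi
# Example value only. Set your own, preferably from an Ansible Vault variable
# llng_api_pass: sEcr3t.P@ssw0rd
# If basic auth is used to access the API, you must set the realm
llng_api_realm: 'Lemonldap::NG API'

# SSL for vhosts
# llng_portal_ssl:
#   letsencrypt_cert: auth.{{ ansible_domain }}
#
# Or
#
# llng_portal_ssl:
#   cert: /etc/pki/tls/cert/mycert.crt
#   key: /etc/pki/tls/private/mykey.key
#   cert_chain: /etc/pki/tls/cert/mychain.crt
#
# Same keys exist for api and manager (llng_api_ssl and llng_manager_ssl)

# Path to a CA cert if using SSL auth
# llng_portal_ssl.ca: /etc/pki/tls/privateca.crt

# How the manager is protected. Can be none, authenticate, manager, or directly an access rule
# NOTE(review): 'none' presumably leaves llng_manager_src_ip as the only
# restriction on the manager; confirm in the role's templates before using it
llng_manager_protection: manager

# Possibility to use a MySQL backend
llng_db_server: "{{ mysql_server | default('localhost') }}"
llng_db_name: lemonldapng
llng_db_user: lemonldapng
llng_handler_db_user: lemonldapnghandler
# Example value only. Set your own, preferably from an Ansible Vault variable
# llng_db_pass: s3cr3t.
# llng_handler_db_pass
# Should database connections use SSL
# Off by default: when llng_db_server is not localhost, database traffic
# crosses the network unencrypted unless this is enabled
llng_db_ssl: false
llng_db_ssl_ca: /etc/pki/tls/cert.pem

# Number of llng-fastcgi-server or uwsgi workers. The upstream default is 7
# but you might need to adjust to your load
llng_workers: 6

# Sessions are cached locally for performance reasons. You can set the duration
# (in seconds) for which the cache will be considered valid
llng_session_cache: 300

# You can inject a custom configuration in lemonldap-ng.ini (all section)
# llng_custom_config: |
#   messageBrokerOptions = { \
#     'server' => 'lemonldap-ng-valkey.example.org:6379', \
#     'ssl' => 1, \
#     'password' => '{{ vault_llng_redis_pwd }}' \
#   }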