OpenConext · mrvanes · Mar 19, 2026 · Mar 25, 2026 · Mar 26, 2026 · Mar 26, 2026
diff --git a/roles/haproxy/templates/haproxy_backend.cfg.j2 b/roles/haproxy/templates/haproxy_backend.cfg.j2
@@ -67,3 +67,18 @@
   {% endfor %}
 {% endif %}
 {% endfor %}
+
+{% if haproxy_ldap_servers is defined %}
+#---------------------------------------------------------------------
+# ldap backend
+#---------------------------------------------------------------------
+backend ldap_servers
+  mode    tcp
+  option  tcpka
+
+  option ldap-check
+
+  {% for server in haproxy_ldap_servers -%}
+  server {{server.label}} {{server.ip}}:{{server.port}} ssl verify none check weight 10 {% if loop.index==1 %}on-marked-up shutdown-backup-sessions{% else %}backup{% endif %}
+  {% endfor %}
+{% endif %}
diff --git a/roles/haproxy/templates/haproxy_frontend.cfg.j2 b/roles/haproxy/templates/haproxy_frontend.cfg.j2
@@ -12,8 +12,8 @@ frontend stats
 # -------------------------------------------------------------------
 frontend internet_ip
 
-    bind {{ haproxy_sni_ip.ipv4 }}:443 ssl crt-list /etc/haproxy/maps/certlist.lst ssl crt /etc/haproxy/certs/ no-sslv3 no-tlsv10 no-tlsv11 alpn h2,http/1.1 transparent 
-    bind {{ haproxy_sni_ip.ipv6 }}:443 ssl crt-list /etc/haproxy/maps/certlist.lst ssl crt /etc/haproxy/certs/  no-sslv3 no-tlsv10 no-tlsv11 alpn h2,http/1.1 transparent 
+    bind {{ haproxy_sni_ip.ipv4 }}:443 ssl crt-list /etc/haproxy/maps/certlist.lst ssl crt /etc/haproxy/certs/ no-sslv3 no-tlsv10 no-tlsv11 alpn h2,http/1.1 transparent
+    bind {{ haproxy_sni_ip.ipv6 }}:443 ssl crt-list /etc/haproxy/maps/certlist.lst ssl crt /etc/haproxy/certs/  no-sslv3 no-tlsv10 no-tlsv11 alpn h2,http/1.1 transparent
     bind {{ haproxy_sni_ip.ipv4 }}:80 transparent
     bind {{ haproxy_sni_ip.ipv6 }}:80 transparent
     # Logging is done in the local_ip backend, otherwise all requests are logged twice
@@ -30,7 +30,7 @@ frontend internet_ip
     http-request redirect scheme https code 301 if !{ ssl_fc }
     # Log the user agent in the httplogs
     capture request header User-agent len 256
-    # Put the useragent header in a variable, shared between request and response. 
+    # Put the useragent header in a variable, shared between request and response.
     http-request set-var(txn.useragent) req.fhdr(User-Agent)
     # The ACL below makes sure only supported http methods are allowed
     acl valid_method method {{ haproxy_supported_http_methods }}
@@ -51,7 +51,7 @@ frontend internet_ip
     http-response replace-header Set-Cookie (?i)(^(?!.*samesite).*$) \1;\ SameSite=None if !no_same_site_uas
     # Remove an already present SameSite cookie attribute for unsupported browsers
     http-response replace-value Set-Cookie (^.*)(?i);\ *SameSite=(Lax|Strict|None)(.*$) \1\3 if no_same_site_uas
-    # Log whether the no_same_site_uas ACL has been hit 
+    # Log whether the no_same_site_uas ACL has been hit
     http-request set-header samesitesupport samesite_notsupported if no_same_site_uas
     http-request set-header samesitesupport samesite_supported if !no_same_site_uas
     # We need a dummy backend in order to be able to rewrite the loadbalancer cookies
@@ -66,7 +66,7 @@ frontend local_ip
     acl valid_vhost hdr(host) -f /etc/haproxy/acls/validvhostsunrestricted.acl
     acl staging req.cook(staging) -m str true
     acl staging src -f /etc/haproxy/acls/stagingips.acl
-    acl stagingvhost hdr(host) -i -M -f /etc/haproxy/maps/backendsstaging.map 
+    acl stagingvhost hdr(host) -i -M -f /etc/haproxy/maps/backendsstaging.map
     use_backend %[req.hdr(host),lower,map(/etc/haproxy/maps/backendsstaging.map)] if stagingvhost staging
     use_backend %[req.hdr(host),lower,map(/etc/haproxy/maps/backends.map)]
     option httplog
@@ -82,7 +82,7 @@ frontend local_ip
     http-request capture sc_http_req_rate(0) len 4
     # Create an ACL when the request rate exceeds {{ haproxy_max_request_rate }} per 10s
     acl exceeds_max_request_rate_per_ip sc_http_req_rate(0) gt {{ haproxy_max_request_rate }}
-    # Measure and log the request rate per path and ip 
+    # Measure and log the request rate per path and ip
     http-request track-sc1 base32+src table st_httpreqs_per_ip_and_path
     http-request capture sc_http_req_rate(1) len 4
     # Some paths allow for a higher ratelimit. These are in a seperate mapfile
@@ -96,7 +96,7 @@ frontend local_ip
     http-request deny if ! valid_vhost
     # Deny the request when the request rate exceeds {{ haproxy_max_request_rate }} per 10s
     http-request deny deny_status 429 if exceeds_max_request_rate_per_ip !allowlist
-    # Deny the request when the request rate per host header url path and src ip exceeds {{ haproxy_max_request_rate_ip_path }} per 1 m 
+    # Deny the request when the request rate per host header url path and src ip exceeds {{ haproxy_max_request_rate_ip_path }} per 1 m
     http-request deny deny_status 429 if exceeds_max_request_rate_per_ip_and_path !allowlist
     # Create some http redirects
     {% if haproxy_securitytxt_target_url is defined %}
@@ -111,8 +111,8 @@ frontend local_ip
 ## -------------------------------------------------------------------
 frontend internet_restricted_ip
 
-    bind {{ haproxy_sni_ip_restricted.ipv4 }}:443 ssl crt-list /etc/haproxy/maps/certlist.lst ssl crt /etc/haproxy/certs/ no-sslv3 no-tlsv10 no-tlsv11 alpn h2,http/1.1 transparent 
-    bind {{ haproxy_sni_ip_restricted.ipv6 }}:443 ssl crt-list /etc/haproxy/maps/certlist.lst ssl crt /etc/haproxy/certs/ no-sslv3 no-tlsv10 no-tlsv11 alpn h2,http/1.1 transparent 
+    bind {{ haproxy_sni_ip_restricted.ipv4 }}:443 ssl crt-list /etc/haproxy/maps/certlist.lst ssl crt /etc/haproxy/certs/ no-sslv3 no-tlsv10 no-tlsv11 alpn h2,http/1.1 transparent
+    bind {{ haproxy_sni_ip_restricted.ipv6 }}:443 ssl crt-list /etc/haproxy/maps/certlist.lst ssl crt /etc/haproxy/certs/ no-sslv3 no-tlsv10 no-tlsv11 alpn h2,http/1.1 transparent
     bind {{ haproxy_sni_ip_restricted.ipv4 }}:80 transparent
     bind {{ haproxy_sni_ip_restricted.ipv6 }}:80 transparent
     # Logging is done in the local_ip_restriced backend, otherwise all requests are logged twice
@@ -128,8 +128,8 @@ frontend internet_restricted_ip
     # We redirect all port 80 to port 443
     http-request redirect scheme https code 301 if !{ ssl_fc }
     # Log the user agent in the httplogs
-    capture request header User-agent len 256 
-    # Put the useragent header in a variable, shared between request and response. 
+    capture request header User-agent len 256
+    # Put the useragent header in a variable, shared between request and response.
     http-request set-var(txn.useragent) req.fhdr(User-Agent)
     # The ACL below makes sure only supported http methods are allowed
     acl valid_method method {{ haproxy_supported_http_methods }}
@@ -155,12 +155,12 @@ frontend internet_restricted_ip
 #  frontend restricted ip addresses localhost
 #  traffic coming back from the dummy backend ends up here
 # -------------------------------------------------------------------
-frontend localhost_restricted    
+frontend localhost_restricted
     bind 127.0.0.1:82 accept-proxy
     acl valid_vhost hdr(host) -f /etc/haproxy/acls/validvhostsrestricted.acl
     acl staging req.cook(staging) -m str true
     acl staging src -f /etc/haproxy/acls/stagingips.acl
-    acl stagingvhost hdr(host) -i -M -f /etc/haproxy/maps/backendsstaging.map 
+    acl stagingvhost hdr(host) -i -M -f /etc/haproxy/maps/backendsstaging.map
     use_backend %[req.hdr(host),lower,map(/etc/haproxy/maps/backendsstaging.map)] if stagingvhost staging
     use_backend %[req.hdr(host),lower,map(/etc/haproxy/maps/backends.map)]
     option httplog
@@ -177,7 +177,7 @@ frontend localhost_restricted
     # Create an ACL when the request rate exceeds {{ haproxy_max_request_rate }} per 10s
     acl exceeds_max_request_rate_per_ip sc_http_req_rate(0) gt {{ haproxy_max_request_rate }}
     http-request deny deny_status 429 if exceeds_max_request_rate_per_ip !allowlist
-    # Measure and log the request rate per path and ip 
+    # Measure and log the request rate per path and ip
     http-request track-sc1 base32+src table st_httpreqs_per_ip_and_path
     http-request capture sc_http_req_rate(1) len 4
     # Some paths allow for a higher ratelimit. These are in a seperate mapfile
@@ -191,7 +191,7 @@ frontend localhost_restricted
     http-request deny if ! valid_vhost
     # Deny the request when the request rate exceeds {{ haproxy_max_request_rate }} per 10s
     http-request deny deny_status 429 if exceeds_max_request_rate_per_ip !allowlist
-    # Deny the request when the request rate per host header url path and src ip exceeds {{ haproxy_max_request_rate_ip_path }} per 1 m 
+    # Deny the request when the request rate per host header url path and src ip exceeds {{ haproxy_max_request_rate_ip_path }} per 1 m
     http-request deny deny_status 429 if exceeds_max_request_rate_per_ip_and_path !allowlist
     # Create some http redirects
     {% if haproxy_securitytxt_target_url is defined %}
@@ -201,3 +201,19 @@ frontend localhost_restricted
     http-request redirect location %[base,map_reg(/etc/haproxy/maps/redirects.map)] if { base,map_reg(/etc/haproxy/maps/redirects.map) -m found }
 
 {% endif %}
+
+{% if haproxy_ldap_servers is defined %}
+#--------------------------------------------------------------------
+#  frontend public ips ldap
+# -------------------------------------------------------------------
+listen ldap
+  mode tcp
+  no option dontlognull
+  option tcplog
+  option  logasap
+  timeout client 900s
+  timeout server 901s
+  bind {{ haproxy_sni_ip.ipv4 }}:636 ssl crt-list /etc/haproxy/maps/certlist.lst ssl crt /etc/haproxy/certs/ no-sslv3 no-tlsv10 no-tlsv11 transparent
+  bind {{ haproxy_sni_ip.ipv6 }}:636 ssl crt-list /etc/haproxy/maps/certlist.lst ssl crt /etc/haproxy/certs/ no-sslv3 no-tlsv10 no-tlsv11 transparent
+  use_backend ldap_servers
+{% endif %}
diff --git a/roles/mailpit/defaults/main.yml b/roles/mailpit/defaults/main.yml
@@ -0,0 +1,8 @@
+---
+mailpit: "{{ mailpit_defaults | combine(mailpit_overrides, recursive=true) }}"
+
+mailpit_defaults:
+  image: "axllent/mailpit"
+  hostname: "mailpit.{{ base_domain }}"
+  user: "mailpit"
+  group: "mailpit"
diff --git a/roles/mailpit/tasks/main.yml b/roles/mailpit/tasks/main.yml
@@ -0,0 +1,37 @@
+---
+- name: "Create mailpit group"
+  group:
+    name: "{{ mailpit.group }}"
+    state: "present"
+  register: "result"
+
+- name: "Create mailpit user"
+  user:
+    name: "{{ mailpit.user }}"
+    group: "{{ mailpit.group }}"
+    comment: "User to run Mailpit service"
+    shell: "/bin/false"
+    password: "!"
+    create_home: false
+    state: "present"
+  register: "result"
+
+- name: "Save mailpit user uid"
+  set_fact:
+    mailpit_user_uid: "{{ result.uid }}"
+
+- name: "Create mailpit container"
+  docker_container:
+    name: "mailpit"
+    image: "{{ mailpit.image }}"
+    restart_policy: "always"
+    state: "started"
+    user: "{{ mailpit_user_uid }}"
+    ports:
+    networks:
+      - name: "loadbalancer"
+    labels:
+      traefik.enable: "true"
+      traefik.http.routers.mailpit.rule: "Host(`{{ mailpit.hostname }}`)"
+      traefik.http.routers.mailpit.tls: "true"
+      traefik.http.services.mailpit.loadbalancer.server.port: 8025
diff --git a/roles/sram-ldap/defaults/main.yml b/roles/sram-ldap/defaults/main.yml
@@ -0,0 +1,41 @@
+---
+ldap: "{{ ldap_defaults | combine(ldap_overrides, recursive=true) }}"
+
+ldap_defaults:
+  image: "ghcr.io/surfscz/sram-ldap:main"
+  conf_dir: "{{ current_release_appdir }}/sram/ldap"
+  ldif_dir: "{{ ldap_defaults.conf_dir }}/schema"
+  certs_dir: "{{ ldap_defaults.conf_dir }}/certs"
+  backup_dir: "{{ ldap_defaults.conf_dir }}/ldap"
+  data_dir: "{{ ldap_defaults.conf_dir}}/data"
+  uri: "ldap://localhost/"
+
+  user: "openldap"
+  group: "openldap"
+
+  # admin_group: "ldap_admin"
+  admins:
+    - name: Admin
+      uid: admin
+      pw_hash: <slappasswd output>
+      sshkey: ""
+
+  loglevel: "stats stats2 filter"
+
+  services_password: secret
+  monitor_password: secret
+  ldap_monitor_password: secret
+
+  uri: "ldap://localhost/"
+  rid_prefix: "ldap://"
+
+  base_domain: "{{ base_domain }}"
+  base_dn: >-
+    {{ ((ldap_defaults.base_domain.split('.')|length)*['dc=']) |
+    zip(ldap_defaults.base_domain.split('.')) | list | map('join', '') | list | join(',') }}
+  services_dn:
+    basedn: "dc=services,{{ ldap_defaults.base_dn }}"
+    o:      "Services"
+    binddn: "cn=admin,{{ ldap_defaults.base_dn }}"
+
+  hosts: {}
diff --git a/roles/sram-ldap/files/eduMember.ldif b/roles/sram-ldap/files/eduMember.ldif
@@ -0,0 +1,27 @@
+dn: cn=eduMember,cn=schema,cn=config
+objectClass: olcSchemaConfig
+cn: eduMember
+# Internet X.500 Schema for Ldappc
+# Includes the eduMember ObjectClass schema
+#
+#
+# An auxiliary object class, "eduMember," is a convenient container 
+# for an extensible set of attributes concerning group memberships. 
+# At this time, the only attributes specified as belonging to the 
+# object class are "isMemberOf" and "hasMember."
+#
+olcAttributeTypes: ( 1.3.6.1.4.1.5923.1.5.1.1
+  NAME 'isMemberOf'
+  DESC 'identifiers for groups to which containing entity belongs'
+  EQUALITY caseExactMatch
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+olcAttributeTypes: ( 1.3.6.1.4.1.5923.1.5.1.2
+  NAME 'hasMember'
+  DESC 'identifiers for entities that are members of the group'
+  EQUALITY caseExactMatch
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+olcObjectClasses: ( 1.3.6.1.4.1.5923.1.5.2.1
+  NAME 'eduMember'
+  AUXILIARY
+  MAY ( isMemberOf $ hasMember )
+  )
diff --git a/roles/sram-ldap/files/eduPerson.ldif b/roles/sram-ldap/files/eduPerson.ldif
@@ -0,0 +1,83 @@
+dn: cn=eduperson,cn=schema,cn=config
+objectClass: olcSchemaConfig
+cn: eduperson
+olcAttributeTypes: ( 1.3.6.1.4.1.5923.1.1.1.1 
+ NAME 'eduPersonAffiliation' 
+ DESC 'eduPerson per Internet2 and EDUCAUSE' 
+ EQUALITY caseIgnoreMatch 
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+olcAttributeTypes: ( 1.3.6.1.4.1.5923.1.1.1.7 
+ NAME 'eduPersonEntitlement' 
+ DESC 'eduPerson per Internet2 and EDUCAUSE' 
+ EQUALITY caseExactMatch 
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+olcAttributeTypes: ( 1.3.6.1.4.1.5923.1.1.1.2 
+ NAME 'eduPersonNickName' 
+ DESC 'eduPerson per Internet2 and EDUCAUSE' 
+ EQUALITY caseIgnoreMatch 
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+olcAttributeTypes: ( 1.3.6.1.4.1.5923.1.1.1.3 
+ NAME 'eduPersonOrgDN' 
+ DESC 'eduPerson per Internet2 and EDUCAUSE' 
+ EQUALITY distinguishedNameMatch 
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE )
+olcAttributeTypes: ( 1.3.6.1.4.1.5923.1.1.1.4 
+ NAME 'eduPersonOrgUnitDN' 
+ DESC 'eduPerson per Internet2 and EDUCAUSE' 
+ EQUALITY distinguishedNameMatch 
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
+olcAttributeTypes: ( 1.3.6.1.4.1.5923.1.1.1.5
+ NAME 'eduPersonPrimaryAffiliation' 
+ DESC 'eduPerson per Internet2 and EDUCAUSE' 
+ EQUALITY caseIgnoreMatch 
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
+olcAttributeTypes: ( 1.3.6.1.4.1.5923.1.1.1.8 
+ NAME 'eduPersonPrimaryOrgUnitDN' 
+ DESC 'eduPerson per Internet2 and EDUCAUSE' 
+ EQUALITY distinguishedNameMatch  
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE )
+olcAttributeTypes: ( 1.3.6.1.4.1.5923.1.1.1.6 
+ NAME 'eduPersonPrincipalName' 
+ DESC 'eduPerson per Internet2 and EDUCAUSE' 
+ EQUALITY caseIgnoreMatch  
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
+olcAttributeTypes: ( 1.3.6.1.4.1.5923.1.1.1.12 
+ NAME 'eduPersonPrincipalNamePrior' 
+ DESC 'eduPersonPrincipalNamePrior per Internet2' 
+ EQUALITY caseIgnoreMatch 
+ SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' )
+olcAttributeTypes: ( 1.3.6.1.4.1.5923.1.1.1.9 
+ NAME 'eduPersonScopedAffiliation' 
+ DESC 'eduPerson per Internet2 and EDUCAUSE' 
+ EQUALITY caseIgnoreMatch 
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+olcAttributeTypes: ( 1.3.6.1.4.1.5923.1.1.1.10 
+ NAME 'eduPersonTargetedID' 
+ DESC 'eduPerson per Internet2 and EDUCAUSE' 
+ EQUALITY caseExactMatch 
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+olcAttributeTypes: ( 1.3.6.1.4.1.5923.1.1.1.11 
+ NAME 'eduPersonAssurance' 
+ DESC 'eduPerson per Internet2 and EDUCAUSE' 
+ EQUALITY caseExactMatch 
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+olcAttributeTypes: ( 1.3.6.1.4.1.5923.1.1.1.13 
+ NAME 'eduPersonUniqueId' 
+ DESC 'eduPersonUniqueId per Internet2' 
+ EQUALITY caseIgnoreMatch 
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
+olcAttributeTypes: ( 1.3.6.1.4.1.5923.1.1.1.16 
+ NAME 'eduPersonOrcid' 
+ DESC 'ORCID researcher identifiers belonging to the principal' 
+ EQUALITY caseIgnoreMatch 
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+olcObjectClasses: ( 1.3.6.1.4.1.5923.1.1.2 
+ NAME 'eduPerson' 
+ AUXILIARY 
+ MAY ( 
+ eduPersonAffiliation $ eduPersonNickname $ eduPersonOrgDN $ 
+ eduPersonOrgUnitDN $ eduPersonPrimaryAffiliation $ 
+ eduPersonPrincipalName $ eduPersonEntitlement $ eduPersonPrimaryOrgUnitDN $ 
+ eduPersonScopedAffiliation $ eduPersonTargetedID $ eduPersonAssurance $ 
+ eduPersonPrincipalNamePrior $ eduPersonUniqueId $ eduPersonOrcid ) 
+ )
diff --git a/roles/sram-ldap/files/groupOfMembers.ldif b/roles/sram-ldap/files/groupOfMembers.ldif
@@ -0,0 +1,19 @@
+# Internet X.500 Schema for Ldappc
+# Includes the groupOfMembers ObjectClass schema
+#
+# Taken from RFC2307bis draft 2
+# https://tools.ietf.org/html/draft-howard-rfc2307bis-02
+#
+# An structural object class, "groupOfMembers" is a convenient container
+# for an extensible set of attributes concerning group memberships.
+#
+dn: cn=groupOfMembers,cn=schema,cn=config
+objectClass: olcSchemaConfig
+cn: groupOfMembers
+olcObjectClasses: ( 1.3.6.1.1.1.2.18 SUP top STRUCTURAL
+  NAME 'groupOfMembers'
+  DESC 'A group with members (DNs)'
+  MUST cn
+  MAY ( businessCategory $ seeAlso $ owner $ ou $ o $
+        description $ member )
+  )