Support storing password for ldap-based realms

Author: mrtwnklr

README.md

@@ -472,25 +472,32 @@ One realm should have the `default: 1` property to mark it as the default:
 pve_domains_cfg:
   - name: pam
     type: pam
-    comment: Linux PAM standard authentication
+    attributes:
+      comment: Linux PAM standard authentication
   - name: pve
     type: pve
-    comment: Proxmox VE authentication server
-  - name: AD
+    attributes:
+      comment: Proxmox VE authentication server
+  - name: ad
     type: ad
-    comment: Active Directory authentication
-    domain: yourdomain.com
-    server1: dc01.yourdomain.com
-    default: 1
-    secure: 1
-    server2: dc02.yourdomain.com
-  - name: LDAP
+    attributes:
+      comment: Active Directory authentication
+      domain: yourdomain.com
+      server1: dc01.yourdomain.com
+      default: 1
+      secure: 1
+      server2: dc02.yourdomain.com
+  - name: ldap
     type: ldap
-    base_dn: CN=Users,dc=yourdomain,dc=com
-    server1: ldap1.yourdomain.com
-    user_attr: uid
-    secure: 1
-    server2: ldap2.yourdomain.com
+    attributes:
+      comment: LDAP authentication
+      base_dn: CN=Users,dc=yourdomain,dc=com
+      bind_dn: "uid=svc-reader,CN=Users,dc=yourdomain,dc=com"
+      bind_password: "{{ secret_ldap_svc_reader_password }}"
+      server1: ldap1.yourdomain.com
+      user_attr: uid
+      secure: 1
+      server2: ldap2.yourdomain.com
 ```
 
 ## Dependencies

tasks/realms_config.yml

@@ -22,12 +22,47 @@
     content: |
       {% for domain in pve_domains_cfg %}
       {{ domain.type }}: {{ domain.name }}
-      {% for k,v in domain.items() %}
-      {% if k != 'name' %}
-      {% if k != 'type' %}
+      {% if domain.attributes %}
+      {% for k,v in domain.attributes.items() %}
+      {% if k != 'bind_password' %}
       	{{ k }} {{ v }}
       {% endif %}
-      {% endif %}
       {% endfor %}
+      {% endif %}
 
       {% endfor %}
+
+- name: Select ldap-based realms with bind_password
+  set_fact:
+    pve_ldap_realms_with_bind_pw: |
+      {{ pve_domains_cfg | selectattr('type', 'in', ['ad', 'ldap'])
+                         | selectattr('attributes.bind_password', 'defined') }}
+
+- name: Ensure /etc/pve/priv/realm/ exists
+  ansible.builtin.file:
+    path: /etc/pve/priv/realm
+    state: directory
+    owner: root
+    group: www-data
+    mode: 0700
+  when: pve_ldap_realms_with_bind_pw | length
+
+- name: Ensure ldap-based realm secret files exists
+  ansible.builtin.file:
+    path: "/etc/pve/priv/realm/{{ item.name }}.pw"
+    access_time: preserve
+    modification_time: preserve
+    state: touch
+    mode: 0600
+  with_items:
+    - "{{ pve_ldap_realms_with_bind_pw }}"
+
+- name: Update ldap-based realm secret files
+  ansible.builtin.copy:
+    content: "{{ item.attributes.bind_password }}"
+    dest: "/etc/pve/priv/realm/{{ item.name }}.pw"
+    owner: root
+    group: www-data
+    mode: 0600
+  with_items:
+    - "{{ pve_ldap_realms_with_bind_pw }}"