use ldap secret in login role

login.yaml

@@ -10,9 +10,9 @@
 - hosts: login
   roles:
       - role: dns_record
-      - role: login
       - role: reverse_proxy
-        hostname: login3
+        hostname: login
+      - role: login
 - hosts: status
   roles:
     - role: icinga2-monitoring

roles/login/meta/main.yaml

@@ -4,5 +4,5 @@ dependencies:
     is_proxy: true
     config_name: "login"
     remote_host: "http://localhost:5000"
-    server_fqdn: "login3.lilik.it"
+    server_fqdn: "login.lilik.it"
     parent_role_path: "login"

roles/login/tasks/main.yaml

@@ -18,6 +18,35 @@
   notify:
     - restart login
 
+- name: add login user
+  user:
+    name: login
+    system: yes
+    home: /srv/login
+
+- name: slurp slap secret file
+  slurp:
+    src: /etc/slapd.secret
+  register: slapdsecret
+  failed_when: false
+  changed_when: false
+  delegate_to: ldap
+
+- set_fact:
+    ldap_password: "{{ slapdsecret['content'] | b64decode }}"
+
+- name: add login config
+  template:
+    src: config.py.j2
+    dest: /srv/login/config.py
+    mode: 440
+    owner: login
+    group: login
+
+  register: add_login_startup_script
+  notify:
+    - restart login
+
 - name: add login init script
   template: src=login.j2 dest=/etc/init.d/login mode=755
   register: add_login_startup_script

roles/login/templates/login.j2

@@ -17,7 +17,7 @@ DAEMON_NAME=login
 DAEMON_OPTS=""
 
 # This next line determines what user the script runs as.
-DAEMON_USER=root
+DAEMON_USER=login
 
 # The process ID of the script when it runs is stored here:
 PIDFILE=/var/run/$DAEMON_NAME.pid