homelab-nomad/databases/lldap.nomad

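# LLDAP (lightweight LDAP server) backed by MariaDB. The database is reached
# through a local stunnel PSK client, and the plaintext LDAP port is also
# re-exported behind a stunnel PSK server on the "tls" port.
#
# This file is a Terraform template: `$${...}` escapes Nomad runtime
# variables and `%{ if use_wesher }` is expanded by templatefile() before the
# job is submitted.
job "lldap" {
  datacenters = ["dc1"]
  type        = "service"
  priority    = 80

  group "lldap" {
    network {
      mode = "bridge"

      # Web UI and *plaintext* LDAP. With use_wesher these bind only to the
      # wesher mesh interface; without it they land on the default host
      # network, so the unencrypted "ldap" port becomes reachable from the LAN.
      port "web" {
        %{~ if use_wesher ~}
        host_network = "wesher"
        %{~ endif ~}
      }
      port "ldap" {
        %{~ if use_wesher ~}
        host_network = "wesher"
        %{~ endif ~}
      }

      # PSK-TLS wrapped LDAP served by the stunnel sidecar. Bound on every
      # host network; only peers holding one of the allowed PSKs get through.
      port "tls" {}
    }

    # Plaintext LDAP, intended for same-mesh clients only.
    service {
      name     = "lldap"
      provider = "nomad"
      port     = "ldap"
    }

    # LDAP over stunnel PSK-TLS.
    service {
      name     = "lldap-tls"
      provider = "nomad"
      port     = "tls"
    }

    # Admin web UI, published via Traefik on the TLS entrypoint only.
    # No router rule is declared here; the host match presumably comes from
    # Traefik's defaultRule -- TODO confirm.
    service {
      name     = "ldap-admin"
      provider = "nomad"
      port     = "web"
      tags = [
        "traefik.enable=true",
        "traefik.http.routers.ldap-admin.entryPoints=websecure",
      ]
    }

    task "lldap" {
      driver = "docker"

      config {
        # NOTE(review): "v0.5" is a floating tag; pin a digest for a
        # reproducible deployment.
        image = "ghcr.io/lldap/lldap:v0.5"
        ports = ["ldap", "web"]
        args  = ["run", "--config-file", "$${NOMAD_TASK_DIR}/lldap_config.toml"]
      }

      env = {
        # NOTE(review): verbose logging may include request details; confirm
        # nothing sensitive reaches the task logs before keeping this on.
        "LLDAP_VERBOSE"   = "true"
        "LLDAP_LDAP_PORT" = "$${NOMAD_PORT_ldap}"
        "LLDAP_HTTP_PORT" = "$${NOMAD_PORT_web}"

        # Secrets are passed as *_FILE paths inside NOMAD_SECRETS_DIR (tmpfs,
        # not browsable with `nomad alloc fs`) instead of plain env vars,
        # which would be visible in `docker inspect` and the Nomad UI.
        "LLDAP_DATABASE_URL_FILE"           = "$${NOMAD_SECRETS_DIR}/database_url.txt"
        "LLDAP_KEY_SEED_FILE"               = "$${NOMAD_SECRETS_DIR}/key_seed.txt"
        "LLDAP_JWT_SECRET_FILE"             = "$${NOMAD_SECRETS_DIR}/jwt_secret.txt"
        "LLDAP_USER_PASS_FILE"              = "$${NOMAD_SECRETS_DIR}/user_pass.txt"
        "LLDAP_SMTP_OPTIONS__PASSWORD_FILE" = "$${NOMAD_SECRETS_DIR}/smtp_password.txt"
      }

      # Non-secret configuration. The SMTP password is deliberately not in
      # here; it arrives through LLDAP_SMTP_OPTIONS__PASSWORD_FILE below.
      template {
        data = <<EOH
ldap_base_dn = "{{ with nomadVar "nomad/jobs" }}{{ .ldap_base_dn }}{{ end }}"
{{ with nomadVar "nomad/jobs/lldap" -}}
ldap_user_dn = "{{ .admin_user }}"
ldap_user_email = "{{ .admin_email }}"

[smtp_options]
from = "{{ .smtp_from }}"
reply_to = "{{ .smtp_reply_to }}"
enable_password_reset = true
{{ end -}}
{{ with nomadVar "secrets/smtp" -}}
server = "{{ .server }}"
port = {{ .port }}
tls_required = {{ .tls.Value | toLower }}
user = "{{ .user }}"
{{ end -}}
EOH
        destination = "$${NOMAD_TASK_DIR}/lldap_config.toml"
        change_mode = "restart"
      }

      # 127.0.0.1:3306 is the stunnel "mysql_client" listener in this
      # allocation, not a local MariaDB.
      # NOTE(review): db_pass is spliced into the URL unescaped; characters
      # such as '@', '/', '#' or '%' in the password would break parsing.
      template {
        data        = "{{ with nomadVar \"nomad/jobs/lldap\" }}mysql://{{ .db_user }}:{{ .db_pass }}@127.0.0.1:3306/{{ .db_name }}{{ end }}"
        destination = "$${NOMAD_SECRETS_DIR}/database_url.txt"
        change_mode = "restart"
      }

      template {
        data        = "{{ with nomadVar \"nomad/jobs/lldap\" }}{{ .key_seed }}{{ end }}"
        destination = "$${NOMAD_SECRETS_DIR}/key_seed.txt"
        change_mode = "restart"
      }

      template {
        data        = "{{ with nomadVar \"nomad/jobs/lldap\" }}{{ .jwt_secret }}{{ end }}"
        destination = "$${NOMAD_SECRETS_DIR}/jwt_secret.txt"
        change_mode = "restart"
      }

      template {
        data        = "{{ with nomadVar \"nomad/jobs/lldap\" }}{{ .admin_password }}{{ end }}"
        destination = "$${NOMAD_SECRETS_DIR}/user_pass.txt"
        change_mode = "restart"
      }

      template {
        data        = "{{ with nomadVar \"secrets/smtp\" }}{{ .password }}{{ end }}"
        destination = "$${NOMAD_SECRETS_DIR}/smtp_password.txt"
        change_mode = "restart"
      }

      resources {
        cpu        = 10
        memory     = 200
        memory_max = 200
      }
    }

    # One-shot prestart: create the lldap database and user on MariaDB using
    # the root credentials. Retries every 10 s for up to 2 minutes so it
    # tolerates the stunnel sidecar (same prestart phase) not being up yet.
    task "bootstrap" {
      driver = "docker"

      lifecycle {
        hook    = "prestart"
        sidecar = false
      }

      config {
        image = "mariadb:10"
        args = [
          "/usr/bin/timeout",
          "2m",
          "/bin/bash",
          "-c",
          "until /usr/bin/mysql --defaults-extra-file=$${NOMAD_SECRETS_DIR}/my.cnf < $${NOMAD_SECRETS_DIR}/bootstrap.sql; do sleep 10; done",
        ]
      }

      # Root credentials go through a defaults file in the secrets dir so the
      # password never appears on the command line or in the process list.
      template {
        data = <<EOF
[client]
host=127.0.0.1
port=3306
user=root
{{ with nomadVar "secrets/mysql" -}}
password={{ .mysql_root_password }}
{{ end -}}
EOF
        destination = "$${NOMAD_SECRETS_DIR}/my.cnf"
      }

      # The statements are built by string interpolation from Nomad variables.
      # These are operator-controlled, but a single quote in db_user or
      # db_pass would still break (or alter) the SQL -- keep them quote-free.
      # The '%' host is used because the connection reaches MariaDB from the
      # mysql-side stunnel endpoint, whose address is not fixed here
      # (presumably; verify against the mysql job).
      template {
        data = <<EOF
{{ with nomadVar "nomad/jobs/lldap" -}}
CREATE DATABASE IF NOT EXISTS `{{ .db_name }}`
CHARACTER SET = 'utf8mb4'
COLLATE = 'utf8mb4_unicode_ci';
DROP USER IF EXISTS '{{ .db_user }}'@'%';
CREATE USER '{{ .db_user }}'@'%'
IDENTIFIED BY '{{ .db_pass }}';
GRANT ALL ON `{{ .db_name }}`.*
TO '{{ .db_user }}'@'%';
{{ else -}}
SELECT 'NOOP';
{{ end -}}
EOF
        destination = "$${NOMAD_SECRETS_DIR}/bootstrap.sql"
      }

      resources {
        cpu    = 50
        memory = 50
      }
    }

    # stunnel sidecar: PSK-TLS server in front of the LDAP port and PSK-TLS
    # client towards the "mysql-tls" service.
    task "stunnel" {
      driver = "docker"

      lifecycle {
        hook    = "prestart"
        sidecar = true
      }

      config {
        image = "alpine:3.17"
        ports = ["tls"]
        args  = ["/bin/sh", "$${NOMAD_TASK_DIR}/start.sh"]
      }

      resources {
        cpu    = 100
        memory = 100
      }

      # NOTE(review): stunnel is installed unpinned from the Alpine repos on
      # every task start, so each restart needs network access and picks up
      # whatever version is current. Consider a prebuilt image instead.
      template {
        data = <<EOF
set -e
apk add stunnel
exec stunnel {{ env "NOMAD_TASK_DIR" }}/stunnel.conf
EOF
        destination = "$${NOMAD_TASK_DIR}/start.sh"
      }

      # "mysql_client" takes one "mysql-tls" instance, chosen by alloc id. If
      # the service has no registered instance the section is rendered with
      # no connect line, which stunnel will reject at startup.
      template {
        data = <<EOF
syslog = no
foreground = yes
delay = yes

[ldap_server]
accept = {{ env "NOMAD_PORT_tls" }}
connect = 127.0.0.1:{{ env "NOMAD_PORT_ldap" }}
ciphers = PSK
PSKsecrets = {{ env "NOMAD_SECRETS_DIR" }}/stunnel_psk.txt

[mysql_client]
client = yes
accept = 127.0.0.1:3306
{{ range nomadService 1 (env "NOMAD_ALLOC_ID") "mysql-tls" -}}
connect = {{ .Address }}:{{ .Port }}
{{- end }}
PSKsecrets = {{ env "NOMAD_SECRETS_DIR" }}/mysql_stunnel_psk.txt
EOF
        destination = "$${NOMAD_TASK_DIR}/stunnel.conf"
      }

      # Client PSKs accepted by the LDAP-facing stunnel server, one
      # "identity:key" line per variable under secrets/ldap/allowed_psks.
      # Written to NOMAD_SECRETS_DIR (tmpfs, hidden from `nomad alloc fs`)
      # like the other secrets, rather than the on-disk task dir.
      template {
        data = <<EOF
{{ range nomadVarList "secrets/ldap/allowed_psks" -}}
{{ with nomadVar .Path }}{{ .psk }}{{ end }}
{{ end -}}
EOF
        destination = "$${NOMAD_SECRETS_DIR}/stunnel_psk.txt"
      }

      # This job's own PSK for the mysql-tls server.
      template {
        data = <<EOF
{{- with nomadVar "secrets/mysql/allowed_psks/lldap" }}{{ .psk }}{{ end -}}
EOF
        destination = "$${NOMAD_SECRETS_DIR}/mysql_stunnel_psk.txt"
      }
    }
  }
}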