From 8650ab973ad0cecd022941ba69d6940b84d6505b Mon Sep 17 00:00:00 2001
From: Ian Fijolek <ian@iamthefij.com>
Date: Thu, 6 Jul 2023 17:16:36 -0700
Subject: [PATCH] Add stunnel for ldap as part of service template

---
 core/lldap.nomad                        | 30 +++++++++++++++++++++----
 services/service/service_template.nomad | 22 +++++++++++++++++-
 2 files changed, 47 insertions(+), 5 deletions(-)

diff --git a/core/lldap.nomad b/core/lldap.nomad
index 738328c..3cee62c 100644
--- a/core/lldap.nomad
+++ b/core/lldap.nomad
@@ -9,13 +9,13 @@ job "lldap" {
 
       port "web" {
         host_network = "wesher"
-        to = 17170
       }
 
       port "ldap" {
         host_network = "wesher"
-        to = 3890
       }
+
+      port "tls" {}
     }
 
     service {
@@ -24,6 +24,12 @@ job "lldap" {
       port = "ldap"
     }
 
+    service {
+      name = "lldap-tls"
+      provider = "nomad"
+      port = "tls"
+    }
+
     service {
       name = "ldap-admin"
       provider = "nomad"
@@ -39,7 +45,7 @@ job "lldap" {
       driver = "docker"
 
       config {
-        image = "nitnelave/lldap:v0.4.3"
+        image = "nitnelave/lldap:latest"
         ports = ["ldap", "web"]
         args = ["run", "--config-file", "${NOMAD_SECRETS_DIR}/lldap_config.toml"]
       }
@@ -51,7 +57,7 @@ job "lldap" {
 
       template {
         data = <<EOH
-ldap_base_dn = "{{ with nomadVar "nomad/jobs" }}{{ .base_dn }}{{ end }}"
+ldap_base_dn = "{{ with nomadVar "nomad/jobs" }}{{ .ldap_base_dn }}{{ end }}"
 
 {{ with nomadVar "nomad/jobs/lldap" -}}
 database_url = "mysql://{{ .db_user }}:{{ .db_pass }}@127.0.0.1:3306/{{ .db_name }}"
@@ -157,6 +163,7 @@ SELECT 'NOOP';
 
       config {
         image = "alpine:3.17"
+        ports = ["tls"]
         args = ["/bin/sh", "${NOMAD_TASK_DIR}/start.sh"]
       }
 
@@ -180,6 +187,12 @@ syslog = no
 foreground = yes
 delay = yes
 
+[ldap_server]
+accept = {{ env "NOMAD_PORT_tls" }}
+connect = 127.0.0.1:{{ env "NOMAD_PORT_ldap" }}
+ciphers = PSK
+PSKsecrets = {{ env "NOMAD_TASK_DIR" }}/stunnel_psk.txt
+
 [mysql_client]
 client = yes
 accept = 127.0.0.1:3306
@@ -191,6 +204,15 @@ PSKsecrets = {{ env "NOMAD_SECRETS_DIR" }}/mysql_stunnel_psk.txt
         destination = "${NOMAD_TASK_DIR}/stunnel.conf"
       }
 
+      template {
+        data = <<EOF
+{{ with nomadVar "nomad/jobs/lldap/lldap/stunnel" -}}
+{{ .allowed_psks }}
+{{- end }}
+EOF
+        destination = "${NOMAD_TASK_DIR}/stunnel_psk.txt"
+      }
+
       template {
         data = <<EOF
 {{- with nomadVar "nomad/jobs/lldap/lldap/stunnel" }}{{ .mysql_stunnel_psk }}{{ end -}}
diff --git a/services/service/service_template.nomad b/services/service/service_template.nomad
index 937c553..1addb55 100644
--- a/services/service/service_template.nomad
+++ b/services/service/service_template.nomad
@@ -267,6 +267,16 @@ accept = 127.0.0.1:6379
 connect = {{ .Address }}:{{ .Port }}
 {{- end }}
 PSKsecrets = {{ env "NOMAD_SECRETS_DIR" }}/redis_stunnel_psk.txt
+%{~ endif }
+
+%{~ if use_ldap }
+[ldap_client]
+client = yes
+accept = 127.0.0.1:389
+{{ range nomadService 1 (env "NOMAD_ALLOC_ID") "lldap-tls" -}}
+connect = {{ .Address }}:{{ .Port }}
+{{- end }}
+PSKsecrets = {{ env "NOMAD_SECRETS_DIR" }}/ldap_stunnel_psk.txt
 %{~ endif }
         EOF
         destination = "$${NOMAD_TASK_DIR}/stunnel.conf"
@@ -274,21 +284,31 @@ PSKsecrets = {{ env "NOMAD_SECRETS_DIR" }}/redis_stunnel_psk.txt
 
       %{~ if use_mysql }
       template {
+        # TODO: move psk to nomad/jobs/name/name/stunnel
         data = <<EOF
 {{- with nomadVar "nomad/jobs/${name}" }}{{ .mysql_stunnel_psk }}{{ end -}}
 EOF
         destination = "$${NOMAD_SECRETS_DIR}/mysql_stunnel_psk.txt"
       }
       %{ endif }
-
       %{~ if use_redis }
       template {
+        # TODO: move psk to nomad/jobs/name/name/stunnel
         data = <<EOF
 {{- with nomadVar "nomad/jobs/${name}" }}{{ .redis_stunnel_psk }}{{ end -}}
 EOF
         destination = "$${NOMAD_SECRETS_DIR}/redis_stunnel_psk.txt"
       }
       %{~ endif }
+      %{~ if use_ldap }
+      template {
+        # TODO: move psk to nomad/jobs/name/name/stunnel
+        data = <<EOF
+{{- with nomadVar "nomad/jobs/${name}" }}{{ .ldap_stunnel_psk }}{{ end -}}
+EOF
+        destination = "$${NOMAD_SECRETS_DIR}/ldap_stunnel_psk.txt"
+      }
+      %{~ endif }
     }
     %{~ endif }
   }