Switch lldap storage to mysql

2023-07-05 17:29:26 -07:00 · 2023-07-05 17:29:26 -07:00 · acc80868f9
commit acc80868f9
parent f606e0a17e
3 changed files with 141 additions and 31 deletions
--- a/ansible_playbooks/ansible_hosts.yml
+++ b/ansible_playbooks/ansible_hosts.yml
@ -25,12 +25,6 @@ all:
              group: "999"
              mode: "0755"
              read_only: false
-            - name: lldap-data
-              path: /srv/volumes/lldap
-              owner: "root"
-              group: "bin"
-              mode: "0755"
-              read_only: false
        n2.thefij:
          nfs_mounts:
            - src: 10.50.250.2:/srv/volumes
--- a/core/lldap.nomad
+++ b/core/lldap.nomad
@ -18,12 +18,6 @@ job "lldap" {
      }
    }

-    volume "lldap-data" {
-      type = "host"
-      read_only = false
-      source = "lldap-data"
-    }
-
    service {
      name = "lldap"
      provider = "nomad"
@ -44,14 +38,8 @@ job "lldap" {
    task "lldap" {
      driver = "docker"

-      volume_mount {
-        volume = "lldap-data"
-        destination = "/data"
-        read_only = false
-      }
-
      config {
-        image = "nitnelave/lldap:v0.4"
+        image = "nitnelave/lldap:v0.4.3"
        ports = ["ldap", "web"]
        args = ["run", "--config-file", "${NOMAD_SECRETS_DIR}/lldap_config.toml"]
      }
@ -63,27 +51,31 @@ job "lldap" {

      template {
        data = <<EOH
-database_url = "sqlite:///data/users.db?mode=rwc"
-key_file = "/data/private_key"
 ldap_base_dn = "{{ with nomadVar "nomad/jobs" }}{{ .base_dn }}{{ end }}"
+
 {{ with nomadVar "nomad/jobs/lldap" -}}
+database_url = "mysql://{{ .db_user }}:{{ .db_pass }}@127.0.0.1:3306/{{ .db_name }}"
+key_seed = "{{ .key_seed }}"
 jwt_secret = "{{ .jwt_secret }}"
+
 ldap_user_dn = "{{ .admin_user }}"
 ldap_user_email = "{{ .admin_email }}"
 ldap_user_pass = "{{ .admin_password }}"
-{{- end }}
-{{ with nomadVar "nomad/jobs" -}}
+
 [smtp_options]
+from = "{{ .smtp_from }}"
+reply_to = "{{ .smtp_reply_to }}"
+
 enable_password_reset = true
+{{- end }}
+
+# TODO: Better access to SMTP creds using nomad ACLs
+{{ with nomadVar "nomad/jobs" -}}
 server = "{{ .smtp_server }}"
 port = {{ .smtp_port }}
 tls_required = {{ .smtp_tls.Value | toLower }}
 user = "{{ .smtp_user }}"
 password = "{{ .smtp_password }}"
-{{ end -}}
-{{ with nomadVar "nomad/jobs/lldap" -}}
-from = "{{ .smtp_from }}"
-reply_to = "{{ .smtp_reply_to }}"
 {{ end -}}
        EOH
        destination = "${NOMAD_SECRETS_DIR}/lldap_config.toml"
@ -96,5 +88,116 @@ reply_to = "{{ .smtp_reply_to }}"
        memory_max = 200
      }
    }
+
+    task "bootstrap" {
+      driver = "docker"
+
+      lifecycle {
+        hook = "prestart"
+        sidecar = false
+      }
+
+      config {
+        image = "mariadb:10"
+        args = [
+          "/usr/bin/timeout",
+          "2m",
+          "/bin/bash",
+          "-c",
+          "until /usr/bin/mysql --defaults-extra-file=${NOMAD_SECRETS_DIR}/my.cnf < ${NOMAD_SECRETS_DIR}/bootstrap.sql; do sleep 10; done",
+        ]
+      }
+
+      template {
+        data = <<EOF
+[client]
+host=127.0.0.1
+port=3306
+user=root
+# TODO: Use via lesser scoped access
+{{ with nomadVar "nomad/jobs/lldap/lldap/bootstrap" -}}
+password={{ .mysql_root_password }}
+{{ end -}}
+        EOF
+        destination = "${NOMAD_SECRETS_DIR}/my.cnf"
+      }
+
+      template {
+        data = <<EOF
+{{ with nomadVar "nomad/jobs/lldap" -}}
+{{ $db_name := .db_name }}
+CREATE DATABASE IF NOT EXISTS `{{ .db_name }}`
+  CHARACTER SET = 'utf8mb4'
+  COLLATE = 'utf8mb4_unicode_ci';
+DROP USER IF EXISTS '{{ .db_user }}'@'%';
+CREATE USER '{{ .db_user }}'@'%'
+  IDENTIFIED BY '{{ .db_pass }}';
+GRANT ALL ON `{{ .db_name }}`.*
+  TO '{{ .db_user }}'@'%';
+{{ else -}}
+SELECT 'NOOP';
+{{ end -}}
+        EOF
+        destination = "${NOMAD_SECRETS_DIR}/bootstrap.sql"
+      }
+
+      resources {
+        cpu = 50
+        memory = 50
+      }
+    }
+
+    task "stunnel" {
+      driver = "docker"
+
+      lifecycle {
+        hook = "prestart"
+        sidecar = true
+      }
+
+      config {
+        image = "alpine:3.17"
+        args = ["/bin/sh", "${NOMAD_TASK_DIR}/start.sh"]
+      }
+
+      resources {
+        cpu = 100
+        memory = 100
+      }
+
+      template {
+        data = <<EOF
+set -e
+apk add stunnel
+exec stunnel {{ env "NOMAD_TASK_DIR" }}/stunnel.conf
+        EOF
+        destination = "${NOMAD_TASK_DIR}/start.sh"
+      }
+
+      template {
+        data = <<EOF
+syslog = no
+foreground = yes
+delay = yes
+
+[mysql_client]
+client = yes
+accept = 127.0.0.1:3306
+{{ range nomadService 1 (env "NOMAD_ALLOC_ID") "mysql-tls" -}}
+connect = {{ .Address }}:{{ .Port }}
+{{- end }}
+PSKsecrets = {{ env "NOMAD_SECRETS_DIR" }}/mysql_stunnel_psk.txt
+        EOF
+        destination = "${NOMAD_TASK_DIR}/stunnel.conf"
+      }
+
+      template {
+        data = <<EOF
+{{- with nomadVar "nomad/jobs/lldap/lldap/stunnel" }}{{ .mysql_stunnel_psk }}{{ end -}}
+EOF
+        destination = "${NOMAD_SECRETS_DIR}/mysql_stunnel_psk.txt"
+      }
+
+    }
  }
 }
--- a/services/backups/jobs/lldap.hcl
+++ b/services/backups/jobs/lldap.hcl
@ -6,13 +6,26 @@ job "lldap" {
    passphrase = env("BACKUP_PASSPHRASE")
  }

-  sqlite "Backup database" {
-    path    = "/data/lldap/users.db"
-    dump_to = "/data/lldap/users.db.bak"
+  task "Create local backup dir" {
+    pre_script {
+      on_backup = "mkdir -p /local/lldap"
+    }
+  }
+
+  task "Backup database" {
+    mysql "Backup database" {
+      hostname       = env("MYSQL_HOST")
+      port           = env("MYSQL_PORT")
+      username       = env("MYSQL_USER")
+      password       = env("MYSQL_PASSWORD")
+      database       = "lldap"
+      no_tablespaces = true
+      dump_to        = "/local/lldap/dump.sql"
+    }
  }

  backup {
-    paths = ["/data/lldap"]
+    paths = ["/local/lldap"]
    # Because path is absolute
    restore_opts {
      Target = "/"