diff --git a/databases/lldap.nomad b/databases/lldap.nomad
index 7de4129..a91b299 100644
--- a/databases/lldap.nomad
+++ b/databases/lldap.nomad
@@ -50,15 +50,20 @@ job "lldap" {
driver = "docker"
config {
- image = "nitnelave/lldap:latest"
+ image = "ghcr.io/lldap/lldap:latest"
ports = ["ldap", "web"]
- args = ["run", "--config-file", "$${NOMAD_SECRETS_DIR}/lldap_config.toml"]
+ args = ["run", "--config-file", "$${NOMAD_TASK_DIR}/lldap_config.toml"]
}
env = {
"LLDAP_VERBOSE" = "true"
"LLDAP_LDAP_PORT" = "$${NOMAD_PORT_ldap}"
"LLDAP_HTTP_PORT" = "$${NOMAD_PORT_web}"
+ "LLDAP_DATABASE_URL_FILE" = "$${NOMAD_SECRETS_DIR}/database_url.txt"
+ "LLDAP_KEY_SEED_FILE" = "$${NOMAD_SECRETS_DIR}/key_seed.txt"
+ "LLDAP_JWT_SECRET_FILE" = "$${NOMAD_SECRETS_DIR}/jwt_secret.txt"
+ "LLDAP_USER_PASS_FILE" = "$${NOMAD_SECRETS_DIR}/user_pass.txt"
+ "LLDAP_SMTP_OPTIONS__PASSWORD_FILE" = "$${NOMAD_SECRETS_DIR}/smtp_password.txt"
}
template {
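Review bot: `LLDAP_USER_PASS_FILE` does not follow the naming the other new `env` entries use, where each `*_FILE` variable is `LLDAP_` plus the upper-cased config key (`database_url` → `LLDAP_DATABASE_URL_FILE`, `key_seed` → `LLDAP_KEY_SEED_FILE`); the config key this replaces in the next hunk is `ldap_user_pass`, so by that pattern the name should be `LLDAP_LDAP_USER_PASS_FILE`. If lldap silently ignores an unrecognised variable, the admin account would be initialised from lldap's built-in default instead of `admin_password`, so this is worth confirming against the lldap configuration template before deploying. Separately, the image moves to ghcr.io but keeps the floating `latest` tag; pinning a release tag or digest, e.g. `image = "ghcr.io/lldap/lldap:<version>"`, makes the running build reproducible and keeps an upstream tag move from silently changing it. The `env` map's closing brace and the `template` stanza continue past this hunk.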
@@ -66,31 +71,52 @@ job "lldap" {
ldap_base_dn = "{{ with nomadVar "nomad/jobs" }}{{ .ldap_base_dn }}{{ end }}"
{{ with nomadVar "nomad/jobs/lldap" -}}
-database_url = "mysql://{{ .db_user }}:{{ .db_pass }}@127.0.0.1:3306/{{ .db_name }}"
-key_seed = "{{ .key_seed }}"
-jwt_secret = "{{ .jwt_secret }}"
-
ldap_user_dn = "{{ .admin_user }}"
ldap_user_email = "{{ .admin_email }}"
-ldap_user_pass = "{{ .admin_password }}"
[smtp_options]
from = "{{ .smtp_from }}"
reply_to = "{{ .smtp_reply_to }}"
-
enable_password_reset = true
-{{- end }}
-
-# TODO: Better access to SMTP creds using nomad ACLs
-{{ with nomadVar "nomad/jobs" -}}
-server = "{{ .smtp_server }}"
-port = {{ .smtp_port }}
-tls_required = {{ .smtp_tls.Value | toLower }}
-user = "{{ .smtp_user }}"
-password = "{{ .smtp_password }}"
+{{ end -}}
+{{ with nomadVar "secrets/smtp" -}}
+server = "{{ .server }}"
+port = {{ .port }}
+tls_required = {{ .tls.Value | toLower }}
+user = "{{ .user }}"
{{ end -}}
EOH
- destination = "$${NOMAD_SECRETS_DIR}/lldap_config.toml"
+ destination = "$${NOMAD_TASK_DIR}/lldap_config.toml"
+ change_mode = "restart"
+ }
+
+ template {
+ data = "{{ with nomadVar \"nomad/jobs/lldap\" }}mysql://{{ .db_user }}:{{ .db_pass }}@127.0.0.1:3306/{{ .db_name }}{{ end }}"
+ destination = "$${NOMAD_SECRETS_DIR}/database_url.txt"
+ change_mode = "restart"
+ }
+
+ template {
+ data = "{{ with nomadVar \"nomad/jobs/lldap\" }}{{ .key_seed }}{{ end }}"
+ destination = "$${NOMAD_SECRETS_DIR}/key_seed.txt"
+ change_mode = "restart"
+ }
+
+ template {
+ data = "{{ with nomadVar \"nomad/jobs/lldap\" }}{{ .jwt_secret }}{{ end }}"
+ destination = "$${NOMAD_SECRETS_DIR}/jwt_secret.txt"
+ change_mode = "restart"
+ }
+
+ template {
+ data = "{{ with nomadVar \"nomad/jobs/lldap\" }}{{ .admin_password }}{{ end }}"
+ destination = "$${NOMAD_SECRETS_DIR}/user_pass.txt"
+ change_mode = "restart"
+ }
+
+ template {
+ data = "{{ with nomadVar \"secrets/smtp\" }}{{ .password }}{{ end }}"
+ destination = 
"$${NOMAD_SECRETS_DIR}/smtp_password.txt"
change_mode = "restart"
}
diff --git a/databases/lldap.tf b/databases/lldap.tf
index d4c1143..5f092ad 100644
--- a/databases/lldap.tf
+++ b/databases/lldap.tf
@@ -9,6 +9,27 @@ resource "nomad_job" "lldap" {
detach = false
}
+# Give access to smtp secrets
+resource "nomad_acl_policy" "lldap_smtp_secrets" {
+ name = "lldap-secrets-smtp"
+ description = "Give access to SMTP secrets"
+ rules_hcl = <
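Review bot: The five new secret-file templates (`database_url.txt` through `smtp_password.txt`) leave the rendered file mode at Nomad's template default of 644, so adding `perms = "0400"` to each would restrict the files to the owner; if the container runs lldap as a non-root user, the template's `uid`/`gid` settings would need to match that user for the process to still read them. The `database_url.txt` template still interpolates `.db_pass` raw into the `mysql://` URL, so a password containing URL-reserved characters (`@`, `/`, `:`, `#`, `%`) would yield an unparseable URL; either document that constraint on the `nomad/jobs/lldap` variable or encode the value when rendering. Moving `lldap_config.toml` from `NOMAD_SECRETS_DIR` to `NOMAD_TASK_DIR` is sound only while nothing secret remains in it; at this revision it still carries the SMTP `user` and the admin DN and email, which may be acceptable but deserves a comment on the first template such as `# No secrets in this file: they are rendered into NOMAD_SECRETS_DIR and passed via the *_FILE env vars`. The enclosing `task` block and the config-file `template` stanza begin before this hunk.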