lldap: access shared smtp secrets
parent
2bd939e651
commit
edeb6cf444
@ -50,15 +50,20 @@ job "lldap" {
|
|||||||
driver = "docker"
|
driver = "docker"
|
||||||
|
|
||||||
config {
|
config {
|
||||||
image = "nitnelave/lldap:latest"
|
image = "ghcr.io/lldap/lldap:latest"
|
||||||
ports = ["ldap", "web"]
|
ports = ["ldap", "web"]
|
||||||
args = ["run", "--config-file", "$${NOMAD_SECRETS_DIR}/lldap_config.toml"]
|
args = ["run", "--config-file", "$${NOMAD_TASK_DIR}/lldap_config.toml"]
|
||||||
}
|
}
|
||||||
|
|
||||||
env = {
|
env = {
|
||||||
"LLDAP_VERBOSE" = "true"
|
"LLDAP_VERBOSE" = "true"
|
||||||
"LLDAP_LDAP_PORT" = "$${NOMAD_PORT_ldap}"
|
"LLDAP_LDAP_PORT" = "$${NOMAD_PORT_ldap}"
|
||||||
"LLDAP_HTTP_PORT" = "$${NOMAD_PORT_web}"
|
"LLDAP_HTTP_PORT" = "$${NOMAD_PORT_web}"
|
||||||
|
"LLDAP_DATABASE_URL_FILE" = "$${NOMAD_SECRETS_DIR}/database_url.txt"
|
||||||
|
"LLDAP_KEY_SEED_FILE" = "$${NOMAD_SECRETS_DIR}/key_seed.txt"
|
||||||
|
"LLDAP_JWT_SECRET_FILE" = "$${NOMAD_SECRETS_DIR}/jwt_secret.txt"
|
||||||
|
"LLDAP_USER_PASS_FILE" = "$${NOMAD_SECRETS_DIR}/user_pass.txt"
|
||||||
|
"LLDAP_SMTP_OPTIONS__PASSWORD_FILE" = "$${NOMAD_SECRETS_DIR}/smtp_password.txt"
|
||||||
}
|
}
|
||||||
|
|
||||||
template {
|
template {
|
||||||
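Review bot: `image = "ghcr.io/lldap/lldap:latest"` changes the registry but keeps a floating tag, so the task can come up on a different, unreviewed build whenever the allocation is (re)started — and every template in this job uses `change_mode = "restart"`, so restarts are routine. Pin to a release tag or, better, a digest, e.g. `image = "ghcr.io/lldap/lldap:<pinned-version>"` (placeholder), and bump it deliberately. The split of non-secret config into `NOMAD_TASK_DIR` while the new `*_FILE` variables point into `NOMAD_SECRETS_DIR` is the right direction; a one-line comment above `env` stating that the config template must stay secret-free because it now lives in the task dir would stop the next edit from putting a password back into it.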
@ -66,31 +71,52 @@ job "lldap" {
|
|||||||
ldap_base_dn = "{{ with nomadVar "nomad/jobs" }}{{ .ldap_base_dn }}{{ end }}"
|
ldap_base_dn = "{{ with nomadVar "nomad/jobs" }}{{ .ldap_base_dn }}{{ end }}"
|
||||||
|
|
||||||
{{ with nomadVar "nomad/jobs/lldap" -}}
|
{{ with nomadVar "nomad/jobs/lldap" -}}
|
||||||
database_url = "mysql://{{ .db_user }}:{{ .db_pass }}@127.0.0.1:3306/{{ .db_name }}"
|
|
||||||
key_seed = "{{ .key_seed }}"
|
|
||||||
jwt_secret = "{{ .jwt_secret }}"
|
|
||||||
|
|
||||||
ldap_user_dn = "{{ .admin_user }}"
|
ldap_user_dn = "{{ .admin_user }}"
|
||||||
ldap_user_email = "{{ .admin_email }}"
|
ldap_user_email = "{{ .admin_email }}"
|
||||||
ldap_user_pass = "{{ .admin_password }}"
|
|
||||||
|
|
||||||
[smtp_options]
|
[smtp_options]
|
||||||
from = "{{ .smtp_from }}"
|
from = "{{ .smtp_from }}"
|
||||||
reply_to = "{{ .smtp_reply_to }}"
|
reply_to = "{{ .smtp_reply_to }}"
|
||||||
|
|
||||||
enable_password_reset = true
|
enable_password_reset = true
|
||||||
{{- end }}
|
{{ end -}}
|
||||||
|
{{ with nomadVar "secrets/smtp" -}}
|
||||||
# TODO: Better access to SMTP creds using nomad ACLs
|
server = "{{ .server }}"
|
||||||
{{ with nomadVar "nomad/jobs" -}}
|
port = {{ .port }}
|
||||||
server = "{{ .smtp_server }}"
|
tls_required = {{ .tls.Value | toLower }}
|
||||||
port = {{ .smtp_port }}
|
user = "{{ .user }}"
|
||||||
tls_required = {{ .smtp_tls.Value | toLower }}
|
|
||||||
user = "{{ .smtp_user }}"
|
|
||||||
password = "{{ .smtp_password }}"
|
|
||||||
{{ end -}}
|
{{ end -}}
|
||||||
EOH
|
EOH
|
||||||
destination = "$${NOMAD_SECRETS_DIR}/lldap_config.toml"
|
destination = "$${NOMAD_TASK_DIR}/lldap_config.toml"
|
||||||
|
change_mode = "restart"
|
||||||
|
}
|
||||||
|
|
||||||
|
template {
|
||||||
|
data = "{{ with nomadVar \"nomad/jobs/lldap\" }}mysql://{{ .db_user }}:{{ .db_pass }}@127.0.0.1:3306/{{ .db_name }}{{ end }}"
|
||||||
|
destination = "$${NOMAD_SECRETS_DIR}/database_url.txt"
|
||||||
|
change_mode = "restart"
|
||||||
|
}
|
||||||
|
|
||||||
|
template {
|
||||||
|
data = "{{ with nomadVar \"nomad/jobs/lldap\" }}{{ .key_seed }}{{ end }}"
|
||||||
|
destination = "$${NOMAD_SECRETS_DIR}/key_seed.txt"
|
||||||
|
change_mode = "restart"
|
||||||
|
}
|
||||||
|
|
||||||
|
template {
|
||||||
|
data = "{{ with nomadVar \"nomad/jobs/lldap\" }}{{ .jwt_secret }}{{ end }}"
|
||||||
|
destination = "$${NOMAD_SECRETS_DIR}/jwt_secret.txt"
|
||||||
|
change_mode = "restart"
|
||||||
|
}
|
||||||
|
|
||||||
|
template {
|
||||||
|
data = "{{ with nomadVar \"nomad/jobs/lldap\" }}{{ .admin_password }}{{ end }}"
|
||||||
|
destination = "$${NOMAD_SECRETS_DIR}/user_pass.txt"
|
||||||
|
change_mode = "restart"
|
||||||
|
}
|
||||||
|
|
||||||
|
template {
|
||||||
|
data = "{{ with nomadVar \"secrets/smtp\" }}{{ .password }}{{ end }}"
|
||||||
|
destination = "$${NOMAD_SECRETS_DIR}/smtp_password.txt"
|
||||||
change_mode = "restart"
|
change_mode = "restart"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
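Review bot: Each new secret-file template wraps its value in `{{ with nomadVar ... }}…{{ end }}`, so if the variable is absent or unreadable by the task the template can render an empty `smtp_password.txt` / `key_seed.txt` / `jwt_secret.txt` / `user_pass.txt` / `database_url.txt` instead of failing, and lldap would start with an empty secret; I would confirm how the runner behaves for a missing path and, if it renders empty, drop the `with` guard in these templates so the render fails loudly. The same decoupling exists in the config template: `enable_password_reset = true` is set unconditionally inside the `nomad/jobs/lldap` block while `server`/`port`/`user` come from the separate `secrets/smtp` block, so password reset can be enabled with no SMTP server rendered. Separately, the `database_url.txt` template interpolates `{{ .db_pass }}` raw into `mysql://{{ .db_user }}:{{ .db_pass }}@127.0.0.1:3306/...`; a generated password containing `@`, `:`, `/` or `#` breaks the URL, so either constrain the generator to URL-safe characters or percent-encode the value.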
@ -9,6 +9,27 @@ resource "nomad_job" "lldap" {
|
|||||||
detach = false
|
detach = false
|
||||||
}
|
}
|
||||||
|
|
||||||
|
# Give access to smtp secrets
|
||||||
|
resource "nomad_acl_policy" "lldap_smtp_secrets" {
|
||||||
|
name = "lldap-secrets-smtp"
|
||||||
|
description = "Give access to SMTP secrets"
|
||||||
|
rules_hcl = <<EOH
|
||||||
|
namespace "default" {
|
||||||
|
variables {
|
||||||
|
path "secrets/smtp" {
|
||||||
|
capabilities = ["read"]
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
EOH
|
||||||
|
|
||||||
|
job_acl {
|
||||||
|
job_id = "lldap"
|
||||||
|
group = "lldap"
|
||||||
|
task = "lldap"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
# Generate secrets and policies for access to MySQL
|
# Generate secrets and policies for access to MySQL
|
||||||
resource "nomad_acl_policy" "lldap_mysql_bootstrap_secrets" {
|
resource "nomad_acl_policy" "lldap_mysql_bootstrap_secrets" {
|
||||||
name = "lldap-secrets-mysql"
|
name = "lldap-secrets-mysql"
|
||||||
|
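Review bot: `job_acl` binds the policy to the task with literal `job_id`/`group`/`task` strings, so Terraform sees no ordering between `nomad_acl_policy.lldap_smtp_secrets` and `nomad_job.lldap`, which has `detach = false` and whose template now reads `secrets/smtp`; on a fresh apply the job may be submitted before the policy exists and stall or fail on the template render. Add `depends_on = [nomad_acl_policy.lldap_smtp_secrets]` to the `nomad_job.lldap` resource (its body starts outside this hunk), or derive the literals from the job resource so the dependency is explicit. Note also that `namespace "default"` in `rules_hcl` and the implicit default namespace of `job_acl` must move together if the job is ever deployed elsewhere; a comment above the `resource` line recording that coupling would help.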
@ -216,7 +216,6 @@ EOF
|
|||||||
host=127.0.0.1
|
host=127.0.0.1
|
||||||
port=3306
|
port=3306
|
||||||
user=root
|
user=root
|
||||||
# TODO: Use via lesser scoped access
|
|
||||||
{{ with nomadVar "secrets/mysql" -}}
|
{{ with nomadVar "secrets/mysql" -}}
|
||||||
password={{ .mysql_root_password }}
|
password={{ .mysql_root_password }}
|
||||||
{{ end -}}
|
{{ end -}}
|
||||||
|