homelab-nomad/core/lldap.nomad

job "lldap" {
  datacenters = ["dc1"]
  type = "service"
  priority = 80

  group "lldap" {

    network {
      mode = "bridge"

      port "web" {
        host_network = "wesher"
      }

      port "ldap" {
        host_network = "wesher"
      }

      port "tls" {}
    }

    service {
      name = "lldap"
      provider = "nomad"
      port = "ldap"
    }

    service {
      name = "lldap-tls"
      provider = "nomad"
      port = "tls"
    }

    service {
      name = "ldap-admin"
      provider = "nomad"
      port = "web"

      tags = [
        "traefik.enable=true",
        "traefik.http.routers.ldap-admin.entryPoints=websecure",
      ]
    }

    task "lldap" {
      driver = "docker"

      config {
        image = "nitnelave/lldap:latest"
        ports = ["ldap", "web"]
        args = ["run", "--config-file", "${NOMAD_SECRETS_DIR}/lldap_config.toml"]
      }

      env = {
        "LLDAP_VERBOSE" = "true"
        "LLDAP_LDAP_PORT" = "${NOMAD_PORT_ldap}"
        "LLDAP_HTTP_PORT" = "${NOMAD_PORT_web}"
      }

      template {
        data = <<EOH
ldap_base_dn = "{{ with nomadVar "nomad/jobs" }}{{ .ldap_base_dn }}{{ end }}"

{{ with nomadVar "nomad/jobs/lldap" -}}
database_url = "mysql://{{ .db_user }}:{{ .db_pass }}@127.0.0.1:3306/{{ .db_name }}"
key_seed = "{{ .key_seed }}"
jwt_secret = "{{ .jwt_secret }}"

ldap_user_dn = "{{ .admin_user }}"
ldap_user_email = "{{ .admin_email }}"
ldap_user_pass = "{{ .admin_password }}"

[smtp_options]
from = "{{ .smtp_from }}"
reply_to = "{{ .smtp_reply_to }}"

enable_password_reset = true
{{- end }}

# TODO: Better access to SMTP creds using nomad ACLs
{{ with nomadVar "nomad/jobs" -}}
server = "{{ .smtp_server }}"
port = {{ .smtp_port }}
tls_required = {{ .smtp_tls.Value | toLower }}
user = "{{ .smtp_user }}"
password = "{{ .smtp_password }}"
{{ end -}}
        EOH
        destination = "${NOMAD_SECRETS_DIR}/lldap_config.toml"
        change_mode = "restart"
      }

      resources {
        cpu = 10
        memory = 200
        memory_max = 200
      }
    }

    task "bootstrap" {
      driver = "docker"

      lifecycle {
        hook = "prestart"
        sidecar = false
      }

      config {
        image = "mariadb:10"
        args = [
          "/usr/bin/timeout",
          "2m",
          "/bin/bash",
          "-c",
          "until /usr/bin/mysql --defaults-extra-file=${NOMAD_SECRETS_DIR}/my.cnf < ${NOMAD_SECRETS_DIR}/bootstrap.sql; do sleep 10; done",
        ]
      }

      template {
        data = <<EOF
[client]
host=127.0.0.1
port=3306
user=root
# TODO: Use via lesser scoped access
{{ with nomadVar "nomad/jobs/lldap/lldap/bootstrap" -}}
password={{ .mysql_root_password }}
{{ end -}}
        EOF
        destination = "${NOMAD_SECRETS_DIR}/my.cnf"
      }

      template {
        data = <<EOF
{{ with nomadVar "nomad/jobs/lldap" -}}
{{ $db_name := .db_name }}
CREATE DATABASE IF NOT EXISTS `{{ .db_name }}`
  CHARACTER SET = 'utf8mb4'
  COLLATE = 'utf8mb4_unicode_ci';
DROP USER IF EXISTS '{{ .db_user }}'@'%';
CREATE USER '{{ .db_user }}'@'%'
  IDENTIFIED BY '{{ .db_pass }}';
GRANT ALL ON `{{ .db_name }}`.*
  TO '{{ .db_user }}'@'%';
{{ else -}}
SELECT 'NOOP';
{{ end -}}
        EOF
        destination = "${NOMAD_SECRETS_DIR}/bootstrap.sql"
      }

      resources {
        cpu = 50
        memory = 50
      }
    }

    task "stunnel" {
      driver = "docker"

      lifecycle {
        hook = "prestart"
        sidecar = true
      }

      config {
        image = "alpine:3.17"
        ports = ["tls"]
        args = ["/bin/sh", "${NOMAD_TASK_DIR}/start.sh"]
      }

      resources {
        cpu = 100
        memory = 100
      }

      template {
        data = <<EOF
set -e
apk add stunnel
exec stunnel {{ env "NOMAD_TASK_DIR" }}/stunnel.conf
        EOF
        destination = "${NOMAD_TASK_DIR}/start.sh"
      }

      template {
        data = <<EOF
syslog = no
foreground = yes
delay = yes

[ldap_server]
accept = {{ env "NOMAD_PORT_tls" }}
connect = 127.0.0.1:{{ env "NOMAD_PORT_ldap" }}
ciphers = PSK
PSKsecrets = {{ env "NOMAD_TASK_DIR" }}/stunnel_psk.txt

[mysql_client]
client = yes
accept = 127.0.0.1:3306
{{ range nomadService 1 (env "NOMAD_ALLOC_ID") "mysql-tls" -}}
connect = {{ .Address }}:{{ .Port }}
{{- end }}
PSKsecrets = {{ env "NOMAD_SECRETS_DIR" }}/mysql_stunnel_psk.txt
        EOF
        destination = "${NOMAD_TASK_DIR}/stunnel.conf"
      }

      template {
        data = <<EOF
{{ with nomadVar "nomad/jobs/lldap/lldap/stunnel" -}}
{{ .allowed_psks }}
{{- end }}
EOF
        destination = "${NOMAD_TASK_DIR}/stunnel_psk.txt"
      }

      template {
        data = <<EOF
{{- with nomadVar "nomad/jobs/lldap/lldap/stunnel" }}{{ .mysql_stunnel_psk }}{{ end -}}
EOF
        destination = "${NOMAD_SECRETS_DIR}/mysql_stunnel_psk.txt"
      }

    }
  }
}