Ian Fijolek
cda2842f8f
Rather than installing stunnel on container startup, use an image with stunnel pre-installed. This avoids issues with DNS breaking the container on startup.
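# LLDAP: a small LDAP server with a web admin UI, backed by MariaDB/MySQL.
# This file is rendered by an outer template before Nomad parses it: `$${...}`
# is an escaped Nomad runtime variable and `%{~ if use_wesher ~}` is a template
# directive; both must be preserved verbatim.
job "lldap" {
  datacenters = ["dc1"]
  type        = "service"
  priority    = 80

  group "lldap" {
    network {
      mode = "bridge"

      # Web admin UI. Bound to the wesher overlay interface when enabled.
      port "web" {
        %{~ if use_wesher ~}
        host_network = "wesher"
        %{~ endif ~}
      }

      # Plaintext LDAP. NOTE(review): this port is published and registered as
      # the "lldap" service alongside the PSK-TLS port below, so anything on the
      # host/overlay network can reach LDAP without a PSK; the stunnel sidecar
      # itself only reaches it on 127.0.0.1 inside the bridge namespace. Confirm
      # that plaintext consumers still exist before keeping it published.
      port "ldap" {
        %{~ if use_wesher ~}
        host_network = "wesher"
        %{~ endif ~}
      }

      # LDAP over PSK-TLS, terminated by the stunnel sidecar task.
      port "tls" {}
    }

    service {
      name     = "lldap"
      provider = "nomad"
      port     = "ldap"
    }

    service {
      name     = "lldap-tls"
      provider = "nomad"
      port     = "tls"
    }

    service {
      name     = "ldap-admin"
      provider = "nomad"
      port     = "web"

      tags = [
        "traefik.enable=true",
        "traefik.http.routers.ldap-admin.entryPoints=websecure",
      ]
    }

    task "lldap" {
      driver = "docker"

      config {
        image = "ghcr.io/lldap/lldap:v0.5"
        ports = ["ldap", "web"]
        args  = ["run", "--config-file", "$${NOMAD_TASK_DIR}/lldap_config.toml"]
      }

      # Secrets are handed to lldap as *_FILE paths under NOMAD_SECRETS_DIR
      # (rendered by the templates below) rather than as environment values.
      env = {
        "LLDAP_VERBOSE"                     = "true"
        "LLDAP_LDAP_PORT"                   = "$${NOMAD_PORT_ldap}"
        "LLDAP_HTTP_PORT"                   = "$${NOMAD_PORT_web}"
        "LLDAP_DATABASE_URL_FILE"           = "$${NOMAD_SECRETS_DIR}/database_url.txt"
        "LLDAP_KEY_SEED_FILE"               = "$${NOMAD_SECRETS_DIR}/key_seed.txt"
        "LLDAP_JWT_SECRET_FILE"             = "$${NOMAD_SECRETS_DIR}/jwt_secret.txt"
        "LLDAP_USER_PASS_FILE"              = "$${NOMAD_SECRETS_DIR}/user_pass.txt"
        "LLDAP_SMTP_OPTIONS__PASSWORD_FILE" = "$${NOMAD_SECRETS_DIR}/smtp_password.txt"
      }

      # Non-secret lldap configuration (TOML); secrets stay in the *_FILE templates.
      template {
        data        = <<EOH
ldap_base_dn = "{{ with nomadVar "nomad/jobs" }}{{ .ldap_base_dn }}{{ end }}"

{{ with nomadVar "nomad/jobs/lldap" -}}
ldap_user_dn = "{{ .admin_user }}"
ldap_user_email = "{{ .admin_email }}"

[smtp_options]
from = "{{ .smtp_from }}"
reply_to = "{{ .smtp_reply_to }}"
enable_password_reset = true
{{ end -}}
{{ with nomadVar "secrets/smtp" -}}
server = "{{ .server }}"
port = {{ .port }}
tls_required = {{ .tls.Value | toLower }}
user = "{{ .user }}"
{{ end -}}
EOH
        destination = "$${NOMAD_TASK_DIR}/lldap_config.toml"
        change_mode = "restart"
      }

      # Database URL points at the local stunnel client (127.0.0.1:3306), which
      # forwards to the "mysql-tls" service over PSK-TLS. NOTE(review): db_user
      # and db_pass are interpolated without URL-encoding, so reserved
      # characters in the password would break the URL.
      template {
        data        = "{{ with nomadVar \"nomad/jobs/lldap\" }}mysql://{{ .db_user }}:{{ .db_pass }}@127.0.0.1:3306/{{ .db_name }}{{ end }}"
        destination = "$${NOMAD_SECRETS_DIR}/database_url.txt"
        change_mode = "restart"
      }

      template {
        data        = "{{ with nomadVar \"nomad/jobs/lldap\" }}{{ .key_seed }}{{ end }}"
        destination = "$${NOMAD_SECRETS_DIR}/key_seed.txt"
        change_mode = "restart"
      }

      template {
        data        = "{{ with nomadVar \"nomad/jobs/lldap\" }}{{ .jwt_secret }}{{ end }}"
        destination = "$${NOMAD_SECRETS_DIR}/jwt_secret.txt"
        change_mode = "restart"
      }

      template {
        data        = "{{ with nomadVar \"nomad/jobs/lldap\" }}{{ .admin_password }}{{ end }}"
        destination = "$${NOMAD_SECRETS_DIR}/user_pass.txt"
        change_mode = "restart"
      }

      template {
        data        = "{{ with nomadVar \"secrets/smtp\" }}{{ .password }}{{ end }}"
        destination = "$${NOMAD_SECRETS_DIR}/smtp_password.txt"
        change_mode = "restart"
      }

      resources {
        cpu        = 10
        memory     = 200
        memory_max = 200
      }
    }

    # One-shot prestart task: creates the lldap database and (re)creates the DB
    # user with the current password, through the stunnel client on 127.0.0.1:3306.
    task "bootstrap" {
      driver = "docker"

      lifecycle {
        hook    = "prestart"
        sidecar = false
      }

      config {
        image = "mariadb:10"
        # Retry until the SQL applies (stunnel/MySQL may not be up yet), giving
        # up after 2 minutes so a broken database fails the allocation instead
        # of hanging forever.
        args = [
          "/usr/bin/timeout",
          "2m",
          "/bin/bash",
          "-c",
          "until /usr/bin/mysql --defaults-extra-file=$${NOMAD_SECRETS_DIR}/my.cnf < $${NOMAD_SECRETS_DIR}/bootstrap.sql; do sleep 10; done",
        ]
      }

      # Root credentials for the bootstrap connection, kept in NOMAD_SECRETS_DIR.
      template {
        data        = <<EOF
[client]
host=127.0.0.1
port=3306
user=root
{{ with nomadVar "secrets/mysql" -}}
password={{ .mysql_root_password }}
{{ end -}}
EOF
        destination = "$${NOMAD_SECRETS_DIR}/my.cnf"
      }

      # Bootstrap SQL. DROP USER + CREATE USER means every prestart re-applies
      # the current db_pass. NOTE(review): db_user/db_pass are interpolated
      # into SQL string literals without escaping, so a value containing a
      # single quote would break (or alter) the statement; these come from
      # Nomad variables, so keep them free of quotes.
      template {
        data        = <<EOF
{{ with nomadVar "nomad/jobs/lldap" -}}
CREATE DATABASE IF NOT EXISTS `{{ .db_name }}`
CHARACTER SET = 'utf8mb4'
COLLATE = 'utf8mb4_unicode_ci';
DROP USER IF EXISTS '{{ .db_user }}'@'%';
CREATE USER '{{ .db_user }}'@'%'
IDENTIFIED BY '{{ .db_pass }}';
GRANT ALL ON `{{ .db_name }}`.*
TO '{{ .db_user }}'@'%';
{{ else -}}
SELECT 'NOOP';
{{ end -}}
EOF
        destination = "$${NOMAD_SECRETS_DIR}/bootstrap.sql"
      }

      resources {
        cpu    = 50
        memory = 50
      }
    }

    # PSK-TLS sidecar: terminates TLS for inbound LDAP on the "tls" port and
    # provides a TLS client for the MySQL service on 127.0.0.1:3306.
    task "stunnel" {
      driver = "docker"

      lifecycle {
        hook    = "prestart"
        sidecar = true
      }

      config {
        # Image ships stunnel pre-installed so startup does not depend on DNS
        # or a package install. TODO(review): pin to an immutable tag or digest
        # instead of "latest" so the TLS terminator cannot change under a redeploy.
        image = "iamthefij/stunnel:latest"
        args  = ["$${NOMAD_TASK_DIR}/stunnel.conf"]
        ports = ["tls"]
      }

      resources {
        cpu    = 100
        memory = 100
      }

      # Both PSK files live in NOMAD_SECRETS_DIR (tmpfs on Linux, not served by
      # the allocation filesystem API); the task directory is not a secrets store.
      template {
        data        = <<EOF
syslog = no
foreground = yes
delay = yes

[ldap_server]
accept = {{ env "NOMAD_PORT_tls" }}
connect = 127.0.0.1:{{ env "NOMAD_PORT_ldap" }}
ciphers = PSK
PSKsecrets = {{ env "NOMAD_SECRETS_DIR" }}/stunnel_psk.txt

[mysql_client]
client = yes
accept = 127.0.0.1:3306
{{ range nomadService 1 (env "NOMAD_ALLOC_ID") "mysql-tls" -}}
connect = {{ .Address }}:{{ .Port }}
{{- end }}
PSKsecrets = {{ env "NOMAD_SECRETS_DIR" }}/mysql_stunnel_psk.txt
EOF
        destination = "$${NOMAD_TASK_DIR}/stunnel.conf"
      }

      # PSK identities accepted from LDAP clients, one per allowed_psks entry.
      # Written under NOMAD_SECRETS_DIR, matching the MySQL PSK below, rather
      # than the task directory.
      template {
        data        = <<EOF
{{ range nomadVarList "secrets/ldap/allowed_psks" -}}
{{ with nomadVar .Path }}{{ .psk }}{{ end }}
{{ end -}}
EOF
        destination = "$${NOMAD_SECRETS_DIR}/stunnel_psk.txt"
      }

      # This job's own PSK for authenticating to the MySQL stunnel server.
      template {
        data        = <<EOF
{{- with nomadVar "secrets/mysql/allowed_psks/lldap" }}{{ .psk }}{{ end -}}
EOF
        destination = "$${NOMAD_SECRETS_DIR}/mysql_stunnel_psk.txt"
      }
    }
  }
}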