Add lldap

nomad/ansible_hosts.yml

@@ -13,6 +13,12 @@ all:
               group: "bin"
               mode: "0755"
               read_only: false
+            - name: lldap-data
+              path: /srv/volumes/lldap
+              owner: "root"
+              group: "bin"
+              mode: "0755"
+              read_only: false
         n2.thefij:
           nomad_node_role: both
           nomad_unique_host_volumes:

nomad/core.tf

@@ -71,21 +71,17 @@ resource "consul_config_entry" "loki_intent" {
 }
 
 resource "nomad_job" "syslog-ng" {
-  hcl2 {
-    enabled = true
-  }
-
   jobspec = file("${path.module}/syslogng.nomad")
 }
 
 resource "nomad_job" "ddclient" {
-  hcl2 {
-    enabled = true
-  }
-
   jobspec = file("${path.module}/ddclient.nomad")
 }
 
+resource "nomad_job" "lldap" {
+  jobspec = file("${path.module}/lldap.nomad")
+}
+
 resource "consul_config_entry" "syslogng_promtail_intent" {
   name = "syslogng-promtail"
   kind = "service-intentions"

nomad/lldap.nomad

@@ -0,0 +1,140 @@
+job "lldap" {
+  datacenters = ["dc1"]
+  type = "service"
+
+  group "lldap" {
+
+    network {
+      mode = "bridge"
+
+      port "web" {
+        host_network = "loopback"
+        to = 17170
+      }
+
+      port "ldap" {
+        host_network = "loopback"
+        to = 3890
+      }
+    }
+
+    volume "lldap-data" {
+      type = "host"
+      read_only = false
+      source = "lldap-data"
+    }
+
+    service {
+      name = "lldap"
+      port = "ldap"
+
+      connect {
+        sidecar_service {
+          proxy {
+            local_service_port = 3890
+
+            config {
+              protocol = "tcp"
+            }
+          }
+        }
+
+        sidecar_task {
+          resources {
+            cpu    = 50
+            memory = 20
+          }
+        }
+      }
+    }
+
+    service {
+      name = "ldap-admin"
+      port = "web"
+
+      connect {
+        sidecar_service {
+          proxy {
+            local_service_port = 17170
+          }
+        }
+
+        sidecar_task {
+          resources {
+            cpu    = 20
+            memory = 20
+          }
+        }
+      }
+
+      tags = [
+        "traefik.enable=true",
+        "traefik.http.routers.ldap-admin.entryPoints=websecure",
+      ]
+    }
+
+    task "lldap" {
+      driver = "docker"
+
+      volume_mount {
+        volume = "lldap-data"
+        destination = "/data"
+        read_only = false
+      }
+
+      config {
+        image = "nitnelave/lldap"
+        ports = ["ldap", "web"]
+        args = ["run", "--config-file", "/lldap_config.toml"]
+
+        mount {
+          type = "bind"
+          source = "secrets/lldap_config.toml"
+          target = "/lldap_config.toml"
+        }
+      }
+
+      vault {
+        policies = [
+          "access-tables",
+          "nomad-task",
+        ]
+      }
+
+      template {
+        data = <<EOH
+database_url = "sqlite:///data/users.db?mode=rwc"
+key_file = "/data/private_key"
+ldap_base_dn = "{{ keyOrDefault "global/ldap/base_dn" "dc=example,dc=com" }}"
+{{ with secret "kv/data/lldap" -}}
+jwt_secret = "{{ .Data.data.jwt_secret }}"
+ldap_user_dn = "{{ .Data.data.admin_user }}"
+ldap_user_email = "{{ .Data.data.admin_email }}"
+ldap_user_pass = "{{ .Data.data.admin_password }}"
+{{ end -}}
+{{ with secret "kv/data/smtp" -}}
+[smtp_options]
+enable_password_reset = true
+server = "{{ .Data.data.server }}"
+port = {{ .Data.data.port }}
+tls_required = {{ .Data.data.tls }}
+user = "{{ .Data.data.user }}"
+password = "{{ .Data.data.password }}"
+{{ with secret "kv/data/lldap" -}}
+from = "{{ .Data.data.smtp_from }}"
+reply_to = "{{ .Data.data.smtp_reply_to }}"
+{{ end -}}
+{{ end -}}
+        EOH
+        destination = "secrets/lldap_config.toml"
+        change_mode = "restart"
+      }
+
+      resources {
+        cpu = 10
+        memory = 20
+        memory_max = 100
+      }
+    }
+  }
+}