Adding lldap and authelia.
This commit is contained in:
4
all-apps/lldap/0.6.3/Caddyfile
Normal file
4
all-apps/lldap/0.6.3/Caddyfile
Normal file
@@ -0,0 +1,4 @@
|
||||
{$lldap_SUBDOMAIN}.{$ROOT_DOMAIN} {
|
||||
import maintenance_intercept
|
||||
reverse_proxy http://lldap:17170
|
||||
}
|
||||
21
all-apps/lldap/0.6.3/Makefile
Normal file
21
all-apps/lldap/0.6.3/Makefile
Normal file
@@ -0,0 +1,21 @@
|
||||
IMAGE_DEPS := $(IMAGE_DEPS) \
|
||||
app/lldap/postgres_db \
|
||||
app/lldap/postgres_user \
|
||||
app/lldap/postgres_password \
|
||||
app/lldap/admin_password \
|
||||
app/lldap/jwt_secret \
|
||||
app/lldap/lldap-config/lldap_config.toml
|
||||
|
||||
app/lldap/postgres_db: $(apps_config)
|
||||
bash -c 'source ./$(apps_config); printf "%s\n" "$$LLDAP_POSTGRES_DB" > $@'
|
||||
app/lldap/postgres_user: $(apps_config)
|
||||
bash -c 'source ./$(apps_config); printf "%s\n" "$$LLDAP_POSTGRES_USER" > $@'
|
||||
app/lldap/postgres_password: $(apps_config)
|
||||
bash -c 'source ./$(apps_config); printf "%s\n" "$$LLDAP_POSTGRES_PASSWORD" > $@'
|
||||
app/lldap/admin_password: $(apps_config)
|
||||
bash -c 'source ./$(apps_config); printf "%s\n" "$$LLDAP_ADMIN_PASSWORD" > $@'
|
||||
app/lldap/jwt_secret: $(apps_config)
|
||||
bash -c 'source ./$(apps_config); printf "%s\n" "$$LLDAP_JWT_SECRET" > $@'
|
||||
app/lldap/lldap-config/lldap_config.toml: $(apps_config) app/lldap/lldap-config/lldap_config.toml.tmpl \
|
||||
app/lldap/make-lldap-config.sh
|
||||
./app/lldap/make-lldap-config.sh $(apps_config)
|
||||
65
all-apps/lldap/0.6.3/docker-compose.yaml
Normal file
65
all-apps/lldap/0.6.3/docker-compose.yaml
Normal file
@@ -0,0 +1,65 @@
|
||||
secrets:
|
||||
lldap_postgres_db:
|
||||
file: ./lldap/postgres_db
|
||||
lldap_postgres_password:
|
||||
file: ./lldap/postgres_password
|
||||
lldap_postgres_user:
|
||||
file: ./lldap/postgres_user
|
||||
lldap_admin_password:
|
||||
file: ./lldap/admin_password
|
||||
lldap_jwt_secret:
|
||||
file: ./lldap/jwt_secret
|
||||
|
||||
services:
|
||||
lldap_db:
|
||||
image: postgres:18-trixie
|
||||
environment:
|
||||
- POSTGRES_DB_FILE=/run/secrets/lldap_postgres_db
|
||||
- POSTGRES_USER_FILE=/run/secrets/lldap_postgres_user
|
||||
- POSTGRES_PASSWORD_FILE=/run/secrets/lldap_postgres_password
|
||||
shm_size: 128mb
|
||||
restart: always
|
||||
volumes:
|
||||
- /nassella/lldap/var-lib-postgresql:/var/lib/postgresql
|
||||
networks:
|
||||
- lldap_db_internal
|
||||
healthcheck:
|
||||
test: ["CMD-SHELL", "pg_isready -d `cat $$POSTGRES_DB_FILE` -U `cat $$POSTGRES_USER_FILE`"]
|
||||
start_period: 15s
|
||||
interval: 30s
|
||||
retries: 3
|
||||
timeout: 5s
|
||||
secrets:
|
||||
- lldap_postgres_db
|
||||
- lldap_postgres_password
|
||||
- lldap_postgres_user
|
||||
|
||||
lldap:
|
||||
image: lldap/lldap:stable
|
||||
environment:
|
||||
- LLDAP_JWT_SECRET_FILE=/run/secrets/lldap_jwt_secret
|
||||
- LLDAP_LDAP_USER_PASS_FILE=/run/secrets/lldap_admin_password
|
||||
volumes:
|
||||
- ./lldap/lldap-config/:/data
|
||||
networks:
|
||||
- lb
|
||||
- lldap_internal
|
||||
- lldap_db_internal
|
||||
depends_on:
|
||||
lldap_db:
|
||||
condition: service_healthy
|
||||
secrets:
|
||||
- lldap_postgres_db
|
||||
- lldap_postgres_password
|
||||
- lldap_postgres_user
|
||||
- lldap_jwt_secret
|
||||
- lldap_admin_password
|
||||
|
||||
networks:
|
||||
lb:
|
||||
lldap_internal:
|
||||
driver: bridge
|
||||
internal: true
|
||||
lldap_db_internal:
|
||||
driver: bridge
|
||||
internal: true
|
||||
161
all-apps/lldap/0.6.3/lldap-config/lldap_config.toml.tmpl
Normal file
161
all-apps/lldap/0.6.3/lldap-config/lldap_config.toml.tmpl
Normal file
@@ -0,0 +1,161 @@
|
||||
## Default configuration for Docker.
|
||||
## All the values can be overridden through environment variables, prefixed
|
||||
## with "LLDAP_". For instance, "ldap_port" can be overridden with the
|
||||
## "LLDAP_LDAP_PORT" variable.
|
||||
|
||||
## Tune the logging to be more verbose by setting this to be true.
|
||||
## You can set it with the LLDAP_VERBOSE environment variable.
|
||||
# verbose=false
|
||||
|
||||
## The host address that the LDAP server will be bound to.
|
||||
## To enable IPv6 support, simply switch "ldap_host" to "::":
|
||||
## To only allow connections from localhost (if you want to restrict to local self-hosted services),
|
||||
## change it to "127.0.0.1" ("::1" in case of IPv6).
|
||||
## If LLDAP server is running in docker, set it to "0.0.0.0" ("::" for IPv6) to allow connections
|
||||
## originating from outside the container.
|
||||
ldap_host = "0.0.0.0"
|
||||
|
||||
## The port on which to have the LDAP server.
|
||||
#ldap_port = 3890
|
||||
|
||||
## The host address that the HTTP server will be bound to.
|
||||
## To enable IPv6 support, simply switch "http_host" to "::".
|
||||
## To only allow connections from localhost (if you want to restrict to local self-hosted services),
|
||||
## change it to "127.0.0.1" ("::1" in case of IPv6).
|
||||
## If LLDAP server is running in docker, set it to "0.0.0.0" ("::" for IPv6) to allow connections
|
||||
## originating from outside the container.
|
||||
http_host = "0.0.0.0"
|
||||
|
||||
## The port on which to have the HTTP server, for user login and
|
||||
## administration.
|
||||
#http_port = 17170
|
||||
|
||||
## The public URL of the server, for password reset links.
|
||||
http_url = "https://$LLDAP_FULL_DOMAIN"
|
||||
|
||||
## The path to the front-end assets (relative to the working directory).
|
||||
#assets_path = "./app"
|
||||
|
||||
## Random secret for JWT signature.
|
||||
## This secret should be random, and should be shared with application
|
||||
## servers that need to consume the JWTs.
|
||||
## Changing this secret will invalidate all user sessions and require
|
||||
## them to re-login.
|
||||
## You should probably set it through the LLDAP_JWT_SECRET environment
|
||||
## variable from a secret ".env" file.
|
||||
## This can also be set from a file's contents by specifying the file path
|
||||
## in the LLDAP_JWT_SECRET_FILE environment variable
|
||||
## You can generate it with (on linux):
|
||||
## LC_ALL=C tr -dc 'A-Za-z0-9!#%&'\''()*+,-./:;<=>?@[\]^_{|}~' </dev/urandom | head -c 32; echo ''
|
||||
# jwt_secret = "$NASSELLA_LLDAP_JWT_SECRET"
|
||||
|
||||
## Base DN for LDAP.
|
||||
## This is usually your domain name, and is used as a
|
||||
## namespace for your users. The choice is arbitrary, but will be needed
|
||||
## to configure the LDAP integration with other services.
|
||||
## The sample value is for "example.com", but you can extend it with as
|
||||
## many "dc" as you want, and you don't actually need to own the domain
|
||||
## name.
|
||||
ldap_base_dn = "dc=nassella,dc=org"
|
||||
|
||||
## Admin username.
|
||||
## For the LDAP interface, a value of "admin" here will create the LDAP
|
||||
## user "cn=admin,ou=people,dc=example,dc=com" (with the base DN above).
|
||||
## For the administration interface, this is the username.
|
||||
#ldap_user_dn = "admin"
|
||||
|
||||
## Admin email.
|
||||
## Email for the admin account. It is only used when initially creating
|
||||
## the admin user, and can safely be omitted.
|
||||
ldap_user_email = "$LLDAP_USER_EMAIL"
|
||||
|
||||
## Admin password.
|
||||
## Password for the admin account, both for the LDAP bind and for the
|
||||
## administration interface. It is only used when initially creating
|
||||
## the admin user.
|
||||
## It should be minimum 8 characters long.
|
||||
## You can set it with the LLDAP_LDAP_USER_PASS environment variable.
|
||||
## This can also be set from a file's contents by specifying the file path
|
||||
## in the LLDAP_LDAP_USER_PASS_FILE environment variable
|
||||
## Note: you can create another admin user for user administration, this
|
||||
## is just the default one.
|
||||
# ldap_user_pass = ""
|
||||
|
||||
## Force reset of the admin password.
|
||||
## Break glass in case of emergency: if you lost the admin password, you
|
||||
## can set this to true to force a reset of the admin password to the value
|
||||
## of ldap_user_pass above.
|
||||
## Alternatively, you can set it to "always" to reset every time the server starts.
|
||||
# force_ldap_user_pass_reset = false
|
||||
|
||||
## Database URL.
|
||||
## This encodes the type of database (SQlite, MySQL, or PostgreSQL)
|
||||
## , the path, the user, password, and sometimes the mode (when
|
||||
## relevant).
|
||||
## Note: SQlite should come with "?mode=rwc" to create the DB
|
||||
## if not present.
|
||||
## Example URLs:
|
||||
## - "postgres://postgres-user:password@postgres-server/my-database"
|
||||
## - "mysql://mysql-user:password@mysql-server/my-database"
|
||||
##
|
||||
## This can be overridden with the LLDAP_DATABASE_URL env variable.
|
||||
database_url = "postgres://lldap:$LLDAP_POSTGRES_PASSWORD@lldap_db/lldap"
|
||||
|
||||
## Private key file.
|
||||
## Not recommended, use key_seed instead.
|
||||
## Contains the secret private key used to store the passwords safely.
|
||||
## Note that even with a database dump and the private key, an attacker
|
||||
## would still have to perform an (expensive) brute force attack to find
|
||||
## each password.
|
||||
## Randomly generated on first run if it doesn't exist.
|
||||
## Env variable: LLDAP_KEY_FILE
|
||||
#key_file = "/data/private_key"
|
||||
|
||||
## Seed to generate the server private key, see key_file above.
|
||||
## This can be any random string, the recommendation is that it's at least 12
|
||||
## characters long.
|
||||
## Env variable: LLDAP_KEY_SEED
|
||||
key_seed = "$LLDAP_KEY_SEED"
|
||||
|
||||
## Ignored attributes.
|
||||
## Some services will request attributes that are not present in LLDAP. When it
|
||||
## is the case, LLDAP will warn about the attribute being unknown. If you want
|
||||
## to ignore the attribute and the service works without, you can add it to this
|
||||
## list to silence the warning.
|
||||
#ignored_user_attributes = [ "sAMAccountName" ]
|
||||
#ignored_group_attributes = [ "mail", "userPrincipalName" ]
|
||||
|
||||
## Options to configure SMTP parameters, to send password reset emails.
|
||||
## To set these options from environment variables, use the following format
|
||||
## (example with "password"): LLDAP_SMTP_OPTIONS__PASSWORD
|
||||
[smtp_options]
|
||||
## Whether to enabled password reset via email, from LLDAP.
|
||||
enable_password_reset=true
|
||||
## The SMTP server.
|
||||
server="$SMTP_HOST"
|
||||
## The SMTP port.
|
||||
port=$SMTP_PORT
|
||||
## How the connection is encrypted, either "NONE" (no encryption), "TLS" or "STARTTLS".
|
||||
smtp_encryption = "TLS"
|
||||
## The SMTP user, usually your email address.
|
||||
user="$SMTP_AUTH_USER"
|
||||
## The SMTP password.
|
||||
password="$SMTP_AUTH_PASSSWORD"
|
||||
## The header field, optional: how the sender appears in the email. The first
|
||||
## is a free-form name, followed by an email between <>.
|
||||
from="$SMTP_FROM"
|
||||
## Same for reply-to, optional.
|
||||
#reply_to="Do not reply <noreply@localhost>"
|
||||
|
||||
## Options to configure LDAPS.
|
||||
## To set these options from environment variables, use the following format
|
||||
## (example with "port"): LLDAP_LDAPS_OPTIONS__PORT
|
||||
[ldaps_options]
|
||||
## Whether to enable LDAPS.
|
||||
#enabled=true
|
||||
## Port on which to listen.
|
||||
#port=6360
|
||||
## Certificate file.
|
||||
#cert_file="/data/cert.pem"
|
||||
## Certificate key file.
|
||||
#key_file="/data/key.pem"
|
||||
25
all-apps/lldap/0.6.3/make-lldap-config.sh
Executable file
25
all-apps/lldap/0.6.3/make-lldap-config.sh
Executable file
@@ -0,0 +1,25 @@
|
||||
#!/bin/bash
|
||||
|
||||
set -e
|
||||
set -a # export everything in the config for later use by envsubst
|
||||
|
||||
. $1 # source the apps.config file with then env vars
|
||||
|
||||
read -r -a APP_CONFIGS <<< "$APP_CONFIGS"
|
||||
|
||||
lldap_subdomain=
|
||||
|
||||
for config_string in ${APP_CONFIGS[@]}; do
|
||||
IFS=','
|
||||
read -r -a config <<< "$config_string"
|
||||
|
||||
app=${config[0]}
|
||||
subdomain=${config[1]}
|
||||
|
||||
if [ "$app" = "lldap" ]; then
|
||||
lldap_subdomain="$subdomain"
|
||||
fi
|
||||
done
|
||||
|
||||
export LLDAP_FULL_DOMAIN="$lldap_subdomain.$ROOT_DOMAIN"
|
||||
envsubst < app/lldap/lldap-config/lldap_config.toml.tmpl > app/lldap/lldap-config/lldap_config.toml
|
||||
Reference in New Issue
Block a user