job "openldap" { datacenters = ["homelab"] priority = 90 type = "service" meta { forcedeploy = "1" } constraint { attribute = "${attr.cpu.arch}" value = "amd64" } vault { policies = ["ldap"] } group "openldap" { network { mode = "host" port "ldap" { static = 389 to = 1389 } port "ldaps" { static = 636 to = 1636 } } task "selfsignedCertificate" { lifecycle { hook= "prestart" sidecar = false } driver= "docker" config{ image= "stakater/ssl-certs-generator" mount { type = "bind" source = "..${NOMAD_ALLOC_DIR}/data" target = "/certs" } } env { SSL_DNS="ldaps.service.consul,ldap.service.consul" } } task "openldap" { driver = "docker" service { name = "ldap" port = "ldap" tags = [ ] } service { name = "ldaps" port = "ldaps" tags = [ ] } config { image = "bitnami/openldap" ports = ["ldap", "ldaps"] volumes = [ "/mnt/diskstation/nomad/openldap:/bitnami/openldap", ] } env { LDAP_ADMIN_USERNAME = "admin" LDAP_ROOT = "dc=ducamps,dc=eu" LDAP_EXTRA_SCHEMAS = "cosine, inetorgperson" LDAP_CUSTOM_SCHEMA_DIR = "/local/schema" LDAP_CUSTOM_LDIF_DIR = "/local/ldif" LDAP_CONFIGURE_PPOLICY = "yes" LDAP_ALLOW_ANON_BINDING = "no" LDAP_LOGLEVEL = 64 LDAP_ENABLE_TLS = "yes" LDAP_TLS_CERT_FILE = "${NOMAD_ALLOC_DIR}/data/cert.pem" LDAP_TLS_KEY_FILE = "${NOMAD_ALLOC_DIR}/data/key.pem" LDAP_TLS_CA_FILE = "${NOMAD_ALLOC_DIR}/data/ca.pem" } #memberOf issue #https://github.com/bitnami/containers/issues/28335 # https://tylersguides.com/guides/openldap-memberof-overlay template { data = file("memberofOverlay.ldif") destination = "local/schema/memberofOverlay.ldif" } template { data = file("smbkrb5pwd.ldif") destination = "local/smbkrb5pwd.ldif" } template { data = file("rfc2307bis.ldif") destination = "local/schema/rfc2307bis.ldif" } template { data = file("samba.ldif") destination = "local/schema/samba.ldif" } template { data = file("tree.ldif") destination = "local/ldif/tree.ldif" } resources { memory = 300 } } } group ldpp-user-manager{ network{ mode = "host" port "http" { to = 80 } } task ldap-user-manager { driver = "docker" service { name = "ldap-user-manager" port = "http" tags = [ "traefik.enable=true", "traefik.http.routers.${NOMAD_JOB_NAME}.rule=Host(`ldap.ducamps.eu`)", "traefik.http.routers.${NOMAD_JOB_NAME}.tls.domains[0].sans=ldap.ducamps.eu", "traefik.http.routers.${NOMAD_JOB_NAME}.tls.certresolver=myresolver", "traefik.http.routers.${NOMAD_JOB_NAME}.entrypoints=web,websecure", ] } config { image = "wheelybird/ldap-user-manager" ports = ["http"] } template { data = <