Add directory config for prod

This commit is contained in:
Alex 2022-08-24 16:03:52 +02:00
parent 41128f4c36
commit 6ea18bf8ae
Signed by untrusted user: lx
GPG key ID: 0E496D15096376BE
15 changed files with 212 additions and 0 deletions

View file

@ -0,0 +1,26 @@
{
"suffix": "{{ key "secrets/directory/ldap_base_dn" }}",
"bind": "0.0.0.0:389",
"log_level": "debug",
"acl": [
"*,{{ key "secrets/directory/ldap_base_dn" }}::read:*:* !userpassword !user_secret !alternate_user_secrets !garage_s3_secret_key",
"*::read modify:SELF:*",
"ANONYMOUS::bind:*,ou=users,{{ key "secrets/directory/ldap_base_dn" }}:",
"ANONYMOUS::bind:cn=admin,{{ key "secrets/directory/ldap_base_dn" }}:",
"*,ou=services,ou=users,{{ key "secrets/directory/ldap_base_dn" }}::bind:*,ou=users,{{ key "secrets/directory/ldap_base_dn" }}:*",
"*,ou=services,ou=users,{{ key "secrets/directory/ldap_base_dn" }}::read:*:*",
"*:cn=asso_deuxfleurs,ou=groups,{{ key "secrets/directory/ldap_base_dn" }}:add:*,ou=invitations,{{ key "secrets/directory/ldap_base_dn" }}:*",
"ANONYMOUS::bind:*,ou=invitations,{{ key "secrets/directory/ldap_base_dn" }}:",
"*,ou=invitations,{{ key "secrets/directory/ldap_base_dn" }}::delete:SELF:*",
"*:cn=asso_deuxfleurs,ou=groups,{{ key "secrets/directory/ldap_base_dn" }}:add:*,ou=users,{{ key "secrets/directory/ldap_base_dn" }}:*",
"*,ou=invitations,{{ key "secrets/directory/ldap_base_dn" }}::add:*,ou=users,{{ key "secrets/directory/ldap_base_dn" }}:*",
"*:cn=asso_deuxfleurs,ou=groups,{{ key "secrets/directory/ldap_base_dn" }}:modifyAdd:cn=email,ou=groups,{{ key "secrets/directory/ldap_base_dn" }}:*",
"*,ou=invitations,{{ key "secrets/directory/ldap_base_dn" }}::modifyAdd:cn=email,ou=groups,{{ key "secrets/directory/ldap_base_dn" }}:*",
"cn=admin,{{ key "secrets/directory/ldap_base_dn" }}::read add modify delete:*:*",
"*:cn=admin,ou=groups,{{ key "secrets/directory/ldap_base_dn" }}:read add modify delete:*:*"
]
}

View file

@ -0,0 +1,34 @@
{
"http_bind_addr": ":9991",
"ldap_server_addr": "ldap://bottin.service.staging.consul:389",
"base_dn": "{{ key "secrets/directory/ldap_base_dn" }}",
"user_base_dn": "ou=users,{{ key "secrets/directory/ldap_base_dn" }}",
"user_name_attr": "cn",
"group_base_dn": "ou=groups,{{ key "secrets/directory/ldap_base_dn" }}",
"group_name_attr": "cn",
"invitation_base_dn": "ou=invitations,{{ key "secrets/directory/ldap_base_dn" }}",
"invitation_name_attr": "cn",
"invited_mail_format": "{}@{{ key "secrets/directory/guichet/mail_domain" | trimSpace }}",
"invited_auto_groups": [
"cn=email,ou=groups,{{ key "secrets/directory/ldap_base_dn" }}"
],
"web_address": "https://{{ key "secrets/directory/guichet/web_hostname" }}",
"mail_from": "{{ key "secrets/directory/guichet/mail_from" }}",
"smtp_server": "{{ key "secrets/directory/guichet/smtp_server" }}",
"smtp_username": "{{ key "secrets/directory/guichet/smtp_user" | trimSpace }}",
"smtp_password": "{{ key "secrets/directory/guichet/smtp_pass" | trimSpace }}",
"admin_account": "cn=admin,{{ key "secrets/directory/ldap_base_dn" }}",
"group_can_admin": "cn=admin,ou=groups,{{ key "secrets/directory/ldap_base_dn" }}",
"group_can_invite": "cn=asso_deuxfleurs,ou=groups,{{ key "secrets/directory/ldap_base_dn" }}",
"s3_endpoint": "{{ key "secrets/directory/guichet/s3_endpoint" }}",
"s3_access_key": "{{ key "secrets/directory/guichet/s3_access_key" | trimSpace }}",
"s3_secret_key": "{{ key "secrets/directory/guichet/s3_secret_key" | trimSpace }}",
"s3_region": "{{ key "secrets/directory/guichet/s3_region" }}",
"s3_bucket": "{{ key "secrets/directory/guichet/s3_bucket" }}"
}

View file

@ -0,0 +1,140 @@
job "directory" {
datacenters = ["dc1", "neptune"]
type = "service"
priority = 90
constraint {
attribute = "${attr.cpu.arch}"
value = "amd64"
}
group "bottin" {
count = 1
network {
port "ldap_port" {
static = 389
to = 389
}
}
task "bottin" {
driver = "docker"
config {
image = "superboum/bottin_amd64:22"
network_mode = "host"
readonly_rootfs = true
ports = [ "ldap_port" ]
volumes = [
"secrets/config.json:/config.json",
"secrets:/etc/bottin",
]
}
resources {
memory = 100
}
template {
data = file("../config/bottin/config.json.tpl")
destination = "secrets/config.json"
}
template {
data = "{{ key \"secrets/consul/consul-ca.crt\" }}"
destination = "secrets/consul-ca.crt"
}
template {
data = "{{ key \"secrets/consul/consul-client.crt\" }}"
destination = "secrets/consul-client.crt"
}
template {
data = "{{ key \"secrets/consul/consul-client.key\" }}"
destination = "secrets/consul-client.key"
}
template {
data = <<EOH
CONSUL_HTTP_ADDR=https://localhost:8501
CONSUL_HTTP_SSL=true
CONSUL_CACERT=/etc/bottin/consul-ca.crt
CONSUL_CLIENT_CERT=/etc/bottin/consul-client.crt
CONSUL_CLIENT_KEY=/etc/bottin/consul-client.key
EOH
destination = "secrets/env"
env = true
}
service {
tags = ["bottin"]
port = "ldap_port"
address_mode = "host"
name = "bottin"
check {
type = "tcp"
port = "ldap_port"
interval = "60s"
timeout = "5s"
check_restart {
limit = 3
grace = "90s"
ignore_warnings = false
}
}
}
}
}
group "guichet" {
count = 1
network {
port "web_port" { to = 9991 }
}
task "guichet" {
driver = "docker"
config {
image = "superboum/guichet_amd64:15"
readonly_rootfs = true
ports = [ "web_port" ]
volumes = [
"secrets/config.json:/config.json"
]
}
template {
data = file("../config/guichet/config.json.tpl")
destination = "secrets/config.json"
}
resources {
memory = 200
}
service {
name = "guichet"
tags = [
"guichet",
"tricot guichet-new.deuxfleurs.fr",
]
port = "web_port"
address_mode = "host"
check {
type = "tcp"
port = "web_port"
interval = "60s"
timeout = "5s"
check_restart {
limit = 3
grace = "90s"
ignore_warnings = false
}
}
}
}
}
}

View file

@ -0,0 +1 @@
USER E-mail domain for new users (e.g. example.com)

View file

@ -0,0 +1 @@
USER E-mail address from which to send welcome emails to new users

View file

@ -0,0 +1 @@
USER Garage access key for Guichet profile pictures

View file

@ -0,0 +1 @@
USER S3 bucket in which to store data files (such as profile pictures)

View file

@ -0,0 +1 @@
USER S3 endpoint URL

View file

@ -0,0 +1 @@
USER S3 region

View file

@ -0,0 +1 @@
USER Garage secret key for Guichet profile pictures

View file

@ -0,0 +1 @@
USER SMTP password

View file

@ -0,0 +1 @@
USER SMTP server address (hostname:port)

View file

@ -0,0 +1 @@
USER SMTP username

View file

@ -0,0 +1 @@
USER Public hostname from which Guichet is accessible via HTTP (e.g. guichet.example.com)

View file

@ -0,0 +1 @@
USER LDAP base DN for everything (e.g. dc=example,dc=com)