forked from Deuxfleurs/nixcfg
Add directory config for prod
This commit is contained in:
parent
41128f4c36
commit
6ea18bf8ae
15 changed files with 212 additions and 0 deletions
26
cluster/prod/app/directory/config/bottin/config.json.tpl
Normal file
26
cluster/prod/app/directory/config/bottin/config.json.tpl
Normal file
|
@ -0,0 +1,26 @@
|
|||
{
|
||||
"suffix": "{{ key "secrets/directory/ldap_base_dn" }}",
|
||||
"bind": "0.0.0.0:389",
|
||||
"log_level": "debug",
|
||||
"acl": [
|
||||
"*,{{ key "secrets/directory/ldap_base_dn" }}::read:*:* !userpassword !user_secret !alternate_user_secrets !garage_s3_secret_key",
|
||||
"*::read modify:SELF:*",
|
||||
"ANONYMOUS::bind:*,ou=users,{{ key "secrets/directory/ldap_base_dn" }}:",
|
||||
"ANONYMOUS::bind:cn=admin,{{ key "secrets/directory/ldap_base_dn" }}:",
|
||||
"*,ou=services,ou=users,{{ key "secrets/directory/ldap_base_dn" }}::bind:*,ou=users,{{ key "secrets/directory/ldap_base_dn" }}:*",
|
||||
"*,ou=services,ou=users,{{ key "secrets/directory/ldap_base_dn" }}::read:*:*",
|
||||
|
||||
"*:cn=asso_deuxfleurs,ou=groups,{{ key "secrets/directory/ldap_base_dn" }}:add:*,ou=invitations,{{ key "secrets/directory/ldap_base_dn" }}:*",
|
||||
"ANONYMOUS::bind:*,ou=invitations,{{ key "secrets/directory/ldap_base_dn" }}:",
|
||||
"*,ou=invitations,{{ key "secrets/directory/ldap_base_dn" }}::delete:SELF:*",
|
||||
|
||||
"*:cn=asso_deuxfleurs,ou=groups,{{ key "secrets/directory/ldap_base_dn" }}:add:*,ou=users,{{ key "secrets/directory/ldap_base_dn" }}:*",
|
||||
"*,ou=invitations,{{ key "secrets/directory/ldap_base_dn" }}::add:*,ou=users,{{ key "secrets/directory/ldap_base_dn" }}:*",
|
||||
|
||||
"*:cn=asso_deuxfleurs,ou=groups,{{ key "secrets/directory/ldap_base_dn" }}:modifyAdd:cn=email,ou=groups,{{ key "secrets/directory/ldap_base_dn" }}:*",
|
||||
"*,ou=invitations,{{ key "secrets/directory/ldap_base_dn" }}::modifyAdd:cn=email,ou=groups,{{ key "secrets/directory/ldap_base_dn" }}:*",
|
||||
|
||||
"cn=admin,{{ key "secrets/directory/ldap_base_dn" }}::read add modify delete:*:*",
|
||||
"*:cn=admin,ou=groups,{{ key "secrets/directory/ldap_base_dn" }}:read add modify delete:*:*"
|
||||
]
|
||||
}
|
34
cluster/prod/app/directory/config/guichet/config.json.tpl
Normal file
34
cluster/prod/app/directory/config/guichet/config.json.tpl
Normal file
|
@ -0,0 +1,34 @@
|
|||
{
|
||||
"http_bind_addr": ":9991",
|
||||
"ldap_server_addr": "ldap://bottin.service.staging.consul:389",
|
||||
|
||||
"base_dn": "{{ key "secrets/directory/ldap_base_dn" }}",
|
||||
"user_base_dn": "ou=users,{{ key "secrets/directory/ldap_base_dn" }}",
|
||||
"user_name_attr": "cn",
|
||||
"group_base_dn": "ou=groups,{{ key "secrets/directory/ldap_base_dn" }}",
|
||||
"group_name_attr": "cn",
|
||||
|
||||
"invitation_base_dn": "ou=invitations,{{ key "secrets/directory/ldap_base_dn" }}",
|
||||
"invitation_name_attr": "cn",
|
||||
"invited_mail_format": "{}@{{ key "secrets/directory/guichet/mail_domain" | trimSpace }}",
|
||||
"invited_auto_groups": [
|
||||
"cn=email,ou=groups,{{ key "secrets/directory/ldap_base_dn" }}"
|
||||
],
|
||||
|
||||
"web_address": "https://{{ key "secrets/directory/guichet/web_hostname" }}",
|
||||
"mail_from": "{{ key "secrets/directory/guichet/mail_from" }}",
|
||||
"smtp_server": "{{ key "secrets/directory/guichet/smtp_server" }}",
|
||||
"smtp_username": "{{ key "secrets/directory/guichet/smtp_user" | trimSpace }}",
|
||||
"smtp_password": "{{ key "secrets/directory/guichet/smtp_pass" | trimSpace }}",
|
||||
|
||||
"admin_account": "cn=admin,{{ key "secrets/directory/ldap_base_dn" }}",
|
||||
"group_can_admin": "cn=admin,ou=groups,{{ key "secrets/directory/ldap_base_dn" }}",
|
||||
"group_can_invite": "cn=asso_deuxfleurs,ou=groups,{{ key "secrets/directory/ldap_base_dn" }}",
|
||||
|
||||
"s3_endpoint": "{{ key "secrets/directory/guichet/s3_endpoint" }}",
|
||||
"s3_access_key": "{{ key "secrets/directory/guichet/s3_access_key" | trimSpace }}",
|
||||
"s3_secret_key": "{{ key "secrets/directory/guichet/s3_secret_key" | trimSpace }}",
|
||||
"s3_region": "{{ key "secrets/directory/guichet/s3_region" }}",
|
||||
"s3_bucket": "{{ key "secrets/directory/guichet/s3_bucket" }}"
|
||||
}
|
||||
|
140
cluster/prod/app/directory/deploy/directory.hcl
Normal file
140
cluster/prod/app/directory/deploy/directory.hcl
Normal file
|
@ -0,0 +1,140 @@
|
|||
job "directory" {
|
||||
datacenters = ["dc1", "neptune"]
|
||||
type = "service"
|
||||
priority = 90
|
||||
|
||||
constraint {
|
||||
attribute = "${attr.cpu.arch}"
|
||||
value = "amd64"
|
||||
}
|
||||
|
||||
group "bottin" {
|
||||
count = 1
|
||||
|
||||
network {
|
||||
port "ldap_port" {
|
||||
static = 389
|
||||
to = 389
|
||||
}
|
||||
}
|
||||
|
||||
task "bottin" {
|
||||
driver = "docker"
|
||||
config {
|
||||
image = "superboum/bottin_amd64:22"
|
||||
network_mode = "host"
|
||||
readonly_rootfs = true
|
||||
ports = [ "ldap_port" ]
|
||||
volumes = [
|
||||
"secrets/config.json:/config.json",
|
||||
"secrets:/etc/bottin",
|
||||
]
|
||||
}
|
||||
|
||||
resources {
|
||||
memory = 100
|
||||
}
|
||||
|
||||
template {
|
||||
data = file("../config/bottin/config.json.tpl")
|
||||
destination = "secrets/config.json"
|
||||
}
|
||||
|
||||
template {
|
||||
data = "{{ key \"secrets/consul/consul-ca.crt\" }}"
|
||||
destination = "secrets/consul-ca.crt"
|
||||
}
|
||||
|
||||
template {
|
||||
data = "{{ key \"secrets/consul/consul-client.crt\" }}"
|
||||
destination = "secrets/consul-client.crt"
|
||||
}
|
||||
|
||||
template {
|
||||
data = "{{ key \"secrets/consul/consul-client.key\" }}"
|
||||
destination = "secrets/consul-client.key"
|
||||
}
|
||||
|
||||
template {
|
||||
data = <<EOH
|
||||
CONSUL_HTTP_ADDR=https://localhost:8501
|
||||
CONSUL_HTTP_SSL=true
|
||||
CONSUL_CACERT=/etc/bottin/consul-ca.crt
|
||||
CONSUL_CLIENT_CERT=/etc/bottin/consul-client.crt
|
||||
CONSUL_CLIENT_KEY=/etc/bottin/consul-client.key
|
||||
EOH
|
||||
destination = "secrets/env"
|
||||
env = true
|
||||
}
|
||||
|
||||
service {
|
||||
tags = ["bottin"]
|
||||
port = "ldap_port"
|
||||
address_mode = "host"
|
||||
name = "bottin"
|
||||
check {
|
||||
type = "tcp"
|
||||
port = "ldap_port"
|
||||
interval = "60s"
|
||||
timeout = "5s"
|
||||
check_restart {
|
||||
limit = 3
|
||||
grace = "90s"
|
||||
ignore_warnings = false
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
group "guichet" {
|
||||
count = 1
|
||||
|
||||
network {
|
||||
port "web_port" { to = 9991 }
|
||||
}
|
||||
|
||||
task "guichet" {
|
||||
driver = "docker"
|
||||
config {
|
||||
image = "superboum/guichet_amd64:15"
|
||||
readonly_rootfs = true
|
||||
ports = [ "web_port" ]
|
||||
volumes = [
|
||||
"secrets/config.json:/config.json"
|
||||
]
|
||||
}
|
||||
|
||||
template {
|
||||
data = file("../config/guichet/config.json.tpl")
|
||||
destination = "secrets/config.json"
|
||||
}
|
||||
|
||||
resources {
|
||||
memory = 200
|
||||
}
|
||||
|
||||
service {
|
||||
name = "guichet"
|
||||
tags = [
|
||||
"guichet",
|
||||
"tricot guichet-new.deuxfleurs.fr",
|
||||
]
|
||||
port = "web_port"
|
||||
address_mode = "host"
|
||||
check {
|
||||
type = "tcp"
|
||||
port = "web_port"
|
||||
interval = "60s"
|
||||
timeout = "5s"
|
||||
check_restart {
|
||||
limit = 3
|
||||
grace = "90s"
|
||||
ignore_warnings = false
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
@ -0,0 +1 @@
|
|||
USER E-mail domain for new users (e.g. example.com)
|
|
@ -0,0 +1 @@
|
|||
USER E-mail address from which to send welcome emails to new users
|
|
@ -0,0 +1 @@
|
|||
USER Garage access key for Guichet profile pictures
|
|
@ -0,0 +1 @@
|
|||
USER S3 bucket in which to store data files (such as profile pictures)
|
|
@ -0,0 +1 @@
|
|||
USER S3 endpoint URL
|
|
@ -0,0 +1 @@
|
|||
USER S3 region
|
|
@ -0,0 +1 @@
|
|||
USER Garage secret key for Guichet profile pictures
|
|
@ -0,0 +1 @@
|
|||
USER SMTP password
|
|
@ -0,0 +1 @@
|
|||
USER SMTP server address (hostname:port)
|
|
@ -0,0 +1 @@
|
|||
USER SMTP username
|
|
@ -0,0 +1 @@
|
|||
USER Public hostname from which Guichet is accessible via HTTP (e.g. guichet.example.com)
|
|
@ -0,0 +1 @@
|
|||
USER LDAP base DN for everything (e.g. dc=example,dc=com)
|
Loading…
Reference in a new issue