tixie/nixcfg
1
0
Fork 0
forked from Deuxfleurs/nixcfg
Code Pull requests Activity

Add directory

Browse source
This commit is contained in:
Alex 2022-06-01 14:04:20 +02:00
parent 53309d3845
commit bee58a7891
Signed by untrusted user: lx
GPG key ID: 0E496D15096376BE
16 changed files with 216 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

26
app/directory/config/bottin/config.json.tpl Normal file
View file

@ -0,0 +1,26 @@
{
"suffix": "{{ key "secrets/directory/ldap_base_dn" }}",
"bind": "0.0.0.0:389",
"log_level": "debug",
"acl": [
"*,{{ key "secrets/directory/ldap_base_dn" }}::read:*:* !userpassword !user_secret !alternate_user_secrets !garage_s3_secret_key",
"*::read modify:SELF:*",
"ANONYMOUS::bind:*,ou=users,{{ key "secrets/directory/ldap_base_dn" }}:",
"ANONYMOUS::bind:cn=admin,{{ key "secrets/directory/ldap_base_dn" }}:",
"*,ou=services,ou=users,{{ key "secrets/directory/ldap_base_dn" }}::bind:*,ou=users,{{ key "secrets/directory/ldap_base_dn" }}:*",
"*,ou=services,ou=users,{{ key "secrets/directory/ldap_base_dn" }}::read:*:*",
"*:cn=asso_deuxfleurs,ou=groups,{{ key "secrets/directory/ldap_base_dn" }}:add:*,ou=invitations,{{ key "secrets/directory/ldap_base_dn" }}:*",
"ANONYMOUS::bind:*,ou=invitations,{{ key "secrets/directory/ldap_base_dn" }}:",
"*,ou=invitations,{{ key "secrets/directory/ldap_base_dn" }}::delete:SELF:*",
"*:cn=asso_deuxfleurs,ou=groups,{{ key "secrets/directory/ldap_base_dn" }}:add:*,ou=users,{{ key "secrets/directory/ldap_base_dn" }}:*",
"*,ou=invitations,{{ key "secrets/directory/ldap_base_dn" }}::add:*,ou=users,{{ key "secrets/directory/ldap_base_dn" }}:*",
"*:cn=asso_deuxfleurs,ou=groups,{{ key "secrets/directory/ldap_base_dn" }}:modifyAdd:cn=email,ou=groups,{{ key "secrets/directory/ldap_base_dn" }}:*",
"*,ou=invitations,{{ key "secrets/directory/ldap_base_dn" }}::modifyAdd:cn=email,ou=groups,{{ key "secrets/directory/ldap_base_dn" }}:*",
"cn=admin,{{ key "secrets/directory/ldap_base_dn" }}::read add modify delete:*:*",
"*:cn=admin,ou=groups,{{ key "secrets/directory/ldap_base_dn" }}:read add modify delete:*:*"
]
}

34
app/directory/config/guichet/config.json.tpl Normal file
View file

@ -0,0 +1,34 @@
{
"http_bind_addr": ":9991",
"ldap_server_addr": "ldap://bottin2.service.2.cluster.deuxfleurs.fr:389",
"base_dn": "{{ key "secrets/directory/ldap_base_dn" }}",
"user_base_dn": "ou=users,{{ key "secrets/directory/ldap_base_dn" }}",
"user_name_attr": "cn",
"group_base_dn": "ou=groups,{{ key "secrets/directory/ldap_base_dn" }}",
"group_name_attr": "cn",
"invitation_base_dn": "ou=invitations,{{ key "secrets/directory/ldap_base_dn" }}",
"invitation_name_attr": "cn",
"invited_mail_format": "{}@{{ key "secrets/directory/guichet/mail_domain" | trimSpace }}",
"invited_auto_groups": [
"cn=email,ou=groups,{{ key "secrets/directory/ldap_base_dn" }}"
],
"web_address": "https://{{ key "secrets/directory/guichet/web_hostname" }}",
"mail_from": "{{ key "secrets/directory/guichet/mail_from" }}",
"smtp_server": "{{ key "secrets/directory/guichet/smtp_server" }}",
"smtp_username": "{{ key "secrets/directory/guichet/smtp_user" | trimSpace }}",
"smtp_password": "{{ key "secrets/directory/guichet/smtp_pass" | trimSpace }}",
"admin_account": "cn=admin,{{ key "secrets/directory/ldap_base_dn" }}",
"group_can_admin": "cn=admin,ou=groups,{{ key "secrets/directory/ldap_base_dn" }}",
"group_can_invite": "cn=asso_deuxfleurs,ou=groups,{{ key "secrets/directory/ldap_base_dn" }}",
"s3_endpoint": "{{ key "secrets/directory/guichet/s3_endpoint" }}",
"s3_access_key": "{{ key "secrets/directory/guichet/s3_access_key" | trimSpace }}",
"s3_secret_key": "{{ key "secrets/directory/guichet/s3_secret_key" | trimSpace }}",
"s3_region": "{{ key "secrets/directory/guichet/s3_region" }}",
"s3_bucket": "{{ key "secrets/directory/guichet/s3_bucket" }}"
}

141
app/directory/deploy/directory.hcl Normal file
View file

@ -0,0 +1,141 @@
job "directory" {
datacenters = ["dc1", "neptune"]
type = "service"
priority = 90
constraint {
attribute = "${attr.cpu.arch}"
value = "amd64"
}
group "bottin" {
count = 1
network {
port "ldap_port" {
static = 389
to = 389
}
}
task "bottin" {
driver = "docker"
config {
image = "superboum/bottin_amd64:22"
network_mode = "host"
readonly_rootfs = true
ports = [ "ldap_port" ]
volumes = [
"secrets/config.json:/config.json",
"secrets:/etc/bottin",
]
}
resources {
memory = 100
}
template {
data = file("../config/bottin/config.json.tpl")
destination = "secrets/config.json"
}
template {
data = "{{ key \"secrets/consul/consul-ca.crt\" }}"
destination = "secrets/consul-ca.crt"
}
template {
data = "{{ key \"secrets/consul/consul-client.crt\" }}"
destination = "secrets/consul-client.crt"
}
template {
data = "{{ key \"secrets/consul/consul-client.key\" }}"
destination = "secrets/consul-client.key"
}
template {
data = <<EOH
CONSUL_HTTP_ADDR=https://localhost:8501
CONSUL_HTTP_SSL=true
CONSUL_CACERT=/etc/bottin/consul-ca.crt
CONSUL_CLIENT_CERT=/etc/bottin/consul-client.crt
CONSUL_CLIENT_KEY=/etc/bottin/consul-client.key
EOH
destination = "secrets/env"
env = true
}
service {
tags = ["bottin"]
port = "ldap_port"
address_mode = "host"
name = "bottin"
check {
type = "tcp"
port = "ldap_port"
interval = "60s"
timeout = "5s"
check_restart {
limit = 3
grace = "90s"
ignore_warnings = false
}
}
}
}
}
group "guichet" {
count = 1
network {
port "web_port" { to = 9991 }
}
task "guichet" {
driver = "docker"
config {
image = "superboum/guichet_amd64:15"
readonly_rootfs = true
ports = [ "web_port" ]
volumes = [
"secrets/config.json:/config.json"
]
}
template {
data = file("../config/guichet/config.json.tpl")
destination = "secrets/config.json"
}
resources {
memory = 200
}
service {
name = "guichet"
tags = [
"guichet",
"tricot guichet-staging.home.adnab.me",
"tricot guichet.staging.deuxfleurs.org",
]
port = "web_port"
address_mode = "host"
check {
type = "tcp"
port = "web_port"
interval = "60s"
timeout = "5s"
check_restart {
limit = 3
grace = "90s"
ignore_warnings = false
}
}
}
}
}
}

1
app/directory/secrets/directory/guichet/mail_domain Normal file
View file

@ -0,0 +1 @@
USER E-mail domain for new users (e.g. example.com)

1
app/directory/secrets/directory/guichet/mail_from Normal file
View file

@ -0,0 +1 @@
USER E-mail address from which to send welcome emails to new users

1
app/directory/secrets/directory/guichet/s3_access_key Normal file
View file

@ -0,0 +1 @@
USER Garage access key for Guichet profile pictures

1
app/directory/secrets/directory/guichet/s3_bucket Normal file
View file

@ -0,0 +1 @@
USER S3 bucket in which to store data files (such as profile pictures)

1
app/directory/secrets/directory/guichet/s3_endpoint Normal file
View file

@ -0,0 +1 @@
USER S3 endpoint URL

1
app/directory/secrets/directory/guichet/s3_region Normal file
View file

@ -0,0 +1 @@
USER S3 region

1
app/directory/secrets/directory/guichet/s3_secret_key Normal file
View file

@ -0,0 +1 @@
USER Garage secret key for Guichet profile pictures

1
app/directory/secrets/directory/guichet/smtp_pass Normal file
View file

@ -0,0 +1 @@
USER SMTP password

1
app/directory/secrets/directory/guichet/smtp_server Normal file
View file

@ -0,0 +1 @@
USER SMTP server address (hostname:port)

1
app/directory/secrets/directory/guichet/smtp_user Normal file
View file

@ -0,0 +1 @@
USER SMTP username

1
app/directory/secrets/directory/guichet/web_hostname Normal file
View file

@ -0,0 +1 @@
USER Public hostname from which Guichet is accessible via HTTP (e.g. guichet.example.com)

1
app/directory/secrets/directory/ldap_base_dn Normal file
View file

@ -0,0 +1 @@
USER LDAP base DN for everything (e.g. dc=example,dc=com)

3
app/garage-staging/deploy/garage.hcl
View file

@ -57,6 +57,7 @@ job "garage-staging" {
tags = [ tags = [
"garage-staging-api", "garage-staging-api",
"tricot garage-staging.home.adnab.me", "tricot garage-staging.home.adnab.me",
"tricot garage.staging.deuxfleurs.org",
"tricot-add-header Access-Control-Allow-Origin *", "tricot-add-header Access-Control-Allow-Origin *",
] ]
port = 3990 port = 3990
@ -122,6 +123,8 @@ job "garage-staging" {
tags = [ tags = [
"garage-staging-web", "garage-staging-web",
"tricot *.garage-staging-web.home.adnab.me", "tricot *.garage-staging-web.home.adnab.me",
"tricot *.web.staging.deuxfleurs.org",
"tricot staging.deuxfleurs.org",
"tricot matrix.home.adnab.me/.well-known/matrix/server", "tricot matrix.home.adnab.me/.well-known/matrix/server",
"tricot rust-docs", "tricot rust-docs",
"tricot-add-header Access-Control-Allow-Origin *", "tricot-add-header Access-Control-Allow-Origin *",