keepass: vars
This commit is contained in:
parent
43f2c00745
commit
9721d501ca
|
@ -17,7 +17,6 @@ services:
|
|||
- /etc/localtime:/etc/localtime:ro
|
||||
- /etc/timezone:/etc/timezone:ro
|
||||
- "lldap_data:/data"
|
||||
- "./ldap_config.toml:/data/lldap_config.toml"
|
||||
environment:
|
||||
- UID=1000
|
||||
- GID=1000
|
||||
|
@ -25,6 +24,16 @@ services:
|
|||
- LLDAP_LDAP_USER_PASS={{ lookup('keepass', 'LLDAP_LDAP_USER_PASS', 'password') }}
|
||||
- LLDAP_LDAP_BASE_DN=dc=grote,dc=lan
|
||||
- LLDAP_DATABASE_URL=mysql://lldap-db-user:{{ lookup('keepass', 'LLDAP_MYSQL_PASSWORD', 'password') }}@lldap-db/lldap
|
||||
- LLDAP_SMTP_OPTIONS__ENABLE_PASSWORD_reset=true
|
||||
- LLDAP_SMTP_OPTIONS__SERVER=smtp.strato.de
|
||||
- LLDAP_SMTP_OPTIONS__PORT=587
|
||||
- LLDAP_SMTP_OPTIONS__SMTP_ENCRYPTION=TLS
|
||||
- LLDAP_SMTP_OPTIONS__USER=info@mgrote.net
|
||||
- LLDAP_SMTP_OPTIONS__PASSWORD={{ lookup('keepass', 'postfix_absender_passwort', 'password') }}
|
||||
- LLDAP_SMTP_OPTIONS__FROM="LLDAP Admin <info@mgrote.net>"
|
||||
- LLDAP_SMTP_OPTIONS__REPLY_TO="Do not reply <info@mgrote.net>"
|
||||
- LLDAP_KEY_FILE={{ lookup('keepass', 'LLDAP_KEY_FILE', 'password') }}
|
||||
- LLDAP_VERBOSE=true
|
||||
labels:
|
||||
- com.centurylinklabs.watchtower.enable=true
|
||||
- com.centurylinklabs.watchtower.depends-on=lldap-db
|
||||
|
@ -57,3 +66,7 @@ networks:
|
|||
intern:
|
||||
traefik:
|
||||
external: true
|
||||
|
||||
|
||||
## (example with "password"): - LLDAP_SMTP_OPTIONS__PASSWORD
|
||||
## Whether to enabled password reset via email, from LLDAP.
|
||||
|
|
|
@ -1,139 +0,0 @@
|
|||
## Default configuration for Docker.
|
||||
## All the values can be overridden through environment variables, prefixed
|
||||
## with "LLDAP_". For instance, "ldap_port" can be overridden with the
|
||||
## "LLDAP_LDAP_PORT" variable.
|
||||
|
||||
## Tune the logging to be more verbose by setting this to be true.
|
||||
## You can set it with the LLDAP_VERBOSE environment variable.
|
||||
# verbose=false
|
||||
|
||||
## The host address that the LDAP server will be bound to.
|
||||
## To enable IPv6 support, simply switch "ldap_host" to "::":
|
||||
## To only allow connections from localhost (if you want to restrict to local self-hosted services),
|
||||
## change it to "127.0.0.1" ("::1" in case of IPv6)".
|
||||
#ldap_host = "0.0.0.0"
|
||||
|
||||
## The port on which to have the LDAP server.
|
||||
#ldap_port = 3890
|
||||
|
||||
## The host address that the HTTP server will be bound to.
|
||||
## To enable IPv6 support, simply switch "http_host" to "::".
|
||||
## To only allow connections from localhost (if you want to restrict to local self-hosted services),
|
||||
## change it to "127.0.0.1" ("::1" in case of IPv6)".
|
||||
#http_host = "0.0.0.0"
|
||||
|
||||
## The port on which to have the HTTP server, for user login and
|
||||
## administration.
|
||||
#http_port = 17170
|
||||
|
||||
## The public URL of the server, for password reset links.
|
||||
#http_url = "http://localhost"
|
||||
|
||||
## Random secret for JWT signature.
|
||||
## This secret should be random, and should be shared with application
|
||||
## servers that need to consume the JWTs.
|
||||
## Changing this secret will invalidate all user sessions and require
|
||||
## them to re-login.
|
||||
## You should probably set it through the LLDAP_JWT_SECRET environment
|
||||
## variable from a secret ".env" file.
|
||||
## This can also be set from a file's contents by specifying the file path
|
||||
## in the LLDAP_JWT_SECRET_FILE environment variable
|
||||
## You can generate it with (on linux):
|
||||
## LC_ALL=C tr -dc 'A-Za-z0-9!#%&'\''()*+,-./:;<=>?@[\]^_{|}~' </dev/urandom | head -c 32; echo ''
|
||||
#jwt_secret = "REPLACE_WITH_RANDOM"
|
||||
|
||||
## Base DN for LDAP.
|
||||
## This is usually your domain name, and is used as a
|
||||
## namespace for your users. The choice is arbitrary, but will be needed
|
||||
## to configure the LDAP integration with other services.
|
||||
## The sample value is for "example.com", but you can extend it with as
|
||||
## many "dc" as you want, and you don't actually need to own the domain
|
||||
## name.
|
||||
#ldap_base_dn = "dc=example,dc=com"
|
||||
|
||||
## Admin username.
|
||||
## For the LDAP interface, a value of "admin" here will create the LDAP
|
||||
## user "cn=admin,ou=people,dc=example,dc=com" (with the base DN above).
|
||||
## For the administration interface, this is the username.
|
||||
#ldap_user_dn = "admin"
|
||||
|
||||
## Admin email.
|
||||
## Email for the admin account. It is only used when initially creating
|
||||
## the admin user, and can safely be omitted.
|
||||
#ldap_user_email = "admin@example.com"
|
||||
|
||||
## Admin password.
|
||||
## Password for the admin account, both for the LDAP bind and for the
|
||||
## administration interface. It is only used when initially creating
|
||||
## the admin user.
|
||||
## It should be minimum 8 characters long.
|
||||
## You can set it with the LLDAP_LDAP_USER_PASS environment variable.
|
||||
## This can also be set from a file's contents by specifying the file path
|
||||
## in the LLDAP_LDAP_USER_PASS_FILE environment variable
|
||||
## Note: you can create another admin user for user administration, this
|
||||
## is just the default one.
|
||||
#ldap_user_pass = "REPLACE_WITH_PASSWORD"
|
||||
|
||||
## Database URL.
|
||||
## This encodes the type of database (SQlite, MySQL, or PostgreSQL)
|
||||
## , the path, the user, password, and sometimes the mode (when
|
||||
## relevant).
|
||||
## Note: SQlite should come with "?mode=rwc" to create the DB
|
||||
## if not present.
|
||||
## Example URLs:
|
||||
## - "postgres://postgres-user:password@postgres-server/my-database"
|
||||
## - "mysql://mysql-user:password@mysql-server/my-database"
|
||||
##
|
||||
## This can be overridden with the LLDAP_DATABASE_URL env variable.
|
||||
database_url = "sqlite:///data/users.db?mode=rwc"
|
||||
|
||||
## Private key file.
|
||||
## Contains the secret private key used to store the passwords safely.
|
||||
## Note that even with a database dump and the private key, an attacker
|
||||
## would still have to perform an (expensive) brute force attack to find
|
||||
## each password.
|
||||
## Randomly generated on first run if it doesn't exist.
|
||||
key_file = "/data/private_key"
|
||||
|
||||
## Ignored attributes.
|
||||
## Some services will request attributes that are not present in LLDAP. When it
|
||||
## is the case, LLDAP will warn about the attribute being unknown. If you want
|
||||
## to ignore the attribute and the service works without, you can add it to this
|
||||
## list to silence the warning.
|
||||
#ignored_user_attributes = [ "sAMAccountName" ]
|
||||
#ignored_group_attributes = [ "mail", "userPrincipalName" ]
|
||||
|
||||
## Options to configure SMTP parameters, to send password reset emails.
|
||||
## To set these options from environment variables, use the following format
|
||||
## (example with "password"): LLDAP_SMTP_OPTIONS__PASSWORD
|
||||
#[smtp_options]
|
||||
## Whether to enabled password reset via email, from LLDAP.
|
||||
#enable_password_reset=true
|
||||
## The SMTP server.
|
||||
#server="smtp.gmail.com"
|
||||
## The SMTP port.
|
||||
#port=587
|
||||
## How the connection is encrypted, either "NONE" (no encryption), "TLS" or "STARTTLS".
|
||||
#smtp_encryption = "TLS"
|
||||
## The SMTP user, usually your email address.
|
||||
#user="sender@gmail.com"
|
||||
## The SMTP password.
|
||||
#password="password"
|
||||
## The header field, optional: how the sender appears in the email. The first
|
||||
## is a free-form name, followed by an email between <>.
|
||||
#from="LLDAP Admin <sender@gmail.com>"
|
||||
## Same for reply-to, optional.
|
||||
#reply_to="Do not reply <noreply@localhost>"
|
||||
|
||||
## Options to configure LDAPS.
|
||||
## To set these options from environment variables, use the following format
|
||||
## (example with "port"): LLDAP_LDAPS_OPTIONS__PORT
|
||||
#[ldaps_options]
|
||||
## Whether to enable LDAPS.
|
||||
#enabled=true
|
||||
## Port on which to listen.
|
||||
#port=6360
|
||||
## Certificate file.
|
||||
#cert_file="/data/cert.pem"
|
||||
## Certificate key file.
|
||||
#key_file="/data/key.pem"
|
BIN
keepass_db.kdbx
BIN
keepass_db.kdbx
Binary file not shown.
Loading…
Reference in New Issue