migrate lldap to docker #238
16 changed files with 89 additions and 12 deletions
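--- a/docker-compose/lldap/docker-compose.yml.j2
+++ b/docker-compose/lldap/docker-compose.yml.j2
@@ -0,0 +1,52 @@
+services:
+  lldap:
+    image: lldap/lldap:v0.6.0-debian-rootless
+    container_name: lldap
+    restart: unless-stopped
+    pull_policy: missing
+    ports:
+      - "3890:3890"
+      - "17170:17170" # front-end
+    volumes:
+      - "lldap_data:/data"
+      - "./lldap_config.toml:/data/lldap_config.toml"
+    environment:
+      TZ: Europe/Berlin
+    networks:
+      - traefik
+      - postfix
+      - internal
+    depends_on:
+      - lldap-db17
+
+######## Postgres ########
+  lldap-db17:
+    container_name: "lldap-db"
+    image: "postgres:17.0"
+    restart: unless-stopped
+    pull_policy: missing
+    environment:
+      POSTGRES_USER: lldap
+      POSTGRES_PASSWORD: "{{ lookup('viczem.keepass.keepass', 'lldap/lldap_db_pass', 'password') }}"
+      TZ: Europe/Berlin
+    volumes:
+      - db17:/var/lib/postgresql/data
+    networks:
+      - internal
+    healthcheck:
+      test: ["CMD", "pg_isready", "-U", "lldap"]
+      interval: 10s
+      start_period: 30s
+
+######## Networks ########
+networks:
+  traefik:
+    external: true
+  postfix:
+    external: true
+  internal:
+
+######## Volumes ########
+volumes:
+  lldap_data:
+  db17: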
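--- a/docker-compose/lldap/lldap_config.toml.j2
+++ b/docker-compose/lldap/lldap_config.toml.j2
@@ -0,0 +1,28 @@
+verbose = false
+
+ldap_host = "0.0.0.0"
+ldap_port = 3890
+
+http_host = "0.0.0.0"
+http_port = 17170
+http_url = "https://ldap.mgrote.net"
+
+jwt_secret = "{{ lookup('viczem.keepass.keepass', 'lldap/lldap_jwt_secret', 'password') }}"
+
+ldap_base_dn = "dc=mgrote,dc=net"
+ldap_user_dn = "{{ lookup('viczem.keepass.keepass', 'lldap/lldap_admin_user', 'username') }}"
+ldap_user_email = "lldap-admin@mgrote.net"
+ldap_user_pass = "{{ lookup('viczem.keepass.keepass', 'lldap/lldap_admin_user', 'password') }}"
+
+database_url = "postgres://lldap:{{ lookup('viczem.keepass.keepass', 'lldap/lldap_db_pass', 'password') }}@lldap-db/lldap"
+
+key_seed = "{{ lookup('viczem.keepass.keepass', 'lldap/lldap_key_seed', 'password') }}"
+
+force_ldap_user_pass_reset = "always"
+
+[smtp_options]
+enable_password_reset = false
+server = "postfix"
+port = 25
+smtp_encryption = "NONE"
+reply_to ="Do not reply <info@mgrote.net>"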
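Review bot: The file header shows this template committed as an executable file, yet the rendered `lldap_config.toml` carries `jwt_secret`, `key_seed`, the database password and the admin password in plaintext; it should be a plain non-executable file, and the copy bind-mounted from `./lldap_config.toml` should be mode 0600 owned by the uid the rootless image runs as (confirm that uid against the image). Nothing in this file enables TLS for the LDAP listener (no `[ldaps_options]` table), so every bind on 3890 — including the forgejo bind arriving from another host via the published port — sends its password in clear; add `[ldaps_options]` with `enabled = true` and a certificate, or keep 3890 strictly on the docker network. `force_ldap_user_pass_reset = "always"` re-applies `ldap_user_pass` on every container start, which is convenient for keepass-driven rotation but surprising for anyone changing the admin password in the UI; a comment above it such as `# admin password is reset from keepass on every start; do not change it in the UI` would prevent that. `key_seed` deserves a similar warning that changing it regenerates the server key and, as far as I recall from the lldap docs, invalidates all stored user passwords — confirm before documenting. With `enable_password_reset = false` the whole `[smtp_options]` table and the `postfix` network attachment in the compose file are unused, so they could be dropped until reset mail is actually wanted.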
|
|
@ -10,7 +10,7 @@ php occ app:enable user_ldap
|
||||||
#php occ ldap:create-empty-config # wird nur bei komplett neuer nextcloud benötigt, legt sonst bei jedem durchlauf weitere ldap-configs an
|
#php occ ldap:create-empty-config # wird nur bei komplett neuer nextcloud benötigt, legt sonst bei jedem durchlauf weitere ldap-configs an
|
||||||
|
|
||||||
# EDIT: domain
|
# EDIT: domain
|
||||||
php occ ldap:set-config s01 ldapHost "ldap://ldap.mgrote.net."
|
php occ ldap:set-config s01 ldapHost "ldap://lldap."
|
||||||
php occ ldap:set-config s01 ldapPort 3890
|
php occ ldap:set-config s01 ldapPort 3890
|
||||||
# EDIT: admin user
|
# EDIT: admin user
|
||||||
php occ ldap:set-config s01 ldapAgentName "uid=nextcloud_bind_user,ou=people,dc=mgrote,dc=net"
|
php occ ldap:set-config s01 ldapAgentName "uid=nextcloud_bind_user,ou=people,dc=mgrote,dc=net"
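Review bot: The new host `ldap://lldap.` keeps the trailing dot from the old FQDN; a trailing dot suppresses search-domain expansion, which the absolute name `ldap.mgrote.net.` benefited from but a compose service alias does not, so confirm Docker's embedded DNS resolves `lldap.` or simply use `ldap://lldap`. For that name to resolve at all the nextcloud container has to share the `traefik` network that lldap joins in this commit (presumably it does, being traefik-fronted). The bind stays plain `ldap://` on 3890 with no TLS option set here, so the `nextcloud_bind_user` password crosses the docker bridge in clear; acceptable on an isolated network but worth a line such as `# plaintext LDAP over the shared docker network only; lldap serves no LDAPS in this deployment`. The occ script continues outside this hunk.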
|
||||||
|
|
|
@ -67,7 +67,7 @@ authentication_backend:
|
||||||
refresh_interval: 1m
|
refresh_interval: 1m
|
||||||
ldap:
|
ldap:
|
||||||
implementation: custom
|
implementation: custom
|
||||||
address: ldap://ldap.mgrote.net:3890
|
address: ldap://lldap:3890
|
||||||
timeout: 5s
|
timeout: 5s
|
||||||
start_tls: false
|
start_tls: false
|
||||||
base_dn: dc=mgrote,dc=net
|
base_dn: dc=mgrote,dc=net
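Review bot: With the backend now the lldap container, `implementation: custom` leaves every attribute and filter mapping to hand-maintained settings below this hunk; recent Authelia releases ship a dedicated `implementation: lldap` profile that sets the username, display-name and group attributes lldap expects, so check the deployed version and prefer it if available, which also lets the custom filter lines go. `start_tls: false` against `ldap://lldap:3890` is cleartext, which is tolerable only because both containers share the `traefik` docker network; if that network also carries third-party containers, a dedicated network for lldap and its clients would limit who can reach the bind traffic. The `authentication_backend` block starts before and ends after this hunk.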
|
||||||
|
|
|
@ -85,7 +85,7 @@ blocky_custom_lookups: # optional
|
||||||
- name: fritz.box
|
- name: fritz.box
|
||||||
ip: 192.168.5.1
|
ip: 192.168.5.1
|
||||||
- name: ldap.mgrote.net
|
- name: ldap.mgrote.net
|
||||||
ip: 192.168.2.47
|
ip: 192.168.2.43
|
||||||
- name: munin.mgrote.net
|
- name: munin.mgrote.net
|
||||||
ip: 192.168.2.40
|
ip: 192.168.2.40
|
||||||
- name: s3.mgrote.net
|
- name: s3.mgrote.net
|
||||||
|
|
|
@ -148,7 +148,7 @@ gitea_fail2ban_jail_bantime: "600"
|
||||||
gitea_fail2ban_jail_action: "iptables-allports"
|
gitea_fail2ban_jail_action: "iptables-allports"
|
||||||
|
|
||||||
### mgrote_gitea_setup
|
### mgrote_gitea_setup
|
||||||
gitea_ldap_host: "ldap.mgrote.net"
|
gitea_ldap_host: "docker10.mgrote.net"
|
||||||
gitea_ldap_base_path: "dc=mgrote,dc=net"
|
gitea_ldap_base_path: "dc=mgrote,dc=net"
|
||||||
gitea_ldap_bind_user: "forgejo_bind_user"
|
gitea_ldap_bind_user: "forgejo_bind_user"
|
||||||
gitea_ldap_bind_pass: "{{ lookup('viczem.keepass.keepass', 'forgejo/lldap_forgejo_bind_user', 'password') }}"
|
gitea_ldap_bind_pass: "{{ lookup('viczem.keepass.keepass', 'forgejo/lldap_forgejo_bind_user', 'password') }}"
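Review bot: `gitea_ldap_host: "docker10.mgrote.net"` hard-codes the docker host, while this same commit repoints `ldap.mgrote.net` at that host in blocky; `gitea_ldap_host: "ldap.mgrote.net"` would keep forgejo stable the next time lldap moves and match the name used by `http_url`. More important, this bind now crosses the LAN to the published 3890 port and the lldap config added here enables no LDAPS, so the `forgejo_bind_user` password travels in cleartext unless the role's TLS setting (not visible in this hunk) turns something on — and lldap, as far as I recall, offers LDAPS only, not StartTLS, so confirm against its docs. Either enable `[ldaps_options]` in lldap and point forgejo at 6360 with TLS, or document the cleartext path explicitly next to this line.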
|
||||||
|
|
|
@ -67,9 +67,6 @@ munin_hosts:
|
||||||
- name: blocky.mgrote.net
|
- name: blocky.mgrote.net
|
||||||
address: blocky.mgrote.net
|
address: blocky.mgrote.net
|
||||||
extra: ["use_node_name yes"]
|
extra: ["use_node_name yes"]
|
||||||
- name: ldap.mgrote.net
|
|
||||||
address: ldap.mgrote.net
|
|
||||||
extra: ["use_node_name yes"]
|
|
||||||
|
|
||||||
### mgrote_munin_node
|
### mgrote_munin_node
|
||||||
munin_node_bind_host: "127.0.0.1"
|
munin_node_bind_host: "127.0.0.1"
|
||||||
|
@ -104,7 +101,7 @@ munin_node_plugins:
|
||||||
src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/http/http_response
|
src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/http/http_response
|
||||||
config: |
|
config: |
|
||||||
[http_response]
|
[http_response]
|
||||||
env.sites https://git.mgrote.net http://ldap.mgrote.net:17170 https://docker10.mgrote.net:8443 https://rui.mgrote.net/ http://munin.mgrote.net http://192.168.5.1 http://192.168.3.1 http://192.168.3.108:8080 http://192.168.3.204 http://docker10.mgrote.net:6483 https://miniflux.mgrote.net/ https://nextcloud.mgrote.net https://audio.mgrote.net/mg http://wiki.mgrote.net https://s3.mgrote.net https://auth.mgrote.net
|
env.sites https://git.mgrote.net https://docker10.mgrote.net:8443 https://rui.mgrote.net/ http://munin.mgrote.net http://192.168.5.1 http://192.168.3.1 http://192.168.3.108:8080 http://192.168.3.204 http://docker10.mgrote.net:6483 https://miniflux.mgrote.net/ https://nextcloud.mgrote.net https://audio.mgrote.net/mg http://wiki.mgrote.net https://s3.mgrote.net https://auth.mgrote.net http://docker10.mgrote.net:17170
|
||||||
env.max_time 20
|
env.max_time 20
|
||||||
env.short_label true
|
env.short_label true
|
||||||
env.follow_redirect true
|
env.follow_redirect true
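Review bot: The `http_response` target moves from `http://ldap.mgrote.net:17170` to `http://docker10.mgrote.net:17170`, so monitoring still hits the container's plaintext port directly rather than the URL users are given (`http_url = "https://ldap.mgrote.net"` in the new config); checking `https://ldap.mgrote.net` instead would validate the traefik route and certificate, and would remove the last visible reason to keep 17170 published on the host. The deleted `munin_hosts` entry in the earlier hunk also drops node-level monitoring of the old LDAP VM without a container-level replacement here, which is presumably intended since docker10 is already monitored. The `munin_node_plugins` list continues outside this hunk.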
|
||||||
|
|
|
@ -50,8 +50,12 @@ compose_files:
|
||||||
state: present
|
state: present
|
||||||
- name: act-runner
|
- name: act-runner
|
||||||
state: present
|
state: present
|
||||||
|
- name: lldap
|
||||||
|
state: present
|
||||||
|
network: traefik
|
||||||
- name: minio
|
- name: minio
|
||||||
state: present
|
state: present
|
||||||
|
network: traefik
|
||||||
|
|
||||||
### oefenweb.ufw
|
### oefenweb.ufw
|
||||||
ufw_rules:
|
ufw_rules:
|
||||||
|
|
|
@ -6,9 +6,6 @@ all:
|
||||||
blocky:
|
blocky:
|
||||||
hosts:
|
hosts:
|
||||||
blocky.mgrote.net:
|
blocky.mgrote.net:
|
||||||
ldap:
|
|
||||||
hosts:
|
|
||||||
ldap.mgrote.net:
|
|
||||||
lxc:
|
lxc:
|
||||||
hosts:
|
hosts:
|
||||||
fileserver3.mgrote.net:
|
fileserver3.mgrote.net:
|
||||||
|
@ -47,7 +44,6 @@ all:
|
||||||
docker10.mgrote.net:
|
docker10.mgrote.net:
|
||||||
pbs.mgrote.net:
|
pbs.mgrote.net:
|
||||||
blocky.mgrote.net:
|
blocky.mgrote.net:
|
||||||
ldap.mgrote.net:
|
|
||||||
munin.mgrote.net:
|
munin.mgrote.net:
|
||||||
test:
|
test:
|
||||||
hosts:
|
hosts:
|
||||||
|
|
BIN
keepass_db.kdbx
BIN
keepass_db.kdbx
Binary file not shown.