Add a docker image

Valentin Tolmer 2021-06-30 16:54:33 +02:00 committed by nitnelave
parent e09c73efce
commit 8e049c9e54
4 changed files with 178 additions and 0 deletions

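--- a/.dockerignore
+++ b/.dockerignore
@@ -0,0 +1,20 @@
+# Don't track git
+.git/*
+# Don't track cargo generated files
+target/*
+app/target/*
+model/target/*
+# Don't track the generated JS
+app/pkg/*
+# Don't track changes to the Dockerfile, triggering a rebuild without cache
+Dockerfile
+.dockerignore
+# Various config files that shouldn't be tracked
+lldap_config.toml
+server_key
+users.db*
+.gitignore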
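Review bot: `.env` is missing from the ignore list, although the config template added in this same commit tells users to keep `JWT_SECRET` in a secret `.env` file; with `COPY --chown=app:app . /app` in the builder stage, a developer's `.env` at the repo root would be sent in the build context and baked into a cached builder-stage layer. Add `.env` and `*.env` next to the other config entries, and `node_modules/` so a local `npm install` does not bloat the context. The `server_key` entry presumably covers the locally generated private key, but the Docker template points `key_file` at `/data/private_key` instead, so confirm that the non-Docker default file name is still `server_key` and add `private_key` here if it is not.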

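--- a/Dockerfile
+++ b/Dockerfile
@@ -0,0 +1,55 @@
+# Build image
+FROM rust:alpine AS builder
+RUN set -x \
+# Add user
+&& addgroup --gid 10001 app \
+&& adduser --disabled-password \
+--gecos '' \
+--ingroup app \
+--home /app \
+--uid 10001 \
+app
+RUN set -x \
+# Install required packages
+&& apk add npm openssl-dev musl-dev
+USER app
+WORKDIR /app
+RUN set -x \
+# Install build tools
+&& RUSTFLAGS=-Ctarget-feature=-crt-static cargo install wasm-pack \
+&& npm install rollup
+# Build
+COPY --chown=app:app . /app
+RUN cargo build --release
+# TODO: release mode.
+RUN ./app/build.sh
+# Final image
+FROM alpine
+RUN set -x \
+# Add user
+&& addgroup --gid 10001 app \
+&& adduser --disabled-password \
+--gecos '' \
+--ingroup app \
+--home /app \
+--uid 10001 \
+app
+RUN mkdir /data && chown app:app /data
+USER app
+WORKDIR /app
+COPY --chown=app:app --from=builder /app/app/index.html app/index.html
+COPY --chown=app:app --from=builder /app/app/main.js app/main.js
+COPY --chown=app:app --from=builder /app/app/pkg app/pkg
+COPY --chown=app:app --from=builder /app/target/release/lldap lldap
+ENV LDAP_PORT=3890
+ENV HTTP_PORT=17170
+EXPOSE ${LDAP_PORT} ${HTTP_PORT}
+CMD ["/app/lldap", "--config_file", "/data/lldap_config.toml"]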
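Review bot: Both stages pull unpinned images (`FROM rust:alpine AS builder`, `FROM alpine`) and the build tools are installed unpinned (`cargo install wasm-pack`, `npm install rollup`), so the same commit can yield different binaries on different days and a broken or compromised upstream release flows straight into the published image. Pin at least the base tags (`FROM rust:<version>-alpine AS builder`, `FROM alpine:<version>`, a digest for production) and the tool versions (`cargo install wasm-pack --version <x.y.z>`, `npm install rollup@<x.y.z>`). The package step should be `apk add --no-cache npm openssl-dev musl-dev` so the apk index is not left in the builder layer. The `# TODO: release mode.` above `RUN ./app/build.sh` suggests the frontend shipped in the final image is presumably a debug build; that is worth resolving before `nitnelave/lldap` is advertised in the README.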


@ -100,6 +100,44 @@ Make sure that you run `cargo fmt` in each crate that you modified (top-level,
### Setup ### Setup
#### With Docker
The image is available at `nitnelave/lldap`. You should persist the `/data`
folder, which contains your configuration, the database and the private key
file (unless you move them in the config).
Configure the server by copying the `lldap_config.docker_template.toml` to
`/data/lldap_config.toml` and updating the configuration values (especially the
`jwt_secret` and `ldap_user_pass`, unless you override them with env variables).
Example for docker compose:
```yaml
volumes:
lldap_data:
driver: local
services:
lldap:
image: nitnelave/lldap
ports:
# For LDAP
- "3890:3890"
# For the web front-end
- "17170:17170"
volumes:
- "lldap_data:/data"
environment:
- JWT_SECRET=REPLACE_WITH_RANDOM
- LDAP_USER_PASS=REPLACE_WITH_PASSWORD
- LDAP_BASE_DN=dc=example,dc=com
```
Then the service will listen on two ports, one for LDAP and one for the web
front-end.
#### From source
To bring up the server, you'll need to compile the frontend. In addition to To bring up the server, you'll need to compile the frontend. In addition to
cargo, you'll need: cargo, you'll need:

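--- a/lldap_config.docker_template.toml
+++ b/lldap_config.docker_template.toml
@@ -0,0 +1,65 @@
+## Default configuration for Docker.
+## All the values can be overridden through environment variables. For
+## instance, "ldap_port" can be overridden with the "LDAP_PORT" variable.
+## The port on which to have the LDAP server.
+#ldap_port = 3890
+## The port on which to have the HTTP server, for user login and
+## administration.
+#http_port = 17170
+## Random secret for JWT signature.
+## This secret should be random, and should be shared with application
+## servers that need to consume the JWTs.
+## Changing this secret will invalidate all user sessions and require
+## them to re-login.
+## You should probably set it through the JWT_SECRET environment
+## variable from a secret ".env" file.
+## You can generate it with (on linux):
+## LC_ALL=C tr -dc 'A-Za-z0-9!"#%&'\''()*+,-./:;<=>?@[\]^_{|}~' </dev/urandom | head -c 32; echo ''
+#jwt_secret = "REPLACE_WITH_RANDOM"
+## Base DN for LDAP.
+## This is usually your domain name, and is used as a
+## namespace for your users. The choice is arbitrary, but will be needed
+## to configure the LDAP integration with other services.
+## The sample value is for "example.com", but you can extend it with as
+## many "dc" as you want, and you don't actually need to own the domain
+## name.
+#ldap_base_dn = "dc=example,dc=com"
+## Admin username.
+## For the LDAP interface, a value of "admin" here will create the LDAP
+## user "cn=admin,dc=example,dc=com" (with the base DN above).
+## For the administration interface, this is the username.
+#ldap_user_dn = "admin"
+## Admin password.
+## Password for the admin account, both for the LDAP bind and for the
+## administration interface.
+## You can set it with the LDAP_USER_PASS environment variable.
+## Note: you can create another admin user for LDAP/administration, this
+## is just the default one.
+#ldap_user_pass = "REPLACE_WITH_PASSWORD"
+## Database URL.
+## This encodes the type of database (SQlite, Mysql and so
+## on), the path, the user, password, and sometimes the mode (when
+## relevant).
+## Note: Currently, only SQlite is supported. SQlite should come with
+## "?mode=rwc" to create the DB if not present.
+## Example URLs:
+## - "postgres://postgres-user:password@postgres-server/my-database"
+## - "mysql://mysql-user:password@mysql-server/my-database"
+##
+## This can be overridden with the DATABASE_URL env variable.
+database_url = "sqlite:///data/users.db?mode=rwc"
+## Private key file.
+## Contains the secret private key used to store the passwords safely.
+## Note that even with a database dump and the private key, an attacker
+## would still have to perform an (expensive) brute force attack to find
+## each password.
+## Randomly generated on first run if it doesn't exist.
+key_file = "/data/private_key"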
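Review bot: The secret generator on the `LC_ALL=C tr -dc ...` line puts `"`, `'`, `#` and `$` in its alphabet, but the surrounding comments tell the user to store the result in a TOML basic string (`jwt_secret = "..."`), a `.env` file or a compose `environment:` entry, where each of those characters is a string delimiter, a comment start or a variable-expansion trigger, so a secret that happens to contain one is silently truncated or mangled rather than rejected. Restrict the alphabet with `LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 32; echo ''` (32 alphanumerics is still roughly 190 bits, ample for an HMAC key); whether the quoted `[\]` ever produced a literal backslash depends on the `tr` implementation anyway, so nothing is lost. The comment "should be shared with application servers that need to consume the JWTs" deserves a caveat that whoever holds a shared signing secret can also mint tokens, so it should only be given to services trusted as much as lldap itself, e.g. `## Anyone holding this secret can forge sessions; share it only with fully trusted services.`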