Add a docker image
This commit is contained in:
parent
e09c73efce
commit
8e049c9e54
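--- a/.dockerignore
+++ b/.dockerignore
@@ -0,0 +1,20 @@
+# Don't track git
+.git/*
+
+# Don't track cargo generated files
+target/*
+app/target/*
+model/target/*
+
+# Don't track the generated JS
+app/pkg/*
+
+# Don't track changes to the Dockerfile, triggering a rebuild without cache
+Dockerfile
+.dockerignore
+
+# Various config files that shouldn't be tracked
+lldap_config.toml
+server_key
+users.db*
+.gitignore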
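Review bot: `.env` is missing from the ignore list, yet the config template added in this same commit tells users to keep `JWT_SECRET` in a secret ".env" file, and the builder stage does `COPY --chown=app:app . /app` of the whole build context; a developer's `.env` sitting next to the Dockerfile would be baked into the builder layer and the build cache. Add `.env` (and `.env.*`) to the "Various config files" group next to `lldap_config.toml`. The list also excludes `server_key`, while the Docker template writes its key to `/data/private_key`; if a local (non-Docker) run can create a `private_key` file in the repository root, that name should be excluded as well — worth confirming against the non-Docker default config.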
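--- a/Dockerfile
+++ b/Dockerfile
@@ -0,0 +1,55 @@
+# Build image
+FROM rust:alpine AS builder
+
+RUN set -x \
+# Add user
+&& addgroup --gid 10001 app \
+&& adduser --disabled-password \
+--gecos '' \
+--ingroup app \
+--home /app \
+--uid 10001 \
+app
+RUN set -x \
+# Install required packages
+&& apk add npm openssl-dev musl-dev
+USER app
+WORKDIR /app
+RUN set -x \
+# Install build tools
+&& RUSTFLAGS=-Ctarget-feature=-crt-static cargo install wasm-pack \
+&& npm install rollup
+# Build
+COPY --chown=app:app . /app
+RUN cargo build --release
+# TODO: release mode.
+RUN ./app/build.sh
+
+
+# Final image
+FROM alpine
+
+RUN set -x \
+# Add user
+&& addgroup --gid 10001 app \
+&& adduser --disabled-password \
+--gecos '' \
+--ingroup app \
+--home /app \
+--uid 10001 \
+app
+
+RUN mkdir /data && chown app:app /data
+USER app
+WORKDIR /app
+COPY --chown=app:app --from=builder /app/app/index.html app/index.html
+COPY --chown=app:app --from=builder /app/app/main.js app/main.js
+COPY --chown=app:app --from=builder /app/app/pkg app/pkg
+COPY --chown=app:app --from=builder /app/target/release/lldap lldap
+
+ENV LDAP_PORT=3890
+ENV HTTP_PORT=17170
+
+EXPOSE ${LDAP_PORT} ${HTTP_PORT}
+
+CMD ["/app/lldap", "--config_file", "/data/lldap_config.toml"]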
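Review bot: Neither base image is pinned — `FROM rust:alpine AS builder` floats with the Rust toolchain and `FROM alpine` resolves to `:latest` — and `cargo install wasm-pack`, `npm install rollup` and `apk add npm openssl-dev musl-dev` all take whatever version is current at build time, so two builds of the same commit can differ and a broken or compromised upstream release lands in the published image silently. Pin at least the tags (a specific `rust:<version>-alpine` and `alpine:<version>`, ideally with a digest), pass `--version` to `cargo install wasm-pack` and `rollup@<version>` to npm, and use `apk add --no-cache` so the package index is not left in the builder layer. The final stage is otherwise sound: it runs as uid 10001, `/data` is chowned to that user before `USER app`, and `CMD` uses exec form; a `HEALTHCHECK` against the HTTP port would be a cheap addition since the service is long-running.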
38
README.md
38
README.md
@ -100,6 +100,44 @@ Make sure that you run `cargo fmt` in each crate that you modified (top-level,
|
|||||||
|
|
||||||
### Setup
|
### Setup
|
||||||
|
|
||||||
|
#### With Docker
|
||||||
|
|
||||||
|
The image is available at `nitnelave/lldap`. You should persist the `/data`
|
||||||
|
folder, which contains your configuration, the database and the private key
|
||||||
|
file (unless you move them in the config).
|
||||||
|
|
||||||
|
Configure the server by copying the `lldap_config.docker_template.toml` to
|
||||||
|
`/data/lldap_config.toml` and updating the configuration values (especially the
|
||||||
|
`jwt_secret` and `ldap_user_pass`, unless you override them with env variables).
|
||||||
|
|
||||||
|
Example for docker compose:
|
||||||
|
|
||||||
|
```yaml
|
||||||
|
volumes:
|
||||||
|
lldap_data:
|
||||||
|
driver: local
|
||||||
|
|
||||||
|
services:
|
||||||
|
lldap:
|
||||||
|
image: nitnelave/lldap
|
||||||
|
ports:
|
||||||
|
# For LDAP
|
||||||
|
- "3890:3890"
|
||||||
|
# For the web front-end
|
||||||
|
- "17170:17170"
|
||||||
|
volumes:
|
||||||
|
- "lldap_data:/data"
|
||||||
|
environment:
|
||||||
|
- JWT_SECRET=REPLACE_WITH_RANDOM
|
||||||
|
- LDAP_USER_PASS=REPLACE_WITH_PASSWORD
|
||||||
|
- LDAP_BASE_DN=dc=example,dc=com
|
||||||
|
```
|
||||||
|
|
||||||
|
Then the service will listen on two ports, one for LDAP and one for the web
|
||||||
|
front-end.
|
||||||
|
|
||||||
|
#### From source
|
||||||
|
|
||||||
To bring up the server, you'll need to compile the frontend. In addition to
|
To bring up the server, you'll need to compile the frontend. In addition to
|
||||||
cargo, you'll need:
|
cargo, you'll need:
|
||||||
|
|
||||||
|
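--- a/lldap_config.docker_template.toml
+++ b/lldap_config.docker_template.toml
@@ -0,0 +1,65 @@
+## Default configuration for Docker.
+## All the values can be overridden through environment variables. For
+## instance, "ldap_port" can be overridden with the "LDAP_PORT" variable.
+
+## The port on which to have the LDAP server.
+#ldap_port = 3890
+
+## The port on which to have the HTTP server, for user login and
+## administration.
+#http_port = 17170
+
+## Random secret for JWT signature.
+## This secret should be random, and should be shared with application
+## servers that need to consume the JWTs.
+## Changing this secret will invalidate all user sessions and require
+## them to re-login.
+## You should probably set it through the JWT_SECRET environment
+## variable from a secret ".env" file.
+## You can generate it with (on linux):
+## LC_ALL=C tr -dc 'A-Za-z0-9!"#%&'\''()*+,-./:;<=>?@[\]^_{|}~' </dev/urandom | head -c 32; echo ''
+#jwt_secret = "REPLACE_WITH_RANDOM"
+
+## Base DN for LDAP.
+## This is usually your domain name, and is used as a
+## namespace for your users. The choice is arbitrary, but will be needed
+## to configure the LDAP integration with other services.
+## The sample value is for "example.com", but you can extend it with as
+## many "dc" as you want, and you don't actually need to own the domain
+## name.
+#ldap_base_dn = "dc=example,dc=com"
+
+## Admin username.
+## For the LDAP interface, a value of "admin" here will create the LDAP
+## user "cn=admin,dc=example,dc=com" (with the base DN above).
+## For the administration interface, this is the username.
+#ldap_user_dn = "admin"
+
+## Admin password.
+## Password for the admin account, both for the LDAP bind and for the
+## administration interface.
+## You can set it with the LDAP_USER_PASS environment variable.
+## Note: you can create another admin user for LDAP/administration, this
+## is just the default one.
+#ldap_user_pass = "REPLACE_WITH_PASSWORD"
+
+## Database URL.
+## This encodes the type of database (SQlite, Mysql and so
+## on), the path, the user, password, and sometimes the mode (when
+## relevant).
+## Note: Currently, only SQlite is supported. SQlite should come with
+## "?mode=rwc" to create the DB if not present.
+## Example URLs:
+## - "postgres://postgres-user:password@postgres-server/my-database"
+## - "mysql://mysql-user:password@mysql-server/my-database"
+##
+## This can be overridden with the DATABASE_URL env variable.
+database_url = "sqlite:///data/users.db?mode=rwc"
+
+## Private key file.
+## Contains the secret private key used to store the passwords safely.
+## Note that even with a database dump and the private key, an attacker
+## would still have to perform an (expensive) brute force attack to find
+## each password.
+## Randomly generated on first run if it doesn't exist.
+key_file = "/data/private_key"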
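Review bot: The secret-generation one-liner documented above `#jwt_secret = "REPLACE_WITH_RANDOM"` draws from a set that includes `"` and `\`, and a value containing either cannot be pasted into the TOML basic string `jwt_secret = "…"` without escaping, so the recipe as written can produce a config file that fails to parse (or, with a trailing `\`, quietly changes meaning); `#` and quotes are likewise fragile in a compose `.env` line. Either restrict the alphabet to characters that are safe in both places — e.g. `## LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 32; echo ''`, which at 32 characters still gives roughly 190 bits — or add a line after the command: `## If the result contains " or \, escape them as \" and \\ when pasting into this file.` The same caveat applies to `ldap_user_pass`. Separately, the note that the secret "should be shared with application servers that need to consume the JWTs" is worth qualifying: anyone holding this symmetric key can mint tokens, not just verify them, so that sharing should be limited to servers trusted to the same degree as lldap itself.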