mirror of
https://github.com/lldap/lldap.git
synced 2024-11-24 08:45:08 +00:00
Add a docker image
This commit is contained in:
parent
e09c73efce
commit
8e049c9e54
4 changed files with 178 additions and 0 deletions
20
.dockerignore
Normal file
20
.dockerignore
Normal file
|
@ -0,0 +1,20 @@
|
|||
# Don't track git
|
||||
.git/*
|
||||
|
||||
# Don't track cargo generated files
|
||||
target/*
|
||||
app/target/*
|
||||
model/target/*
|
||||
|
||||
# Don't track the generated JS
|
||||
app/pkg/*
|
||||
|
||||
# Don't track changes to the Dockerfile, triggering a rebuild without cache
|
||||
Dockerfile
|
||||
.dockerignore
|
||||
|
||||
# Various config files that shouldn't be tracked
|
||||
lldap_config.toml
|
||||
server_key
|
||||
users.db*
|
||||
.gitignore
|
55
Dockerfile
Normal file
55
Dockerfile
Normal file
|
@ -0,0 +1,55 @@
|
|||
# Build image
|
||||
FROM rust:alpine AS builder
|
||||
|
||||
RUN set -x \
|
||||
# Add user
|
||||
&& addgroup --gid 10001 app \
|
||||
&& adduser --disabled-password \
|
||||
--gecos '' \
|
||||
--ingroup app \
|
||||
--home /app \
|
||||
--uid 10001 \
|
||||
app
|
||||
RUN set -x \
|
||||
# Install required packages
|
||||
&& apk add npm openssl-dev musl-dev
|
||||
USER app
|
||||
WORKDIR /app
|
||||
RUN set -x \
|
||||
# Install build tools
|
||||
&& RUSTFLAGS=-Ctarget-feature=-crt-static cargo install wasm-pack \
|
||||
&& npm install rollup
|
||||
# Build
|
||||
COPY --chown=app:app . /app
|
||||
RUN cargo build --release
|
||||
# TODO: release mode.
|
||||
RUN ./app/build.sh
|
||||
|
||||
|
||||
# Final image
|
||||
FROM alpine
|
||||
|
||||
RUN set -x \
|
||||
# Add user
|
||||
&& addgroup --gid 10001 app \
|
||||
&& adduser --disabled-password \
|
||||
--gecos '' \
|
||||
--ingroup app \
|
||||
--home /app \
|
||||
--uid 10001 \
|
||||
app
|
||||
|
||||
RUN mkdir /data && chown app:app /data
|
||||
USER app
|
||||
WORKDIR /app
|
||||
COPY --chown=app:app --from=builder /app/app/index.html app/index.html
|
||||
COPY --chown=app:app --from=builder /app/app/main.js app/main.js
|
||||
COPY --chown=app:app --from=builder /app/app/pkg app/pkg
|
||||
COPY --chown=app:app --from=builder /app/target/release/lldap lldap
|
||||
|
||||
ENV LDAP_PORT=3890
|
||||
ENV HTTP_PORT=17170
|
||||
|
||||
EXPOSE ${LDAP_PORT} ${HTTP_PORT}
|
||||
|
||||
CMD ["/app/lldap", "--config_file", "/data/lldap_config.toml"]
|
38
README.md
38
README.md
|
@ -100,6 +100,44 @@ Make sure that you run `cargo fmt` in each crate that you modified (top-level,
|
|||
|
||||
### Setup
|
||||
|
||||
#### With Docker
|
||||
|
||||
The image is available at `nitnelave/lldap`. You should persist the `/data`
|
||||
folder, which contains your configuration, the database and the private key
|
||||
file (unless you move them in the config).
|
||||
|
||||
Configure the server by copying the `lldap_config.docker_template.toml` to
|
||||
`/data/lldap_config.toml` and updating the configuration values (especially the
|
||||
`jwt_secret` and `ldap_user_pass`, unless you override them with env variables).
|
||||
|
||||
Example for docker compose:
|
||||
|
||||
```yaml
|
||||
volumes:
|
||||
lldap_data:
|
||||
driver: local
|
||||
|
||||
services:
|
||||
lldap:
|
||||
image: nitnelave/lldap
|
||||
ports:
|
||||
# For LDAP
|
||||
- "3890:3890"
|
||||
# For the web front-end
|
||||
- "17170:17170"
|
||||
volumes:
|
||||
- "lldap_data:/data"
|
||||
environment:
|
||||
- JWT_SECRET=REPLACE_WITH_RANDOM
|
||||
- LDAP_USER_PASS=REPLACE_WITH_PASSWORD
|
||||
- LDAP_BASE_DN=dc=example,dc=com
|
||||
```
|
||||
|
||||
Then the service will listen on two ports, one for LDAP and one for the web
|
||||
front-end.
|
||||
|
||||
#### From source
|
||||
|
||||
To bring up the server, you'll need to compile the frontend. In addition to
|
||||
cargo, you'll need:
|
||||
|
||||
|
|
65
lldap_config.docker_template.toml
Normal file
65
lldap_config.docker_template.toml
Normal file
|
@ -0,0 +1,65 @@
|
|||
## Default configuration for Docker.
|
||||
## All the values can be overridden through environment variables. For
|
||||
## instance, "ldap_port" can be overridden with the "LDAP_PORT" variable.
|
||||
|
||||
## The port on which to have the LDAP server.
|
||||
#ldap_port = 3890
|
||||
|
||||
## The port on which to have the HTTP server, for user login and
|
||||
## administration.
|
||||
#http_port = 17170
|
||||
|
||||
## Random secret for JWT signature.
|
||||
## This secret should be random, and should be shared with application
|
||||
## servers that need to consume the JWTs.
|
||||
## Changing this secret will invalidate all user sessions and require
|
||||
## them to re-login.
|
||||
## You should probably set it through the JWT_SECRET environment
|
||||
## variable from a secret ".env" file.
|
||||
## You can generate it with (on linux):
|
||||
## LC_ALL=C tr -dc 'A-Za-z0-9!"#%&'\''()*+,-./:;<=>?@[\]^_{|}~' </dev/urandom | head -c 32; echo ''
|
||||
#jwt_secret = "REPLACE_WITH_RANDOM"
|
||||
|
||||
## Base DN for LDAP.
|
||||
## This is usually your domain name, and is used as a
|
||||
## namespace for your users. The choice is arbitrary, but will be needed
|
||||
## to configure the LDAP integration with other services.
|
||||
## The sample value is for "example.com", but you can extend it with as
|
||||
## many "dc" as you want, and you don't actually need to own the domain
|
||||
## name.
|
||||
#ldap_base_dn = "dc=example,dc=com"
|
||||
|
||||
## Admin username.
|
||||
## For the LDAP interface, a value of "admin" here will create the LDAP
|
||||
## user "cn=admin,dc=example,dc=com" (with the base DN above).
|
||||
## For the administration interface, this is the username.
|
||||
#ldap_user_dn = "admin"
|
||||
|
||||
## Admin password.
|
||||
## Password for the admin account, both for the LDAP bind and for the
|
||||
## administration interface.
|
||||
## You can set it with the LDAP_USER_PASS environment variable.
|
||||
## Note: you can create another admin user for LDAP/administration, this
|
||||
## is just the default one.
|
||||
#ldap_user_pass = "REPLACE_WITH_PASSWORD"
|
||||
|
||||
## Database URL.
|
||||
## This encodes the type of database (SQlite, Mysql and so
|
||||
## on), the path, the user, password, and sometimes the mode (when
|
||||
## relevant).
|
||||
## Note: Currently, only SQlite is supported. SQlite should come with
|
||||
## "?mode=rwc" to create the DB if not present.
|
||||
## Example URLs:
|
||||
## - "postgres://postgres-user:password@postgres-server/my-database"
|
||||
## - "mysql://mysql-user:password@mysql-server/my-database"
|
||||
##
|
||||
## This can be overridden with the DATABASE_URL env variable.
|
||||
database_url = "sqlite:///data/users.db?mode=rwc"
|
||||
|
||||
## Private key file.
|
||||
## Contains the secret private key used to store the passwords safely.
|
||||
## Note that even with a database dump and the private key, an attacker
|
||||
## would still have to perform an (expensive) brute force attack to find
|
||||
## each password.
|
||||
## Randomly generated on first run if it doesn't exist.
|
||||
key_file = "/data/private_key"
|
Loading…
Reference in a new issue