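---
# Default variables for the Lemonldap::NG Nomad job.
# `[[ ... ]]` is expanded by the job templating engine at render time;
# `{{ ... }}` is expanded by consul-template/Vault at allocation time.
# NOTE(review): nesting below was reconstructed from a flattened paste — confirm
# key placement (notably wait_for, artifacts, log_level and cron) against upstream.
instance: lemonldap-ng

llng:
  nomad:
    # A lot of services depend on lemonldap,
    # so make it a bit higher priority than normal
    priority: 60
    # Ensure we run different allocs on different hosts
    constraints:
      - operator: distinct_hosts
        value: true

  # The same engine can run portal, manager and handler.
  # The settings below are for the uwsgi engine itself.
  engine:
    # Number of instances to run
    count: 1

    # Version of Lemonldap::NG to use (quoted so it always stays a string)
    version: '2.19.0'

    # Docker image to use
    image: '[[ .docker.repo ]]lemonldap-ng:[[ .llng.engine.version ]]-2'

    # Resource allocation
    resources:
      cpu: 500
      memory: 512

    # Connect to the database from the service mesh
    consul:
      connect:
        upstreams:
          - destination_name: postgres[[ .consul.suffix ]]
            local_bind_port: 5432

    wait_for:
      - service: postgres[[ .consul.suffix ]]

    # Vault policies
    vault:
      policies:
        - '[[ .instance ]][[ .consul.suffix ]]'

    # Database settings.
    # Credentials are not stored here: they are rendered at allocation time
    # from Vault's database secrets engine (database/creds/...), so the
    # rendered template must never be committed or logged.
    postgres:
      database: '[[ .instance ]]'
      user: '{{ with secret "[[ .vault.root ]]database/creds/[[ .instance ]]" }}{{ .Data.username }}{{ end }}'
      password: '{{ with secret "[[ .vault.root ]]database/creds/[[ .instance ]]" }}{{ .Data.password }}{{ end }}'

    # Additional env vars to pass to the container.
    # NOTE(review): Nomad env values are strings — quote values here if the job
    # template does not quote them itself; confirm against the template.
    env:
      # Max number of uwsgi workers. You might need to allocate more memory
      # if you raise this value (or you can just run several instances instead)
      LLNG_WORKERS: 6

    # Download assets (used to customize the portal)
    artifacts:
      defaults:
        source: git::https://git.lapiole.org/nomad/lemonldap-ng.git//files/assets
        destination: local/assets/static/common

    # Log level of the engine
    log_level: notice

  # Settings for the portal itself
  portal:
    # URL used by users to reach the portal
    public_url: https://sso.example.org

    # Available languages on the portal
    languages:
      - en
      - fr
      - es
      - it
      - de

    # Traefik settings
    traefik:
      # If disabled, the portal won't be exposed by Traefik
      enabled: true

      # Disable default CSP as Lemonldap::NG handles CSP itself
      csp: false

      auto_rule: false
      router: '[[ .instance ]]-portal[[ .consul.suffix ]]'

    # Cron jobs
    cron:
      # Rotate OIDC keys (default is disabled)
      rotate_oidc_keys: ''
      # Clean up the global session store by removing obsolete sessions.
      # Note that this task will only be scheduled on the first allocation (NOMAD_ALLOC_INDEX 0)
      # as there's no need to do the cleanup on every instance
      clean_global_cache: '@every 10m'
      # Clean up the local session and config cache.
      # This task will also only be scheduled on the first allocation
      clean_local_cache: '@every 1h'

  # Settings for the configuration manager
  manager:
    # protection can be "none" (no authentication) or "manager" (the manager is
    # protected by Lemonldap::NG itself, and you must add appropriate access
    # rules to reach the manager). On initial configuration, you will likely
    # need to set this to "none", and switch back to "manager" only after the
    # configuration is working. Keep "none" only while bootstrapping: with it,
    # anything that can reach the manager URL can change the SSO configuration.
    protection: manager

    # The URL to reach the manager
    public_url: https://manager.example.org

    # Available languages for the manager
    languages:
      - en

    # Traefik settings
    traefik:
      # If disabled, the manager will not be exposed by Traefik
      enabled: true

      # Disable default CSP as Lemonldap::NG handles CSP itself
      csp: false

      router: manager

  # The API is exposed by the portal, but usually must be secured differently.
  # The following settings only apply to the REST/SOAP API.
  api:
    # Traefik settings
    traefik:
      # If disabled, Traefik won't expose the API (default: not exposed;
      # enable only behind an appropriate access rule)
      enabled: false

      csp: false

      middlewares:
        compression: false

      auto_rule: false
      router: api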