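---
instance: lemonldap-ng

llng:
  # The same engine can run portal, manager and handler.
  # The settings below are for the uwsgi engine itself.
  engine:
    # Number of instances to run
    count: 1

    # Docker image to use. Pinned to an explicit version tag; pinning to a
    # digest (image@sha256:...) would additionally protect against the tag
    # being re-pushed with different content.
    image: '[[ .docker.repo ]]lemonldap-ng:2.18.1-4'

    # Resource allocation
    resources:
      cpu: 500
      memory: 512

    # Connect to the database through the service mesh: the Connect sidecar
    # terminates mesh mTLS and exposes postgres on a loopback port inside the
    # task's network namespace.
    consul:
      connect:
        upstreams:
          - destination_name: 'postgres[[ .consul.suffix ]]'
            local_bind_port: 5432

    # Additional env vars to pass to the container.
    # Env var values are strings: numeric-looking ones are quoted so the YAML
    # parser does not turn them into integers.
    env:
      # Database settings. PGHOST/PGPORT must match the Connect upstream
      # local bind above.
      PGHOST: '127.0.0.1'
      PGPORT: '5432'
      # Dynamic credentials issued by Vault's database secrets engine and
      # rendered at deploy time; no static credential is stored here.
      PGUSER: '{{ with secret "[[ .vault.prefix ]]database/creds/[[ .instance ]]" }}{{ .Data.username }}{{ end }}'
      PGPASSWORD: '{{ with secret "[[ .vault.prefix ]]database/creds/[[ .instance ]]" }}{{ .Data.password }}{{ end }}'
      PGDATABASE: '[[ .instance ]]'
      # No need for SSL at the libpq level: the connection only crosses
      # loopback to the Connect sidecar, which carries it over mesh mTLS.
      # This is only safe while PGHOST stays 127.0.0.1 — if postgres is ever
      # reached directly instead of through the upstream, switch this to
      # verify-full.
      PGSSLMODE: disable
      # Max number of uwsgi workers. You might need to allocate more memory
      # if you raise this value (or you can just run several instances instead).
      LLNG_WORKERS: '6'

    # Download assets (used to customize the portal).
    # The git source is not pinned to a ref, so the checkout follows the
    # repository's default branch and the served assets change whenever that
    # branch does. Pin it with ?ref=<tag-or-commit> for a reproducible,
    # reviewable deployment.
    artifacts:
      defaults:
        source: git::https://git.lapiole.org/nomad/lemonldap-ng.git//files/assets
        destination: local/assets/static/common

  # Settings for the portal itself
  portal:
    # URL used by users to reach the portal
    public_url: https://sso.example.org

    # Available languages on the portal
    languages:
      - en
      - fr
      - es
      - it
      - de

    # Traefik settings
    traefik:
      # If disabled, the portal won't be exposed by Traefik
      enabled: true

      # Override base_middlewares to remove csp-relaxed@file, as
      # Lemonldap::NG handles CSP itself.
      base_middlewares:
        - rate-limit-std@file
        - inflight-std@file
        - security-headers@file
        - hsts@file
        - compression@file

      # List of additional middlewares to apply
      middlewares: {}

  # Settings for the configuration manager
  manager:
    # protection can be "none" (no authentication) or "manager" (the manager
    # is protected by Lemonldap::NG itself, and you must add appropriate
    # access rules to access the manager). On initial configuration, you
    # will likely need to set this to none, and switch back to manager only
    # after the configuration is working.
    # While protection is "none" the manager is reachable by anyone who can
    # reach its public_url, because traefik.enabled is true and no extra
    # middleware is applied below: keep traefik.enabled false, or add an
    # IP-allowlist middleware, until protection is back to "manager".
    protection: manager

    # The URL to reach the manager
    public_url: https://manager.example.org

    # Available languages for the manager
    languages:
      - en

    # Traefik settings
    traefik:
      # If disabled, the manager will not be exposed by Traefik
      enabled: true

      # Override base_middlewares to remove csp-relaxed@file, as
      # Lemonldap::NG handles CSP itself.
      base_middlewares:
        - rate-limit-std@file
        - inflight-std@file
        - security-headers@file
        - hsts@file
        - compression@file

      # List of additional middlewares to apply
      middlewares: {}

  # The API is exposed by the portal, but usually must be secured differently.
  # The following settings only apply to the REST/SOAP API.
  api:
    # Traefik settings
    traefik:
      # If disabled, Traefik won't expose the API. Left disabled by default:
      # only enable it once the API has its own access control in place.
      enabled: false

      # Override base_middlewares to remove csp-relaxed@file, as
      # Lemonldap::NG handles CSP itself.
      base_middlewares:
        - rate-limit-std@file
        - inflight-std@file
        - security-headers@file
        - hsts@file
        - compression@file

      # List of additional middlewares to apply
      middlewares: {}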