Add LDAP support with LLDAP

This sets the stage for moving common authentication from IMAP/Dovecot
to LDAP, which allows for more control over user information, as well as
a basic form of RBAC.

No services are currently set up to support LDAP -- support will follow
soon after this commit.

host/virtual/spec.bu

@@ -26,6 +26,7 @@ ignition:
       - local: service/prometheus/spec.ign
       - local: service/grafana/spec.ign
       - local: service/gitea/spec.ign
+      - local: service/lldap/spec.ign
 
 passwd:
   users:
@@ -136,6 +137,14 @@ systemd:
             [Service]
             Environment=UPSTREAM_HOST=gitea UPSTREAM_PORT=8080
 
+    - name: nginx-proxy-http@lldap.localhost.service
+      enabled: true
+      dropins:
+        - name: lldap-upstream.conf
+          contents: |
+            [Service]
+            Environment=UPSTREAM_HOST=lldap UPSTREAM_PORT=8080
+
     - name: letsencrypt-dns-register@localhost.service
       enabled: true
       dropins:

host/virtual/virtual.env

@@ -57,3 +57,10 @@ GITEA_SECRET_KEY=password
 GITEA_DISABLE_REGISTRATION=true
 GITEA_REQUIRE_SIGNIN_VIEW=false
 GITEA_MAILER_FROM=noreply@gitea.localhost
+
+# Configuration for LLDAP.
+LLDAP_HOST=lldap.localhost
+LLDAP_JWT_SECRET=password
+LLDAP_ADMIN_EMAIL=admin@localhost
+LLDAP_ADMIN_USERNAME=admin
+LLDAP_ADMIN_PASSWORD=password

service/lldap/Containerfile

@@ -0,0 +1,36 @@
+FROM docker.io/rust:1.63 AS builder
+ARG VERSION=8b01271e94671df88c68abbc69efb9bcec117498
+
+RUN apt-get update -y && apt-get install -y --no-install-recommends \
+    git npm wget
+
+RUN cargo install wasm-pack && rustup target add wasm32-unknown-unknown
+RUN npm install -g rollup
+
+RUN git clone https://github.com/nitnelave/lldap.git /lldap && \
+    cd /lldap && git reset --hard ${VERSION} && \
+    cargo build --release -p lldap -p migration-tool && app/build.sh
+
+RUN cd /lldap/app/static && \
+    for file in $(cat libraries.txt); do wget "$file"; done && \
+    for file in $(cat fonts/fonts.txt); do wget -P fonts "$file"; done
+
+FROM docker.io/debian:bullseye-slim
+
+RUN apt-get update -y && apt-get install -y --no-install-recommends \
+    gettext gosu
+
+RUN addgroup --system --gid 10000 lldap
+RUN adduser --system --uid 10000 --ingroup lldap --home /var/lib/lldap lldap
+RUN mkdir -p /opt/lldap/app
+
+COPY --from=builder /lldap/app/index_local.html /opt/lldap/app/index.html
+COPY --from=builder /lldap/app/static /opt/lldap/app/static
+COPY --from=builder /lldap/app/pkg /opt/lldap/app/pkg
+COPY --from=builder /lldap/target/release/lldap /lldap/target/release/migration-tool /opt/lldap
+
+COPY container/config /etc/lldap
+COPY container/run-lldap /run-lldap
+
+EXPOSE 3890 8080
+ENTRYPOINT ["/run-lldap"]

service/lldap/container/config/config.toml.template

@@ -0,0 +1,60 @@
+## The port on which to have the LDAP server.
+ldap_port = 3890
+
+## The port on which to have the HTTP server, for user login and administration.
+http_port = 8080
+
+## The public URL of the server, for password reset links.
+http_url = "https://${LLDAP_HOST}"
+
+## Random secret for JWT signature.
+jwt_secret = "${LLDAP_JWT_SECRET}"
+
+## Base DN for LDAP.
+## This is usually your domain name, and is used as a namespace for your users. The choice is
+## arbitrary, but will be needed to configure the LDAP integration with other services. The sample
+## value is for "example.com", but you can extend it with as many "dc" as you want, and you don't
+## actually need to own the domain name.
+ldap_base_dn = "dc=ldap,dc=local"
+
+## Admin email.
+## Email for the admin account. It is only used when initially creating the admin user, and can
+## safely be omitted.
+ldap_user_email = "${LLDAP_ADMIN_EMAIL}"
+
+## Admin username.
+## For the LDAP interface, a value of "admin" here will create the LDAP user
+## "cn=admin,ou=people,dc=example,dc=com" (with the base DN above). For the administration
+## interface, this is the username.
+ldap_user_dn = "${LLDAP_ADMIN_USERNAME}"
+
+## Admin password.
+## Password for the admin account, both for the LDAP bind and for the
+## administration interface. It is only used when initially creating
+## the admin user.
+## It should be minimum 8 characters long.
+ldap_user_pass = "${LLDAP_ADMIN_PASSWORD}"
+
+## Database URL.
+## This encodes the type of database (SQlite, MySQL and so on), the path, the user, password, and
+## sometimes the mode (when relevant).
+## Note: Currently, only SQlite is supported. SQlite should come with "?mode=rwc" to create the DB
+## if not present.
+##
+## Example URLs:
+##  - "postgres://postgres-user:password@postgres-server/my-database"
+##  - "mysql://mysql-user:password@mysql-server/my-database"
+database_url = "sqlite:///var/lib/lldap/lldap.db?mode=rwc"
+
+## Private key file.
+## Contains the secret private key used to store the passwords safely. Note that even with a
+## database dump and the private key, an attacker would still have to perform an (expensive) brute
+## force attack to find each password.
+## Randomly generated on first run if it doesn't exist.
+key_file = "/var/lib/lldap/private.key"
+
+## Options to configure SMTP parameters, to send password reset emails. To set these options from
+## environment variables, use the following format
+[smtp_options]
+## Whether to enabled password reset via email, from LLDAP.
+enable_password_reset=false

service/lldap/container/run-lldap

@@ -0,0 +1,12 @@
+#!/bin/sh
+set -eu
+
+# Create configuration file from collected templates.
+envsubst < /etc/lldap/config.toml.template > /etc/lldap/config.toml
+
+# Create data directories and correct permissions for data files.
+install --owner lldap --group lldap --mode 700 --directory /var/lib/lldap
+chown -R lldap:lldap /etc/lldap /var/lib/lldap
+
+# Run entrypoint under specific user.
+cd /opt/lldap && gosu lldap /opt/lldap/lldap run --config-file /etc/lldap/config.toml "$@"

service/lldap/lldap.env.template

@@ -0,0 +1,8 @@
+# Application settings.
+LLDAP_HOST=${LLDAP_HOST}
+LLDAP_JWT_SECRET=${LLDAP_JWT_SECRET}
+
+# Admin user settings.
+LLDAP_ADMIN_EMAIL=${LLDAP_ADMIN_EMAIL}
+LLDAP_ADMIN_USERNAME=${LLDAP_ADMIN_USERNAME}
+LLDAP_ADMIN_PASSWORD=${LLDAP_ADMIN_PASSWORD}

service/lldap/spec.bu

@@ -0,0 +1,12 @@
+variant: fcos
+version: 1.3.0
+storage:
+  trees:
+    - path: /etc/coreos-home-server/lldap
+      local: service/lldap/
+    - path: /etc/systemd/system
+      local: service/lldap/systemd/
+systemd:
+  units:
+    - name: lldap.service
+      enabled: true

service/lldap/systemd/lldap.service

@@ -0,0 +1,20 @@
+[Unit]
+Description=LLDAP Light LDAP server
+Wants=container-build@%N.service container-volume@%N.service
+After=container-build@%N.service container-volume@%N.service
+
+[Service]
+Type=notify
+NotifyAccess=all
+SyslogIdentifier=%N
+Restart=on-failure
+Environment=PODMAN_SYSTEMD_UNIT=%n
+ExecStart=/bin/podman run --replace --name %N --net internal --sdnotify=conmon \
+                          --env-file %E/coreos-home-server/%N/%N.env \
+                          --volume %N:/var/lib/%N:z \
+                          localhost/%N:latest
+ExecStop=/bin/podman stop --ignore --time 10 %N
+ExecStopPost=/bin/podman rm --ignore --force %N
+
+[Install]
+WantedBy=multi-user.target