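---
# Swarm stack: LLDAP (lightweight LDAP directory) backed by PostgreSQL.
#
# Secrets are NOT stored in this file. They are injected at deploy time by
# Compose variable interpolation from the deploying shell's environment;
# `${VAR:?msg}` makes the deploy fail instead of starting with an empty secret.
# The values that were previously committed inline (DB password, admin bind
# password, JWT secret, key seed) should be treated as disclosed and rotated.
# NOTE(review): changing LLDAP_KEY_SEED is expected to invalidate stored user
# passwords; confirm against the LLDAP docs and plan a reset before rotating.

networks:
  netgrimoire:
    external: true

services:
  lldap-db:
    # NOTE(review): mutable tag; pin by digest if reproducible deploys matter.
    image: postgres:16
    networks:
      - netgrimoire
    # user: "1001:998"
    environment:
      TZ: America/Chicago
      PUID: "1964"
      PGID: "1964"
      POSTGRES_DB: lldap
      POSTGRES_USER: lldap
      POSTGRES_PASSWORD: "${LLDAP_DB_PASSWORD:?set LLDAP_DB_PASSWORD}"
    volumes:
      - /DockerVol/lldap-db/data:/var/lib/postgresql/data
    deploy:
      restart_policy:
        condition: any
        delay: 5s
        max_attempts: 3
        window: 120s
      placement:
        constraints:
          - node.platform.arch != arm
          - node.platform.arch != aarch64
          - node.hostname == docker4
      # NOTE(review): placed under deploy (service labels), as the key order
      # in the original suggests; confirm.
      labels:
        gremlin.version: "2026-04-1"
        # Label values are quoted so they stay strings rather than booleans.
        diun.enable: "true"
        gremlin.caddy.skip: "true"
        gremlin.homepage.skip: "true"
        gremlin.monitor.skip: "true"
        gremlin.network.skip: "true"
    # Ignored by `docker stack deploy`; deploy.restart_policy applies in swarm.
    restart: unless-stopped

  lldap:
    # NOTE(review): mutable tag; pin by digest if reproducible deploys matter.
    image: lldap/lldap:stable
    networks:
      - netgrimoire
    # user: "1001:998"
    environment:
      TZ: America/Chicago
      PUID: "1964"
      PGID: "1964"

      # Base DN
      LLDAP_LDAP_BASE_DN: "dc=netgrimoire,dc=com"
      LLDAP_DOMAIN: netgrimoire.com

      # Admin bind password. Use a value distinct from the database password
      # so that disclosure of one does not grant the other.
      LLDAP_LDAP_USER_PASS: "${LLDAP_ADMIN_PASSWORD:?set LLDAP_ADMIN_PASSWORD}"

      # Token-signing secret and key seed: long random values, kept outside
      # version control.
      LLDAP_JWT_SECRET: "${LLDAP_JWT_SECRET:?set LLDAP_JWT_SECRET}"
      LLDAP_KEY_SEED: "${LLDAP_KEY_SEED:?set LLDAP_KEY_SEED}"

      # Postgres. The password sits inside a URL, so reserved characters
      # (e.g. `@`, `:`, `/`) must be percent-encoded (`@` -> `%40`); supply the
      # already-encoded form of the DB password in this variable.
      LLDAP_DATABASE_URL: "postgres://lldap:${LLDAP_DB_PASSWORD_URLENCODED:?set LLDAP_DB_PASSWORD_URLENCODED}@lldap-db:5432/lldap"
    volumes:
      - /DockerVol/lldap/data:/data

    # Expose to LAN via swarm routing mesh (ingress).
    # NOTE(review): ingress publishing opens these ports on every swarm node.
    # Port 17170 (web UI) is therefore reachable directly, without passing
    # through the Caddy/Authentik protection configured in the labels below;
    # drop that mapping or firewall it if the proxy is meant to be the only
    # path. Port 3890 is plain LDAP, so bind passwords cross the LAN
    # unencrypted until LDAPS is enabled.
    ports:
      - target: 17170
        published: 17170
        protocol: tcp
        mode: ingress
      - target: 3890
        published: 3890
        protocol: tcp
        mode: ingress
      # If/when you enable LDAPS:
      # - target: 6360
      #   published: 6360
      #   protocol: tcp
      #   mode: ingress

    deploy:
      restart_policy:
        condition: any
        delay: 5s
        max_attempts: 3
        window: 120s
      placement:
        constraints:
          - node.platform.arch != arm
          - node.platform.arch != aarch64
          - node.hostname == docker4
      # The original mixed a mapping entry with `- key=value` list items under
      # one `labels:` key, which is not valid YAML, and set diun.enable twice.
      # All labels are now a single mapping with string values.
      labels:
        # Diun
        diun.enable: "true"

        # Homepage
        homepage.group: Authentication
        homepage.name: LLDAP
        homepage.icon: ldap.png
        homepage.href: "https://ldap.netgrimoire.com"
        homepage.description: Lightweight LDAP directory

        # Kuma
        kuma.lldap.http.name: LLDAP
        kuma.lldap.http.url: "http://lldap:17170"

        # Caddy / Authentik (protect UI)
        caddy: ldap.netgrimoire.com
        caddy.import: authentik
        caddy.reverse_proxy: "lldap:17170"
    # Ignored by `docker stack deploy`; deploy.restart_policy applies in swarm.
    restart: unless-stopped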