services/swarm/lldap.yaml

version: "3.9"

networks:
  netgrimoire:
    external: true

services:
  lldap-db:
    image: postgres:16
    networks:
      - netgrimoire
    #user: "1001:998"
    environment:
      - TZ=America/Chicago
      - PUID=1001
      - PGID=998
      - POSTGRES_DB=lldap
      - POSTGRES_USER=lldap
      - POSTGRES_PASSWORD=F@lcon13
    volumes:
      - /DockerVol/lldap-db/data:/var/lib/postgresql/data
    deploy:
      placement:
        constraints:
          - node.hostname == docker4
      labels:
        - diun.enable=true
    restart: unless-stopped

  lldap:
    image: lldap/lldap:stable
    networks:
      - netgrimoire
    #user: "1001:998"
    environment:
      - TZ=America/Chicago
      - PUID=1001
      - PGID=998

      # Base DN
      - LLDAP_LDAP_BASE_DN=dc=netgrimoire,dc=com
      - LLDAP_DOMAIN=netgrimoire.com

      # User/admin bind password (you will replace)
      - LLDAP_LDAP_USER_PASS=F@lcon13

      # Generated secrets (leave as-is unless you want to rotate)
      - LLDAP_JWT_SECRET=lougu9MjGLmLp1SPDkkCBsQm-MdHpGGuOn-wW7FRWRdzglIn1nJRyBQkQ7HDcDh0
      - LLDAP_KEY_SEED=Kss_fNlMBH3XRo9aYHo_pI9gWQecQ1v3-yYzULckoWUm-iKIkV2DMygPYyKaN-u_

      # Postgres
      - LLDAP_DATABASE_URL=postgres://lldap:F@lcon13@lldap-db:5432/lldap

    volumes:
      - /DockerVol/lldap/data:/data

    # Expose to LAN via swarm routing mesh (ingress)
    ports:
      - target: 17170
        published: 17170
        protocol: tcp
        mode: ingress
      - target: 3890
        published: 3890
        protocol: tcp
        mode: ingress
      # If/when you enable LDAPS:
      # - target: 6360
      #   published: 6360
      #   protocol: tcp
      #   mode: ingress

    deploy:
      placement:
        constraints:
          - node.hostname == docker4
      labels:
        # Homepage
        - homepage.group=Management
        - homepage.name=LLDAP
        - homepage.icon=ldap.png
        - homepage.href=https://ldap.netgrimoire.com
        - homepage.description=Lightweight LDAP directory

        # Kuma
        - kuma.lldap.http.name=LLDAP
        - kuma.lldap.http.url=http://lldap:17170

        # Caddy / Authentik (protect UI)
        - caddy=ldap.netgrimoire.com
        - caddy.import=authentik
        - caddy.reverse_proxy=lldap:17170

        # Diun
        - diun.enable=true

    depends_on:
      - lldap-db
    restart: unless-stopped