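---
# Docker Compose definition for LLDAP (lightweight LDAP server + web UI),
# published through Traefik and backed by PostgreSQL.
#
# Variables expected from the environment / .env file:
#   DB_PATH, TEMPLATES_PATH, SECOND_LEVEL_DOMAIN, TOP_LEVEL_DOMAIN,
#   PUBLIC_DOMAIN, LLDAP_DB_PASSWORD

# File-backed secrets. Keep the source files readable only by the deploying
# user (e.g. mode 0600) and outside version control.
secrets:
  LLDAP_JWT_SECRET:
    file: ${DB_PATH}/lldap/secrets/LLDAP_JWT_SECRET
  LLDAP_KEY_SEED:
    file: ${DB_PATH}/lldap/secrets/LLDAP_KEY_SEED

services:
  lldap:
    extends:
      file: ${TEMPLATES_PATH}
      service: default
    container_name: lldap
    # NOTE(review): ":latest" together with the Watchtower label below means
    # whatever is published under this tag is pulled and started unattended.
    # For an identity provider, pin a reviewed release tag or image digest.
    image: lldap/lldap:latest
    # A top-level secret is only mounted into a service that lists it here;
    # without this block /run/secrets/* does not exist in the container.
    secrets:
      - LLDAP_JWT_SECRET
      - LLDAP_KEY_SEED
    ports:
      # For LDAP, not recommended to expose, see Usage section.
      # NOTE(review): this publishes plaintext LDAP on every host interface,
      # so bind DNs and passwords cross the network unencrypted. If only
      # local or same-network containers need it, bind to loopback
      # ("127.0.0.1:3890:3890") or drop the mapping; otherwise use LDAPS.
      - "3890:3890"
      # For LDAPS (LDAP Over SSL), enable port if
      # LLDAP_LDAPS_OPTIONS__ENABLED is set to true, see environment below.
      # - "6360:6360"
      # For the web front-end
      # NOTE(review): Traefik reaches the UI over the container network, so
      # this host mapping is an extra plain-HTTP path that skips both TLS and
      # the crowdsec-bouncer middleware. Remove it or bind to 127.0.0.1
      # unless direct access is intended.
      - "17170:17170"
    volumes:
      - "${DB_PATH}/lldap/data:/data"
    environment:
      # Use the *_FILE variants so LLDAP loads the secret from the mounted
      # file. Setting LLDAP_JWT_SECRET / LLDAP_KEY_SEED to a path makes the
      # literal path string the secret, i.e. a publicly guessable value.
      # Switching to the real key seed changes the server key; expect to
      # reset existing user passwords after this change.
      - LLDAP_JWT_SECRET_FILE=/run/secrets/LLDAP_JWT_SECRET
      - LLDAP_KEY_SEED_FILE=/run/secrets/LLDAP_KEY_SEED
      - "LLDAP_LDAP_BASE_DN=dc=${SECOND_LEVEL_DOMAIN},dc=${TOP_LEVEL_DOMAIN}"
      # If using LDAPS, set enabled true and configure cert and key path
      # - LLDAP_LDAPS_OPTIONS__ENABLED=true
      # - LLDAP_LDAPS_OPTIONS__CERT_FILE=/data/certfile.crt
      # - LLDAP_LDAPS_OPTIONS__KEY_FILE=/data/keyfile.key
      # You can also set a different database:
      # NOTE(review): the database password is interpolated into the
      # container environment and is readable via `docker inspect`. It must
      # also be URL-encoded if it contains reserved characters.
      - "LLDAP_DATABASE_URL=postgres://lldap:${LLDAP_DB_PASSWORD}@postgres/lldap"
    labels:
      # Watchtower
      - "com.centurylinklabs.watchtower.enable=true"
      # Traefik
      - "traefik.enable=true"
      - "traefik.http.routers.lldap.rule=Host(`ldap.${PUBLIC_DOMAIN}`)"
      - "traefik.http.routers.lldap.entrypoints=https"
      - "traefik.http.routers.lldap.tls=true"
      - "traefik.http.routers.lldap.tls.certresolver=myresolver"
      - "traefik.http.routers.lldap.service=lldap-service"
      - "traefik.http.services.lldap-service.loadbalancer.server.port=17170"
      - "traefik.http.services.lldap-service.loadbalancer.server.scheme=http"
      # middlewares
      - "traefik.http.routers.lldap.middlewares=crowdsec-bouncer@file"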