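---
# Docker Compose: one OpenLDAP instance (osixia/openldap) published through an
# external Traefik proxy.  Admin, config and read-only passwords are supplied
# as file-backed secrets (the *_PASSWORD_FILE variables below), so they are not
# exposed as plain environment values.
services:
  openldap:
    image: osixia/openldap:1.5.0
    container_name: openldap
    restart: unless-stopped
    # NOTE(review): --loglevel debug makes the container entrypoint verbose;
    # lower it once bootstrap is stable.
    command: --loglevel debug --copy-service
    environment:
      LDAP_LOG_LEVEL: "256"
      LDAP_ORGANISATION: "Alice"
      LDAP_DOMAIN: "alice.ufsj"
      LDAP_BASE_DN: "dc=alice,dc=ufsj"
      # Passwords are read from the secret files mounted under /run/secrets.
      LDAP_ADMIN_PASSWORD_FILE: "/run/secrets/ldap-admin"
      LDAP_CONFIG_PASSWORD_FILE: "/run/secrets/ldap-config"
      LDAP_READONLY_USER: "true"
      LDAP_READONLY_USER_USERNAME: "alice"
      LDAP_READONLY_USER_PASSWORD_FILE: "/run/secrets/ldap-readonly"
      LDAP_RFC2307BIS_SCHEMA: "true"
      LDAP_BACKEND: "mdb"
      # TLS is disabled in slapd itself: the Traefik router below terminates
      # TLS and forwards plaintext LDAP to port 389, so traffic between the
      # proxy and this container on traefik-public is unencrypted.  The
      # commented LDAP_TLS_* settings only take effect with LDAP_TLS "true".
      LDAP_TLS: "false"
      # LDAP_TLS_CRT_FILENAME: "fullchain1.pem"
      # LDAP_TLS_KEY_FILENAME: "privkey1.pem"
      # LDAP_TLS_DH_PARAM_FILENAME: "dhparam.pem"
      # LDAP_TLS_CA_CRT_FILENAME: "ca/ca-certificates.crt"
      # LDAP_TLS_ENFORCE: "false"
      # LDAP_TLS_VERIFY_CLIENT: "demand"
      # LDAP_REPLICATION: "false"
      # LDAP_REPLICATION_CONFIG_SYNCPROV: 'binddn="cn=admin,cn=config" bindmethod=simple credentials="$$LDAP_CONFIG_PASSWORD" searchbase="cn=config" type=refreshAndPersist retry="60 +" timeout=1 starttls=critical'
      # LDAP_REPLICATION_DB_SYNCPROV: 'binddn="cn=admin,$$LDAP_BASE_DN" bindmethod=simple credentials="$$LDAP_ADMIN_PASSWORD" searchbase="$$LDAP_BASE_DN" type=refreshAndPersist interval=00:00:00:10 retry="60 +" timeout=1 starttls=critical'
      # LDAP_REPLICATION_HOSTS: "#PYTHON2BASH:['ldap://ldap.example.org','ldap://ldap2.example.org']"
      KEEP_EXISTING_CONFIG: "false"
      LDAP_REMOVE_CONFIG_AFTER_SETUP: "true"
      LDAP_SSL_HELPER_PREFIX: "ldap"
    tty: true
    stdin_open: true
    secrets:
      - ldap-admin
      - ldap-config
      - ldap-readonly
    volumes:
      - data:/var/lib/ldap
      - config:/etc/ldap/slapd.d
      - ./templates:/templates
      - ./custom:/container/service/slapd/assets/config/bootstrap/ldif/custom
    # No host ports are published (see the commented "ports:" below); the
    # directory is reachable only through Traefik and peers on traefik-public.
    networks:
      - traefik-public
    # Label values are strings for Docker; quoted so that generic YAML tooling
    # (yamllint truthy, schema validators) does not retype them as bool/int.
    labels:
      traefik.enable: "true"
      traefik.tcp.routers.ldaps.entrypoints: "ldaps"
      traefik.tcp.routers.ldaps.tls: "true"
      # Matches every SNI; no certificate resolver is set here, so the
      # certificate must come from the Traefik configuration (confirm).
      traefik.tcp.routers.ldaps.rule: "HostSNI(`*`)"
      traefik.tcp.services.ldaps.loadbalancer.server.port: "389"
    # ports:
    #   - "389:389"
    #   - "636:636"
    # For replication to work correctly, domainname and hostname must be
    # set correctly so that "hostname"."domainname" equates to the
    # fully-qualified domain name for the host.
    # domainname: "example.org"
    # hostname: "ldap-server"

volumes:
  data: {}
  config: {}

networks:
  traefik-public:
    external: true

# Secret files are mounted into the container at /run/secrets/<name>;
# keep ./secrets out of version control.
secrets:
  ldap-admin:
    file: ./secrets/ldap-admin
  ldap-config:
    file: ./secrets/ldap-config
  ldap-readonly:
    file: ./secrets/ldap-readonly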