From 928559890a8c2ba27904d285cd0f3cfb5cab08b2 Mon Sep 17 00:00:00 2001
From: Yuki <13830452+baka-yuki@users.noreply.github.com>
Date: Fri, 14 Mar 2025 01:46:57 +0900
Subject: [PATCH] example_configs: add example with podman quadlets for pgsql deployment w/ secrets
---
 README.md | 8 +++
 .../podman-quadlets/lldap-db.container | 38 ++++++++++
 .../podman-quadlets/lldap.container | 71 +++++++++++++++++++
 3 files changed, 117 insertions(+)
 create mode 100644 example_configs/podman-quadlets/lldap-db.container
 create mode 100644 example_configs/podman-quadlets/lldap.container
diff --git a/README.md b/README.md
index abee137..ae9f1ab 100644
--- a/README.md
+++ b/README.md
@@ -36,6 +36,7 @@ - [About](#about) - [Installation](#installation) - [With Docker](#with-docker) + - [With Podman](#with-podman) - [With Kubernetes](#with-kubernetes) - [From a package repository](#from-a-package-repository) - [With FreeBSD](#with-freebsd)
@@ -179,6 +180,13 @@ services: Then the service will listen on two ports, one for LDAP and one for the web front-end. +### With Podman + +LLDAP works well with rootless Podman either through command line deployment +or using [quadlets](example_configs/podman-quadlets/). The example quadlets +include configuration with postgresql and file based secrets, but have comments +for several other deployment strategies. + ### With Kubernetes See https://github.com/Evantage-WS/lldap-kubernetes for a LLDAP deployment for Kubernetes
diff --git a/example_configs/podman-quadlets/lldap-db.container b/example_configs/podman-quadlets/lldap-db.container
new file mode 100644
index 0000000..1236400
--- /dev/null
+++ b/example_configs/podman-quadlets/lldap-db.container
@@ -0,0 +1,38 @@
+###
+### lldap-db - podman quadlet file
+### https://docs.podman.io/en/latest/markdown/podman-systemd.unit.5.html
+###
+
+[Unit]
+Description=LLDAP-DB container
+Documentation=https://hub.docker.com/_/postgres
+# likely only needed for Podman < 5.3 (see containers/podman#22197 and #24637)
+After=podman-user-wait-network-online.service
+
+[Service]
+Restart=on-failure
+
+[Container]
+AutoUpdate=registry
+ContainerName=lldap-db
+Image=docker.io/postgres:17
+
+# this is optional to keep db/web services separate
+Network=backend.network
+
+# health check
+HealthCmd=pg_isready -U lldapuser -d lldap
+HealthInterval=5s
+HealthRetries=3
+HealthStartPeriod=15s
+HealthTimeout=30s
+
+# environment variables
+Environment=POSTGRES_DB=lldap
+Environment=POSTGRES_PASSWORD=lldappass
+Environment=POSTGRES_USER=lldapuser
+
+Volume=lldap-db.volume:/var/lib/postgresql/data:Z
+
+[Install]
+WantedBy=default.target
diff --git a/example_configs/podman-quadlets/lldap.container b/example_configs/podman-quadlets/lldap.container
new file mode 100644
index 0000000..bd2e6e9
--- /dev/null
+++ b/example_configs/podman-quadlets/lldap.container
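Review bot: `Environment=POSTGRES_PASSWORD=lldappass` keeps the database password as a plaintext environment line in a unit whose stated purpose is a secrets-based deployment, and that value is exposed through the container's inspect output to anyone who can query the user's Podman instance. The same credential is repeated in lldap.container inside `Environment=LLDAP_DATABASE_URL=postgres://lldapuser:lldappass@lldap-db/lldap`, so the leak is in both new files. lldap.container already shows the `type=env` secret form, and the same mechanism fits here: `Secret=<db-password-secret>,type=env,target=POSTGRES_PASSWORD` (placeholder name, created beforehand with `podman secret create`), with the connection string in lldap.container supplied the same way via `target=LLDAP_DATABASE_URL` instead of hard-coded. If these are intentionally throwaway demo values, a comment above the line such as `# example value only - replace with a podman secret before real use` would stop readers from copying them into a deployment.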
@@ -0,0 +1,71 @@
+###
+### lldap - podman quadlet file
+### https://docs.podman.io/en/latest/markdown/podman-systemd.unit.5.html
+###
+
+[Unit]
+Description=LLDAP container
+Documentation=https://github.com/lldap/lldap
+Requires=lldap-db.service
+
+[Service]
+Restart=on-failure
+
+[Container]
+AutoUpdate=registry
+ContainerName=lldap
+Image=docker.io/lldap/lldap:stable-debian
+
+# using multiple networks for traefik and db, not essential
+Network=frontend.network
+Network=backend.network
+
+# environment variables
+Environment=UID=1000
+Environment=GID=1000
+Environment=LLDAP_LDAP_BASE_DN=dc=example,dc=com
+Environment=LLDAP_DATABASE_URL=postgres://lldapuser:lldappass@lldap-db/lldap
+Environment=LLDAP_LDAP_USER_EMAIL=admin@example.com
+
+# set secrets in files, see below for environment variable method
+Environment=LLDAP_KEY_SEED_FILE=/run/secrets/lldap-key-seed
+Environment=LLDAP_JWT_SECRET_FILE=/run/secrets/lldap-jwt-secret
+Environment=LLDAP_LDAP_USER_PASS_FILE=/run/secrets/lldap-ldap-user-pass
+
+# bootstrap.sh environment variables
+# Environment=LLDAP_URL=http://localhost:17170
+# Environment=LLDAP_ADMIN_USERNAME=admin
+# Environment=LLDAP_ADMIN_PASSWORD_FILE=/run/secrets/lldap-ldap-user-pass
+
+# health check
+HealthCmd=/app/lldap healthcheck
+HealthInterval=30s
+HealthRetries=3
+HealthStartPeriod=15s
+HealthTimeout=30s
+
+# if using traefik, automatically configure to proxy the web service
+# Label=traefik.enable="true"
+# Label=traefik.http.routers.lldap.rule="Host(`lldap.example.com`)"
+# Label=traefik.http.routers.lldap.middlewares="authelia@docker"
+# Label=traefik.http.services.lldap.loadbalancer.server.port=17170
+
+# secrets
+# file based secrets
+Secret=lldap-jwt-secret,type=mount,uid=1000
+Secret=lldap-key-seed,type=mount,uid=1000
+Secret=lldap-ldap-user-pass,type=mount,uid=1000
+
+# env variable secrets
+# Secret=lldap-jwt-secret,type=env,target=LLDAP_JWT_SECRET
+# Secret=lldap-key-seed,type=env,target=LLDAP_KEY_SEED
+# Secret=lldap-ldap-user-pass,type=env,target=LLDAP_LDAP_USER_PASS
+
+# for bootstrap.sh script
+# Secret=lldap-ldap-user-pass,type=env,target=LLDAP_ADMIN_PASSWORD
+
+# volumes - only needed for bootstrap.sh
+# Volume=%h/containers/lldap:/bootstrap:ro,Z
+
+[Install]
+WantedBy=default.target
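Review bot: `Requires=lldap-db.service` in the [Unit] section pulls the database unit in but does not order this unit after it; systemd's Requires= does not imply After=, so both containers may start concurrently and lldap can make its first database connection before postgres is listening, with `Restart=on-failure` then masking the race by restarting rather than avoiding it. Adding `After=lldap-db.service` beside the Requires= line gives the intended ordering. After= only waits for the db unit to become active, not for its `pg_isready` healthcheck to pass, so if the installed Podman supports `Notify=healthy` on the db quadlet, that is the way to tie activation to readiness; otherwise a comment noting the gap would help. Note also that lldap-db.container carries `After=podman-user-wait-network-online.service` while this file does not, so the Podman < 5.3 workaround described there is only half applied.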