Diffstat (limited to 'manifests/auth/local.pp')
-rw-r--r--manifests/auth/local.pp72
1 files changed, 72 insertions, 0 deletions
diff --git a/manifests/auth/local.pp b/manifests/auth/local.pp
new file mode 100644
index 0000000..289ce15
--- /dev/null
+++ b/manifests/auth/local.pp
@@ -0,0 +1,72 @@
+# @summary Concourse LDAP authentication
+# Most attributes maps directly to concourse's options, but with
+# `CONCOURSE_LDAP_` prefixed.
+class concourse::auth::ldap (
+ String $host,
+ String $bind_dn,
+ Variant[String, Sensitive[String]] $bind_pw,
+ String $user_search_base_dn,
+ String $user_search_username = 'uid',
+ Optional[String] $display_name = undef,
+ Optional[String] $user_search_filter = undef,
+ Optioal[String] $user_search_id_attr = undef,
+ Optional[String] $user_search_email_attr = undef,
+ Optional[String] $user_search_name_attr = undef,
+ Optional[Stdlib::Absolutepath] $ca_cert = undef,
+ Boolean $insecure_no_ssl = false,
+ Optional[String] $group_search_base_dn = undef,
+ String $group_search_name_attr = 'ou',
+ String $group_search_user_attr = 'uid',
+ String $group_search_group_attr = 'members',
+ Optional[String] $group_search_filter = undef,
+ Optional[Array[String]] $main_team_user,
+ Optional[Array[String]] $main_team_group,
+
+ Enum['absent', 'present'] $ensure = 'present',
+) {
+ $env_file = "${concourse::web::conf_dir}/auth-ldap"
+
+ $environment = {
+ 'CONCOURSE_LDAP_HOST' => $host,
+ 'CONCOURSE_LDAP_BIND_DN' => $bind_dn,
+ 'CONCOURSE_LDAP_BIND_PW' => $bind_pw,
+ 'CONCOURSE_LDAP_USER_SEARCH_BASE_DN' => $user_search_base_dn,
+ 'CONCOURSE_LDAP_USER_SEARCH_USERNAME' => $user_search_username,
+ 'CONCOURSE_LDAP_DISPLAY_NAME' => $display_name,
+ 'CONCOURSE_LDAP_USER_SEARCH_FILTER' => $user_search_filter,
+ 'CONCOURSE_LDAP_USER_SEARCH_ID_ATTR' => $user_search_id_attr,
+ 'CONCOURSE_LDAP_USER_SEARCH_EMAIL_ATTR' => $user_search_email_attr,
+ 'CONCOURSE_LDAP_USER_SEARCH_NAME_ATTR' => $user_search_name_attr,
+ 'CONCOURSE_LDAP_CA_CERT' => $ca_cert,
+ 'CONCOURSE_LDAP_INSECURE_NO_SSL' => $insecure_no_ssl,
+ 'CONCOURSE_LDAP_GROUP_SEARCH_BASE_DN' => $group_search_base_dn,
+ 'CONCOURSE_LDAP_GROUP_SEARCH_NAME_ATTR' => $group_search_name_attr,
+ 'CONCOURSE_LDAP_GROUP_SEARCH_USER_ATTR' => $group_search_user_attr,
+ 'CONCOURSE_LDAP_GROUP_SEARCH_GROUP_ATTR' => $group_search_group_attr,
+ 'CONCOURSE_LDAP_GROUP_SEARCH_FILTER' => $group_search_filter,
+ 'CONCOURSE_LDAP_MAIN_TEAM_LDAP_USER' => $main_team_user ? {
+ Array => $main_team_user.join(','),
+ default => undef,
+ },
+ 'CONCOURSE_LDAP_MAIN_TEAM_LDAP_GROUP' => $main_team_group ? {
+ Array => $main_team_user.join(','),
+ default => undef,
+ },
+ }
+
+ file { $env_file:
+ ensure => $ensure,
+ content => epp("${module_name}/env.epp", $environment),
+ # To not show new password
+ show_diff => false,
+ mode => '0600',
+ }
+
+ systemd::manage_dropin { 'concourse-ldap-auth':
+ ensure => $ensure,
+ unit => $concourse::web::service,
+ service_entry => {
+ 'EnvironmentFile' => $env_file,
+ },
+ }
+}
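Review bot: The `'CONCOURSE_LDAP_MAIN_TEAM_LDAP_GROUP'` entry joins `$main_team_user` instead of `$main_team_group`, so the main team's group allow-list is filled with user names: the intended groups get no access, and any LDAP group whose name happens to match one of those user names would get it. The selector branch should read `Array => $main_team_group.join(','),`. Separately, `Optioal[String] $user_search_id_attr` is a misspelled type and should be `Optional[String]`, otherwise the class will not compile. The class is declared as `concourse::auth::ldap` while the file is `manifests/auth/local.pp`, so the autoloader will presumably not find it under either name. When `$bind_pw` arrives as `Sensitive[String]`, whether the rendered file holds the real password depends on `env.epp` (not shown) unwrapping it; consider also wrapping the `content` value in `Sensitive(...)` so the secret stays out of catalog logs and reports, which `show_diff => false` alone does not cover.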