example-web-sops.yaml

sparky-web-secret-key: some long random string
sparky-web-headscale-api-key: a headscale API key
sparky-web-probe-repo-privkey: |
    -----BEGIN OPENSSH PRIVATE KEY-----
    some ssh private key
    -----END OPENSSH PRIVATE KEY-----
sparky-web-probe-repo-pubkey: ssh-ed25519 some-ssh-pubkey sparky-web@sparky-web-host
sparky-web-probe-repo-access-token: a gitlab access token
sparky-web-metrics-api-key: some-long-random-string
sparky-web-ldap-config: |
    import ldap
    from django_auth_ldap.config import LDAPSearch, GroupOfNamesType

    # Baseline configuration.
    AUTH_LDAP_SERVER_URI = "ldaps://ldap1.example.com ldaps://ldap2.example.com ldaps://ldap3.example.com"

    AUTH_LDAP_BIND_DN = "uid=sparky-web,ou=service-users,dc=example,dc=com"
    AUTH_LDAP_BIND_PASSWORD = "topsecretpassword"
    AUTH_LDAP_USER_DN_TEMPLATE = 'uid=%(user)s,ou=accounts,dc=example,dc=com'

    # Set up the basic group parameters.
    AUTH_LDAP_GROUP_SEARCH = LDAPSearch(
        "ou=groups,dc=example,dc=com",
        ldap.SCOPE_SUBTREE,
        "(objectClass=groupOfNames)",
    )
    AUTH_LDAP_GROUP_TYPE = GroupOfNamesType(name_attr="member")

    # Simple group restrictions
    AUTH_LDAP_REQUIRE_GROUP = "cn=sparky-users,ou=groups,dc=example,dc=com"

    # Populate the Django user from the LDAP directory.
    AUTH_LDAP_USER_ATTR_MAP = {
        "first_name": "givenName",
        "last_name": "sn",
        "email": "mail",
    }
    
    AUTH_LDAP_USER_FLAGS_BY_GROUP = {
        "is_active": "cn=sparky-users,ou=groups,dc=example,dc=com",
        "is_staff": "cn=sparky-admins,ou=groups,dc=example,dc=com",
        "is_superuser": "cn=sparky-admins,ou=groups,dc=example,dc=com",
    }

    # This is the default, but I like to be explicit.
    AUTH_LDAP_ALWAYS_UPDATE_USER = True

    # Use LDAP group membership to calculate group permissions.
    AUTH_LDAP_FIND_GROUP_PERMS = False

    # Cache distinguished names and group memberships for an hour to minimize
    # LDAP traffic.
    AUTH_LDAP_CACHE_TIMEOUT = 3600