freeipa docker compose部署
docker compose文件
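---
# Docker Compose deployment of a single FreeIPA server (web UI, DNS, LDAP,
# Kerberos, NTP) attached to a macvlan network with a fixed address.
version: "3.3"

services:
  freeipa:
    image: freeipa/freeipa-server:centos-7
    # The original declared container_name twice ("freeipa", then
    # "freeipa_idc"). Duplicate keys are invalid YAML and most parsers keep
    # only the last one, so that value is the one retained here.
    container_name: freeipa_idc
    domainname: freeipa.default.cn
    networks:
      my_macvlan_net:
        ipv4_address: 10.0.0.10
    # NOTE(review): on a macvlan network the container is reachable directly
    # at its own address, so these published ports likely have no effect.
    # Confirm, and restrict access to these services with network controls.
    ports:
      - "80:80/tcp"
      - "443:443/tcp"
      # DNS
      - "53:53/tcp"
      - "53:53/udp"
      # LDAP(S)
      - "389:389/tcp"
      - "636:636/tcp"
      # Kerberos
      - "88:88/tcp"
      - "88:88/udp"
      - "464:464/tcp"
      - "464:464/udp"
      # NTP
      - "123:123/udp"
    dns:
      - "114.114.114.114"
    tty: true
    stdin_open: true
    environment:
      # Was "freeipa.deafult.cn" (typo); it must match --domain/--realm below
      # and the DNS name that clients use.
      IPA_SERVER_HOSTNAME: freeipa.default.cn
      # IPA_SERVER_IP: 10.0.4.52
      TZ: "Asia/Shanghai"
    command:
      - --domain=freeipa.default.cn
      # NOTE(review): Kerberos realm names are conventionally upper-case;
      # confirm the installer accepts this value as written.
      - --realm=freeipa.default.cn
      # Secrets are no longer hard-coded. The variable names below are chosen
      # for this file; supply them from the shell or an .env file that is
      # kept out of version control. Compose aborts if one is unset or empty.
      # They are still passed as command-line arguments, so they remain
      # visible in `docker inspect`: use strong, unique values and rotate
      # them after installation.
      # Password of the FreeIPA "admin" account.
      - "--admin-password=${IPA_ADMIN_PASSWORD:?set IPA_ADMIN_PASSWORD}"
      - "--http-pin=${IPA_HTTP_PIN:?set IPA_HTTP_PIN}"
      - "--dirsrv-pin=${IPA_DIRSRV_PIN:?set IPA_DIRSRV_PIN}"
      - "--ds-password=${IPA_DS_PASSWORD:?set IPA_DS_PASSWORD}"
      # Turns off DNSSEC validation in the integrated DNS server, so answers
      # from forwarders are accepted unauthenticated. Drop this flag if the
      # upstream resolvers support DNSSEC.
      - --no-dnssec-validation
      - --no-host-dns
      - --setup-dns
      - --auto-forwarders
      - --allow-zone-overlap
      # Unattended installation: no interactive prompts.
      - --unattended
    # Extra capabilities widen what a compromised container can do on the
    # host network and clock; keep only the ones the deployment needs.
    cap_add:
      - SYS_TIME
      - NET_ADMIN
    restart: unless-stopped
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /sys/fs/cgroup:/sys/fs/cgroup:ro
      # /data holds the directory, KDC and CA state (key material included);
      # restrict host permissions on this path and back it up securely.
      - /root/freeipa/data/free-ipa/data:/data
      # NOTE(review): "/var/logs" looks like it was meant to be "/var/log";
      # left as written, confirm against the image.
      - /root/freeipa/data/free-ipa/logs:/var/logs
    sysctls:
      - net.ipv6.conf.all.disable_ipv6=0
      - net.ipv6.conf.lo.disable_ipv6=0
    # Disables Docker's default seccomp syscall filter for this container,
    # which removes a layer of host protection. Prefer the default profile
    # (delete this entry) if the image starts without it.
    security_opt:
      - "seccomp:unconfined"
    labels:
      - idc-freeipa
    # extra_hosts:
    #   - "xxxx.xxxx.com:10.0.4.52 "

networks:
  my_macvlan_net:
    driver: macvlan
    driver_opts:
      parent: ens192
    ipam:
      driver: default
      config:
        - subnet: "10.0.0.0/24"
          gateway: "10.0.0.254"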
注意事項:
freeipa需要使用域名訪問不能使用IP,需要將域名freeipa.default.cn指向對應的IP
443端口不能修改:freeipa默認使用443端口,若映射其它端口,會自動跳轉回443端口,目前暫無修改選項。
若重新部署,需刪除掛載目錄data下的文件
