From 09e0c710afcf0587048fc1af8e04580382a4d354 Mon Sep 17 00:00:00 2001 From: julian Date: Mon, 7 Aug 2023 23:33:15 +0200 Subject: [PATCH] Migrate Keycloak from ThinkCCCluster onto Chaosknoten Co-authored-by: Max --- .../host_vars/keycloak.yaml | 6 +++--- inventories/chaosknoten/hosts.yaml | 10 ++++++++++ inventories/z9/hosts.yaml | 7 ------- .../configs/keycloak/nginx/id.ccchh.net.conf | 2 +- .../nginx/keycloak-admin.ccchh.net.conf | 19 +++++++++++++++++-- .../nginx/acme_challenge.conf | 2 ++ .../public-reverse-proxy/nginx/nginx.conf | 2 ++ .../nginx/acme_challenge.conf | 2 -- .../public-reverse-proxy/nginx/nginx.conf | 1 - .../configs/keycloak/compose.yaml.j2 | 6 +++--- 10 files changed, 38 insertions(+), 19 deletions(-) rename inventories/{z9 => chaosknoten}/host_vars/keycloak.yaml (56%) rename playbooks/files/{z9 => chaosknoten}/configs/keycloak/nginx/id.ccchh.net.conf (98%) rename playbooks/files/{z9 => chaosknoten}/configs/keycloak/nginx/keycloak-admin.ccchh.net.conf (75%) rename playbooks/templates/{z9 => chaosknoten}/configs/keycloak/compose.yaml.j2 (87%) diff --git a/inventories/z9/host_vars/keycloak.yaml b/inventories/chaosknoten/host_vars/keycloak.yaml similarity index 56% rename from inventories/z9/host_vars/keycloak.yaml rename to inventories/chaosknoten/host_vars/keycloak.yaml index 9e65adc..b9d22ff 100644 --- a/inventories/z9/host_vars/keycloak.yaml +++ b/inventories/chaosknoten/host_vars/keycloak.yaml @@ -1,4 +1,4 @@ -docker_compose__compose_file_content: "{{ lookup('ansible.builtin.template', 'z9/configs/keycloak/compose.yaml.j2') }}" +docker_compose__compose_file_content: "{{ lookup('ansible.builtin.template', 'chaosknoten/configs/keycloak/compose.yaml.j2') }}" docker_compose__configuration_files: [ ] certbot__version_spec: "" 
@@ -10,6 +10,6 @@ certbot__certificate_domains: nginx__version_spec: "" nginx__configurations: - name: id.ccchh.net - content: "{{ lookup('ansible.builtin.file', 'z9/configs/keycloak/nginx/id.ccchh.net.conf') }}" + content: "{{ lookup('ansible.builtin.file', 'chaosknoten/configs/keycloak/nginx/id.ccchh.net.conf') }}" - name: keycloak-admin.ccchh.net - content: "{{ lookup('ansible.builtin.file', 'z9/configs/keycloak/nginx/keycloak-admin.ccchh.net.conf') }}" + content: "{{ lookup('ansible.builtin.file', 'chaosknoten/configs/keycloak/nginx/keycloak-admin.ccchh.net.conf') }}" diff --git a/inventories/chaosknoten/hosts.yaml b/inventories/chaosknoten/hosts.yaml index 7956eae..59b1fad 100644 --- a/inventories/chaosknoten/hosts.yaml +++ b/inventories/chaosknoten/hosts.yaml @@ -4,6 +4,7 @@ all: hosts: cloud: pad: + keycloak: debian_12: hosts: cloud: @@ -20,10 +21,15 @@ all: ansible_host: public-reverse-proxy.hamburg.ccc.de ansible_port: 42666 ansible_user: chaos + keycloak: + ansible_host: keycloak-intern.hamburg.ccc.de + ansible_user: chaos + ansible_ssh_common_args: -J ssh://public-reverse-proxy.hamburg.ccc.de:42666 docker_compose_hosts: hosts: cloud: pad: + keycloak: nextcloud_hosts: hosts: cloud: @@ -32,6 +38,10 @@ all: cloud: pad: public-reverse-proxy: + keycloak: public_reverse_proxy_hosts: hosts: public-reverse-proxy: + ssh_server_config_hosts: + hosts: + keycloak: diff --git a/inventories/z9/hosts.yaml b/inventories/z9/hosts.yaml index 51fc978..2467b47 100644 --- a/inventories/z9/hosts.yaml +++ b/inventories/z9/hosts.yaml @@ -37,16 +37,12 @@ all: public-reverse-proxy: ansible_host: public-reverse-proxy.z9.ccchh.net ansible_user: chaos - keycloak: - ansible_host: keycloak.z9.ccchh.net - ansible_user: chaos nginx_hosts: hosts: public-reverse-proxy: esphome: zigbee2mqtt: light: - keycloak: wiki: engelsystem: public_reverse_proxy_hosts: 
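Review bot: The new `ansible_ssh_common_args: -J ssh://public-reverse-proxy.hamburg.ccc.de:42666` in the `@@ -20,10 +21,15 @@` hunk is a plain scalar that starts with `-`; it parses as a string here, but `ansible_ssh_common_args: "-J ssh://public-reverse-proxy.hamburg.ccc.de:42666"` removes the ambiguity and matches the quoting used for the other values in this commit. Because every connection to keycloak now passes through the proxy as a jump host, the controller still verifies keycloak's own host key on the inner hop, so the known_hosts entry for `keycloak-intern.hamburg.ccc.de` should be provisioned on the controller rather than accepted on first use. No `ansible_port` is set for keycloak while public-reverse-proxy uses 42666 and keycloak also joins `ssh_server_config_hosts`; worth confirming that role leaves the port at 22 or that the inventory is updated with it.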
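Review bot: In the `@@ -32,6 +38,10 @@` hunk keycloak joins the group shared with cloud, pad and public-reverse-proxy, plus `docker_compose_hosts` and a new `ssh_server_config_hosts`, but nothing visible replaces the group it leaves in inventories/z9/hosts.yaml at `@@ -58,18 +54,15 @@` (the one listing esphome, zigbee2mqtt, wiki and engelsystem). The host_vars still carry `certbot__version_spec` and `certbot__certificate_domains`, and acme_challenge.conf forwards challenges for both names to 172.31.17.144:31820, so if that z9 group was the certbot group and none of the group names here (they sit outside the hunk) is its counterpart, certificate issuance on the new host would never be configured; please confirm the group names.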
@@ -58,18 +54,15 @@ all: hosts: esphome: zigbee2mqtt: - keycloak: wiki: engelsystem: ssh_server_config_hosts: hosts: - keycloak: public-reverse-proxy: wiki: mailserver-endpoint: docker_compose_hosts: hosts: - keycloak: engelsystem: esphome_hosts: hosts: diff --git a/playbooks/files/z9/configs/keycloak/nginx/id.ccchh.net.conf b/playbooks/files/chaosknoten/configs/keycloak/nginx/id.ccchh.net.conf similarity index 98% rename from playbooks/files/z9/configs/keycloak/nginx/id.ccchh.net.conf rename to playbooks/files/chaosknoten/configs/keycloak/nginx/id.ccchh.net.conf index 309c552..3a5d4ca 100644 --- a/playbooks/files/z9/configs/keycloak/nginx/id.ccchh.net.conf +++ b/playbooks/files/chaosknoten/configs/keycloak/nginx/id.ccchh.net.conf @@ -8,7 +8,7 @@ server { # $remote_port to the client address and client port, when using proxy # protocol. # First set our proxy protocol proxy as trusted. - set_real_ip_from 10.31.206.11; + set_real_ip_from 172.31.17.140; # Then tell the realip_module to get the addreses from the proxy protocol # header. real_ip_header proxy_protocol; diff --git a/playbooks/files/z9/configs/keycloak/nginx/keycloak-admin.ccchh.net.conf b/playbooks/files/chaosknoten/configs/keycloak/nginx/keycloak-admin.ccchh.net.conf similarity index 75% rename from playbooks/files/z9/configs/keycloak/nginx/keycloak-admin.ccchh.net.conf rename to playbooks/files/chaosknoten/configs/keycloak/nginx/keycloak-admin.ccchh.net.conf index 657188f..8ceebfa 100644 --- a/playbooks/files/z9/configs/keycloak/nginx/keycloak-admin.ccchh.net.conf +++ b/playbooks/files/chaosknoten/configs/keycloak/nginx/keycloak-admin.ccchh.net.conf 
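Review bot: `set_real_ip_from 172.31.17.140;` is the single trust anchor for the proxy-protocol source, and the same literal is repeated in keycloak-admin.ccchh.net.conf in this commit; a comment naming the host it belongs to would help whoever has to change it next, e.g. `# Proxy-protocol source we trust (internal address of the reverse proxy — confirm); keep in sync with keycloak-admin.ccchh.net.conf`. Whether 172.31.17.140 is the public reverse proxy's internal interface cannot be told from this diff (the proxy's own upstream entries point at 172.31.17.144), and a wrong value means the realip module leaves `$remote_addr` at the proxy's address. The enclosing `server {` block starts and ends outside the hunk.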
@@ -2,8 +2,20 @@ # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6 # Also see: https://www.keycloak.org/server/reverseproxy server { - listen 443 ssl http2; - #listen [::]:443 ssl http2; + # Disable this for now. + #listen 443 ssl http2; + ##listen [::]:443 ssl http2; + + # Listen on a custom port for the proxy protocol. + listen 8444 ssl http2 proxy_protocol; + # Make use of the ngx_http_realip_module to set the $remote_addr and + # $remote_port to the client address and client port, when using proxy + # protocol. + # First set our proxy protocol proxy as trusted. + set_real_ip_from 172.31.17.140; + # Then tell the realip_module to get the addreses from the proxy protocol + # header. + real_ip_header proxy_protocol; server_name keycloak-admin.ccchh.net; @@ -29,6 +41,9 @@ server { # Also provide "_hidden" for by, since it's not relevant. proxy_set_header Forwarded "for=$remote_addr;proto=https;host=$host;by=_hidden"; + allow 185.161.129.132/32; + deny all; + location /js/ { proxy_pass http://127.0.0.1:8080/js/; } diff --git a/playbooks/files/chaosknoten/configs/public-reverse-proxy/nginx/acme_challenge.conf b/playbooks/files/chaosknoten/configs/public-reverse-proxy/nginx/acme_challenge.conf index 7359613..4226e8e 100644 --- a/playbooks/files/chaosknoten/configs/public-reverse-proxy/nginx/acme_challenge.conf +++ b/playbooks/files/chaosknoten/configs/public-reverse-proxy/nginx/acme_challenge.conf @@ -1,6 +1,8 @@ map $host $upstream_acme_challenge_host { cloud.hamburg.ccc.de cloud-intern.hamburg.ccc.de:31820; pad.hamburg.ccc.de pad-intern.hamburg.ccc.de:31820; + id.ccchh.net 172.31.17.144:31820; + keycloak-admin.ccchh.net 172.31.17.144:31820; default ""; } diff --git a/playbooks/files/chaosknoten/configs/public-reverse-proxy/nginx/nginx.conf b/playbooks/files/chaosknoten/configs/public-reverse-proxy/nginx/nginx.conf index 16ad9a9..ec9a652 100644 
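Review bot: The added `# Disable this for now.` above the commented-out 443 listeners records no reason; something like `# 443 is deliberately not bound: traffic for this name arrives only via the proxy-protocol listener on 8444 from the reverse proxy.` would keep the intent from being lost. The realip comment block copied from id.ccchh.net.conf brings its `addreses` typo into new lines; `addresses`. The `server {` block continues past the hunk.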
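Review bot: In the `@@ -29,6 +41,9 @@` hunk `allow 185.161.129.132/32;` / `deny all;` has no comment saying what that address is, and the decision is made on `$remote_addr` as rewritten by the realip module from the proxy-protocol header, so it is only as trustworthy as `set_real_ip_from 172.31.17.140;` in the previous hunk: whatever reaches port 8444 from that address and speaks proxy protocol determines its own `$remote_addr`. Port 8444 should therefore stay reachable only from the proxy (host firewall), and the entry deserves a comment such as `# Admin console is restricted to <ALLOWED_NETWORK_NAME — fill in>; matched on the realip-derived client address, not the proxy's.` Placing the rules at server level is fine since the visible `location /js/` block defines no access rules of its own and inherits them. The `server {` block continues outside the hunk.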
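Review bot: The two new entries in `map $host $upstream_acme_challenge_host` point at the bare address `172.31.17.144:31820` while the existing cloud and pad entries use `*-intern.hamburg.ccc.de` names and the inventory in this commit reaches the host as `keycloak-intern.hamburg.ccc.de`; the stream map in public-reverse-proxy/nginx/nginx.conf has the same mix. If that name resolves on the proxy, `id.ccchh.net keycloak-intern.hamburg.ccc.de:31820;` (and likewise for `keycloak-admin.ccchh.net` and the two nginx.conf entries) keeps one source of truth for the host address instead of a literal that must be kept in sync in four places.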
--- a/playbooks/files/chaosknoten/configs/public-reverse-proxy/nginx/nginx.conf +++ b/playbooks/files/chaosknoten/configs/public-reverse-proxy/nginx/nginx.conf @@ -20,6 +20,8 @@ stream { map $ssl_preread_server_name $address { cloud.hamburg.ccc.de cloud-intern.hamburg.ccc.de:8443; pad.hamburg.ccc.de pad-intern.hamburg.ccc.de:8443; + id.ccchh.net 172.31.17.144:8443; + keycloak-admin.ccchh.net 172.31.17.144:8444; } server { diff --git a/playbooks/files/z9/configs/public-reverse-proxy/nginx/acme_challenge.conf b/playbooks/files/z9/configs/public-reverse-proxy/nginx/acme_challenge.conf index f5c9a8e..80d4e62 100644 --- a/playbooks/files/z9/configs/public-reverse-proxy/nginx/acme_challenge.conf +++ b/playbooks/files/z9/configs/public-reverse-proxy/nginx/acme_challenge.conf @@ -8,8 +8,6 @@ map $host $upstream_acme_challenge_host { thinkcccore3.ccchh.net 10.31.242.6; wiki.ccchh.net 10.31.206.13:31820; zigbee2mqtt.ccchh.net 10.31.208.25:31820; - id.ccchh.net 10.31.206.12:31820; - keycloak-admin.ccchh.net 10.31.206.12:31820; esphome.ccchh.net 10.31.208.24:31820; aes.ccchh.net 10.31.206.14:31820; proxmox-backup-server.ccchh.net 10.31.208.28; diff --git a/playbooks/files/z9/configs/public-reverse-proxy/nginx/nginx.conf b/playbooks/files/z9/configs/public-reverse-proxy/nginx/nginx.conf index 64c4e38..bf0abe2 100644 --- a/playbooks/files/z9/configs/public-reverse-proxy/nginx/nginx.conf +++ b/playbooks/files/z9/configs/public-reverse-proxy/nginx/nginx.conf @@ -17,7 +17,6 @@ events { stream { map $ssl_preread_server_name $address { wiki.ccchh.net 10.31.206.13:8443; - id.ccchh.net 10.31.206.12:8443; aes.ccchh.net 10.31.206.14:8443; default 127.0.0.1:8443; } diff --git a/playbooks/templates/z9/configs/keycloak/compose.yaml.j2 b/playbooks/templates/chaosknoten/configs/keycloak/compose.yaml.j2 similarity index 87% rename from playbooks/templates/z9/configs/keycloak/compose.yaml.j2 rename to playbooks/templates/chaosknoten/configs/keycloak/compose.yaml.j2 index 4ae51bd..c7a97d5 100644 
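Review bot: The `map $ssl_preread_server_name $address` block gains two entries but, unlike the z9 counterpart deleted further down this same line (`default 127.0.0.1:8443;`), has no `default`, so a connection whose SNI matches none of the four names, or that carries no SNI, leaves `$address` empty. What happens then depends on the `proxy_pass` in the `server {` block that begins at the end of the hunk and continues outside it; nginx should refuse to proxy to an empty upstream, but an explicit `default` (a loopback port, as in the z9 file) makes the fail-closed behaviour deliberate rather than incidental.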
--- a/playbooks/templates/z9/configs/keycloak/compose.yaml.j2 +++ b/playbooks/templates/chaosknoten/configs/keycloak/compose.yaml.j2 @@ -46,11 +46,11 @@ services: - keycloak environment: KEYCLOAK_ADMIN: admin - KEYCLOAK_ADMIN_PASSWORD: {{ lookup("community.general.passwordstore", "noc/vm-secrets/z9/keycloak/KEYCLOAK_ADMIN_PASSWORD", create=false, missing="error") }} + KEYCLOAK_ADMIN_PASSWORD: {{ lookup("community.general.passwordstore", "noc/vm-secrets/chaosknoten/keycloak/KEYCLOAK_ADMIN_PASSWORD", create=false, missing="error") }} KC_DB: postgres KC_DB_URL_HOST: db KC_DB_USERNAME: keycloak - KC_DB_PASSWORD: {{ lookup("community.general.passwordstore", "noc/vm-secrets/z9/keycloak/KC_DB_PASSWORD", create=false, missing="error") }} + KC_DB_PASSWORD: {{ lookup("community.general.passwordstore", "noc/vm-secrets/chaosknoten/keycloak/KC_DB_PASSWORD", create=false, missing="error") }} KC_HOSTNAME: id.ccchh.net KC_HOSTNAME_STRICT_BACKCHANNEL: true KC_HOSTNAME_ADMIN: keycloak-admin.ccchh.net @@ -67,7 +67,7 @@ services: - "./database:/var/lib/postgresql/data" environment: POSTGRES_USER: keycloak - POSTGRES_PASSWORD: {{ lookup("community.general.passwordstore", "noc/vm-secrets/z9/keycloak/POSTGRES_PASSWORD", create=false, missing="error") }} + POSTGRES_PASSWORD: {{ lookup("community.general.passwordstore", "noc/vm-secrets/chaosknoten/keycloak/POSTGRES_PASSWORD", create=false, missing="error") }} POSTGRES_DB: keycloak networks:
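Review bot: The three passwordstore lookups (`KEYCLOAK_ADMIN_PASSWORD` and `KC_DB_PASSWORD` here, `POSTGRES_PASSWORD` in the `@@ -67,7 +67,7 @@` hunk) are still rendered as bare plain scalars, so a secret that starts with `*`, `&`, `[`, `{`, `#`, `!`, `%` or `@`, contains `: ` or ` #`, or merely looks like a number or boolean yields a compose file that fails to parse or carries a retyped value. Passing the lookup through a JSON-quoting filter gives a valid YAML double-quoted scalar for any content, e.g. `KEYCLOAK_ADMIN_PASSWORD: {{ lookup("community.general.passwordstore", "noc/vm-secrets/chaosknoten/keycloak/KEYCLOAK_ADMIN_PASSWORD", create=false, missing="error") | to_json }}`, and the same for the other two. The move to the noc/vm-secrets/chaosknoten/... paths presumably needs those three entries to exist in the store before the play runs, since `missing="error"` otherwise aborts — which is the right failure mode.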