Migrate Keycloak from ThinkCCCluster onto Chaosknoten
Co-authored-by: Max <max@mlem.cloud>
This commit is contained in:
parent
099bbe0e66
commit
09e0c710af
|
@ -1,4 +1,4 @@
|
||||||
docker_compose__compose_file_content: "{{ lookup('ansible.builtin.template', 'z9/configs/keycloak/compose.yaml.j2') }}"
|
docker_compose__compose_file_content: "{{ lookup('ansible.builtin.template', 'chaosknoten/configs/keycloak/compose.yaml.j2') }}"
|
||||||
docker_compose__configuration_files: [ ]
|
docker_compose__configuration_files: [ ]
|
||||||
|
|
||||||
certbot__version_spec: ""
|
certbot__version_spec: ""
|
||||||
|
@ -10,6 +10,6 @@ certbot__certificate_domains:
|
||||||
nginx__version_spec: ""
|
nginx__version_spec: ""
|
||||||
nginx__configurations:
|
nginx__configurations:
|
||||||
- name: id.ccchh.net
|
- name: id.ccchh.net
|
||||||
content: "{{ lookup('ansible.builtin.file', 'z9/configs/keycloak/nginx/id.ccchh.net.conf') }}"
|
content: "{{ lookup('ansible.builtin.file', 'chaosknoten/configs/keycloak/nginx/id.ccchh.net.conf') }}"
|
||||||
- name: keycloak-admin.ccchh.net
|
- name: keycloak-admin.ccchh.net
|
||||||
content: "{{ lookup('ansible.builtin.file', 'z9/configs/keycloak/nginx/keycloak-admin.ccchh.net.conf') }}"
|
content: "{{ lookup('ansible.builtin.file', 'chaosknoten/configs/keycloak/nginx/keycloak-admin.ccchh.net.conf') }}"
|
|
@ -4,6 +4,7 @@ all:
|
||||||
hosts:
|
hosts:
|
||||||
cloud:
|
cloud:
|
||||||
pad:
|
pad:
|
||||||
|
keycloak:
|
||||||
debian_12:
|
debian_12:
|
||||||
hosts:
|
hosts:
|
||||||
cloud:
|
cloud:
|
||||||
|
@ -20,10 +21,15 @@ all:
|
||||||
ansible_host: public-reverse-proxy.hamburg.ccc.de
|
ansible_host: public-reverse-proxy.hamburg.ccc.de
|
||||||
ansible_port: 42666
|
ansible_port: 42666
|
||||||
ansible_user: chaos
|
ansible_user: chaos
|
||||||
|
keycloak:
|
||||||
|
ansible_host: keycloak-intern.hamburg.ccc.de
|
||||||
|
ansible_user: chaos
|
||||||
|
ansible_ssh_common_args: -J ssh://public-reverse-proxy.hamburg.ccc.de:42666
|
||||||
docker_compose_hosts:
|
docker_compose_hosts:
|
||||||
hosts:
|
hosts:
|
||||||
cloud:
|
cloud:
|
||||||
pad:
|
pad:
|
||||||
|
keycloak:
|
||||||
nextcloud_hosts:
|
nextcloud_hosts:
|
||||||
hosts:
|
hosts:
|
||||||
cloud:
|
cloud:
|
||||||
|
@ -32,6 +38,10 @@ all:
|
||||||
cloud:
|
cloud:
|
||||||
pad:
|
pad:
|
||||||
public-reverse-proxy:
|
public-reverse-proxy:
|
||||||
|
keycloak:
|
||||||
public_reverse_proxy_hosts:
|
public_reverse_proxy_hosts:
|
||||||
hosts:
|
hosts:
|
||||||
public-reverse-proxy:
|
public-reverse-proxy:
|
||||||
|
ssh_server_config_hosts:
|
||||||
|
hosts:
|
||||||
|
keycloak:
|
||||||
|
|
|
@ -37,16 +37,12 @@ all:
|
||||||
public-reverse-proxy:
|
public-reverse-proxy:
|
||||||
ansible_host: public-reverse-proxy.z9.ccchh.net
|
ansible_host: public-reverse-proxy.z9.ccchh.net
|
||||||
ansible_user: chaos
|
ansible_user: chaos
|
||||||
keycloak:
|
|
||||||
ansible_host: keycloak.z9.ccchh.net
|
|
||||||
ansible_user: chaos
|
|
||||||
nginx_hosts:
|
nginx_hosts:
|
||||||
hosts:
|
hosts:
|
||||||
public-reverse-proxy:
|
public-reverse-proxy:
|
||||||
esphome:
|
esphome:
|
||||||
zigbee2mqtt:
|
zigbee2mqtt:
|
||||||
light:
|
light:
|
||||||
keycloak:
|
|
||||||
wiki:
|
wiki:
|
||||||
engelsystem:
|
engelsystem:
|
||||||
public_reverse_proxy_hosts:
|
public_reverse_proxy_hosts:
|
||||||
|
@ -58,18 +54,15 @@ all:
|
||||||
hosts:
|
hosts:
|
||||||
esphome:
|
esphome:
|
||||||
zigbee2mqtt:
|
zigbee2mqtt:
|
||||||
keycloak:
|
|
||||||
wiki:
|
wiki:
|
||||||
engelsystem:
|
engelsystem:
|
||||||
ssh_server_config_hosts:
|
ssh_server_config_hosts:
|
||||||
hosts:
|
hosts:
|
||||||
keycloak:
|
|
||||||
public-reverse-proxy:
|
public-reverse-proxy:
|
||||||
wiki:
|
wiki:
|
||||||
mailserver-endpoint:
|
mailserver-endpoint:
|
||||||
docker_compose_hosts:
|
docker_compose_hosts:
|
||||||
hosts:
|
hosts:
|
||||||
keycloak:
|
|
||||||
engelsystem:
|
engelsystem:
|
||||||
esphome_hosts:
|
esphome_hosts:
|
||||||
hosts:
|
hosts:
|
||||||
|
|
|
@ -8,7 +8,7 @@ server {
|
||||||
# $remote_port to the client address and client port, when using proxy
|
# $remote_port to the client address and client port, when using proxy
|
||||||
# protocol.
|
# protocol.
|
||||||
# First set our proxy protocol proxy as trusted.
|
# First set our proxy protocol proxy as trusted.
|
||||||
set_real_ip_from 10.31.206.11;
|
set_real_ip_from 172.31.17.140;
|
||||||
# Then tell the realip_module to get the addreses from the proxy protocol
|
# Then tell the realip_module to get the addreses from the proxy protocol
|
||||||
# header.
|
# header.
|
||||||
real_ip_header proxy_protocol;
|
real_ip_header proxy_protocol;
|
|
@ -2,8 +2,20 @@
|
||||||
# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
|
# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
|
||||||
# Also see: https://www.keycloak.org/server/reverseproxy
|
# Also see: https://www.keycloak.org/server/reverseproxy
|
||||||
server {
|
server {
|
||||||
listen 443 ssl http2;
|
# Disable this for now.
|
||||||
#listen [::]:443 ssl http2;
|
#listen 443 ssl http2;
|
||||||
|
##listen [::]:443 ssl http2;
|
||||||
|
|
||||||
|
# Listen on a custom port for the proxy protocol.
|
||||||
|
listen 8444 ssl http2 proxy_protocol;
|
||||||
|
# Make use of the ngx_http_realip_module to set the $remote_addr and
|
||||||
|
# $remote_port to the client address and client port, when using proxy
|
||||||
|
# protocol.
|
||||||
|
# First set our proxy protocol proxy as trusted.
|
||||||
|
set_real_ip_from 172.31.17.140;
|
||||||
|
# Then tell the realip_module to get the addreses from the proxy protocol
|
||||||
|
# header.
|
||||||
|
real_ip_header proxy_protocol;
|
||||||
|
|
||||||
server_name keycloak-admin.ccchh.net;
|
server_name keycloak-admin.ccchh.net;
|
||||||
|
|
||||||
|
@ -29,6 +41,9 @@ server {
|
||||||
# Also provide "_hidden" for by, since it's not relevant.
|
# Also provide "_hidden" for by, since it's not relevant.
|
||||||
proxy_set_header Forwarded "for=$remote_addr;proto=https;host=$host;by=_hidden";
|
proxy_set_header Forwarded "for=$remote_addr;proto=https;host=$host;by=_hidden";
|
||||||
|
|
||||||
|
allow 185.161.129.132/32;
|
||||||
|
deny all;
|
||||||
|
|
||||||
location /js/ {
|
location /js/ {
|
||||||
proxy_pass http://127.0.0.1:8080/js/;
|
proxy_pass http://127.0.0.1:8080/js/;
|
||||||
}
|
}
|
|
@ -1,6 +1,8 @@
|
||||||
map $host $upstream_acme_challenge_host {
|
map $host $upstream_acme_challenge_host {
|
||||||
cloud.hamburg.ccc.de cloud-intern.hamburg.ccc.de:31820;
|
cloud.hamburg.ccc.de cloud-intern.hamburg.ccc.de:31820;
|
||||||
pad.hamburg.ccc.de pad-intern.hamburg.ccc.de:31820;
|
pad.hamburg.ccc.de pad-intern.hamburg.ccc.de:31820;
|
||||||
|
id.ccchh.net 172.31.17.144:31820;
|
||||||
|
keycloak-admin.ccchh.net 172.31.17.144:31820;
|
||||||
default "";
|
default "";
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -20,6 +20,8 @@ stream {
|
||||||
map $ssl_preread_server_name $address {
|
map $ssl_preread_server_name $address {
|
||||||
cloud.hamburg.ccc.de cloud-intern.hamburg.ccc.de:8443;
|
cloud.hamburg.ccc.de cloud-intern.hamburg.ccc.de:8443;
|
||||||
pad.hamburg.ccc.de pad-intern.hamburg.ccc.de:8443;
|
pad.hamburg.ccc.de pad-intern.hamburg.ccc.de:8443;
|
||||||
|
id.ccchh.net 172.31.17.144:8443;
|
||||||
|
keycloak-admin.ccchh.net 172.31.17.144:8444;
|
||||||
}
|
}
|
||||||
|
|
||||||
server {
|
server {
|
||||||
|
|
|
@ -8,8 +8,6 @@ map $host $upstream_acme_challenge_host {
|
||||||
thinkcccore3.ccchh.net 10.31.242.6;
|
thinkcccore3.ccchh.net 10.31.242.6;
|
||||||
wiki.ccchh.net 10.31.206.13:31820;
|
wiki.ccchh.net 10.31.206.13:31820;
|
||||||
zigbee2mqtt.ccchh.net 10.31.208.25:31820;
|
zigbee2mqtt.ccchh.net 10.31.208.25:31820;
|
||||||
id.ccchh.net 10.31.206.12:31820;
|
|
||||||
keycloak-admin.ccchh.net 10.31.206.12:31820;
|
|
||||||
esphome.ccchh.net 10.31.208.24:31820;
|
esphome.ccchh.net 10.31.208.24:31820;
|
||||||
aes.ccchh.net 10.31.206.14:31820;
|
aes.ccchh.net 10.31.206.14:31820;
|
||||||
proxmox-backup-server.ccchh.net 10.31.208.28;
|
proxmox-backup-server.ccchh.net 10.31.208.28;
|
||||||
|
|
|
@ -17,7 +17,6 @@ events {
|
||||||
stream {
|
stream {
|
||||||
map $ssl_preread_server_name $address {
|
map $ssl_preread_server_name $address {
|
||||||
wiki.ccchh.net 10.31.206.13:8443;
|
wiki.ccchh.net 10.31.206.13:8443;
|
||||||
id.ccchh.net 10.31.206.12:8443;
|
|
||||||
aes.ccchh.net 10.31.206.14:8443;
|
aes.ccchh.net 10.31.206.14:8443;
|
||||||
default 127.0.0.1:8443;
|
default 127.0.0.1:8443;
|
||||||
}
|
}
|
||||||
|
|
|
@ -46,11 +46,11 @@ services:
|
||||||
- keycloak
|
- keycloak
|
||||||
environment:
|
environment:
|
||||||
KEYCLOAK_ADMIN: admin
|
KEYCLOAK_ADMIN: admin
|
||||||
KEYCLOAK_ADMIN_PASSWORD: {{ lookup("community.general.passwordstore", "noc/vm-secrets/z9/keycloak/KEYCLOAK_ADMIN_PASSWORD", create=false, missing="error") }}
|
KEYCLOAK_ADMIN_PASSWORD: {{ lookup("community.general.passwordstore", "noc/vm-secrets/chaosknoten/keycloak/KEYCLOAK_ADMIN_PASSWORD", create=false, missing="error") }}
|
||||||
KC_DB: postgres
|
KC_DB: postgres
|
||||||
KC_DB_URL_HOST: db
|
KC_DB_URL_HOST: db
|
||||||
KC_DB_USERNAME: keycloak
|
KC_DB_USERNAME: keycloak
|
||||||
KC_DB_PASSWORD: {{ lookup("community.general.passwordstore", "noc/vm-secrets/z9/keycloak/KC_DB_PASSWORD", create=false, missing="error") }}
|
KC_DB_PASSWORD: {{ lookup("community.general.passwordstore", "noc/vm-secrets/chaosknoten/keycloak/KC_DB_PASSWORD", create=false, missing="error") }}
|
||||||
KC_HOSTNAME: id.ccchh.net
|
KC_HOSTNAME: id.ccchh.net
|
||||||
KC_HOSTNAME_STRICT_BACKCHANNEL: true
|
KC_HOSTNAME_STRICT_BACKCHANNEL: true
|
||||||
KC_HOSTNAME_ADMIN: keycloak-admin.ccchh.net
|
KC_HOSTNAME_ADMIN: keycloak-admin.ccchh.net
|
||||||
|
@ -67,7 +67,7 @@ services:
|
||||||
- "./database:/var/lib/postgresql/data"
|
- "./database:/var/lib/postgresql/data"
|
||||||
environment:
|
environment:
|
||||||
POSTGRES_USER: keycloak
|
POSTGRES_USER: keycloak
|
||||||
POSTGRES_PASSWORD: {{ lookup("community.general.passwordstore", "noc/vm-secrets/z9/keycloak/POSTGRES_PASSWORD", create=false, missing="error") }}
|
POSTGRES_PASSWORD: {{ lookup("community.general.passwordstore", "noc/vm-secrets/chaosknoten/keycloak/POSTGRES_PASSWORD", create=false, missing="error") }}
|
||||||
POSTGRES_DB: keycloak
|
POSTGRES_DB: keycloak
|
||||||
|
|
||||||
networks:
|
networks:
|
Loading…
Reference in a new issue