Migrate Keycloak from ThinkCCCluster onto Chaosknoten

Co-authored-by: Max <max@mlem.cloud>
June 2023-08-07 23:33:15 +02:00 committed by julian
parent 099bbe0e66
commit 09e0c710af
10 changed files with 38 additions and 19 deletions


@ -1,4 +1,4 @@
docker_compose__compose_file_content: "{{ lookup('ansible.builtin.template', 'z9/configs/keycloak/compose.yaml.j2') }}" docker_compose__compose_file_content: "{{ lookup('ansible.builtin.template', 'chaosknoten/configs/keycloak/compose.yaml.j2') }}"
docker_compose__configuration_files: [ ] docker_compose__configuration_files: [ ]
certbot__version_spec: "" certbot__version_spec: ""
@ -10,6 +10,6 @@ certbot__certificate_domains:
nginx__version_spec: "" nginx__version_spec: ""
nginx__configurations: nginx__configurations:
- name: id.ccchh.net - name: id.ccchh.net
content: "{{ lookup('ansible.builtin.file', 'z9/configs/keycloak/nginx/id.ccchh.net.conf') }}" content: "{{ lookup('ansible.builtin.file', 'chaosknoten/configs/keycloak/nginx/id.ccchh.net.conf') }}"
- name: keycloak-admin.ccchh.net - name: keycloak-admin.ccchh.net
content: "{{ lookup('ansible.builtin.file', 'z9/configs/keycloak/nginx/keycloak-admin.ccchh.net.conf') }}" content: "{{ lookup('ansible.builtin.file', 'chaosknoten/configs/keycloak/nginx/keycloak-admin.ccchh.net.conf') }}"


@ -4,6 +4,7 @@ all:
hosts: hosts:
cloud: cloud:
pad: pad:
keycloak:
debian_12: debian_12:
hosts: hosts:
cloud: cloud:
@ -20,10 +21,15 @@ all:
ansible_host: public-reverse-proxy.hamburg.ccc.de ansible_host: public-reverse-proxy.hamburg.ccc.de
ansible_port: 42666 ansible_port: 42666
ansible_user: chaos ansible_user: chaos
keycloak:
ansible_host: keycloak-intern.hamburg.ccc.de
ansible_user: chaos
ansible_ssh_common_args: -J ssh://public-reverse-proxy.hamburg.ccc.de:42666
docker_compose_hosts: docker_compose_hosts:
hosts: hosts:
cloud: cloud:
pad: pad:
keycloak:
nextcloud_hosts: nextcloud_hosts:
hosts: hosts:
cloud: cloud:
@ -32,6 +38,10 @@ all:
cloud: cloud:
pad: pad:
public-reverse-proxy: public-reverse-proxy:
keycloak:
public_reverse_proxy_hosts: public_reverse_proxy_hosts:
hosts: hosts:
public-reverse-proxy: public-reverse-proxy:
ssh_server_config_hosts:
hosts:
keycloak:
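Review bot: The jump-host address and port in `ansible_ssh_common_args: -J ssh://public-reverse-proxy.hamburg.ccc.de:42666` (third line of the new keycloak host entry) repeat the `ansible_host`/`ansible_port` literals of the public-reverse-proxy host a few lines above, so a later change to that host's port would silently strand the keycloak host. Deriving the value from the inventory, e.g. `ansible_ssh_common_args: "-J ssh://{{ hostvars['public-reverse-proxy'].ansible_host }}:{{ hostvars['public-reverse-proxy'].ansible_port }}"`, keeps the two in sync; a plain scalar starting with `-J` parses fine today, but the value should be quoted once a Jinja expression is introduced. The group that gains `keycloak` at the top of the third hunk has its name outside the hunk, so I cannot confirm it is the nginx_hosts membership the z9 inventory had.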


@ -37,16 +37,12 @@ all:
public-reverse-proxy: public-reverse-proxy:
ansible_host: public-reverse-proxy.z9.ccchh.net ansible_host: public-reverse-proxy.z9.ccchh.net
ansible_user: chaos ansible_user: chaos
keycloak:
ansible_host: keycloak.z9.ccchh.net
ansible_user: chaos
nginx_hosts: nginx_hosts:
hosts: hosts:
public-reverse-proxy: public-reverse-proxy:
esphome: esphome:
zigbee2mqtt: zigbee2mqtt:
light: light:
keycloak:
wiki: wiki:
engelsystem: engelsystem:
public_reverse_proxy_hosts: public_reverse_proxy_hosts:
@ -58,18 +54,15 @@ all:
hosts: hosts:
esphome: esphome:
zigbee2mqtt: zigbee2mqtt:
keycloak:
wiki: wiki:
engelsystem: engelsystem:
ssh_server_config_hosts: ssh_server_config_hosts:
hosts: hosts:
keycloak:
public-reverse-proxy: public-reverse-proxy:
wiki: wiki:
mailserver-endpoint: mailserver-endpoint:
docker_compose_hosts: docker_compose_hosts:
hosts: hosts:
keycloak:
engelsystem: engelsystem:
esphome_hosts: esphome_hosts:
hosts: hosts:


@ -8,7 +8,7 @@ server {
# $remote_port to the client address and client port, when using proxy # $remote_port to the client address and client port, when using proxy
# protocol. # protocol.
# First set our proxy protocol proxy as trusted. # First set our proxy protocol proxy as trusted.
set_real_ip_from 10.31.206.11; set_real_ip_from 172.31.17.140;
# Then tell the realip_module to get the addreses from the proxy protocol # Then tell the realip_module to get the addreses from the proxy protocol
# header. # header.
real_ip_header proxy_protocol; real_ip_header proxy_protocol;
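Review bot: The new trusted PROXY-protocol source `set_real_ip_from 172.31.17.140;` is a bare address with nothing saying which host it belongs to, and the same literal is repeated in the keycloak-admin.ccchh.net config below (its new `set_real_ip_from` line); since both files are loaded with `ansible.builtin.file` rather than templated, the two copies can drift apart. Everything reaching this listener from that address can set the client address through the PROXY header, so the value is a trust boundary and deserves a comment such as `# Trusted PROXY-protocol source: <reverse-proxy host — name it>; keep in sync with keycloak-admin.ccchh.net.conf` (presumably the public reverse proxy's internal address — confirm). Turning the address into a templated variable would remove the duplication altogether. The server block starts outside the hunk.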


@ -2,8 +2,20 @@
# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6 # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
# Also see: https://www.keycloak.org/server/reverseproxy # Also see: https://www.keycloak.org/server/reverseproxy
server { server {
listen 443 ssl http2; # Disable this for now.
#listen [::]:443 ssl http2; #listen 443 ssl http2;
##listen [::]:443 ssl http2;
# Listen on a custom port for the proxy protocol.
listen 8444 ssl http2 proxy_protocol;
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
# protocol.
# First set our proxy protocol proxy as trusted.
set_real_ip_from 172.31.17.140;
# Then tell the realip_module to get the addreses from the proxy protocol
# header.
real_ip_header proxy_protocol;
server_name keycloak-admin.ccchh.net; server_name keycloak-admin.ccchh.net;
@ -29,6 +41,9 @@ server {
# Also provide "_hidden" for by, since it's not relevant. # Also provide "_hidden" for by, since it's not relevant.
proxy_set_header Forwarded "for=$remote_addr;proto=https;host=$host;by=_hidden"; proxy_set_header Forwarded "for=$remote_addr;proto=https;host=$host;by=_hidden";
allow 185.161.129.132/32;
deny all;
location /js/ { location /js/ {
proxy_pass http://127.0.0.1:8080/js/; proxy_pass http://127.0.0.1:8080/js/;
} }
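Review bot: The `allow 185.161.129.132/32; deny all;` pair added before `location /js/` restricts the admin vhost by `$remote_addr`, which after the new `real_ip_header proxy_protocol;` line is whatever the PROXY header from 172.31.17.140 claims; the allowlist is therefore only as strong as the guarantee that port 8444 is reachable from nobody but that proxy, which nothing in this config enforces (a host firewall or network ACL should, and is worth checking in this commit). The allowed /32 also carries no comment saying whose address it is; `# Only <admin network — name it> may reach the admin vhost` above the `allow` line would stop the next person from treating it as dead config. The leftover `#listen 443 ssl http2;` / `##listen [::]:443 ssl http2;` lines under "Disable this for now." are a style point: if the plain-443 listener is not coming back, deleting them is clearer than double-commenting. The server block continues outside the hunk.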


@ -1,6 +1,8 @@
map $host $upstream_acme_challenge_host { map $host $upstream_acme_challenge_host {
cloud.hamburg.ccc.de cloud-intern.hamburg.ccc.de:31820; cloud.hamburg.ccc.de cloud-intern.hamburg.ccc.de:31820;
pad.hamburg.ccc.de pad-intern.hamburg.ccc.de:31820; pad.hamburg.ccc.de pad-intern.hamburg.ccc.de:31820;
id.ccchh.net 172.31.17.144:31820;
keycloak-admin.ccchh.net 172.31.17.144:31820;
default ""; default "";
} }
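Review bot: The two new map entries route to the bare address `172.31.17.144:31820` while the neighbouring cloud and pad entries, and the inventory's `ansible_host: keycloak-intern.hamburg.ccc.de` for this host, use DNS names; the same mismatch appears in the stream map's new `id.ccchh.net 172.31.17.144:8443;` and `keycloak-admin.ccchh.net 172.31.17.144:8444;` lines. Writing `id.ccchh.net keycloak-intern.hamburg.ccc.de:31820;` (and likewise for keycloak-admin) keeps one source of truth for the host's address, assuming that name resolves on the reverse proxy. If the literal IP is deliberate (e.g. to avoid a DNS dependency during the migration), a comment saying so on these lines would help.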


@ -20,6 +20,8 @@ stream {
map $ssl_preread_server_name $address { map $ssl_preread_server_name $address {
cloud.hamburg.ccc.de cloud-intern.hamburg.ccc.de:8443; cloud.hamburg.ccc.de cloud-intern.hamburg.ccc.de:8443;
pad.hamburg.ccc.de pad-intern.hamburg.ccc.de:8443; pad.hamburg.ccc.de pad-intern.hamburg.ccc.de:8443;
id.ccchh.net 172.31.17.144:8443;
keycloak-admin.ccchh.net 172.31.17.144:8444;
} }
server { server {
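Review bot: With `keycloak-admin.ccchh.net 172.31.17.144:8444;` in the SNI preread map, the admin hostname is now passed through the public TLS proxy, whereas the z9 stream map being removed further down only carried id.ccchh.net; whether the admin vhost is reachable from the internet is therefore decided solely by the allow/deny list in the backend's keycloak-admin.ccchh.net nginx config. That dependency should be visible where the routing is defined, e.g. `# Admin hostname is IP-allowlisted on the backend vhost (keycloak-admin.ccchh.net.conf).` above the new line. The `server {` block that follows starts outside the hunk.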


@ -8,8 +8,6 @@ map $host $upstream_acme_challenge_host {
thinkcccore3.ccchh.net 10.31.242.6; thinkcccore3.ccchh.net 10.31.242.6;
wiki.ccchh.net 10.31.206.13:31820; wiki.ccchh.net 10.31.206.13:31820;
zigbee2mqtt.ccchh.net 10.31.208.25:31820; zigbee2mqtt.ccchh.net 10.31.208.25:31820;
id.ccchh.net 10.31.206.12:31820;
keycloak-admin.ccchh.net 10.31.206.12:31820;
esphome.ccchh.net 10.31.208.24:31820; esphome.ccchh.net 10.31.208.24:31820;
aes.ccchh.net 10.31.206.14:31820; aes.ccchh.net 10.31.206.14:31820;
proxmox-backup-server.ccchh.net 10.31.208.28; proxmox-backup-server.ccchh.net 10.31.208.28;


@ -17,7 +17,6 @@ events {
stream { stream {
map $ssl_preread_server_name $address { map $ssl_preread_server_name $address {
wiki.ccchh.net 10.31.206.13:8443; wiki.ccchh.net 10.31.206.13:8443;
id.ccchh.net 10.31.206.12:8443;
aes.ccchh.net 10.31.206.14:8443; aes.ccchh.net 10.31.206.14:8443;
default 127.0.0.1:8443; default 127.0.0.1:8443;
} }


@ -46,11 +46,11 @@ services:
- keycloak - keycloak
environment: environment:
KEYCLOAK_ADMIN: admin KEYCLOAK_ADMIN: admin
KEYCLOAK_ADMIN_PASSWORD: {{ lookup("community.general.passwordstore", "noc/vm-secrets/z9/keycloak/KEYCLOAK_ADMIN_PASSWORD", create=false, missing="error") }} KEYCLOAK_ADMIN_PASSWORD: {{ lookup("community.general.passwordstore", "noc/vm-secrets/chaosknoten/keycloak/KEYCLOAK_ADMIN_PASSWORD", create=false, missing="error") }}
KC_DB: postgres KC_DB: postgres
KC_DB_URL_HOST: db KC_DB_URL_HOST: db
KC_DB_USERNAME: keycloak KC_DB_USERNAME: keycloak
KC_DB_PASSWORD: {{ lookup("community.general.passwordstore", "noc/vm-secrets/z9/keycloak/KC_DB_PASSWORD", create=false, missing="error") }} KC_DB_PASSWORD: {{ lookup("community.general.passwordstore", "noc/vm-secrets/chaosknoten/keycloak/KC_DB_PASSWORD", create=false, missing="error") }}
KC_HOSTNAME: id.ccchh.net KC_HOSTNAME: id.ccchh.net
KC_HOSTNAME_STRICT_BACKCHANNEL: true KC_HOSTNAME_STRICT_BACKCHANNEL: true
KC_HOSTNAME_ADMIN: keycloak-admin.ccchh.net KC_HOSTNAME_ADMIN: keycloak-admin.ccchh.net
@ -67,7 +67,7 @@ services:
- "./database:/var/lib/postgresql/data" - "./database:/var/lib/postgresql/data"
environment: environment:
POSTGRES_USER: keycloak POSTGRES_USER: keycloak
POSTGRES_PASSWORD: {{ lookup("community.general.passwordstore", "noc/vm-secrets/z9/keycloak/POSTGRES_PASSWORD", create=false, missing="error") }} POSTGRES_PASSWORD: {{ lookup("community.general.passwordstore", "noc/vm-secrets/chaosknoten/keycloak/POSTGRES_PASSWORD", create=false, missing="error") }}
POSTGRES_DB: keycloak POSTGRES_DB: keycloak
networks: networks:
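Review bot: The three updated passwordstore lookups (`KEYCLOAK_ADMIN_PASSWORD` and `KC_DB_PASSWORD` in the first hunk, `POSTGRES_PASSWORD` here) still drop the secret into the rendered compose file as an unquoted plain scalar, so a password containing `: ` or ` #`, starting with a YAML indicator, or looking like a number or boolean is mis-parsed or silently retyped when Compose loads the file. Emitting it JSON-quoted, e.g. `POSTGRES_PASSWORD: {{ lookup("community.general.passwordstore", "noc/vm-secrets/chaosknoten/keycloak/POSTGRES_PASSWORD", create=false, missing="error") | to_json }}`, makes any value safe; the `create=false, missing="error"` arguments are the right setting to keep. Since the whole rendered content goes through `docker_compose__compose_file_content`, the file on the host holds all three secrets in plaintext, which is worth confirming the role writes with restrictive permissions. The services block starts outside the hunk.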