Migrate Keycloak from ThinkCCCluster onto Chaosknoten

Co-authored-by: Max <max@mlem.cloud>

inventories/chaosknoten/host_vars/keycloak.yaml

@@ -1,4 +1,4 @@
-docker_compose__compose_file_content: "{{ lookup('ansible.builtin.template', 'z9/configs/keycloak/compose.yaml.j2') }}"
+docker_compose__compose_file_content: "{{ lookup('ansible.builtin.template', 'chaosknoten/configs/keycloak/compose.yaml.j2') }}"
 docker_compose__configuration_files: [ ]
 
 certbot__version_spec: ""
@@ -10,6 +10,6 @@ certbot__certificate_domains:
 nginx__version_spec: ""
 nginx__configurations:
   - name: id.ccchh.net
-    content: "{{ lookup('ansible.builtin.file', 'z9/configs/keycloak/nginx/id.ccchh.net.conf') }}"
+    content: "{{ lookup('ansible.builtin.file', 'chaosknoten/configs/keycloak/nginx/id.ccchh.net.conf') }}"
   - name: keycloak-admin.ccchh.net
-    content: "{{ lookup('ansible.builtin.file', 'z9/configs/keycloak/nginx/keycloak-admin.ccchh.net.conf') }}"
+    content: "{{ lookup('ansible.builtin.file', 'chaosknoten/configs/keycloak/nginx/keycloak-admin.ccchh.net.conf') }}"

inventories/chaosknoten/hosts.yaml

@@ -4,6 +4,7 @@ all:
       hosts:
         cloud:
         pad:
+        keycloak:
     debian_12:
       hosts:
         cloud:
@@ -20,10 +21,15 @@ all:
           ansible_host: public-reverse-proxy.hamburg.ccc.de
           ansible_port: 42666
           ansible_user: chaos
+        keycloak:
+          ansible_host: keycloak-intern.hamburg.ccc.de
+          ansible_user: chaos
+          ansible_ssh_common_args: -J ssh://public-reverse-proxy.hamburg.ccc.de:42666
     docker_compose_hosts:
       hosts:
         cloud:
         pad:
+        keycloak:
     nextcloud_hosts:
       hosts:
         cloud:
@@ -32,6 +38,10 @@ all:
         cloud:
         pad:
         public-reverse-proxy:
+        keycloak:
     public_reverse_proxy_hosts:
       hosts:
         public-reverse-proxy:
+    ssh_server_config_hosts:
+      hosts:
+        keycloak:

inventories/z9/hosts.yaml

@@ -37,16 +37,12 @@ all:
         public-reverse-proxy:
           ansible_host: public-reverse-proxy.z9.ccchh.net
           ansible_user: chaos
-        keycloak:
-          ansible_host: keycloak.z9.ccchh.net
-          ansible_user: chaos
     nginx_hosts:
       hosts:
         public-reverse-proxy:
         esphome:
         zigbee2mqtt:
         light:
-        keycloak:
         wiki:
         engelsystem:
     public_reverse_proxy_hosts:
@@ -58,18 +54,15 @@ all:
       hosts:
         esphome:
         zigbee2mqtt:
-        keycloak:
         wiki:
         engelsystem:
     ssh_server_config_hosts:
       hosts:
-        keycloak:
         public-reverse-proxy:
         wiki:
         mailserver-endpoint:
     docker_compose_hosts:
       hosts:
-        keycloak:
         engelsystem:
     esphome_hosts:
       hosts:

playbooks/files/chaosknoten/configs/keycloak/nginx/id.ccchh.net.conf

@@ -8,7 +8,7 @@ server {
     # $remote_port to the client address and client port, when using proxy
     # protocol.
     # First set our proxy protocol proxy as trusted.
-    set_real_ip_from 10.31.206.11;
+    set_real_ip_from 172.31.17.140;
     # Then tell the realip_module to get the addreses from the proxy protocol
     # header.
     real_ip_header proxy_protocol;

playbooks/files/chaosknoten/configs/keycloak/nginx/keycloak-admin.ccchh.net.conf

@@ -2,8 +2,20 @@
 # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
 # Also see: https://www.keycloak.org/server/reverseproxy
 server {
-    listen 443 ssl http2;
+    # Disable this for now.
-    #listen [::]:443 ssl http2;
+    #listen 443 ssl http2;
+    ##listen [::]:443 ssl http2;
+
+    # Listen on a custom port for the proxy protocol.
+    listen 8444 ssl http2 proxy_protocol;
+    # Make use of the ngx_http_realip_module to set the $remote_addr and
+    # $remote_port to the client address and client port, when using proxy
+    # protocol.
+    # First set our proxy protocol proxy as trusted.
+    set_real_ip_from 172.31.17.140;
+    # Then tell the realip_module to get the addreses from the proxy protocol
+    # header.
+    real_ip_header proxy_protocol;
 
     server_name keycloak-admin.ccchh.net;
 
@@ -29,6 +41,9 @@ server {
     # Also provide "_hidden" for by, since it's not relevant.
     proxy_set_header Forwarded "for=$remote_addr;proto=https;host=$host;by=_hidden";
 
+    allow 185.161.129.132/32;
+    deny all;
+
     location /js/ {
         proxy_pass http://127.0.0.1:8080/js/;
     }

playbooks/files/chaosknoten/configs/public-reverse-proxy/nginx/acme_challenge.conf

@@ -1,6 +1,8 @@
 map $host $upstream_acme_challenge_host {
     cloud.hamburg.ccc.de cloud-intern.hamburg.ccc.de:31820;
     pad.hamburg.ccc.de pad-intern.hamburg.ccc.de:31820;
+    id.ccchh.net 172.31.17.144:31820;
+    keycloak-admin.ccchh.net 172.31.17.144:31820;
     default "";
 }
 

playbooks/files/chaosknoten/configs/public-reverse-proxy/nginx/nginx.conf

@@ -20,6 +20,8 @@ stream {
     map $ssl_preread_server_name $address {
         cloud.hamburg.ccc.de cloud-intern.hamburg.ccc.de:8443;
         pad.hamburg.ccc.de pad-intern.hamburg.ccc.de:8443;
+        id.ccchh.net 172.31.17.144:8443;
+        keycloak-admin.ccchh.net 172.31.17.144:8444;
     }
 
     server {

playbooks/files/z9/configs/public-reverse-proxy/nginx/acme_challenge.conf

@@ -8,8 +8,6 @@ map $host $upstream_acme_challenge_host {
     thinkcccore3.ccchh.net 10.31.242.6;
     wiki.ccchh.net 10.31.206.13:31820;
     zigbee2mqtt.ccchh.net 10.31.208.25:31820;
-    id.ccchh.net 10.31.206.12:31820;
-    keycloak-admin.ccchh.net 10.31.206.12:31820;
     esphome.ccchh.net 10.31.208.24:31820;
     aes.ccchh.net 10.31.206.14:31820;
     proxmox-backup-server.ccchh.net 10.31.208.28;

playbooks/files/z9/configs/public-reverse-proxy/nginx/nginx.conf

@@ -17,7 +17,6 @@ events {
 stream {
     map $ssl_preread_server_name $address {
         wiki.ccchh.net 10.31.206.13:8443;
-        id.ccchh.net 10.31.206.12:8443;
         aes.ccchh.net 10.31.206.14:8443;
         default 127.0.0.1:8443;
     }

playbooks/templates/chaosknoten/configs/keycloak/compose.yaml.j2

@@ -46,11 +46,11 @@ services:
       - keycloak
     environment:
       KEYCLOAK_ADMIN: admin
-      KEYCLOAK_ADMIN_PASSWORD: {{ lookup("community.general.passwordstore", "noc/vm-secrets/z9/keycloak/KEYCLOAK_ADMIN_PASSWORD", create=false, missing="error") }}
+      KEYCLOAK_ADMIN_PASSWORD: {{ lookup("community.general.passwordstore", "noc/vm-secrets/chaosknoten/keycloak/KEYCLOAK_ADMIN_PASSWORD", create=false, missing="error") }}
       KC_DB: postgres
       KC_DB_URL_HOST: db
       KC_DB_USERNAME: keycloak
-      KC_DB_PASSWORD: {{ lookup("community.general.passwordstore", "noc/vm-secrets/z9/keycloak/KC_DB_PASSWORD", create=false, missing="error") }}
+      KC_DB_PASSWORD: {{ lookup("community.general.passwordstore", "noc/vm-secrets/chaosknoten/keycloak/KC_DB_PASSWORD", create=false, missing="error") }}
       KC_HOSTNAME: id.ccchh.net
       KC_HOSTNAME_STRICT_BACKCHANNEL: true
       KC_HOSTNAME_ADMIN: keycloak-admin.ccchh.net
@@ -67,7 +67,7 @@ services:
       - "./database:/var/lib/postgresql/data"
     environment:
       POSTGRES_USER: keycloak
-      POSTGRES_PASSWORD: {{ lookup("community.general.passwordstore", "noc/vm-secrets/z9/keycloak/POSTGRES_PASSWORD", create=false, missing="error") }}
+      POSTGRES_PASSWORD: {{ lookup("community.general.passwordstore", "noc/vm-secrets/chaosknoten/keycloak/POSTGRES_PASSWORD", create=false, missing="error") }}
       POSTGRES_DB: keycloak
 
 networks: