From 2dc4b6f5fd8744ad81cba5c4b9629c50bac14dd1 Mon Sep 17 00:00:00 2001
From: julian <j@jsts.xyz>
Date: Tue, 2 May 2023 06:12:56 +0200
Subject: [PATCH] Add keycloak

---
 inventories/z9/host_vars/keycloak.yaml        | 16 ++++
 inventories/z9/hosts.yml                      |  3 +
 playbooks/deploy_keycloak.yaml                |  8 ++
 playbooks/files/configs/keycloak/compose.yaml | 78 +++++++++++++++++++
 .../configs/keycloak/nginx/id.ccchh.net.conf  | 57 ++++++++++++++
 .../nginx/keycloak-admin.ccchh.net.conf       | 51 ++++++++++++
 6 files changed, 213 insertions(+)
 create mode 100644 inventories/z9/host_vars/keycloak.yaml
 create mode 100644 playbooks/deploy_keycloak.yaml
 create mode 100644 playbooks/files/configs/keycloak/compose.yaml
 create mode 100644 playbooks/files/configs/keycloak/nginx/id.ccchh.net.conf
 create mode 100644 playbooks/files/configs/keycloak/nginx/keycloak-admin.ccchh.net.conf

diff --git a/inventories/z9/host_vars/keycloak.yaml b/inventories/z9/host_vars/keycloak.yaml
new file mode 100644
index 0000000..9c0131f
--- /dev/null
+++ b/inventories/z9/host_vars/keycloak.yaml
@@ -0,0 +1,16 @@
+docker_compose__compose_file_content: "{{ lookup('ansible.builtin.file', 'configs/keycloak/compose.yaml') }}"
+docker_compose__configuration_files: [ ]
+
+cert__acme_account_email: j+letsencrypt-ccchh@jsts.xyz
+cert__domains:
+  - "id.ccchh.net"
+  - "keycloak-admin.ccchh.net"
+cert__bind_9_host: authoritative-dns
+cert__bind_9_zone: ccchh.net
+
+nginx__version_spec: ""
+nginx__configurations:
+  - name: id.ccchh.net
+    content: "{{ lookup('ansible.builtin.file', 'configs/keycloak/nginx/id.ccchh.net.conf') }}"
+  - name: keycloak-admin.ccchh.net
+    content: "{{ lookup('ansible.builtin.file', 'configs/keycloak/nginx/keycloak-admin.ccchh.net.conf') }}"
diff --git a/inventories/z9/hosts.yml b/inventories/z9/hosts.yml
index af0c334..659635d 100644
--- a/inventories/z9/hosts.yml
+++ b/inventories/z9/hosts.yml
@@ -24,3 +24,6 @@ all:
         authoritative-dns:
           ansible_host: authoritative-dns.z9.ccchh.net
           ansible_user: chaos
+        keycloak:
+          ansible_host: keycloak.z9.ccchh.net
+          ansible_user: chaos
diff --git a/playbooks/deploy_keycloak.yaml b/playbooks/deploy_keycloak.yaml
new file mode 100644
index 0000000..bf04fae
--- /dev/null
+++ b/playbooks/deploy_keycloak.yaml
@@ -0,0 +1,8 @@
+---
+- name: Deploy nginx and keycloak using docker_compose on keyloak
+  become: true
+  hosts: keycloak
+  roles:
+    - cert
+    - docker_compose
+    - nginx
diff --git a/playbooks/files/configs/keycloak/compose.yaml b/playbooks/files/configs/keycloak/compose.yaml
new file mode 100644
index 0000000..811a7a8
--- /dev/null
+++ b/playbooks/files/configs/keycloak/compose.yaml
@@ -0,0 +1,78 @@
+## Secrets:
+#
+# Secrets should be provided via the relevant `x_secrets.env` files to the
+# containers. Options to be set are documented by commented out environment
+# variables.
+#
+## Links & Resources:
+#
+# https://www.keycloak.org/
+# https://www.keycloak.org/documentation
+# https://www.keycloak.org/getting-started/getting-started-docker
+# https://www.keycloak.org/server/configuration
+# https://www.keycloak.org/server/containers
+# https://www.keycloak.org/server/configuration-production
+# https://www.keycloak.org/server/db
+# https://hub.docker.com/_/postgres
+# https://github.com/docker-library/docs/blob/master/postgres/README.md
+# https://www.keycloak.org/server/hostname
+# https://www.keycloak.org/server/reverseproxy
+# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Forwarded
+# https://www.keycloak.org/server/all-config
+
+services:
+  keycloak:
+    build:
+      context: .
+      dockerfile_inline: |
+        FROM quay.io/keycloak/keycloak:21.1 as builder
+
+        ENV KC_DB=postgres
+
+        WORKDIR /opt/keycloak
+        RUN /opt/keycloak/bin/kc.sh build
+
+        FROM quay.io/keycloak/keycloak:21.1
+        COPY --from=builder /opt/keycloak/ /opt/keycloak/
+
+        # Runtime options set in compose directly.
+
+        ENTRYPOINT ["/opt/keycloak/bin/kc.sh"]
+    command: start --optimized
+    depends_on:
+      - db
+    networks:
+      - keycloak
+    environment:
+      KEYCLOAK_ADMIN: admin
+      # KEYCLOAK_ADMIN_PASSWORD: in secrets file
+      KC_DB: postgres
+      KC_DB_URL_HOST: db
+      KC_DB_USERNAME: keycloak
+      # KC_DB_PASSWORD: in secrets file
+      KC_HOSTNAME: id.ccchh.net
+      KC_HOSTNAME_STRICT_BACKCHANNEL: true
+      KC_HOSTNAME_ADMIN: keycloak-admin.ccchh.net
+      KC_PROXY: edge
+    ports:
+      - "8080:8080"
+    env_file:
+      - keycloak_secrets.env  # Must be managed by the admin manually. Not managed by Ansible.
+
+  db:
+    image: postgres:15.2
+    restart: always
+    networks:
+      - keycloak
+    volumes:
+      - "./database:/var/lib/postgresql/data"
+    environment:
+      POSTGRES_USER: keycloak
+      # POSTGRES_PASSWORD: in secrets file
+      POSTGRES_DB: keycloak
+    env_file:
+      - db_secrets.env  # Must be managed by the admin manually. Not managed by Ansible.
+
+networks:
+  keycloak:
+    external: false
diff --git a/playbooks/files/configs/keycloak/nginx/id.ccchh.net.conf b/playbooks/files/configs/keycloak/nginx/id.ccchh.net.conf
new file mode 100644
index 0000000..b87ff52
--- /dev/null
+++ b/playbooks/files/configs/keycloak/nginx/id.ccchh.net.conf
@@ -0,0 +1,57 @@
+# partly generated 2022-01-08, Mozilla Guideline v5.6, nginx 1.17.7, OpenSSL 1.1.1k, intermediate configuration
+# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
+# Also see: https://www.keycloak.org/server/reverseproxy
+server {
+    # # Listen on a custom port for the proxy protocol.
+    # listen 8443 ssl http2 proxy_protocol;
+    # # Make use of the ngx_http_realip_module to set the $remote_addr and
+    # # $remote_port to the client address and client port, when using proxy
+    # # protocol.
+    # # First set our proxy protocol proxy as trusted.
+    # set_real_ip_from 10.31.206.11;
+    # # Then tell the realip_module to get the addreses from the proxy protocol
+    # # header.
+    # real_ip_header proxy_protocol;
+    # Temporarily internal-only.
+    listen 443 ssl http2;
+
+    server_name id.ccchh.net;
+
+    ssl_certificate /etc/ansible_certs/certs/id.ccchh.net/fullchain.pem;
+    ssl_certificate_key /etc/ansible_certs/certs/id.ccchh.net/privkey.pem;
+    # verify chain of trust of OCSP response using Root CA and Intermediate certs
+    ssl_trusted_certificate /etc/ansible_certs/certs/id.ccchh.net/chain.pem;
+
+    # HSTS (ngx_http_headers_module is required) (63072000 seconds)
+    add_header Strict-Transport-Security "max-age=63072000" always;
+
+    proxy_set_header Host $host;
+    proxy_set_header X-Forwarded-Host $host;
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Port 443;
+    # This is https in any case.
+    proxy_set_header X-Forwarded-Proto https;
+    # Hide the X-Forwarded header.
+    proxy_hide_header X-Forwarded;
+    # Assume we are the only Reverse Proxy (well using Proxy Protocol, but that
+    # is transparent).
+    # Also provide "_hidden" for by, since it's not relevant.
+    proxy_set_header Forwarded "for=$remote_addr;proto=https;host=$host;by=_hidden";
+
+    location /js/ {
+        proxy_pass http://127.0.0.1:8080/js/;
+    }
+
+    location /realms/ {
+        proxy_pass http://127.0.0.1:8080/realms/;
+    }
+
+    location /resources/ {
+        proxy_pass http://127.0.0.1:8080/resources/;
+    }
+
+    location /robots.txt {
+        proxy_pass http://127.0.0.1:8080/robots.txt;
+    }
+}
diff --git a/playbooks/files/configs/keycloak/nginx/keycloak-admin.ccchh.net.conf b/playbooks/files/configs/keycloak/nginx/keycloak-admin.ccchh.net.conf
new file mode 100644
index 0000000..0bff51f
--- /dev/null
+++ b/playbooks/files/configs/keycloak/nginx/keycloak-admin.ccchh.net.conf
@@ -0,0 +1,51 @@
+# partly generated 2022-01-08, Mozilla Guideline v5.6, nginx 1.17.7, OpenSSL 1.1.1k, intermediate configuration
+# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
+# Also see: https://www.keycloak.org/server/reverseproxy
+server {
+    listen 443 ssl http2;
+    #listen [::]:443 ssl http2;
+
+    server_name keycloak-admin.ccchh.net;
+
+    ssl_certificate /etc/ansible_certs/certs/keycloak-admin.ccchh.net/fullchain.pem;
+    ssl_certificate_key /etc/ansible_certs/certs/keycloak-admin.ccchh.net/privkey.pem;
+    # verify chain of trust of OCSP response using Root CA and Intermediate certs
+    ssl_trusted_certificate /etc/ansible_certs/certs/keycloak-admin.ccchh.net/chain.pem;
+
+    # HSTS (ngx_http_headers_module is required) (63072000 seconds)
+    add_header Strict-Transport-Security "max-age=63072000" always;
+
+    proxy_set_header Host $host;
+    proxy_set_header X-Forwarded-Host $host;
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Port 443;
+    # This is https in any case.
+    proxy_set_header X-Forwarded-Proto https;
+    # Hide the X-Forwarded header.
+    proxy_hide_header X-Forwarded;
+    # Assume we are the only Reverse Proxy (well using Proxy Protocol, but that
+    # is transparent).
+    # Also provide "_hidden" for by, since it's not relevant.
+    proxy_set_header Forwarded "for=$remote_addr;proto=https;host=$host;by=_hidden";
+
+    location /js/ {
+        proxy_pass http://127.0.0.1:8080/js/;
+    }
+
+    location /realms/ {
+        proxy_pass http://127.0.0.1:8080/realms/;
+    }
+
+    location /resources/ {
+        proxy_pass http://127.0.0.1:8080/resources/;
+    }
+
+    location /robots.txt {
+        proxy_pass http://127.0.0.1:8080/robots.txt;
+    }
+
+    location /admin/ {
+        proxy_pass http://127.0.0.1:8080/admin/;
+    }
+}