Add keycloak
This commit is contained in:
parent
91274de823
commit
2dc4b6f5fd
16
inventories/z9/host_vars/keycloak.yaml
Normal file
16
inventories/z9/host_vars/keycloak.yaml
Normal file
|
@ -0,0 +1,16 @@
|
||||||
|
docker_compose__compose_file_content: "{{ lookup('ansible.builtin.file', 'configs/keycloak/compose.yaml') }}"
|
||||||
|
docker_compose__configuration_files: [ ]
|
||||||
|
|
||||||
|
cert__acme_account_email: j+letsencrypt-ccchh@jsts.xyz
|
||||||
|
cert__domains:
|
||||||
|
- "id.ccchh.net"
|
||||||
|
- "keycloak-admin.ccchh.net"
|
||||||
|
cert__bind_9_host: authoritative-dns
|
||||||
|
cert__bind_9_zone: ccchh.net
|
||||||
|
|
||||||
|
nginx__version_spec: ""
|
||||||
|
nginx__configurations:
|
||||||
|
- name: id.ccchh.net
|
||||||
|
content: "{{ lookup('ansible.builtin.file', 'configs/keycloak/nginx/id.ccchh.net.conf') }}"
|
||||||
|
- name: keycloak-admin.ccchh.net
|
||||||
|
content: "{{ lookup('ansible.builtin.file', 'configs/keycloak/nginx/keycloak-admin.ccchh.net.conf') }}"
|
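Review bot: Nothing in this host_vars file records that the compose file it ships reads two secrets files the playbook does not create, so a reader of the inventory alone cannot tell what has to be on the host before the first run. The compose.yaml added in this same commit lists `keycloak_secrets.env` and `db_secrets.env` under `env_file` with the remark "Not managed by Ansible", and as far as I recall Compose refuses to start a service whose env_file is missing. I would put that prerequisite next to the variables that reference the compose file, e.g. above `docker_compose__configuration_files`: `# compose.yaml expects keycloak_secrets.env and db_secrets.env next to it; they are placed by hand, not by this role.` Minor style point: `[ ]` is better written as `[]`, matching the usual empty-flow-sequence form.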
|
@ -24,3 +24,6 @@ all:
|
||||||
authoritative-dns:
|
authoritative-dns:
|
||||||
ansible_host: authoritative-dns.z9.ccchh.net
|
ansible_host: authoritative-dns.z9.ccchh.net
|
||||||
ansible_user: chaos
|
ansible_user: chaos
|
||||||
|
keycloak:
|
||||||
|
ansible_host: keycloak.z9.ccchh.net
|
||||||
|
ansible_user: chaos
|
||||||
|
|
8
playbooks/deploy_keycloak.yaml
Normal file
8
playbooks/deploy_keycloak.yaml
Normal file
|
@ -0,0 +1,8 @@
|
||||||
|
---
|
||||||
|
- name: Deploy nginx and keycloak using docker_compose on keyloak
|
||||||
|
become: true
|
||||||
|
hosts: keycloak
|
||||||
|
roles:
|
||||||
|
- cert
|
||||||
|
- docker_compose
|
||||||
|
- nginx
|
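Review bot: The play name on the `- name:` line misspells the host: `Deploy nginx and keycloak using docker_compose on keyloak` should read `Deploy nginx and keycloak using docker_compose on keycloak`. The role order is also load-bearing and worth a line, since the nginx vhosts added in this commit reference `/etc/ansible_certs/certs/...` and the compose content is looked up before nginx is configured; a comment above `roles:` such as `# Order matters: cert must run before nginx, which loads the certificate paths from /etc/ansible_certs.` would stop a later reorder from breaking the deploy. Whether the `cert` role really writes to that path is inferred from the vhost files, not visible here.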
78
playbooks/files/configs/keycloak/compose.yaml
Normal file
78
playbooks/files/configs/keycloak/compose.yaml
Normal file
|
@ -0,0 +1,78 @@
|
||||||
|
## Secrets:
|
||||||
|
#
|
||||||
|
# Secrets should be provided via the relevant `x_secrets.env` files to the
|
||||||
|
# containers. Options to be set are documented by commented out environment
|
||||||
|
# variables.
|
||||||
|
#
|
||||||
|
## Links & Resources:
|
||||||
|
#
|
||||||
|
# https://www.keycloak.org/
|
||||||
|
# https://www.keycloak.org/documentation
|
||||||
|
# https://www.keycloak.org/getting-started/getting-started-docker
|
||||||
|
# https://www.keycloak.org/server/configuration
|
||||||
|
# https://www.keycloak.org/server/containers
|
||||||
|
# https://www.keycloak.org/server/configuration-production
|
||||||
|
# https://www.keycloak.org/server/db
|
||||||
|
# https://hub.docker.com/_/postgres
|
||||||
|
# https://github.com/docker-library/docs/blob/master/postgres/README.md
|
||||||
|
# https://www.keycloak.org/server/hostname
|
||||||
|
# https://www.keycloak.org/server/reverseproxy
|
||||||
|
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Forwarded
|
||||||
|
# https://www.keycloak.org/server/all-config
|
||||||
|
|
||||||
|
services:
|
||||||
|
keycloak:
|
||||||
|
build:
|
||||||
|
context: .
|
||||||
|
dockerfile_inline: |
|
||||||
|
FROM quay.io/keycloak/keycloak:21.1 as builder
|
||||||
|
|
||||||
|
ENV KC_DB=postgres
|
||||||
|
|
||||||
|
WORKDIR /opt/keycloak
|
||||||
|
RUN /opt/keycloak/bin/kc.sh build
|
||||||
|
|
||||||
|
FROM quay.io/keycloak/keycloak:21.1
|
||||||
|
COPY --from=builder /opt/keycloak/ /opt/keycloak/
|
||||||
|
|
||||||
|
# Runtime options set in compose directly.
|
||||||
|
|
||||||
|
ENTRYPOINT ["/opt/keycloak/bin/kc.sh"]
|
||||||
|
command: start --optimized
|
||||||
|
depends_on:
|
||||||
|
- db
|
||||||
|
networks:
|
||||||
|
- keycloak
|
||||||
|
environment:
|
||||||
|
KEYCLOAK_ADMIN: admin
|
||||||
|
# KEYCLOAK_ADMIN_PASSWORD: in secrets file
|
||||||
|
KC_DB: postgres
|
||||||
|
KC_DB_URL_HOST: db
|
||||||
|
KC_DB_USERNAME: keycloak
|
||||||
|
# KC_DB_PASSWORD: in secrets file
|
||||||
|
KC_HOSTNAME: id.ccchh.net
|
||||||
|
KC_HOSTNAME_STRICT_BACKCHANNEL: true
|
||||||
|
KC_HOSTNAME_ADMIN: keycloak-admin.ccchh.net
|
||||||
|
KC_PROXY: edge
|
||||||
|
ports:
|
||||||
|
- "8080:8080"
|
||||||
|
env_file:
|
||||||
|
- keycloak_secrets.env # Must be managed by the admin manually. Not managed by Ansible.
|
||||||
|
|
||||||
|
db:
|
||||||
|
image: postgres:15.2
|
||||||
|
restart: always
|
||||||
|
networks:
|
||||||
|
- keycloak
|
||||||
|
volumes:
|
||||||
|
- "./database:/var/lib/postgresql/data"
|
||||||
|
environment:
|
||||||
|
POSTGRES_USER: keycloak
|
||||||
|
# POSTGRES_PASSWORD: in secrets file
|
||||||
|
POSTGRES_DB: keycloak
|
||||||
|
env_file:
|
||||||
|
- db_secrets.env # Must be managed by the admin manually. Not managed by Ansible.
|
||||||
|
|
||||||
|
networks:
|
||||||
|
keycloak:
|
||||||
|
external: false
|
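Review bot: `ports: - "8080:8080"` publishes Keycloak's plain-HTTP listener on every host interface, while the nginx vhosts in this commit only ever proxy to `127.0.0.1:8080` and `KC_PROXY: edge` tells Keycloak to trust the `X-Forwarded-*` headers it receives. Anyone who can reach the host on 8080 therefore bypasses TLS termination and the `id.` / `keycloak-admin.` host-name split, and can present forwarded headers of their own choosing; published Docker ports also typically sit in front of host-level firewall rules. Binding to loopback closes that: `- "127.0.0.1:8080:8080"`. Two smaller things in the same hunk: `KC_HOSTNAME_STRICT_BACKCHANNEL: true` is a YAML boolean, and Compose expects environment values to be strings, numbers or null (recent versions reject booleans), so write `KC_HOSTNAME_STRICT_BACKCHANNEL: "true"`; and the `keycloak` service has no `restart:` policy although `db` has `restart: always`, so after a host reboot the database comes back but Keycloak does not.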
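--- a/playbooks/files/configs/keycloak/nginx/id.ccchh.net.conf
+++ b/playbooks/files/configs/keycloak/nginx/id.ccchh.net.conf
@@ -0,0 +1,57 @@
+# partly generated 2022-01-08, Mozilla Guideline v5.6, nginx 1.17.7, OpenSSL 1.1.1k, intermediate configuration
+# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
+# Also see: https://www.keycloak.org/server/reverseproxy
+server {
+# # Listen on a custom port for the proxy protocol.
+# listen 8443 ssl http2 proxy_protocol;
+# # Make use of the ngx_http_realip_module to set the $remote_addr and
+# # $remote_port to the client address and client port, when using proxy
+# # protocol.
+# # First set our proxy protocol proxy as trusted.
+# set_real_ip_from 10.31.206.11;
+# # Then tell the realip_module to get the addreses from the proxy protocol
+# # header.
+# real_ip_header proxy_protocol;
+# Temporarily internal-only.
+listen 443 ssl http2;
+
+server_name id.ccchh.net;
+
+ssl_certificate /etc/ansible_certs/certs/id.ccchh.net/fullchain.pem;
+ssl_certificate_key /etc/ansible_certs/certs/id.ccchh.net/privkey.pem;
+# verify chain of trust of OCSP response using Root CA and Intermediate certs
+ssl_trusted_certificate /etc/ansible_certs/certs/id.ccchh.net/chain.pem;
+
+# HSTS (ngx_http_headers_module is required) (63072000 seconds)
+add_header Strict-Transport-Security "max-age=63072000" always;
+
+proxy_set_header Host $host;
+proxy_set_header X-Forwarded-Host $host;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Port 443;
+# This is https in any case.
+proxy_set_header X-Forwarded-Proto https;
+# Hide the X-Forwarded header.
+proxy_hide_header X-Forwarded;
+# Assume we are the only Reverse Proxy (well using Proxy Protocol, but that
+# is transparent).
+# Also provide "_hidden" for by, since it's not relevant.
+proxy_set_header Forwarded "for=$remote_addr;proto=https;host=$host;by=_hidden";
+
+location /js/ {
+proxy_pass http://127.0.0.1:8080/js/;
+}
+
+location /realms/ {
+proxy_pass http://127.0.0.1:8080/realms/;
+}
+
+location /resources/ {
+proxy_pass http://127.0.0.1:8080/resources/;
+}
+
+location /robots.txt {
+proxy_pass http://127.0.0.1:8080/robots.txt;
+}
+}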
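Review bot: The comment `# verify chain of trust of OCSP response using Root CA and Intermediate certs` above `ssl_trusted_certificate` is the Mozilla generator's wording, but none of the generator's companion directives are in this server block: there is no `ssl_stapling on;` / `ssl_stapling_verify on;`, and no `ssl_protocols`, `ssl_ciphers` or `ssl_session_*` either, so `ssl_trusted_certificate` does nothing on its own and the "partly generated ... intermediate configuration" header overstates what this file sets. If the nginx role sets these in the `http` context that is fine, but then the comment should say so, e.g. `# TLS protocol/cipher/stapling settings come from the global nginx config; chain.pem is only used by ssl_stapling_verify there.`; otherwise add `ssl_stapling on;` and `ssl_stapling_verify on;` next to `ssl_trusted_certificate`. Separately, `# Temporarily internal-only.` above `listen 443 ssl http2;` is unclear, since nothing visible restricts that listener; if it means the proxy-protocol listener above is disabled for now, say that instead. The same trusted-certificate comment is repeated in the keycloak-admin vhost in this commit.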
|
@ -0,0 +1,51 @@
|
||||||
|
# partly generated 2022-01-08, Mozilla Guideline v5.6, nginx 1.17.7, OpenSSL 1.1.1k, intermediate configuration
|
||||||
|
# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
|
||||||
|
# Also see: https://www.keycloak.org/server/reverseproxy
|
||||||
|
server {
|
||||||
|
listen 443 ssl http2;
|
||||||
|
#listen [::]:443 ssl http2;
|
||||||
|
|
||||||
|
server_name keycloak-admin.ccchh.net;
|
||||||
|
|
||||||
|
ssl_certificate /etc/ansible_certs/certs/keycloak-admin.ccchh.net/fullchain.pem;
|
||||||
|
ssl_certificate_key /etc/ansible_certs/certs/keycloak-admin.ccchh.net/privkey.pem;
|
||||||
|
# verify chain of trust of OCSP response using Root CA and Intermediate certs
|
||||||
|
ssl_trusted_certificate /etc/ansible_certs/certs/keycloak-admin.ccchh.net/chain.pem;
|
||||||
|
|
||||||
|
# HSTS (ngx_http_headers_module is required) (63072000 seconds)
|
||||||
|
add_header Strict-Transport-Security "max-age=63072000" always;
|
||||||
|
|
||||||
|
proxy_set_header Host $host;
|
||||||
|
proxy_set_header X-Forwarded-Host $host;
|
||||||
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
|
proxy_set_header X-Forwarded-Port 443;
|
||||||
|
# This is https in any case.
|
||||||
|
proxy_set_header X-Forwarded-Proto https;
|
||||||
|
# Hide the X-Forwarded header.
|
||||||
|
proxy_hide_header X-Forwarded;
|
||||||
|
# Assume we are the only Reverse Proxy (well using Proxy Protocol, but that
|
||||||
|
# is transparent).
|
||||||
|
# Also provide "_hidden" for by, since it's not relevant.
|
||||||
|
proxy_set_header Forwarded "for=$remote_addr;proto=https;host=$host;by=_hidden";
|
||||||
|
|
||||||
|
location /js/ {
|
||||||
|
proxy_pass http://127.0.0.1:8080/js/;
|
||||||
|
}
|
||||||
|
|
||||||
|
location /realms/ {
|
||||||
|
proxy_pass http://127.0.0.1:8080/realms/;
|
||||||
|
}
|
||||||
|
|
||||||
|
location /resources/ {
|
||||||
|
proxy_pass http://127.0.0.1:8080/resources/;
|
||||||
|
}
|
||||||
|
|
||||||
|
location /robots.txt {
|
||||||
|
proxy_pass http://127.0.0.1:8080/robots.txt;
|
||||||
|
}
|
||||||
|
|
||||||
|
location /admin/ {
|
||||||
|
proxy_pass http://127.0.0.1:8080/admin/;
|
||||||
|
}
|
||||||
|
}
|
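Review bot: `location /admin/` in this vhost is reachable by any client that can resolve `keycloak-admin.ccchh.net`, and the host name is the only thing separating the admin console from the public `id.ccchh.net` vhost. That name is not a secret: the host_vars in this commit request a Let's Encrypt certificate for it, and issued certificates are published in Certificate Transparency logs. `KC_HOSTNAME_ADMIN` on the Keycloak side only selects which host name the console is served on, not who may reach it, so I would add a source restriction in that location or on the whole server block, e.g. `allow <ADMIN_NETWORK_PLACEHOLDER>; deny all;`, or front it with client-certificate authentication. Worth a comment in the `id.ccchh.net` vhost as well that `/admin/` has no location there on purpose and is meant to fall through to nginx's 404.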