Add keycloak

This commit is contained in:
julian 2023-05-02 06:12:56 +02:00
parent 91274de823
commit 2dc4b6f5fd
6 changed files with 213 additions and 0 deletions


@ -0,0 +1,16 @@
docker_compose__compose_file_content: "{{ lookup('ansible.builtin.file', 'configs/keycloak/compose.yaml') }}"
docker_compose__configuration_files: [ ]
cert__acme_account_email: j+letsencrypt-ccchh@jsts.xyz
cert__domains:
- "id.ccchh.net"
- "keycloak-admin.ccchh.net"
cert__bind_9_host: authoritative-dns
cert__bind_9_zone: ccchh.net
nginx__version_spec: ""
nginx__configurations:
- name: id.ccchh.net
content: "{{ lookup('ansible.builtin.file', 'configs/keycloak/nginx/id.ccchh.net.conf') }}"
- name: keycloak-admin.ccchh.net
content: "{{ lookup('ansible.builtin.file', 'configs/keycloak/nginx/keycloak-admin.ccchh.net.conf') }}"
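Review bot: Nothing in these host vars supplies the `keycloak_secrets.env` and `db_secrets.env` files that the compose file loads through `env_file`, so a first run of the docker_compose role on a fresh host should fail until an operator has created both files next to the compose file by hand. A comment at the top of this file would save the next operator a confused deploy, e.g. `# keycloak_secrets.env and db_secrets.env (KEYCLOAK_ADMIN_PASSWORD, KC_DB_PASSWORD, POSTGRES_PASSWORD) are created manually on the host; Ansible does not manage them.` As a style nit, `docker_compose__configuration_files: [ ]` is normally written `[]`.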


@ -24,3 +24,6 @@ all:
authoritative-dns:
ansible_host: authoritative-dns.z9.ccchh.net
ansible_user: chaos
keycloak:
ansible_host: keycloak.z9.ccchh.net
ansible_user: chaos


@ -0,0 +1,8 @@
---
- name: Deploy nginx and keycloak using docker_compose on keyloak
become: true
hosts: keycloak
roles:
- cert
- docker_compose
- nginx
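Review bot: The play name on the first line has a typo, `keyloak`, which will show up in every run's output; suggest `- name: Deploy nginx and keycloak using docker_compose on keycloak`. The role order (cert before nginx) appears deliberate, since the nginx vhosts added in this commit reference certificate paths under `/etc/ansible_certs/certs/`, so a one-line comment stating that dependency would help: `# cert must run before nginx: the vhosts load /etc/ansible_certs/certs/<host>/*.pem`.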


@ -0,0 +1,78 @@
## Secrets:
#
# Secrets should be provided via the relevant `x_secrets.env` files to the
# containers. Options to be set are documented by commented out environment
# variables.
#
## Links & Resources:
#
# https://www.keycloak.org/
# https://www.keycloak.org/documentation
# https://www.keycloak.org/getting-started/getting-started-docker
# https://www.keycloak.org/server/configuration
# https://www.keycloak.org/server/containers
# https://www.keycloak.org/server/configuration-production
# https://www.keycloak.org/server/db
# https://hub.docker.com/_/postgres
# https://github.com/docker-library/docs/blob/master/postgres/README.md
# https://www.keycloak.org/server/hostname
# https://www.keycloak.org/server/reverseproxy
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Forwarded
# https://www.keycloak.org/server/all-config
services:
keycloak:
build:
context: .
dockerfile_inline: |
FROM quay.io/keycloak/keycloak:21.1 as builder
ENV KC_DB=postgres
WORKDIR /opt/keycloak
RUN /opt/keycloak/bin/kc.sh build
FROM quay.io/keycloak/keycloak:21.1
COPY --from=builder /opt/keycloak/ /opt/keycloak/
# Runtime options set in compose directly.
ENTRYPOINT ["/opt/keycloak/bin/kc.sh"]
command: start --optimized
depends_on:
- db
networks:
- keycloak
environment:
KEYCLOAK_ADMIN: admin
# KEYCLOAK_ADMIN_PASSWORD: in secrets file
KC_DB: postgres
KC_DB_URL_HOST: db
KC_DB_USERNAME: keycloak
# KC_DB_PASSWORD: in secrets file
KC_HOSTNAME: id.ccchh.net
KC_HOSTNAME_STRICT_BACKCHANNEL: true
KC_HOSTNAME_ADMIN: keycloak-admin.ccchh.net
KC_PROXY: edge
ports:
- "8080:8080"
env_file:
- keycloak_secrets.env # Must be managed by the admin manually. Not managed by Ansible.
db:
image: postgres:15.2
restart: always
networks:
- keycloak
volumes:
- "./database:/var/lib/postgresql/data"
environment:
POSTGRES_USER: keycloak
# POSTGRES_PASSWORD: in secrets file
POSTGRES_DB: keycloak
env_file:
- db_secrets.env # Must be managed by the admin manually. Not managed by Ansible.
networks:
keycloak:
external: false
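Review bot: `ports: - "8080:8080"` publishes Keycloak's plain-HTTP listener on every host interface, while the nginx vhosts only ever reach it via `127.0.0.1:8080`; any client that can reach the host on 8080 bypasses nginx's TLS and the id/admin hostname split, and because `KC_PROXY: edge` tells Keycloak to honour `X-Forwarded-*`/`Forwarded` headers (see the reverse-proxy doc linked above), such a client can present arbitrary proto and client-address values. Bind the port to loopback instead, `- "127.0.0.1:8080:8080"`, or drop `ports` and put nginx on the `keycloak` network. Two smaller points: `KC_HOSTNAME_STRICT_BACKCHANNEL: true` is a YAML boolean rather than a string, which Compose has historically rejected under `environment`, so quote it as `"true"`; and the `keycloak` service lacks the `restart: always` that `db` has, so after a host reboot Postgres comes back but Keycloak does not.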


@ -0,0 +1,57 @@
# partly generated 2022-01-08, Mozilla Guideline v5.6, nginx 1.17.7, OpenSSL 1.1.1k, intermediate configuration
# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
# Also see: https://www.keycloak.org/server/reverseproxy
server {
# # Listen on a custom port for the proxy protocol.
# listen 8443 ssl http2 proxy_protocol;
# # Make use of the ngx_http_realip_module to set the $remote_addr and
# # $remote_port to the client address and client port, when using proxy
# # protocol.
# # First set our proxy protocol proxy as trusted.
# set_real_ip_from 10.31.206.11;
# # Then tell the realip_module to get the addreses from the proxy protocol
# # header.
# real_ip_header proxy_protocol;
# Temporarily internal-only.
listen 443 ssl http2;
server_name id.ccchh.net;
ssl_certificate /etc/ansible_certs/certs/id.ccchh.net/fullchain.pem;
ssl_certificate_key /etc/ansible_certs/certs/id.ccchh.net/privkey.pem;
# verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /etc/ansible_certs/certs/id.ccchh.net/chain.pem;
# HSTS (ngx_http_headers_module is required) (63072000 seconds)
add_header Strict-Transport-Security "max-age=63072000" always;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Port 443;
# This is https in any case.
proxy_set_header X-Forwarded-Proto https;
# Hide the X-Forwarded header.
proxy_hide_header X-Forwarded;
# Assume we are the only Reverse Proxy (well using Proxy Protocol, but that
# is transparent).
# Also provide "_hidden" for by, since it's not relevant.
proxy_set_header Forwarded "for=$remote_addr;proto=https;host=$host;by=_hidden";
location /js/ {
proxy_pass http://127.0.0.1:8080/js/;
}
location /realms/ {
proxy_pass http://127.0.0.1:8080/realms/;
}
location /resources/ {
proxy_pass http://127.0.0.1:8080/resources/;
}
location /robots.txt {
proxy_pass http://127.0.0.1:8080/robots.txt;
}
}
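Review bot: `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` appends to whatever `X-Forwarded-For` the client sent, so a client can prefix a spoofed address, and Keycloak (configured with `KC_PROXY: edge`) may then log or rate-limit on the wrong IP; which entry Keycloak picks should be confirmed, but the comment on the `Forwarded` line already states this nginx is the only proxy, so use the same value here: `proxy_set_header X-Forwarded-For $remote_addr;`. Separately, `proxy_hide_header X-Forwarded;` filters headers in the upstream's response, not the incoming request, so it does not do what its comment says; the `proxy_set_header` lines replacing `Forwarded` and the `X-Forwarded-*` headers are what actually protects those, and the comment should say so or the line be dropped. Also, the OCSP comment above `ssl_trusted_certificate` implies stapling, yet no `ssl_stapling on; ssl_stapling_verify on;` or cipher/protocol lines from the Mozilla generator appear in this vhost — presumably they live in the role's global config, which a comment here should state.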


@ -0,0 +1,51 @@
# partly generated 2022-01-08, Mozilla Guideline v5.6, nginx 1.17.7, OpenSSL 1.1.1k, intermediate configuration
# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
# Also see: https://www.keycloak.org/server/reverseproxy
server {
listen 443 ssl http2;
#listen [::]:443 ssl http2;
server_name keycloak-admin.ccchh.net;
ssl_certificate /etc/ansible_certs/certs/keycloak-admin.ccchh.net/fullchain.pem;
ssl_certificate_key /etc/ansible_certs/certs/keycloak-admin.ccchh.net/privkey.pem;
# verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /etc/ansible_certs/certs/keycloak-admin.ccchh.net/chain.pem;
# HSTS (ngx_http_headers_module is required) (63072000 seconds)
add_header Strict-Transport-Security "max-age=63072000" always;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Port 443;
# This is https in any case.
proxy_set_header X-Forwarded-Proto https;
# Hide the X-Forwarded header.
proxy_hide_header X-Forwarded;
# Assume we are the only Reverse Proxy (well using Proxy Protocol, but that
# is transparent).
# Also provide "_hidden" for by, since it's not relevant.
proxy_set_header Forwarded "for=$remote_addr;proto=https;host=$host;by=_hidden";
location /js/ {
proxy_pass http://127.0.0.1:8080/js/;
}
location /realms/ {
proxy_pass http://127.0.0.1:8080/realms/;
}
location /resources/ {
proxy_pass http://127.0.0.1:8080/resources/;
}
location /robots.txt {
proxy_pass http://127.0.0.1:8080/robots.txt;
}
location /admin/ {
proxy_pass http://127.0.0.1:8080/admin/;
}
}
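Review bot: The admin console behind `location /admin/` is reachable by anyone who can open a TLS connection to keycloak-admin.ccchh.net; the only protection is the Keycloak admin password from the manually managed secrets file, and unlike the id.ccchh.net vhost this one carries no `# Temporarily internal-only` note or proxy-protocol block documenting who is meant to reach it. If the admin hostname is supposed to stay internal, enforce that in nginx rather than relying on DNS or routing, e.g. an `allow`/`deny` list of the admin networks inside `location /admin/` (`allow <admin-net>; deny all;`) or client-certificate auth on this vhost. A comment stating the intended exposure of this vhost would help either way.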