keycloak(host): move to new network and hostname

Also just listen on port 8443 for keycloak-admin proxy protocol.
2025-12-16 21:50:40 +01:00 · 2025-12-16 21:50:40 +01:00 · 366456eff8
commit 366456eff8
parent 1ca71a053e
6 changed files with 15 additions and 12 deletions
--- a/inventories/chaosknoten/hosts.yaml
+++ b/inventories/chaosknoten/hosts.yaml
@ -23,9 +23,9 @@ all:
      ansible_user: chaos
      ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
    keycloak:
-      ansible_host: keycloak-intern.hamburg.ccc.de
+      ansible_host: keycloak.hosts.hamburg.ccc.de
      ansible_user: chaos
-      ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
+      ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
    lists:
      ansible_host: lists.hamburg.ccc.de
      ansible_user: chaos
--- a/resources/chaosknoten/keycloak/nginx/id.hamburg.ccc.de.conf
+++ b/resources/chaosknoten/keycloak/nginx/id.hamburg.ccc.de.conf
@ -4,11 +4,12 @@
 server {
    # Listen on a custom port for the proxy protocol.
    listen 8443 ssl http2 proxy_protocol;
+    listen [::]:8443 ssl http2 proxy_protocol;
    # Make use of the ngx_http_realip_module to set the $remote_addr and
    # $remote_port to the client address and client port, when using proxy
    # protocol.
    # First set our proxy protocol proxy as trusted.
-    set_real_ip_from 172.31.17.140;
+    set_real_ip_from 2a00:14b0:4200:3000:125::1;
    # Then tell the realip_module to get the addreses from the proxy protocol
    # header.
    real_ip_header proxy_protocol;
--- a/resources/chaosknoten/keycloak/nginx/invite.hamburg.ccc.de.conf
+++ b/resources/chaosknoten/keycloak/nginx/invite.hamburg.ccc.de.conf
@ -4,11 +4,12 @@
 server {
    # Listen on a custom port for the proxy protocol.
    listen 8443 ssl http2 proxy_protocol;
+    listen [::]:8443 ssl http2 proxy_protocol;
    # Make use of the ngx_http_realip_module to set the $remote_addr and
    # $remote_port to the client address and client port, when using proxy
    # protocol.
    # First set our proxy protocol proxy as trusted.
-    set_real_ip_from 172.31.17.140;
+    set_real_ip_from 2a00:14b0:4200:3000:125::1;
    # Then tell the realip_module to get the addreses from the proxy protocol
    # header.
    real_ip_header proxy_protocol;
--- a/resources/chaosknoten/keycloak/nginx/keycloak-admin.hamburg.ccc.de.conf
+++ b/resources/chaosknoten/keycloak/nginx/keycloak-admin.hamburg.ccc.de.conf
@ -7,12 +7,13 @@ server {
    ##listen [::]:443 ssl http2;

    # Listen on a custom port for the proxy protocol.
-    listen 8444 ssl http2 proxy_protocol;
+    listen 8443 ssl http2 proxy_protocol;
+    listen [::]:8443 ssl http2 proxy_protocol;
    # Make use of the ngx_http_realip_module to set the $remote_addr and
    # $remote_port to the client address and client port, when using proxy
    # protocol.
    # First set our proxy protocol proxy as trusted.
-    set_real_ip_from 172.31.17.140;
+    set_real_ip_from 2a00:14b0:4200:3000:125::1;
    # Then tell the realip_module to get the addreses from the proxy protocol
    # header.
    real_ip_header proxy_protocol;
--- a/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf
+++ b/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf
@ -13,9 +13,9 @@ map $host $upstream_acme_challenge_host {
    hackertours.hamburg.ccc.de 172.31.17.151:31820;
    staging.hackertours.hamburg.ccc.de 172.31.17.151:31820;
    hamburg.ccc.de 172.31.17.151:31820;
-    id.hamburg.ccc.de 172.31.17.144:31820;
-    invite.hamburg.ccc.de 172.31.17.144:31820;
-    keycloak-admin.hamburg.ccc.de 172.31.17.144:31820;
+    id.hamburg.ccc.de keycloak.hosts.hamburg.ccc.de:31820;
+    invite.hamburg.ccc.de keycloak.hosts.hamburg.ccc.de:31820;
+    keycloak-admin.hamburg.ccc.de keycloak.hosts.hamburg.ccc.de:31820;
    matrix.hamburg.ccc.de 172.31.17.150:31820;
    mas.hamburg.ccc.de 172.31.17.150:31820;
    element-admin.hamburg.ccc.de 172.31.17.151:31820;
--- a/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf
+++ b/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf
@ -23,9 +23,9 @@ stream {
        cloud.hamburg.ccc.de cloud.hosts.hamburg.ccc.de:8443;
        pad.hamburg.ccc.de pad.hosts.hamburg.ccc.de:8443;
        pretalx.hamburg.ccc.de pretalx-intern.hamburg.ccc.de:8443;
-        id.hamburg.ccc.de 172.31.17.144:8443;
-        invite.hamburg.ccc.de 172.31.17.144:8443;
-        keycloak-admin.hamburg.ccc.de 172.31.17.144:8444;
+        id.hamburg.ccc.de keycloak.hosts.hamburg.ccc.de:8443;
+        invite.hamburg.ccc.de keycloak.hosts.hamburg.ccc.de:8443;
+        keycloak-admin.hamburg.ccc.de keycloak.hosts.hamburg.ccc.de:8443;
        grafana.hamburg.ccc.de 172.31.17.145:8443;
        wiki.ccchh.net wiki.hosts.hamburg.ccc.de:8443;
        wiki.hamburg.ccc.de wiki.hosts.hamburg.ccc.de:8443;