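---
## Secrets:
#
# No secret is stored in this file. Every secret value is rendered in at
# deploy time through an Ansible `community.general.passwordstore` lookup
# (`create=false, missing="error"`), so a missing password-store entry fails
# the render instead of starting a container with an empty secret.
# Every lookup is wrapped in double quotes so the rendered value is always
# parsed as a YAML string (a bare `{{ ... }}` would otherwise be read as a
# flow mapping, and a secret starting with `*`, `&` or `#` would break the
# file). A secret containing `"` or `\` still needs escaping before it is
# rendered here.
#
## Exposure:
#
# Keycloak runs with plain HTTP enabled and trusts X-Forwarded-* headers
# (KC_PROXY_HEADERS=xforwarded). That is only safe while port 8080 is reachable
# solely by the reverse proxy in front of it; the same applies to id-invite-web
# on port 3000. Both ports are published on all host interfaces below. If the
# proxy runs on this host, bind them to loopback (e.g. `"127.0.0.1:8080:8080"`)
# or firewall them -- confirm the proxy's location before changing the binding.
#
## Links & Resources:
#
# https://www.keycloak.org/
# https://www.keycloak.org/documentation
# https://www.keycloak.org/getting-started/getting-started-docker
# https://www.keycloak.org/server/configuration
# https://www.keycloak.org/server/containers
# https://www.keycloak.org/server/configuration-production
# https://www.keycloak.org/server/db
# https://hub.docker.com/_/postgres
# https://github.com/docker-library/docs/blob/master/postgres/README.md
# https://www.keycloak.org/server/hostname
# https://www.keycloak.org/server/reverseproxy
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Forwarded
# https://www.keycloak.org/server/all-config

services:
  # Keycloak identity provider, built locally so the build-time option
  # KC_DB=postgres is baked in and the runtime can use `start --optimized`.
  keycloak:
    build:
      context: .
      # Two-stage build: the builder stage runs `kc.sh build` with KC_DB set,
      # the runtime stage copies the optimized result. Runtime options are
      # supplied through `environment` below, not in the image.
      dockerfile_inline: |
        FROM quay.io/keycloak/keycloak:25.0 as builder
        ENV KC_DB=postgres
        WORKDIR /opt/keycloak
        RUN /opt/keycloak/bin/kc.sh build

        FROM quay.io/keycloak/keycloak:25.0
        COPY --from=builder /opt/keycloak/ /opt/keycloak/
        # Runtime options set in compose directly.
        ENTRYPOINT ["/opt/keycloak/bin/kc.sh"]
    restart: unless-stopped
    command: start --optimized
    depends_on:
      db:
        # Wait until Postgres accepts connections (see the db healthcheck);
        # the short list form only orders container start.
        condition: service_healthy
    networks:
      - keycloak
    environment:
      KEYCLOAK_ADMIN: admin
      KEYCLOAK_ADMIN_PASSWORD: "{{ lookup("community.general.passwordstore", "noc/vm-secrets/chaosknoten/keycloak/KEYCLOAK_ADMIN_PASSWORD", create=false, missing="error") }}"
      KC_DB: postgres
      KC_DB_URL_HOST: db
      KC_DB_USERNAME: keycloak
      KC_DB_PASSWORD: "{{ lookup("community.general.passwordstore", "noc/vm-secrets/chaosknoten/keycloak/KC_DB_PASSWORD", create=false, missing="error") }}"
      KC_HOSTNAME: https://id.hamburg.ccc.de
      # Boolean-looking values are quoted so Keycloak receives the literal
      # strings "false"/"true" regardless of how Compose coerces YAML booleans.
      KC_HOSTNAME_BACKCHANNEL_DYNAMIC: "false"
      KC_HOSTNAME_ADMIN: https://keycloak-admin.hamburg.ccc.de
      # Trust X-Forwarded-* from the reverse proxy; see "Exposure" above.
      KC_PROXY_HEADERS: xforwarded
      KC_HTTP_ENABLED: "true"
    ports:
      # Plain HTTP for the reverse proxy; see "Exposure" above.
      - "8080:8080"

  # PostgreSQL backing store for Keycloak. Data lives in ./database on the
  # host so it survives container re-creation.
  db:
    image: postgres:15.2
    restart: always
    networks:
      - keycloak
    volumes:
      - "./database:/var/lib/postgresql/data"
    environment:
      POSTGRES_USER: keycloak
      POSTGRES_PASSWORD: "{{ lookup("community.general.passwordstore", "noc/vm-secrets/chaosknoten/keycloak/POSTGRES_PASSWORD", create=false, missing="error") }}"
      POSTGRES_DB: keycloak
    healthcheck:
      # pg_isready needs no credentials; it only checks that the server
      # answers a startup packet. TCP via 127.0.0.1 is used on purpose: the
      # temporary server the image runs during first-time initialisation
      # listens on the unix socket only, so a socket probe would report
      # "ready" too early.
      test: ["CMD-SHELL", "pg_isready -h 127.0.0.1 -U keycloak -d keycloak"]
      interval: 5s
      timeout: 5s
      retries: 10

  # id-invite: invitation flow in three processes from one image, selected
  # by `command` (web, email, keycloak).
  id-invite-web:
    image: git.hamburg.ccc.de/ccchh/id-invite/id-invite:latest
    command: web
    restart: always
    networks:
      - web
      - email
      - keycloak
    ports:
      # See "Exposure" above.
      - "3000:3000"
    environment:
      # Internal hops to the sibling processes; resolved on the shared networks.
      APP_EMAIL_BASE_URI: http://id-invite-email:3000
      APP_KEYCLOAK_BASE_URI: http://id-invite-keycloak:3000
      IDINVITE_URL: https://invite.hamburg.ccc.de
      IDINVITE_KEYCLOAK_NAME: "CCCHH ID"
      # Quoted so the value stays a string rather than a YAML integer.
      IDINVITE_VALID_HOURS: "50"
      IDINVITE_SECRET: "{{ lookup("community.general.passwordstore", "noc/vm-secrets/chaosknoten/keycloak/IDINVITE_TOKEN_SECRET", create=false, missing="error") }}"
      IDINVITE_DISCOVERY_URL: https://id.hamburg.ccc.de/realms/ccchh/.well-known/openid-configuration
      IDINVITE_CLIENT_ID: id-invite
      IDINVITE_CLIENT_SECRET: "{{ lookup("community.general.passwordstore", "noc/vm-secrets/chaosknoten/keycloak/IDINVITE_CLIENT_SECRET", create=false, missing="error") }}"
      MAIL_FROM: no-reply@hamburg.ccc.de
      BOTTLE_HOST: "0.0.0.0"

  id-invite-email:
    image: git.hamburg.ccc.de/ccchh/id-invite/id-invite:latest
    command: email
    restart: always
    networks:
      - email
      - web
    environment:
      IDINVITE_KEYCLOAK_NAME: "CCCHH ID"
      SMTP_HOSTNAME: cow.hamburg.ccc.de
      SMTP_USERNAME: no-reply@id.hamburg.ccc.de
      SMTP_PASSWORD: "{{ lookup("community.general.passwordstore", "noc/vm-secrets/chaosknoten/keycloak/NO_REPLY_SMTP", create=false, missing="error") }}"

  id-invite-keycloak:
    image: git.hamburg.ccc.de/ccchh/id-invite/id-invite:latest
    command: keycloak
    restart: always
    networks:
      - keycloak
    environment:
      # Talks to Keycloak over the internal network, never via the published port.
      KEYCLOAK_API_URL: http://keycloak:8080
      KEYCLOAK_API_USERNAME: id-invite
      KEYCLOAK_API_PASSWORD: "{{ lookup("community.general.passwordstore", "noc/vm-secrets/chaosknoten/keycloak/IDINVITE_ADMIN_PASSWORD", create=false, missing="error") }}"
      KEYCLOAK_API_REALM: ccchh

# All networks are project-local (external: false is the default); the empty
# mapping for `web` makes that explicit instead of leaving a bare null key.
networks:
  keycloak:
    external: false
  web: {}
  email:
    external: false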