ansible-infra/resources/chaosknoten/keycloak/docker_compose/compose.yaml.j2
June 0526a15e06
don't pin digests anymore
The benefit of digest pinning isn't that great for this project really
and it comes at the cost of more issues and additional renovate noise,
so just don't anymore.
Adjust renovate config accordingly as well.
2025-11-18 13:50:44 +01:00


## Secrets:
#
# This template does not use `x_secrets.env` files. The secrets are rendered
# straight into the `environment` blocks below from the `secret__*` Ansible
# variables, so the rendered compose.yaml holds them in plaintext and they
# are visible through `docker compose config` and `docker inspect`. Keep the
# rendered file's permissions tight and never commit it.
#
## Links & Resources:
#
# https://www.keycloak.org/
# https://www.keycloak.org/documentation
# https://www.keycloak.org/getting-started/getting-started-docker
# https://www.keycloak.org/server/configuration
# https://www.keycloak.org/server/containers
# https://www.keycloak.org/server/configuration-production
# https://www.keycloak.org/server/db
# https://hub.docker.com/_/postgres
# https://github.com/docker-library/docs/blob/master/postgres/README.md
# https://www.keycloak.org/server/hostname
# https://www.keycloak.org/server/reverseproxy
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Forwarded
# https://www.keycloak.org/server/all-config
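services:
  keycloak:
    image: git.hamburg.ccc.de/ccchh/oci-images/keycloak:26.4
    pull_policy: always
    restart: unless-stopped
    command: start --optimized
    depends_on:
      - db
    networks:
      - keycloak
      # Private link to postgres; see the `keycloak-db` network below.
      - keycloak-db
    environment:
      # Bootstrap admin. Keycloak only consumes this on the first start against
      # an empty database, but the credential stays in the container
      # environment afterwards. Keycloak 26 calls these
      # KC_BOOTSTRAP_ADMIN_USERNAME / KC_BOOTSTRAP_ADMIN_PASSWORD and treats the
      # KEYCLOAK_ADMIN* names as deprecated aliases -- TODO confirm the ccchh
      # image accepts the new names before renaming.
      KEYCLOAK_ADMIN: admin
      # Every secret goes through `to_json` so the rendered value is a properly
      # escaped double-quoted YAML scalar. A bare `{{ ... }}` would break the
      # file, or silently change the value, for secrets containing `#`, `: `,
      # quotes, or a leading `*`, `&`, `[` or `{`.
      KEYCLOAK_ADMIN_PASSWORD: {{ secret__keycloak_admin_password | to_json }}
      KC_DB: postgres
      KC_DB_URL_HOST: db
      KC_DB_USERNAME: keycloak
      KC_DB_PASSWORD: {{ secret__keycloak_db_password | to_json }}
      KC_HOSTNAME: https://id.hamburg.ccc.de
      KC_HOSTNAME_BACKCHANNEL_DYNAMIC: "false"
      KC_HOSTNAME_ADMIN: https://keycloak-admin.hamburg.ccc.de
      # Plain HTTP behind a TLS-terminating reverse proxy. With `xforwarded`,
      # Keycloak trusts X-Forwarded-* from any client that can reach port 8080,
      # and that port is published on all host interfaces below. Make sure the
      # host firewall only admits the proxy, or restrict the trust with
      # KC_PROXY_TRUSTED_ADDRESSES (verify the option against /server/all-config
      # for the running version).
      KC_PROXY_HEADERS: xforwarded
      KC_HTTP_ENABLED: "true"
    ports:
      # Quoted: Compose recommends string port mappings, and an unquoted
      # value can be mis-typed by YAML 1.1 parsers.
      - "8080:8080"
  db:
    image: docker.io/library/postgres:15.14
    restart: unless-stopped
    networks:
      # Only keycloak talks to postgres. Keeping the database off the shared
      # `keycloak` network means the id-invite containers cannot reach it at
      # all.
      - keycloak-db
    volumes:
      - "./database:/var/lib/postgresql/data"
    environment:
      POSTGRES_USER: keycloak
      POSTGRES_PASSWORD: {{ secret__keycloak_db_password | to_json }}
      POSTGRES_DB: keycloak
  id-invite-web:
    # `latest` is a mutable tag and there is no pull_policy here, so what runs
    # after a fresh `compose up`/`pull` depends on the registry at that moment.
    # Consider a release tag like the keycloak service uses.
    image: git.hamburg.ccc.de/ccchh/id-invite/id-invite:latest
    command: web
    restart: unless-stopped
    networks:
      - web
      - email
      - keycloak
    ports:
      - "3000:3000"
    # Mapping form throughout, matching the keycloak/db services; the former
    # list form carried BOTTLE_HOST twice, which is dropped here.
    environment:
      APP_EMAIL_BASE_URI: http://id-invite-email:3000
      APP_KEYCLOAK_BASE_URI: http://id-invite-keycloak:3000
      BOTTLE_HOST: "0.0.0.0"
      BOTTLE_URL_SCHEME: https
      IDINVITE_INVITE_REQUIRES_GROUP: id_invite
      IDINVITE_URL: https://invite.hamburg.ccc.de
      IDINVITE_KEYCLOAK_NAME: CCCHH ID
      IDINVITE_VALID_HOURS: "50"
      IDINVITE_SECRET: {{ secret__idinvite_token_secret | to_json }}
      IDINVITE_DISCOVERY_URL: https://id.hamburg.ccc.de/realms/ccchh/.well-known/openid-configuration
      IDINVITE_CLIENT_ID: id-invite
      IDINVITE_CLIENT_SECRET: {{ secret__idinvite_client_secret | to_json }}
      # NOTE(review): differs from id-invite-email's MAIL_FROM
      # (no-reply@id.hamburg.ccc.de); confirm which one the mailer really uses.
      MAIL_FROM: no-reply@hamburg.ccc.de
  id-invite-email:
    image: git.hamburg.ccc.de/ccchh/id-invite/id-invite:latest
    command: email
    restart: unless-stopped
    networks:
      - email
      - web
    environment:
      BOTTLE_HOST: "0.0.0.0"
      IDINVITE_KEYCLOAK_NAME: CCCHH ID
      MAIL_FROM: no-reply@id.hamburg.ccc.de
      # No SMTP port or TLS mode is set here, so transport security is
      # whatever the image defaults to -- confirm it does not fall back to
      # plaintext authentication.
      SMTP_HOSTNAME: cow.hamburg.ccc.de
      SMTP_USERNAME: no-reply@id.hamburg.ccc.de
      SMTP_PASSWORD: {{ secret__id_no_reply_smtp | to_json }}
  id-invite-keycloak:
    image: git.hamburg.ccc.de/ccchh/id-invite/id-invite:latest
    command: keycloak
    restart: unless-stopped
    networks:
      - keycloak
    environment:
      BOTTLE_HOST: "0.0.0.0"
      IDINVITE_CLIENT_ID: id-invite
      IDINVITE_CLIENT_SECRET: {{ secret__idinvite_client_secret | to_json }}
      # Admin-API access over plain HTTP on the internal compose network. The
      # `id-invite` account should carry only the realm roles this service
      # needs (user/group management), not full realm admin -- not verifiable
      # from this file.
      KEYCLOAK_API_URL: http://keycloak:8080
      KEYCLOAK_API_USERNAME: id-invite
      KEYCLOAK_API_PASSWORD: {{ secret__idinvite_admin_password | to_json }}
      KEYCLOAK_API_REALM: ccchh
      KEYCLOAK_GROUPS: '["user"]'
networks:
  keycloak:
    external: false
  # Dedicated network shared only by keycloak and db.
  keycloak-db:
    external: false
  web:
    external: false
  email:
    external: false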