diff --git a/homelab/fighter/config/keycloak/Dockerfile b/homelab/fighter/config/keycloak/Dockerfile
index e152e9f7..daa02413 100644
--- a/homelab/fighter/config/keycloak/Dockerfile
+++ b/homelab/fighter/config/keycloak/Dockerfile
@@ -5,7 +5,7 @@ ENV KC_HEALTH_ENABLED=true
 ENV KC_METRICS_ENABLED=true
 # Configure a database vendor
-ENV KC_DB=${DB:-postgres}
+ENV KC_DB=postgres
 WORKDIR /opt/keycloak
 # for demonstration purposes only, please make sure to use proper certificates in production instead
@@ -16,9 +16,10 @@ FROM quay.io/keycloak/keycloak:latest
 COPY --from=builder /opt/keycloak/ /opt/keycloak/
 # change these values to point to a running postgres instance
-ENV KC_DB=${DB:-postgres}
-ENV KC_DB_URL=${DB_URL:-postgres}
-ENV KC_DB_USERNAME=${DB_USER:-keycloak}
-ENV KC_DB_PASSWORD=${DB_PASS:-changeme}
-ENV KC_HOSTNAME=${HOST:-keycloak}
+ENV KC_DB=${DB}
+ENV KC_DB_URL=${DB_URL}
+ENV KC_DB_USERNAME=${DB_USER}
+ENV KC_DB_PASSWORD=${DB_PASS}
+ENV KC_HOSTNAME=${HOST}
+
 ENTRYPOINT ["/opt/keycloak/bin/kc.sh"]
\ No newline at end of file
diff --git a/homelab/fighter/config/keycloak/docker-compose.yml b/homelab/fighter/config/keycloak/docker-compose.yml
index ac0dee73..da88d161 100644
--- a/homelab/fighter/config/keycloak/docker-compose.yml
+++ b/homelab/fighter/config/keycloak/docker-compose.yml
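Review bot: The hard-coded `ENV KC_DB=postgres` in the builder stage is fine on its own, but the compose change in this same commit replaces the `build:` stanza of keycloak-wip with a pinned `image:`, which as far as this diff shows leaves the Dockerfile with no consumer. If it is meant to survive as a custom-build variant, a header comment such as `# Not referenced by docker-compose.yml; kept for building a custom image` would say so; otherwise deleting it avoids keeping two sources of truth for the database settings.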
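Review bot: Dropping the `:-default` fallbacks turns `ENV KC_DB=${DB}` and the four lines under it into build-time expansions of variables that nothing in this hunk declares, so unless an `ARG` for each is declared after the `FROM` at line 16 (not visible here) the image is built with empty values, and `ENV KC_DB_PASSWORD=${DB_PASS}` would in any case bake the database secret into image metadata that `docker history`/`docker inspect` expose. Since the compose service already supplies all five through `env_file`, the safer shape is to remove these `ENV` lines from the runtime stage entirely and let them be injected at run time. The `FROM quay.io/keycloak/keycloak:latest` shown as hunk context is pre-existing but also unpinned, unlike the `23.0` tag the compose file now uses; pinning it would make the two paths build the same Keycloak.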
@@ -66,34 +66,39 @@ services:
 - "traefik.http.routers.forwardauth-privileged.tls.certresolver=lets-encrypt"
 keycloak-wip:
- build:
- dockerfile: Dockerfile
- context: .
+ image: quay.io/keycloak/keycloak:23.0
 container_name: keycloak_keycloak-wip
 volumes:
 - $KEYCLOAK_DATA/import:/opt/keycloak/data/import
 networks:
+ keycloak:
+ aliases:
+ - keycloak-wip
 web:
 aliases:
- - keycloak
- keycloak:
+ - keycloak-wip
 restart: "no"
+ depends_on:
+ - postgres
 command: start
 env_file:
 - keycloak-wip.env
 - keycloak-wip_secrets.env
 labels:
- traefik.http.routers.keycloak.rule: Host(`keycloak-wip.jafner.net`)
- traefik.http.routers.keycloak.tls.certresolver: lets-encrypt
- traefik.http.routers.keycloak.middlewares: lan-only@file
- traefik.http.services.keycloak.loadbalancer.server.port: 8080
+ traefik.http.routers.keycloak-wip.rule: Host(`keycloak-wip.jafner.net`)
+ traefik.http.routers.keycloak-wip.tls.certresolver: lets-encrypt
+ traefik.http.routers.keycloak-wip.middlewares: keycloak-redirect
+ traefik.http.services.keycloak-wip.loadbalancer.server.port: 8080
+ traefik.http.middlewares.keycloak-redirect.redirectregex.regex: ^https:\\/\\/([^\\//]+)\\/?$$"
+ traefik.http.middlewares.keycloak-redirect.redirectregex.replacement: https://$$1/admin"
 postgres:
- image: postgres:13
+ image: postgres:15
 container_name: keycloak_postgres
 networks:
 - keycloak
 env_file:
+ - postgres.env
 - postgres_secrets.env
 volumes:
 - postgres_data:/var/lib/postgresql/data
diff --git a/homelab/fighter/config/keycloak/keycloak-wip.env b/homelab/fighter/config/keycloak/keycloak-wip.env
index 0224623f..2a5fc2ec 100644
--- a/homelab/fighter/config/keycloak/keycloak-wip.env
+++ b/homelab/fighter/config/keycloak/keycloak-wip.env
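Review bot: Both `redirectregex` label values end with a stray `"` that has no opening quote, so in these plain YAML scalars it becomes a literal character of the value: the regex then requires a `"` after the end-of-string anchor and can never match, and the replacement would emit `https://host/admin"`. The `\\/` sequences are likewise literal in an unquoted scalar, so Traefik's RE2 engine sees `\\` and demands a backslash in the URL; forward slashes need no escaping, so `^https://([^/]+)/?$$` and `https://$$1/admin` are enough (`$$` is the correct compose escape for `$`). Separately, the new router drops the previous `lan-only@file` middleware, so the admin console this redirect lands on is reachable from every client Traefik serves; if that is intended a comment should say so, otherwise `lan-only@file,keycloak-redirect` keeps the restriction and applies it before the redirect. Finally, moving `postgres:13` to `postgres:15` over the existing `postgres_data` volume will refuse to start, because PostgreSQL rejects a data directory written by another major version; the volume needs a pg_upgrade or dump/restore first.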
@@ -1,9 +1,6 @@
 KC_DB=postgres
-KC_DB_URL=postgres
+KC_DB_URL=jdbc:postgresql://postgres/keycloak
 KC_DB_USERNAME=keycloak
-KC_HOSTNAME=keycloak
-
-DB=postgres
-DB_URL=http://postgres:5432
-DB_USER=keycloak
-DB_PASS=weakpassword
\ No newline at end of file
+KC_HOSTNAME_URL=https://keycloak-wip.jafner.net
+KC_PROXY=edge
+KEYCLOAK_ADMIN=Jafner
\ No newline at end of file
diff --git a/homelab/fighter/config/traefik/config/config_addons.yaml b/homelab/fighter/config/traefik/config/config_addons.yaml
index 9bcc1de9..a56731e0 100644
--- a/homelab/fighter/config/traefik/config/config_addons.yaml
+++ b/homelab/fighter/config/traefik/config/config_addons.yaml
@@ -8,22 +8,6 @@ http:
 simple-auth:
 basicAuth:
 usersFile: "/.htpasswd"
- authentik:
- forwardauth:
- address: http://authentik-server:9000/outpost.goauthentik.io/auth/traefik
- trustForwardHeader: true
- authResponseHeaders:
- - X-authentik-username
- - X-authentik-groups
- - X-authentik-email
- - X-authentik-name
- - X-authentik-uid
- - X-authentik-jwt
- - X-authentik-meta-jwks
- - X-authentik-meta-outpost
- - X-authentik-meta-provider
- - X-authentik-meta-app
- - X-authentik-meta-version
 securityheaders:
 headers:
 customResponseHeaders:
@@ -82,6 +66,16 @@ http:
 permanent: true
 regex: "https://(.*)/.well-known/(card|cal)dav"
 replacement: "https://${1}/remote.php/dav/"
+ keycloak:
+ headers:
+ customResponseHeaders:
+ X-Robots-Tag: "noindex, nofollow"
+ referrerPolicy: "same-origin"
+ hostsProxyHeaders:
+ - "X-Forwarded-Host"
+ customRequestHeaders:
+ X-Forwarded-Proto: "https"
+ X-Scheme: https
 serversTransports:
 insecureskipverify:
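Review bot: The removed `DB_PASS=weakpassword` line stays in git history, so whatever credential the postgres `keycloak` role actually carries should be treated as published and rotated in the `*_secrets.env` files (harmless if it was only ever the placeholder shown here). `KEYCLOAK_ADMIN=Jafner` is also easy to misread as a persistent setting: on this image the `KEYCLOAK_ADMIN`/`KEYCLOAK_ADMIN_PASSWORD` pair only bootstraps the initial admin when the database has none, so a comment such as `# bootstrap admin: only honoured on first start against an empty database` would stop a later reader from expecting a rename here to take effect. `KC_PROXY=edge` is correct for the pinned 23.0 image but is deprecated from Keycloak 24 in favour of `KC_PROXY_HEADERS=xforwarded`, which is worth noting beside it before the image tag is bumped.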
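Review bot: The new `keycloak` headers middleware is defined here but, in the compose change of this same commit, the `keycloak-wip` router attaches only `keycloak-redirect`, so as far as this diff shows nothing applies it until a router lists `keycloak@file` (a router outside the diff may, which I cannot see). Forcing `X-Forwarded-Proto: "https"` through `customRequestHeaders` is only safe if every entrypoint this middleware can be reached from terminates TLS, because Keycloak running with `KC_PROXY=edge` trusts that header when deciding a request is secure; a plain-HTTP entrypoint would be reported to it as HTTPS. A one-line comment stating that assumption, e.g. `# only attach to routers on the TLS entrypoint`, plus quoting `X-Scheme: "https"` like its sibling for consistency, would make the intent clear.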