Jafner.net/homelab/fighter/config/keycloak/docker-compose.yml

services:
  keycloak:
    image: quay.io/keycloak/keycloak:latest
    container_name: keycloak_keycloak
    networks:
      keycloak:
        aliases:
          - keycloak
      web:
        aliases:
          - keycloak
    restart: "no"
    depends_on:
      - postgres
    command: start --hostname=keycloak.jafner.net
    secrets:
      - keycloak_KC_DB_PASSWORD
      - keycloak_DB_PASS
      - keycloak_KEYCLOAK_ADMIN_PASSWORD
    environment:
      KC_DB: postgres
      KC_DB_URL: jdbc:postgresql://postgres/keycloak
      KC_DB_USERNAME: keycloak
      KC_PROXY_HEADERS: xforwarded
      KC_HTTP_ENABLED: true
      KC_HEALTH_ENABLED: true
      KC_METRICS_ENABLED: true
      KEYCLOAK_ADMIN: Jafner
      KC_DB_PASSWORD: /run/secrets/keycloak_KC_DB_PASSWORD
      DB_PASS: /run/secrets/keycloak_DB_PASS
      KEYCLOAK_ADMIN_PASSWORD: /run/secrets/keycloak_KEYCLOAK_ADMIN_PASSWORD
    labels:
      traefik.http.routers.keycloak.rule: Host(`keycloak.jafner.net`)
      traefik.http.routers.keycloak.tls.certresolver: lets-encrypt
      traefik.http.routers.keycloak.middlewares: keycloak-redirect
      traefik.http.services.keycloak.loadbalancer.server.port: 8080
      traefik.http.middlewares.keycloak-redirect.redirectregex.regex: ^https:\\/\\/([^\\//]+)\\/?$$"
      traefik.http.middlewares.keycloak-redirect.redirectregex.replacement: https://$$1/admin"

  forwardauth:
    image: mesosphere/traefik-forward-auth:latest
    container_name: keycloak_forwardauth
    networks:
      web:
        aliases:
          - forwardauth
    restart: "no"
    command: "./traefik-forward-auth"
    depends_on:
      - keycloak
    secrets:
      - forwardauth_CLIENT_SECRET
      - forwardauth_SECRET
      - forwardauth_ENCRYPTION_KEY
    environment:
      PROVIDER_URI: "https://keycloak.jafner.net/realms/Jafner.net"
      CLIENT_ID: "traefik-forward-auth"
      LOG_LEVEL: "debug"
      CLIENT_SECRET: /run/secrets/forwardauth_CLIENT_SECRET
      SECRET: /run/secrets/forwardauth_SECRET
      ENCRYPTION_KEY: /run/secrets/forwardauth_ENCRYPTION_KEY
    labels:
      - "traefik.enable=false"
      - "traefik.http.routers.forwardauth.rule=Path(`/_oauth`)"
      - "traefik.http.routers.forwardauth.tls.certresolver=lets-encrypt"

  forwardauth-privileged:
    image: mesosphere/traefik-forward-auth:latest
    container_name: keycloak_forwardauth-privileged
    networks:
      web:
        aliases:
          - forwardauth-privileged
    restart: "no"
    command: "./traefik-forward-auth --whitelist=jafner425@gmail.com"
    depends_on:
      - keycloak
    secrets:
      - forwardauth_privileged_CLIENT_SECRET
      - forwardauth_privileged_SECRET
      - forwardauth_privileged_ENCRYPTION_KEY
    environment:
      PROVIDER_URI: "https://keycloak.jafner.net/realms/Jafner.net"
      CLIENT_ID: "traefik-forward-auth-privileged"
      LOG_LEVEL: "debug"
      CLIENT_SECRET: /run/secrets/forwardauth_privileged_CLIENT_SECRET
      SECRET: /run/secrets/forwardauth_privileged_SECRET
      ENCRYPTION_KEY: /run/secrets/forwardauth_privileged_ENCRYPTION_KEY
    labels:
      - "traefik.enable=false"
      - "traefik.http.routers.forwardauth-privileged.rule=Path(`/_oauth`)"
      - "traefik.http.routers.forwardauth-privileged.tls.certresolver=lets-encrypt"

  postgres:
    image: postgres:latest
    container_name: keycloak_postgres
    networks:
      - keycloak
    secrets:
      - postgres_POSTGRES_USER
      - postgres_POSTGRES_PASSWORD
    environment:
      POSTGRES_DB: keycloak
      POSTGRES_USER: /run/secrets/postgres_POSTGRES_USER
      POSTGRES_PASSWORD: /run/secrets/postgres_POSTGRES_PASSWORD
    volumes:
      - postgres_data:/var/lib/postgresql/data

networks:
  web:
    external: true
  keycloak:

volumes:
  postgres_data:

secrets:
  forwardauth_privileged_CLIENT_SECRET:
    file: ./secrets/forwardauth-privileged_CLIENT_SECRET.txt
  forwardauth_privileged_SECRET: 
    file: ./secrets/forwardauth-privileged_SECRET.txt
  forwardauth_privileged_ENCRYPTION_KEY: 
    file: ./secrets/forwardauth-privileged_ENCRYPTION_KEY.txt
  forwardauth_CLIENT_SECRET:
    file: ./secrets/forwardauth_CLIENT_SECRET.txt
  forwardauth_SECRET:
    file: ./secrets/forwardauth_SECRET.txt
  forwardauth_ENCRYPTION_KEY:
    file: ./secrets/forwardauth_ENCRYPTION_KEY.txt
  keycloak_KC_DB_PASSWORD: 
    file: ./secrets/keycloak_KC_DB_PASSWORD.txt
  keycloak_DB_PASS: 
    file: ./secrets/keycloak_DB_PASS.txt
  keycloak_KEYCLOAK_ADMIN_PASSWORD: 
    file: ./secrets/keycloak_KEYCLOAK_ADMIN_PASSWORD.txt
  postgres_POSTGRES_USER: 
    file: ./secrets/postgres_POSTGRES_USER.txt
  postgres_POSTGRES_PASSWORD: 
    file: ./secrets/postgres_POSTGRES_PASSWORD.txt