From e98699146630e7f6e6e9a577e145ae7867dbe823 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Luk=C3=A1=C5=A1=20Kucharczyk?=
Date: Tue, 18 May 2021 23:10:37 +0200
Subject: [PATCH] Add Keycloak (#1)

---
 README.adoc | 1 +
 playbook.yml | 1 +
 roles/keycloak/tasks/main.yml | 25 ++++++++++++++++++++++
 roles/keycloak/templates/keycloak.conf.j2 | 26 +++++++++++++++++++++++
 roles/postgres/templates/keycloak.sql.j2 | 3 +++
 5 files changed, 56 insertions(+)
 create mode 100644 roles/keycloak/tasks/main.yml
 create mode 100644 roles/keycloak/templates/keycloak.conf.j2
 create mode 100644 roles/postgres/templates/keycloak.sql.j2

diff --git a/README.adoc b/README.adoc
index 25833b0..42f41a1 100644
--- a/README.adoc
+++ b/README.adoc
@@ -15,6 +15,7 @@ homelab.
 * NGINX
 * Jellyfin
 * PostgreSQL
+* Keycloak
 
 === Testing
 To run locally, specify the inventory file with `-i hosts`.
diff --git a/playbook.yml b/playbook.yml
index a945adf..b2079c2 100644
--- a/playbook.yml
+++ b/playbook.yml
@@ -6,6 +6,7 @@
 - jellyfin
 - openldap
 - postgres
+ - keycloak
 vars_files:
 - vault/certs/{{ base_domain }}.yml
 - vault/passwords.yml
diff --git a/roles/keycloak/tasks/main.yml b/roles/keycloak/tasks/main.yml
new file mode 100644
index 0000000..066db09
--- /dev/null
+++ b/roles/keycloak/tasks/main.yml
@@ -0,0 +1,25 @@
+- name: run container
+ docker_container:
+ name: "keycloak"
+ image: "quay.io/keycloak/keycloak"
+ ports:
+ - "8080:8080"
+ networks:
+ - name: postgres
+ - name: nginx-internal
+ env:
+ "KEYCLOAK_USER": "{{ vault_keycloak_user }}"
+ "KEYCLOAK_PASSWORD": "{{ vault_keycloak_password }}"
+ "DB_VENDOR": POSTGRES
+ "DB_ADDR": postgres
+ "DB_DATABASE": keycloak
+ "DB_USER": keycloak
+ "DB_SCHEMA": public
+ "DB_PASSWORD": "{{ vault_postgres_keycloak_user_password }}"
+ "PROXY_ADDRESS_FORWARDING": "true"
+- name: copy nginx conf
+ template:
+ src: "keycloak.conf.j2"
+ dest: "{{ data_folder }}/nginx/conf.d/{{ role_name}}.{{ base_domain }}.conf"
+ mode: "755"
+ notify: reload nginx
\ No newline at end of file
diff --git a/roles/keycloak/templates/keycloak.conf.j2 b/roles/keycloak/templates/keycloak.conf.j2
new file mode 100644
index 0000000..e16765c
--- /dev/null
+++ b/roles/keycloak/templates/keycloak.conf.j2
@@ -0,0 +1,26 @@
+server {
+ listen 80;
+ return 301 https://$host$request_uri;
+}
+
+server {
+ listen 443 ssl http2;
+ server_name "keycloak.{{ base_domain }}";
+ set $keycloak keycloak;
+
+ # Security/XSS Mitigation Headers
+ add_header X-Frame-Options "SAMEORIGIN";
+ add_header X-XSS-Protection "1; mode=block";
+ add_header X-Content-Type-Options "nosniff";
+
+ location / {
+ proxy_pass http://$keycloak:8080;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Forwarded-Protocol $scheme;
+ proxy_set_header X-Forwarded-Host $http_host;
+ proxy_buffering off;
+ }
+}
\ No newline at end of file
diff --git a/roles/postgres/templates/keycloak.sql.j2 b/roles/postgres/templates/keycloak.sql.j2
new file mode 100644
index 0000000..05bc40a
--- /dev/null
+++ b/roles/postgres/templates/keycloak.sql.j2
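Review bot: The `ports: - "8080:8080"` entry in the `run container` task publishes Keycloak's plain-HTTP listener on every host interface, which bypasses the TLS termination and the security headers that the nginx template in this same commit adds; nginx reaches the container over the `nginx-internal` network, so the host port mapping looks unnecessary. Either drop the `ports` block or, if local access is wanted for debugging, bind it to loopback with `- "127.0.0.1:8080:8080"`. Two smaller points in the same file: `image: "quay.io/keycloak/keycloak"` carries no tag, so each run may pull a different major version with a different env-var contract, and `mode: "755"` on the `copy nginx conf` task marks a plain config file executable where `mode: "0644"` is all nginx needs to read it. The `reload nginx` handler is presumably defined in the nginx role, which is outside this patch.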
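Review bot: The port-80 `server` block has no `server_name`, so it acts as a catch-all default for every HTTP host on this nginx instance rather than only for `keycloak.{{ base_domain }}`; if the other role templates dropped into `conf.d` ship the same block, nginx will use whichever loads first and warn about conflicting defaults (those templates are not in this patch, so that is inferred). Adding `server_name "keycloak.{{ base_domain }}";` to the redirect block keeps this template self-contained. `proxy_pass http://$keycloak:8080` with a variable makes nginx resolve the upstream per request, which only works when a `resolver` directive (Docker's embedded DNS is 127.0.0.11) is configured somewhere in the nginx role; a comment on the `set $keycloak keycloak;` line such as `# variable upstream: resolved at request time, needs a resolver directive in the nginx config` would save the next reader a failed reload. The TLS block likewise carries no `ssl_certificate`/`ssl_certificate_key`, so they must come from an http-level include, and a `Strict-Transport-Security` header alongside the existing `add_header` lines would complete the header set (note that `add_header` is inherited by `location /` only because that location declares no `add_header` of its own).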
@@ -0,0 +1,3 @@
+CREATE USER keycloak WITH PASSWORD '{{ vault_postgres_keycloak_user_password }}';
+CREATE DATABASE keycloak;
+GRANT ALL PRIVILEGES ON DATABASE keycloak TO keycloak;
\ No newline at end of file
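Review bot: `CREATE USER keycloak WITH PASSWORD '{{ vault_postgres_keycloak_user_password }}'` drops the vault value into a SQL string literal unescaped, so a password containing a single quote breaks or alters the statement; render it as `'{{ vault_postgres_keycloak_user_password | replace("'", "''") }}'` or document that the vault value must not contain quotes. The script is also not re-runnable: `CREATE USER` and `CREATE DATABASE` error on a second run, and there is no `OWNER keycloak` on the database, which `GRANT ALL PRIVILEGES ON DATABASE` does not replace (it grants connect/create/temp on the database, not ownership of the objects inside it), so `CREATE DATABASE keycloak OWNER keycloak;` is the safer form. The rendered file holds the database password in plain text, so the postgres role task that writes and executes it (outside this patch) should set a restrictive file mode and remove the file once applied.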