Add Keycloak (#1)

README.adoc

@@ -15,6 +15,7 @@ homelab.
 * NGINX
 * Jellyfin
 * PostgreSQL
+* Keycloak
 
 === Testing
 To run locally, specify the inventory file with `-i hosts`.

playbook.yml

@@ -6,6 +6,7 @@
     - jellyfin
     - openldap
     - postgres
+    - keycloak
   vars_files:
     - vault/certs/{{ base_domain }}.yml
     - vault/passwords.yml

roles/keycloak/tasks/main.yml

@@ -0,0 +1,25 @@
+- name: run container
+  docker_container:
+    name: "keycloak"
+    image: "quay.io/keycloak/keycloak"
+    ports:
+      - "8080:8080"
+    networks:
+      - name: postgres
+      - name: nginx-internal
+    env:
+      "KEYCLOAK_USER": "{{ vault_keycloak_user }}"
+      "KEYCLOAK_PASSWORD": "{{ vault_keycloak_password }}"
+      "DB_VENDOR": POSTGRES
+      "DB_ADDR": postgres
+      "DB_DATABASE": keycloak
+      "DB_USER": keycloak
+      "DB_SCHEMA": public
+      "DB_PASSWORD": "{{ vault_postgres_keycloak_user_password }}"
+      "PROXY_ADDRESS_FORWARDING": "true"
+- name: copy nginx conf
+  template:
+    src: "keycloak.conf.j2"
+    dest: "{{ data_folder }}/nginx/conf.d/{{ role_name}}.{{ base_domain }}.conf"
+    mode: "755"
+  notify: reload nginx

roles/keycloak/templates/keycloak.conf.j2

@@ -0,0 +1,26 @@
+server {
+  listen 80;
+  return 301 https://$host$request_uri;
+}
+
+server {
+  listen 443 ssl http2;
+  server_name "keycloak.{{ base_domain }}";
+  set $keycloak keycloak;
+
+  # Security/XSS Mitigation Headers
+  add_header X-Frame-Options "SAMEORIGIN";
+  add_header X-XSS-Protection "1; mode=block";
+  add_header X-Content-Type-Options "nosniff";
+
+  location / {
+    proxy_pass http://$keycloak:8080;
+    proxy_set_header Host $host;
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Proto $scheme;
+    proxy_set_header X-Forwarded-Protocol $scheme;
+    proxy_set_header X-Forwarded-Host $http_host;
+    proxy_buffering off;
+  }
+}

roles/postgres/templates/keycloak.sql.j2

@@ -0,0 +1,3 @@
+CREATE USER keycloak WITH PASSWORD '{{ vault_postgres_keycloak_user_password }}';
+CREATE DATABASE keycloak;
+GRANT ALL PRIVILEGES ON DATABASE keycloak TO keycloak;