Add Keycloak (#1)

This commit is contained in:
Lukáš Kucharczyk 2021-05-18 23:10:37 +02:00
parent 6dcb21fe75
commit e986991466
No known key found for this signature in database
GPG Key ID: 65524498C0196B64
5 changed files with 56 additions and 0 deletions

View File

@ -15,6 +15,7 @@ homelab.
* NGINX
* Jellyfin
* PostgreSQL
* Keycloak
=== Testing
To run locally, specify the inventory file with `-i hosts`.

View File

@ -6,6 +6,7 @@
- jellyfin
- openldap
- postgres
- keycloak
vars_files:
- vault/certs/{{ base_domain }}.yml
- vault/passwords.yml

View File

@ -0,0 +1,25 @@
- name: run container
docker_container:
name: "keycloak"
image: "quay.io/keycloak/keycloak"
ports:
- "8080:8080"
networks:
- name: postgres
- name: nginx-internal
env:
"KEYCLOAK_USER": "{{ vault_keycloak_user }}"
"KEYCLOAK_PASSWORD": "{{ vault_keycloak_password }}"
"DB_VENDOR": POSTGRES
"DB_ADDR": postgres
"DB_DATABASE": keycloak
"DB_USER": keycloak
"DB_SCHEMA": public
"DB_PASSWORD": "{{ vault_postgres_keycloak_user_password }}"
"PROXY_ADDRESS_FORWARDING": "true"
- name: copy nginx conf
template:
src: "keycloak.conf.j2"
dest: "{{ data_folder }}/nginx/conf.d/{{ role_name}}.{{ base_domain }}.conf"
mode: "755"
notify: reload nginx

View File

@ -0,0 +1,26 @@
server {
listen 80;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl http2;
server_name "keycloak.{{ base_domain }}";
set $keycloak keycloak;
# Security/XSS Mitigation Headers
add_header X-Frame-Options "SAMEORIGIN";
add_header X-XSS-Protection "1; mode=block";
add_header X-Content-Type-Options "nosniff";
location / {
proxy_pass http://$keycloak:8080;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Protocol $scheme;
proxy_set_header X-Forwarded-Host $http_host;
proxy_buffering off;
}
}

View File

@ -0,0 +1,3 @@
CREATE USER keycloak WITH PASSWORD '{{ vault_postgres_keycloak_user_password }}';
CREATE DATABASE keycloak;
GRANT ALL PRIVILEGES ON DATABASE keycloak TO keycloak;