Add Keycloak #35
@ -15,6 +15,7 @@ homelab.
* NGINX
* NGINX
* Jellyfin
* Jellyfin
* PostgreSQL
* PostgreSQL
* Keycloak
=== Testing
=== Testing
To run locally, specify the inventory file with `-i hosts`.
To run locally, specify the inventory file with `-i hosts`.
@ -6,6 +6,7 @@
- jellyfin
- jellyfin
- openldap
- openldap
- postgres
- postgres
- keycloak
vars_files:
vars_files:
- vault/certs/{{ base_domain }}.yml
- vault/certs/{{ base_domain }}.yml
- vault/passwords.yml
- vault/passwords.yml
@ -0,0 +1,25 @@
- name: run container
docker_container:
name: "keycloak"
image: "quay.io/keycloak/keycloak"
ports:
- "8080:8080"
networks:
- name: postgres
- name: nginx-internal
env:
"KEYCLOAK_USER": "{{ vault_keycloak_user }}"
"KEYCLOAK_PASSWORD": "{{ vault_keycloak_password }}"
"DB_VENDOR": POSTGRES
"DB_ADDR": postgres
"DB_DATABASE": keycloak
"DB_USER": keycloak
"DB_SCHEMA": public
"DB_PASSWORD": "{{ vault_postgres_keycloak_user_password }}"
"PROXY_ADDRESS_FORWARDING": "true"
- name: copy nginx conf
template:
src: "keycloak.conf.j2"
dest: "{{ data_folder }}/nginx/conf.d/{{ role_name}}.{{ base_domain }}.conf"
mode: "755"
notify: reload nginx
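Review bot: `ports:` with `- "8080:8080"` publishes Keycloak's plain-HTTP listener on every host interface, although the container is also attached to `nginx-internal` and fronted by the TLS proxy added in the same commit; with `PROXY_ADDRESS_FORWARDING` set, a client reaching :8080 directly bypasses TLS and the forwarded headers the proxy injects. Unless the host port is actually needed, drop the `ports:` block and let nginx reach the container over the shared network, or at least bind it to loopback with `- "127.0.0.1:8080:8080"`. The image carries no tag, so `quay.io/keycloak/keycloak` floats to whatever `latest` is at deploy time, and the `KEYCLOAK_USER`/`DB_*` variables appear to belong to the older WildFly-based distribution, so a pinned tag such as `image: "quay.io/keycloak/keycloak:<pinned-version>"` is what keeps this task reproducible. `mode: "755"` on the rendered nginx conf makes a configuration file executable; `mode: "0644"` is sufficient for nginx to read it.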
@ -0,0 +1,26 @@
server {
listen 80;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl http2;
server_name "keycloak.{{ base_domain }}";
set $keycloak keycloak;
|
# Security/XSS Mitigation Headers
add_header X-Frame-Options "SAMEORIGIN";
add_header X-XSS-Protection "1; mode=block";
add_header X-Content-Type-Options "nosniff";
location / {
proxy_pass http://$keycloak:8080;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Protocol $scheme;
proxy_set_header X-Forwarded-Host $http_host;
proxy_buffering off;
}
}
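Review bot: `proxy_pass http://$keycloak:8080;` uses a variable upstream, which makes nginx resolve `keycloak` at request time and therefore needs a `resolver` directive; none is set in this server block, so unless one is declared at the `http` level in the shared nginx configuration this location fails at runtime with "no resolver defined". On a Docker user-defined network the usual pairing is `resolver 127.0.0.11 valid=30s;` next to the `set $keycloak keycloak;` line. Likewise `listen 443 ssl http2;` has no `ssl_certificate`/`ssl_certificate_key` here, which only works if they are inherited from the `http` context — presumably the case given the `vault/certs` vars file, but worth confirming. The security header block does not set HSTS even though port 80 unconditionally redirects to HTTPS; `add_header Strict-Transport-Security "max-age=31536000" always;` belongs alongside the others, and any `add_header` later placed inside `location /` would silently drop all of these server-level headers.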
@ -0,0 +1,3 @@
CREATE USER keycloak WITH PASSWORD '{{ vault_postgres_keycloak_user_password }}';
CREATE DATABASE keycloak;
GRANT ALL PRIVILEGES ON DATABASE keycloak TO keycloak;
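Review bot: `GRANT ALL PRIVILEGES ON DATABASE keycloak TO keycloak;` grants only database-level rights (connect, create schema, temp); it gives the role nothing on the `public` schema that the task's `DB_SCHEMA: public` points at, and on PostgreSQL 15 and later non-owners have no `CREATE` on `public` by default, so Keycloak's schema migration would fail to create its tables. Making the role the database owner covers both cases: `CREATE DATABASE keycloak OWNER keycloak;` in place of the separate `CREATE DATABASE` and `GRANT` statements. The password is interpolated as a plain single-quoted literal, so a vault value containing `'` breaks the statement; dollar-quoting it (`WITH PASSWORD $kc$...$kc$`, with a tag that cannot occur in the secret) or escaping it with the `replace("'", "''")` filter keeps the literal intact. None of the three statements is idempotent, so a second run of the role fails on `CREATE USER`.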