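---
# Keycloak behind Traefik (v1-style labels), backed by a dedicated PostgreSQL
# container, plus a sidecar that takes periodic pg_dump snapshots.
#
# https://www.keycloak.org/documentation.html
# https://www.keycloak.org/docs/latest/getting_started/index.html
# https://hub.docker.com/_/postgres
# https://hub.docker.com/r/jboss/keycloak/
#
# Variables expected in .env: DOMAINNAME, USERDIR, KEYCLOAKUSER, KEYCLOAKPASS
# and KEYCLOAK_DB_PASSWORD. KEYCLOAK_DB_PASSWORD is new: it replaces the
# database password that used to be written into this file three times. The
# "${VAR:?message}" form makes compose refuse to start when it is unset,
# instead of silently substituting an empty password.
version: "3.7"

networks:
  keycloak:
    name: keycloak
  traefik:
    name: traefik

services:
  keycloak:
    # Untagged image: every pull may bring a new major version. Pin a tag
    # before relying on this in production.
    image: jboss/keycloak
    container_name: keycloak
    domainname: "${DOMAINNAME}"
    # Port 8080 stays unpublished; only Traefik (same "traefik" network)
    # reaches it.
    # ports:
    #   - "8080:8080"
    networks:
      traefik:
      keycloak:
    volumes:
      - /etc/localtime:/etc/localtime:ro
    environment:
      # The original "PUID=1000" / "PGID=1000" lines were bare scalars inside
      # a mapping, which is not valid YAML; they are proper keys now. Whether
      # jboss/keycloak honours PUID/PGID is not established here — verify
      # before relying on them.
      PUID: "1000"
      PGID: "1000"
      # Initial admin account (created by the image on first start).
      KEYCLOAK_USER: "${KEYCLOAKUSER}"
      KEYCLOAK_PASSWORD: "${KEYCLOAKPASS}"
      # Database connection; DB_ADDR resolves over the "keycloak" network.
      DB_VENDOR: postgres
      DB_DATABASE: keycloak
      DB_ADDR: keycloak-db
      DB_USER: keycloak
      DB_PASSWORD: "${KEYCLOAK_DB_PASSWORD:?set KEYCLOAK_DB_PASSWORD in .env}"
      # Required to run Keycloak behind Traefik: it makes Keycloak trust the
      # proxy's forwarded headers when building redirect URLs.
      PROXY_ADDRESS_FORWARDING: "true"
      KEYCLOAK_HOSTNAME: "keycloak.${DOMAINNAME}"
      # The POSTGRES_USER / POSTGRES_PASSWORD entries that used to be listed
      # here belong to the postgres image and are set on keycloak-db instead.
    labels:
      traefik.enable: "true"
      traefik.docker.network: traefik
      traefik.backend: keycloak
      traefik.protocol: http
      traefik.port: "8080"
      # Trailing "," removed from the rule; it would have added an empty
      # extra host to the match.
      traefik.frontend.rule: "Host:keycloak.${DOMAINNAME}"
      # traefik.frontend.auth.forward.address: http://traefik-forward-auth:4181
      # traefik.frontend.auth.forward.authResponseHeaders: X-Forwarded-User
      # traefik.frontend.auth.forward.trustForwardHeader: "true"
      traefik.frontend.passHostHeader: "true"
      # Transport hardening: force HTTPS and send a preload-eligible HSTS
      # header (STSSeconds = 10 years).
      traefik.frontend.headers.SSLForceHost: "true"
      traefik.frontend.headers.SSLHost: "keycloak.${DOMAINNAME}"
      traefik.frontend.headers.SSLRedirect: "true"
      traefik.frontend.headers.browserXSSFilter: "true"
      traefik.frontend.headers.contentTypeNosniff: "true"
      traefik.frontend.headers.forceSTSHeader: "true"
      traefik.frontend.headers.STSSeconds: "315360000"
      traefik.frontend.headers.STSIncludeSubdomains: "true"
      traefik.frontend.headers.STSPreload: "true"
      # Keep the login pages out of search indexes.
      traefik.frontend.headers.customResponseHeaders: "X-Robots-Tag:noindex,nofollow,nosnippet,noarchive,notranslate,noimageindex"
      # When both are set Traefik appears to emit customFrameOptionsValue
      # rather than DENY, i.e. framing is allowed from the parent domain only.
      traefik.frontend.headers.frameDeny: "true"
      traefik.frontend.headers.customFrameOptionsValue: 'allow-from https://${DOMAINNAME}'
    restart: always
    # Start ordering only; compose does not wait for PostgreSQL to accept
    # connections.
    depends_on:
      - keycloak-db

  keycloak-db:
    # Keep this tag identical to the one used by keycloak-db-backup: pg_dump
    # refuses to dump a server newer than itself.
    image: postgres
    container_name: keycloak-db
    networks:
      keycloak:
    volumes:
      - "${USERDIR}/keycloak/database:/var/lib/postgresql/data"
      - /etc/localtime:/etc/localtime:ro
    environment:
      # Only POSTGRES_* is read by the postgres image; the DB_*, KEYCLOAK_*
      # and PROXY_ADDRESS_FORWARDING variables that used to be duplicated
      # here had no effect and were dropped.
      # With no POSTGRES_DB the default database is named after the user,
      # which matches DB_DATABASE=keycloak above.
      POSTGRES_USER: keycloak
      # Applied only when the data directory is first initialised; changing
      # it later does not change the password of an existing database.
      POSTGRES_PASSWORD: "${KEYCLOAK_DB_PASSWORD:?set KEYCLOAK_DB_PASSWORD in .env}"
    restart: always

  keycloak-db-backup:
    # Same tag as keycloak-db (see note there).
    image: postgres
    container_name: keycloak-db-backup
    networks:
      keycloak:
    volumes:
      - "${USERDIR}/keycloak/database-dump:/dump"
      - /etc/localtime:/etc/localtime:ro
    environment:
      # libpq connection settings; the database defaults to the user name,
      # i.e. "keycloak".
      PGHOST: keycloak-db
      PGUSER: keycloak
      PGPASSWORD: "${KEYCLOAK_DB_PASSWORD:?set KEYCLOAK_DB_PASSWORD in .env}"
      # Number of dumps retained, and the pause between dumps (any argument
      # accepted by "sleep").
      BACKUP_NUM_KEEP: "7"
      BACKUP_FREQUENCY: 1d
    # "$$" is the compose escape for a literal "$"; the outer bash expands
    # those variables once while reading the unquoted heredoc. The backticks
    # around "date" are backslash-escaped so that the inner bash evaluates
    # them on every iteration rather than once at heredoc time.
    # Retention: list the newest BACKUP_NUM_KEEP files and all files, then
    # "uniq -u" keeps only the names that appear once (the old ones).
    # "xargs -r" skips rm when there is nothing to delete; the original
    # "xargs rm -- {}" ran rm unconditionally and failed on a literal "{}".
    entrypoint: |
      bash -c 'bash -s <<EOF
      trap "break;exit" SIGHUP SIGINT SIGTERM
      sleep 2m
      while /bin/true; do
        pg_dump -Fc > /dump/dump_\`date +%d-%m-%Y"_"%H_%M_%S\`.psql
        (ls -t /dump/dump*.psql|head -n $$BACKUP_NUM_KEEP;ls /dump/dump*.psql)|sort|uniq -u|xargs -r rm --
        sleep $$BACKUP_FREQUENCY
      done
      EOF'
    restart: always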