traefik-SSO.yml

version: '3.7'

networks:
  traefik:
    name: traefik
  keycloak:
    name: keycloak

services:
  traefik:
    image: traefik:latest
    container_name: traefik
    command: 
#      - "--accesslog"
#      - "--accesslog.filepath=/traefik.log"
      - "--logLevel=WARN"
      - "--ping=false"
#      - "--ping.entrypoint=pingport"
      - "--api"
      - "--api.entrypoint=apiport"
      - "--defaultentrypoints=http,https"
      - "--entrypoints=Name:http Address::80 Redirect.EntryPoint:https"
      - "--entrypoints=Name:https Address::443 TLS TLS.SniStrict:true TLS.MinVersion:VersionTLS12 CipherSuites:TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256"
      - "--entrypoints=Name:apiport Address::8080"
#      - "--entrypoints=Name:pingport Address::8081"
      - "--acme"
#      - "--acme.acmelogging" 
      - "--acme.storage=/etc/traefik/acme/acme.json"
      - "--acme.entryPoint=https"
#      - "--acme.TLS-ALPN-01"
      - "--acme.dnsChallenge=true"
      - "--acme.dnsChallenge.provider=godaddy"
      - "--acme.dnsChallenge.delayBeforeCheck=60"
      - "--acme.dnsChallenge.resolvers=1.1.1.1,1.0.0.1"
      - "--acme.onHostRule=true"
      - "--acme.email=${EMAIL}"
      - "--acme.acmeLogging=true"
      - "--acme.domains=${DOMAINNAME},*.${DOMAINNAME},"
      - "--acme.KeyType=RSA4096"
# Let's Encrypt's staging server
#     - "--acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory"
      - "--docker"
#      - "--docker.swarmMode"
      - "--docker.domain=${DOMAINNAME}"
      - "--docker.watch"
      - "--docker.exposedbydefault=false"
      - "--retry"
#      - "--file"
      - "resolvers=[192.168.1.1:53,1.1.1.1:53,]"
    environment:
      TZ: ${TZ}
#      CLOUDFLARE_EMAIL: ${EMAIL}
#      CLOUDFLARE_API_KEY: ${CFKEY}
      GODADDY_API_SECRET: ${GODADDYSECRET}
      GODADDY_API_KEY: ${GODADDYKEY}
    ports:
      - target: 80
        published: 80
      - target: 443
        published: 443
      - target: 8080
        published: 8080
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ${USERDIR}/traefik/acme.json:/etc/traefik/acme/acme.json
#      - ${USERDIR}/traefik/traefik.log:/traefik.log
#      - ${USERDIR}/traefik/file.toml:/file.toml
    networks:
      - traefik
    labels:
      traefik.enable: "true"
      traefik.docker.network: traefik
      traefik.backend: traefik
      traefik.protocol: http
      traefik.port: 8080
      traefik.frontend.rule: Host:traefik.${DOMAINNAME},
      traefik.frontend.auth.forward.address: http://traefik-forward-auth:4181
      traefik.frontend.auth.forward.authResponseHeaders: X-Forwarded-User
      traefik.frontend.auth.forward.trustForwardHeader: "true"
# These are not necessarily required, however recommended. Do not trust auth to be your only means of defense.
# https://www.acunetix.com/blog/articles/a-fresh-look-on-reverse-proxy-related-attacks/
      traefik.frontend.passHostHeader: "true"
      traefik.frontend.headers.SSLForceHost: "true"
      traefik.frontend.headers.SSLHost: traefik.${DOMAINNAME}
      traefik.frontend.headers.SSLRedirect: "true"
      traefik.frontend.headers.browserXSSFilter: "true"
      traefik.frontend.headers.contentTypeNosniff: "true"
      traefik.frontend.headers.forceSTSHeader: "true"
      traefik.frontend.headers.STSSeconds: 315360000
      traefik.frontend.headers.STSIncludeSubdomains: "true"
      traefik.frontend.headers.STSPreload: "true"
      traefik.frontend.headers.customResponseHeaders: X-Robots-Tag:noindex,nofollow,nosnippet,noarchive,notranslate,noimageindex
      traefik.frontend.headers.frameDeny: "true"
      traefik.frontend.headers.customFrameOptionsValue: 'allow-from https:${DOMAINNAME}'
    restart: always

# The auth gate for SSO
# https://geek-cookbook.funkypenguin.co.nz/ha-docker-swarm/traefik-forward-auth/
  traefik-forward-auth:
# thomseddeon's image doesnt support OIDC_ISSUER yet
#    image: thomseddon/traefik-forward-auth
    image: funkypenguin/traefik-forward-auth
    container_name: traefik-forward-auth
    networks:
      traefik:
    environment:
      CLIENT_ID: ${AUTHCLIENTID}
      CLIENT_SECRET: ${AUTHCLIENTSECRET}
# This is based on using the Master realm. Create a new client, this will go into your CLIENT_ID, CLIENT_SECRET details.
      OIDC_ISSUER: https://keycloak.${DOMAINNAME}/auth/realms/master
      SECRET: THISISASECRET
      AUTH_HOST: auth.${DOMAINNAME}
      COOKIE_DOMAINS: ${DOMAINNAME}
# https://github.com/thomseddon/traefik-forward-auth#user-restriction
#      WHITELIST: ${EMAIL}
      COOKIE_SECURE: "true"
      LIFETIME: "2592000" 
    restart: always
    labels:
      traefik.enable: "true"
      traefik.port: 4181
      traefik.frontend.rule: Host:traefik-forward-auth.${DOMAINNAME},
      traefik.backend: traefik-forward-auth
      traefik.docker.network: traefik
      traefik.frontend.auth.forward.address: http://traefik-forward-auth:4181
      traefik.frontend.auth.forward.trustForwardHeader: "true"
      traefik.frontend.auth.forward.authResponseHeaders: X-Forwarded-User
    depends_on:
      - keycloak
      - traefik

# https://www.keycloak.org/documentation.html
# https://www.keycloak.org/docs/latest/getting_started/index.html
# https://hub.docker.com/r/jboss/keycloak/
# https://geek-cookbook.funkypenguin.co.nz/recipes/keycloak/
  keycloak:
    image: jboss/keycloak
    container_name: keycloak
    domainname: ${DOMAINNAME}
#    ports:
#      - "8080:8080"
    networks:
      keycloak:
      traefik:
    volumes:
#      - ${USERDIR}/keycloak/config.json:/config.json
      - /etc/localtime:/etc/localtime:ro
    environment:
      - PUID=1000
      - PGID=1000
# https://geek-cookbook.funkypenguin.co.nz/recipes/keycloak/setup-oidc-provider/
      - KEYCLOAK_USER=${KEYCLOAKUSER}
      - KEYCLOAK_PASSWORD=${KEYCLOAKPASS}
#      - KEYCLOAK_IMPORT=/config.json
      - DB_VENDOR=postgres
      - DB_DATABASE=keycloak
      - DB_ADDR=keycloak-db
      - DB_USER=keycloak
      - DB_PASSWORD=myuberpassword
# This is required to run keycloak behind traefik
      - PROXY_ADDRESS_FORWARDING=true
      - KEYCLOAK_HOSTNAME=keycloak.${DOMAINNAME}
# Tell Postgress what user/password to create
      - POSTGRES_USER=keycloak
      - POSTGRES_PASSWORD=myuberpassword
    labels:
      traefik.enable: "true"
      traefik.docker.network: traefik
      traefik.backend: keycloak
      traefik.frontend.rule: Host:keycloak.${DOMAINNAME}
      traefik.port: 8080
# I tried placing keycloak behind the auth wall and using the internal DNS for the OIDC_ISSUER, it had issues so I removed it. 
    restart: always
    depends_on:
      - keycloak-db

# https://hub.docker.com/_/postgres
  keycloak-db:
    image: postgres
    container_name: keycloak-db
    networks:
      keycloak:
    volumes:
      - ${USERDIR}/keycloak/database:/var/lib/postgresql/data
      - /etc/localtime:/etc/localtime:ro    
    environment:
      - DB_VENDOR=postgres
      - DB_DATABASE=keycloak
      - DB_ADDR=keycloak-db
      - DB_USER=keycloak
      - DB_PASSWORD=myuberpassword
# This is required to run keycloak behind traefik
      - PROXY_ADDRESS_FORWARDING=true
      - KEYCLOAK_HOSTNAME=keycloak.${DOMAINNAME}
# Tell Postgress what user/password to create
      - POSTGRES_USER=keycloak
      - POSTGRES_PASSWORD=myuberpassword
    restart: always

  keycloak-db-backup:
    image: postgres
    container_name: keycloak-db-backup
    networks:
      keycloak:
    volumes:
      - ${USERDIR}/keycloak/database-dump:/dump
      - /etc/localtime:/etc/localtime:ro
    environment:
      - PGHOST=keycloak-db
      - PGUSER=keycloak
      - PGPASSWORD=myuberpassword
      - BACKUP_NUM_KEEP=7
      - BACKUP_FREQUENCY=1d
    entrypoint: |
      bash -c 'bash -s <<EOF
      trap "break;exit" SIGHUP SIGINT SIGTERM
      sleep 2m
      while /bin/true; do
        pg_dump -Fc > /dump/dump_\`date +%d-%m-%Y"_"%H_%M_%S\`.psql
        (ls -t /dump/dump*.psql|head -n $$BACKUP_NUM_KEEP;ls /dump/dump*.psql)|sort|uniq -u|xargs rm -- {} 
        sleep $$BACKUP_FREQUENCY
      done
      EOF'
    restart: always
    depends_on:
      - keycloak-db

#  foo:
#    image: bar
#    container_name: foo
#    networks:
#      traefik:
#    labels:
#      traefik.enable: "true"
#      traefik.backend: foo
#      traefik.frontend.rule: Host:foo.${DOMAINNAME},
#      traefik.port: 80
# Labels needed to use auth on a container
#      traefik.frontend.auth.forward.address: http://traefik-forward-auth:4181
#      traefik.frontend.auth.forward.authResponseHeaders: X-Forwarded-User
#      traefik.frontend.auth.forward.trustForwardHeader: "true"