From f529c996de6f95d12b9e58f7d4861d7968d54b7c Mon Sep 17 00:00:00 2001
From: qnap-mjolnir <56209496+qnap-mjolnir@users.noreply.github.com>
Date: Sat, 5 Oct 2019 21:08:45 -0400
Subject: [PATCH 01/10] Create keycloak.yml keycloak.yml based off Funky Penguin's recipe with updated Traefik 2.0 labels
---
 config/keycloak/keycloak.yml | 59 ++++++++++++++++++++++++++++++++++++
 1 file changed, 59 insertions(+)
 create mode 100644 config/keycloak/keycloak.yml
diff --git a/config/keycloak/keycloak.yml b/config/keycloak/keycloak.yml
new file mode 100644
index 0000000..aecd225
--- /dev/null
+++ b/config/keycloak/keycloak.yml
@@ -0,0 +1,59 @@ +# Keycloak Recipe +# /share/appdata/config/keycloak/keycloak.yml + +version: '3' + +services: + keycloak: + image: jboss/keycloak + env_file: /share/appdata/config/keycloak/keycloak.env + volumes: + - /etc/localtime:/etc/localtime:ro + networks: + - traefik_public + - internal + deploy: + labels: + - "traefik.enable=true" + - "traefik.http.routers.keycloak.entrypoints=https" + - "traefik.http.routers.keycloak.rule=Host(`keycloak.gkoerk.com`)" + - "traefik.http.routers.keycloak.tls.certresolver=cloudflare" + - "traefik.http.services.keycloak.loadbalancer.server.port=8080" + - "traefik.docker.network=traefik_public" + + keycloak-db: + env_file: /share/appdata/config/keycloak/keycloak.env + image: postgres:latest + volumes: + - /share/appdata/keycloak/data:/var/lib/postgresql/data + - /etc/localtime:/etc/localtime:ro + networks: + - internal + + keycloak-db-backup: + image: postgres:latest + env_file: /share/appdata/config/keycloak/postgres.env + volumes: + - /share/appdata/keycloak/database-dump:/dump + - /etc/localtime:/etc/localtime:ro + entrypoint: | + bash -c 'bash -s < /dump/dump_\`date +%d-%m-%Y"_"%H_%M_%S\`.psql + (ls -t /dump/dump*.psql|head -n $$BACKUP_NUM_KEEP;ls /dump/dump*.psql)|sort|uniq -u|xargs rm -- {} + sleep $$BACKUP_FREQUENCY + done + EOF' + networks: + - internal + +networks: + traefik_public: + external: true + internal: + driver: overlay + ipam: + config: + - subnet: 172.16.49.0/24 From b10996236aae8ded8365e00c838d440528cfad26 Mon Sep 17 00:00:00 2001 From: qnap-mjolnir <56209496+qnap-mjolnir@users.noreply.github.com> Date: Sat, 5 Oct 2019 21:15:07 -0400 Subject: [PATCH 02/10] Create keycloak.env --- config/keycloak/keycloak.env | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) create mode 100644 config/keycloak/keycloak.env diff --git a/config/keycloak/keycloak.env b/config/keycloak/keycloak.env new file mode 100644 index 0000000..705f6dc --- /dev/null +++ b/config/keycloak/keycloak.env 
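Review bot: `keycloak-db` reuses the Keycloak `env_file` (`/share/appdata/config/keycloak/keycloak.env`), so the database container is also handed `KEYCLOAK_USER`/`KEYCLOAK_PASSWORD` and the `DB_*` settings the Postgres image does not use; point it at a file holding only the `POSTGRES_*` variables so the admin credential is present in exactly one container. `image: jboss/keycloak` and `image: postgres:latest` are both unpinned, and for a database with a persistent `/var/lib/postgresql/data` volume a routine re-pull can land a new Postgres major that refuses to start on the existing data directory — pin a tag (`postgres:<MAJOR>`, placeholder) and bump it deliberately. In the backup `entrypoint`, `xargs rm -- {}` has no `-I`, so a literal `{}` is passed to `rm` and produces an error on every run; `xargs rm --` is the intended form. That same entrypoint closes with `EOF'` but no `<<EOF` opener or `pg_dump` invocation is visible in this hunk, so the script may have been truncated when the patch was rendered — worth checking against the committed file before relying on the backup job.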
@@ -0,0 +1,18 @@ +# Technically, this could be auto-detected, but we prefer to be prescriptive +DB_VENDOR=postgres +DB_DATABASE=keycloak +DB_ADDR=keycloak-db +DB_USER=keycloak +DB_PASSWORD=password +KEYCLOAK_USER=admin +KEYCLOAK_PASSWORD=password + +# This is required to run keycloak behind traefik +PROXY_ADDRESS_FORWARDING=true + +# What's our hostname? +KEYCLOAK_HOSTNAME=keycloak.gkoerk.com + +# Tell Postgress what user/password to create +POSTGRES_USER=keycloak +POSTGRES_PASSWORD=password From 936714eef3fc2c74eb5032b9db97ce58cd583bc8 Mon Sep 17 00:00:00 2001 From: qnap-mjolnir <56209496+qnap-mjolnir@users.noreply.github.com> Date: Sat, 5 Oct 2019 21:15:46 -0400 Subject: [PATCH 03/10] Create postgres.env --- config/keycloak/postgres.env | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 config/keycloak/postgres.env diff --git a/config/keycloak/postgres.env b/config/keycloak/postgres.env new file mode 100644 index 0000000..8df76a5 --- /dev/null +++ b/config/keycloak/postgres.env @@ -0,0 +1,5 @@ +PGHOST=keycloak-db +PGUSER=keycloak +PGPASSWORD=password +BACKUP_NUM_KEEP=7 +BACKUP_FREQUENCY=1d From 2af28361dfeb33d9b8f12a2250a740762c7a34cc Mon Sep 17 00:00:00 2001 From: qnap-mjolnir <56209496+qnap-mjolnir@users.noreply.github.com> Date: Sat, 5 Oct 2019 21:16:55 -0400 Subject: [PATCH 04/10] Create forward-auth.yaml --- config/keycloak/forward-auth.yaml | 15 +++++++++++++++ 1 file changed, 15 insertions(+) create mode 100644 config/keycloak/forward-auth.yaml diff --git a/config/keycloak/forward-auth.yaml b/config/keycloak/forward-auth.yaml new file mode 100644 index 0000000..25376e9 --- /dev/null +++ b/config/keycloak/forward-auth.yaml 
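Review bot: This file commits working credentials — `DB_PASSWORD=password`, `KEYCLOAK_PASSWORD=password`, `POSTGRES_PASSWORD=password` — and `postgres.env` in the next hunk repeats the same value as `PGPASSWORD=password`, so anyone who deploys the series as-is gets a Keycloak admin account of `admin`/`password` on a router that is published on the `https` entrypoint. Keep real values out of version control (a git-ignored env file or Docker Swarm secrets: the official `postgres` image reads `POSTGRES_PASSWORD_FILE`, and if I recall correctly the `jboss/keycloak` entrypoint honours the same `_FILE` convention for `KEYCLOAK_PASSWORD` and `DB_PASSWORD`) and commit only an example file. At minimum the header comment should say these are placeholders, e.g. `# CHANGE ME: placeholder credentials, replace before first deployment`. `PROXY_ADDRESS_FORWARDING=true` is right behind Traefik, but it makes Keycloak trust `X-Forwarded-*` headers, so the comment above it should note that the `keycloak` service must stay reachable only through Traefik (no published ports), which `keycloak.yml` currently respects.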
@@ -0,0 +1,15 @@ +#UPDATED TRAEFIK DYNAMIC FORWARD-AUTH FILE: + +# Traefik Dynamic Configuration +# Middleware: Forward Auth +# Host Path: /share/appdata/config/traefik/dynamic/forward-auth.yaml +# Internal Path: /etc/traefik/dynamic/forward-auth.yaml + +http: + middlewares: + forward-auth: + forwardAuth: + address: "http://traefik-forward-auth:4181" + trustForwardHeader: true + authResponseHeaders: + - "X-Forwarded-User" From 54f44130ebbda6932749993c5c935acfb8a12219 Mon Sep 17 00:00:00 2001 From: qnap-mjolnir <56209496+qnap-mjolnir@users.noreply.github.com> Date: Sat, 5 Oct 2019 21:19:23 -0400 Subject: [PATCH 05/10] Create traefik-forward-auth.yml --- config/keycloak/traefik-forward-auth.yml | 15 +++++++++++++++ 1 file changed, 15 insertions(+) create mode 100644 config/keycloak/traefik-forward-auth.yml diff --git a/config/keycloak/traefik-forward-auth.yml b/config/keycloak/traefik-forward-auth.yml new file mode 100644 index 0000000..a353d90 --- /dev/null +++ b/config/keycloak/traefik-forward-auth.yml @@ -0,0 +1,15 @@ +#Substitute this container for the forward-auth in original traefik.yml + + traefik-forward-auth: + image: funkypenguin/traefik-forward-auth + env_file: /share/appdata/config/traefik/traefik-forward-auth.env + networks: + - traefik_public + deploy: + labels: + - "traefik.enable=true" + - "traefik.http.routers.auth.entrypoints=https" + - "traefik.http.routers.auth.rule=Host(`auth.gkoerk.com`)" + - "traefik.http.routers.auth.tls.certresolver=cloudflare" + - "traefik.http.routers.auth.middlewares=forward-auth@file" + - "traefik.http.services.auth.loadbalancer.server.port=4181" From 177bf507fad74a9c7e4ba9fb46c99c0b04513d23 Mon Sep 17 00:00:00 2001 From: qnap-mjolnir <56209496+qnap-mjolnir@users.noreply.github.com> Date: Sat, 5 Oct 2019 21:21:35 -0400 Subject: [PATCH 06/10] Create traefik-forward-auth.env --- config/keycloak/traefik-forward-auth.env | 9 +++++++++ 1 file changed, 9 insertions(+) create mode 100644 config/keycloak/traefik-forward-auth.env 
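Review bot: `trustForwardHeader: true` tells the forwardAuth middleware to pass the client-supplied `X-Forwarded-*` headers through to `traefik-forward-auth` rather than stripping them, so when this Traefik is the internet-facing edge a caller can choose the `X-Forwarded-For`/`X-Forwarded-Host` values the auth service sees and logs. Unless a trusted proxy sits in front of Traefik, set it to `false`; if one does, keep it `true` only together with `forwardedHeaders.trustedIPs` on the `https` entrypoint limited to that proxy's addresses, so forwarded headers from anyone else are dropped before the middleware runs. A comment above the option recording which situation applies, e.g. `# true only because <UPSTREAM_PROXY> fronts Traefik; see entryPoints.https.forwardedHeaders.trustedIPs`, would stop the next reader from flipping it blindly.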
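Review bot: `env_file: /share/appdata/config/traefik/traefik-forward-auth.env` (and the `Host Path: /share/appdata/config/traefik/dynamic/forward-auth.yaml` in the previous hunk) both point under `config/traefik/`, while the files this series actually commits live under `config/keycloak/` (`traefik-forward-auth.env`, `forward-auth.yaml`). If `/share/appdata` maps to the repository root the way the `keycloak.yml` header comment implies, the stack will fail on a missing env file and the `forward-auth@file` middleware the `auth` router references will not exist; either move the two files to the named paths or correct the paths, and say in the leading comment which was done. Since this is a fragment starting at service indentation, the first comment could also name the exact insertion point, e.g. `# Fragment: replace the forward-auth service under services: in traefik.yml`.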
diff --git a/config/keycloak/traefik-forward-auth.env b/config/keycloak/traefik-forward-auth.env new file mode 100644 index 0000000..c0f9dd6 --- /dev/null +++ b/config/keycloak/traefik-forward-auth.env @@ -0,0 +1,9 @@ +#Follow FunkyPenguin instructions for how to get the below items from Keycloak. +#NOTE: Traefik-forward-auth will not work until you deploy keycloak and fill in the Client_ID and Client_secret from the OIDC Issuer + +CLIENT_ID=my-traefik-forward-auth +CLIENT_SECRET= +OIDC_ISSUER=https://keycloak.gkoerk.com/auth/realms/master +SECRET= +AUTH_HOST=auth.gkoerk.com +COOKIE_DOMAIN=gkoerk.com From d6c88b9552884cc5cc93410d2a8282861be76fa8 Mon Sep 17 00:00:00 2001 From: qnap-mjolnir <56209496+qnap-mjolnir@users.noreply.github.com> Date: Sat, 5 Oct 2019 21:25:26 -0400 Subject: [PATCH 07/10] Update keycloak.env --- config/keycloak/keycloak.env | 1 + 1 file changed, 1 insertion(+) diff --git a/config/keycloak/keycloak.env b/config/keycloak/keycloak.env index 705f6dc..2cc419d 100644 --- a/config/keycloak/keycloak.env +++ b/config/keycloak/keycloak.env @@ -1,3 +1,4 @@ +#Source: https://geek-cookbook.funkypenguin.co.nz/recipes/keycloak/ # Technically, this could be auto-detected, but we prefer to be prescriptive DB_VENDOR=postgres DB_DATABASE=keycloak From e883d4c91a3054d3bcca4e01f92e9137c40cc37b Mon Sep 17 00:00:00 2001 From: qnap-mjolnir <56209496+qnap-mjolnir@users.noreply.github.com> Date: Sat, 5 Oct 2019 21:26:25 -0400 Subject: [PATCH 08/10] Update traefik-forward-auth.env --- config/keycloak/traefik-forward-auth.env | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/config/keycloak/traefik-forward-auth.env b/config/keycloak/traefik-forward-auth.env index c0f9dd6..552f04f 100644 --- a/config/keycloak/traefik-forward-auth.env +++ b/config/keycloak/traefik-forward-auth.env 
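Review bot: `SECRET=` is committed empty, and that value is what `traefik-forward-auth` uses to sign its session cookie; the NOTE comment only tells the operator to fill in `CLIENT_ID`/`CLIENT_SECRET`, so a deployment that follows it either fails to start (if the option is enforced as required) or, worse, runs with a known signing key and forgeable cookies. Extend the comment to require a random value, e.g. `#SECRET must be a random string, e.g. from: openssl rand -hex 16`. Once `CLIENT_SECRET` and `SECRET` are filled in this file is a credential store, so it belongs in `.gitignore` with an example file committed in its place. `COOKIE_DOMAIN=gkoerk.com` scopes the auth cookie to the whole apex domain, which SSO across subdomains needs but which also hands the cookie to every host under it — a one-line comment would keep it from being widened by accident. The keycloak.env hunk later in this patch is comment-only.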
@@ -1,4 +1,5 @@ -#Follow FunkyPenguin instructions for how to get the below items from Keycloak. +#Follow FunkyPenguin instructions for how to get the below items from Keycloak: +#https://geek-cookbook.funkypenguin.co.nz/recipes/keycloak/setup-oidc-provider/ #NOTE: Traefik-forward-auth will not work until you deploy keycloak and fill in the Client_ID and Client_secret from the OIDC Issuer CLIENT_ID=my-traefik-forward-auth From 90a47a2c99b418312c4509489ced59b1dba75e8e Mon Sep 17 00:00:00 2001 From: qnap-mjolnir <56209496+qnap-mjolnir@users.noreply.github.com> Date: Sat, 5 Oct 2019 21:27:06 -0400 Subject: [PATCH 09/10] Update keycloak.yml --- config/keycloak/keycloak.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/config/keycloak/keycloak.yml b/config/keycloak/keycloak.yml index aecd225..ee9b508 100644 --- a/config/keycloak/keycloak.yml +++ b/config/keycloak/keycloak.yml @@ -1,5 +1,6 @@ # Keycloak Recipe # /share/appdata/config/keycloak/keycloak.yml +# Initial source: https://geek-cookbook.funkypenguin.co.nz/recipes/keycloak/ version: '3' From fce724f9d67089f4f9d2e69563188dcb8c0e05c0 Mon Sep 17 00:00:00 2001 From: qnap-mjolnir <56209496+qnap-mjolnir@users.noreply.github.com> Date: Sat, 5 Oct 2019 21:28:41 -0400 Subject: [PATCH 10/10] Update traefik-forward-auth.yml --- config/keycloak/traefik-forward-auth.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/config/keycloak/traefik-forward-auth.yml b/config/keycloak/traefik-forward-auth.yml index a353d90..754c71f 100644 --- a/config/keycloak/traefik-forward-auth.yml +++ b/config/keycloak/traefik-forward-auth.yml @@ -1,4 +1,6 @@ #Substitute this container for the forward-auth in original traefik.yml +#Source: https://geek-cookbook.funkypenguin.co.nz/ha-docker-swarm/traefik-forward-auth/keycloak/ +#Adapted with Traefik 2.0 labels traefik-forward-auth: image: funkypenguin/traefik-forward-auth