gkoerk · qnap-mjolnir · Oct 6, 2019 · Oct 6, 2019 · Oct 6, 2019 · Oct 6, 2019
diff --git a/config/keycloak/forward-auth.yaml b/config/keycloak/forward-auth.yaml
@@ -0,0 +1,15 @@
+#UPDATED TRAEFIK DYNAMIC FORWARD-AUTH FILE:
+
+# Traefik Dynamic Configuration
+# Middleware: Forward Auth
+# Host Path: /share/appdata/config/traefik/dynamic/forward-auth.yaml
+# Internal Path: /etc/traefik/dynamic/forward-auth.yaml
+
+http:
+  middlewares:
+    forward-auth:
+      forwardAuth:
+        address: "http://traefik-forward-auth:4181"
+        trustForwardHeader: true
+        authResponseHeaders:
+          - "X-Forwarded-User"
diff --git a/config/keycloak/keycloak.env b/config/keycloak/keycloak.env
@@ -0,0 +1,19 @@
+#Source: https://geek-cookbook.funkypenguin.co.nz/recipes/keycloak/
+# Technically, this could be auto-detected, but we prefer to be prescriptive
+DB_VENDOR=postgres
+DB_DATABASE=keycloak
+DB_ADDR=keycloak-db
+DB_USER=keycloak
+DB_PASSWORD=password
+KEYCLOAK_USER=admin
+KEYCLOAK_PASSWORD=password
+
+# This is required to run keycloak behind traefik
+PROXY_ADDRESS_FORWARDING=true
+
+# What's our hostname?
+KEYCLOAK_HOSTNAME=keycloak.gkoerk.com
+
+# Tell Postgress what user/password to create
+POSTGRES_USER=keycloak
+POSTGRES_PASSWORD=password
diff --git a/config/keycloak/keycloak.yml b/config/keycloak/keycloak.yml
@@ -0,0 +1,60 @@
+# Keycloak Recipe
+# /share/appdata/config/keycloak/keycloak.yml
+# Initial source: https://geek-cookbook.funkypenguin.co.nz/recipes/keycloak/
+
+version: '3'
+
+services:
+  keycloak:
+    image: jboss/keycloak
+    env_file: /share/appdata/config/keycloak/keycloak.env
+    volumes:
+      - /etc/localtime:/etc/localtime:ro    
+    networks:
+      - traefik_public
+      - internal
+    deploy:
+      labels:
+        - "traefik.enable=true"
+        - "traefik.http.routers.keycloak.entrypoints=https"
+        - "traefik.http.routers.keycloak.rule=Host(`keycloak.gkoerk.com`)"
+        - "traefik.http.routers.keycloak.tls.certresolver=cloudflare"
+        - "traefik.http.services.keycloak.loadbalancer.server.port=8080"
+        - "traefik.docker.network=traefik_public"
+
+  keycloak-db:
+    env_file: /share/appdata/config/keycloak/keycloak.env
+    image: postgres:latest
+    volumes:
+      - /share/appdata/keycloak/data:/var/lib/postgresql/data
+      - /etc/localtime:/etc/localtime:ro    
+    networks:
+      - internal
+
+  keycloak-db-backup:
+    image: postgres:latest
+    env_file: /share/appdata/config/keycloak/postgres.env
+    volumes:
+      - /share/appdata/keycloak/database-dump:/dump
+      - /etc/localtime:/etc/localtime:ro
+    entrypoint: |
+      bash -c 'bash -s <<EOF
+      trap "break;exit" SIGHUP SIGINT SIGTERM
+      sleep 2m
+      while /bin/true; do
+        pg_dump -Fc > /dump/dump_\`date +%d-%m-%Y"_"%H_%M_%S\`.psql
+        (ls -t /dump/dump*.psql|head -n $$BACKUP_NUM_KEEP;ls /dump/dump*.psql)|sort|uniq -u|xargs rm -- {}
+        sleep $$BACKUP_FREQUENCY
+      done
+      EOF'
+    networks:
+      - internal
+
+networks:
+  traefik_public:
+    external: true
+  internal:
+    driver: overlay
+    ipam:
+      config:
+        - subnet: 172.16.49.0/24
diff --git a/config/keycloak/postgres.env b/config/keycloak/postgres.env
@@ -0,0 +1,5 @@
+PGHOST=keycloak-db
+PGUSER=keycloak
+PGPASSWORD=password
+BACKUP_NUM_KEEP=7
+BACKUP_FREQUENCY=1d
diff --git a/config/keycloak/traefik-forward-auth.env b/config/keycloak/traefik-forward-auth.env
@@ -0,0 +1,10 @@
+#Follow FunkyPenguin instructions for how to get the below items from Keycloak: 
+#https://geek-cookbook.funkypenguin.co.nz/recipes/keycloak/setup-oidc-provider/
+#NOTE: Traefik-forward-auth will not work until you deploy keycloak and fill in the Client_ID and Client_secret from the OIDC Issuer
+
+CLIENT_ID=my-traefik-forward-auth
+CLIENT_SECRET=<secret>
+OIDC_ISSUER=https://keycloak.gkoerk.com/auth/realms/master
+SECRET=<secret>
+AUTH_HOST=auth.gkoerk.com
+COOKIE_DOMAIN=gkoerk.com
diff --git a/config/keycloak/traefik-forward-auth.yml b/config/keycloak/traefik-forward-auth.yml
@@ -0,0 +1,17 @@
+#Substitute this container for the forward-auth in original traefik.yml
+#Source: https://geek-cookbook.funkypenguin.co.nz/ha-docker-swarm/traefik-forward-auth/keycloak/ 
+#Adapted with Traefik 2.0 labels
+
+  traefik-forward-auth:
+    image: funkypenguin/traefik-forward-auth
+    env_file: /share/appdata/config/traefik/traefik-forward-auth.env
+    networks:
+      - traefik_public
+    deploy:
+      labels:
+        - "traefik.enable=true"
+        - "traefik.http.routers.auth.entrypoints=https"
+        - "traefik.http.routers.auth.rule=Host(`auth.gkoerk.com`)"
+        - "traefik.http.routers.auth.tls.certresolver=cloudflare"
+        - "traefik.http.routers.auth.middlewares=forward-auth@file"
+        - "traefik.http.services.auth.loadbalancer.server.port=4181"