Merge branch 'chore/keycloak-config' into hotfix/0.2.1

2025-04-25 00:01:52 +02:00 · 2025-04-25 00:01:52 +02:00 · 026194367e
commit 026194367e
parent 28367e9c94 a2ec9ef738
2 changed files with 29 additions and 4 deletions
--- a/compose.production.yml
+++ b/compose.production.yml
@ -42,28 +42,54 @@ services:
        networks:
            - dwengo-1

+    keycloak-db:
+        image: postgres:latest
+        ports:
+            - '5442:5432'  # Port numbers 10 higher than normal postgres ports
+        restart: unless-stopped
+        volumes:
+            - dwengo_postgres_keycloak:/var/lib/postgresql/keycloak
+        environment:
+            POSTGRES_USER: keycloak
+            POSTGRES_PASSWORD: ChangeMe
+            POSTGRES_DB: keycloak
+
+        networks:
+            - dwengo-1
+
    idp:
        extends:
            file: ./compose.yml
            service: idp
        # TODO Replace with proper production command
-        command: ['start-dev', '--http-port', '7080', '--https-port', '7443', '--import-realm']
+        command: ['start', '--http-port', '7080', '--https-port', '7443', '--import-realm']
        networks:
            - dwengo-1
+        depends_on:
+            - keycloak-db
        labels:
            - 'traefik.enable=true'
            - 'traefik.http.routers.idp.rule=PathPrefix(`/idp`)'
            - 'traefik.http.services.idp.loadbalancer.server.port=7080'
            - 'traefik.http.routers.block-admin.rule=PathPrefix(`/idp/admin`)'
            - 'traefik.http.routers.block-admin.service=web'
+            - "traefik.tcp.routers.idp.tls.passthrough=true"  # Keycloak expects TLS in production mode, so it can't be terminated by the reverse proxy
+        volumes:
+            - /etc/keycloak:/keycloak
        env_file:
            - ./config/idp/.env
        environment:
            KC_HOSTNAME: 'sel2-1.ugent.be'
            PROXY_ADDRESS_FORWARDING: 'true'
            KC_PROXY_HEADERS: 'xforwarded'
-            KC_HTTP_ENABLED: 'true'
            KC_HTTP_RELATIVE_PATH: '/idp'
+            KC_HTTPS_CERTIFICATE_FILE: '/keycloak/cert.pem'
+            KC_HTTPS_CERTIFICATE_KEY_FILE: '/keycloak/key.pem'
+            KC_HTTP_MAX_QUEUED_REQUESTS: 30  # Prevent overload situations by limiting number of requests
+            KC_DB: 'postgres'
+            KC_DB_USERNAME: 'keycloak'
+            KC_DB_PASSWORD: 'ChangeMe'
+            KC_DB_URL: 'jdbc:postgresql://keycloak-db:5432/keycloak'

    reverse-proxy:
        image: traefik:v3.3
@ -123,6 +149,7 @@ volumes:
    dwengo_grafana_data:
    dwengo_letsencrypt:
    dwengo_loki_data:
+    dwengo_postgres_keycloak:

 networks:
    dwengo-1:
--- a/compose.yml
+++ b/compose.yml
@ -25,8 +25,6 @@ services:
        restart: unless-stopped
        volumes:
            - ./config/idp:/opt/keycloak/data/import
-        depends_on:
-            - db
        environment:
            KC_HOSTNAME: localhost
            KC_HOSTNAME_PORT: 7080