
7 Commits

21 changed files with 169 additions and 0 deletions

15
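--- a/.env-sample
+++ b/.env-sample
@@ -0,0 +1,15 @@
+###
+# PostgreSQL
+#
+POSTGRES_DB=keycloak
+POSTGRES_USER=keycloak
+POSTGRES_PASSWORD=put-your-DB-password-here
+###
+# Keycloak
+#
+KEYCLOAK_HOSTNAME=acceso.txs.es
+KEYCLOAK_USER=admin
+KEYCLOAK_PASSWORD=put-your-Keycloak-admin-password-here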
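Review bot: The placeholder values `put-your-DB-password-here` and `put-your-Keycloak-admin-password-here` are ordinary strings as far as docker-compose is concerned, so a copy of this file renamed to `.env` without editing starts the stack with those literal credentials. A header comment would make the expected workflow explicit, e.g. `# Copy this file to .env (gitignored) and replace every put-your-...-here placeholder before the first start.` It would also help to note beside `KEYCLOAK_USER=admin` that docker-compose.yaml passes this value as `KEYCLOAK_ADMIN`, the bootstrap administrator account.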

12
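--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1,12 @@
+## Ignore delicate files which may contain sensitive information
+/.env
+/certbot/conf/accounts/*
+/certbot/conf/archive/acceso.txs.es/*
+/certbot/conf/csr/*
+/certbot/conf/keys/*
+/certbot/conf/live/acceso.txs.es/*
+/certbot/conf/renewal/*.conf
+!/**/.gitkeep
+!/**/README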
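Review bot: The rules that keep private key material out of the repository, `/certbot/conf/archive/acceso.txs.es/*` and `/certbot/conf/live/acceso.txs.es/*`, are tied to a single certificate name, so anything certbot issues under a different lineage directory would be committed by default. The wildcarded forms `/certbot/conf/archive/*/*` and `/certbot/conf/live/*/*` cover every lineage; they match the files rather than the directories, which is what keeps the existing `!/**/README` negation effective (git cannot re-include a file whose parent directory is excluded).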


3
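--- a/certbot/conf/cli.ini
+++ b/certbot/conf/cli.ini
@@ -0,0 +1,3 @@
+# Because we are using logrotate for greater flexibility, disable the
+# internal certbot logrotation.
+max-log-backups = 0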



14
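--- a/certbot/conf/live/README
+++ b/certbot/conf/live/README
@@ -0,0 +1,14 @@
+This directory contains your keys and certificates.
+`[cert name]/privkey.pem` : the private key for your certificate.
+`[cert name]/fullchain.pem`: the certificate file used in most server software.
+`[cert name]/chain.pem` : used for OCSP stapling in Nginx >=1.3.7.
+`[cert name]/cert.pem` : will break many server configurations, and should not be used
+without reading further documentation (see link below).
+WARNING: DO NOT MOVE OR RENAME THESE FILES!
+Certbot expects these files to remain in this location in order
+to function properly!
+We recommend not moving these files. For more information, see the Certbot
+User Guide at https://certbot.eff.org/docs/using.html#where-are-my-certificates.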


@ -0,0 +1,14 @@
This directory contains your keys and certificates.
`privkey.pem` : the private key for your certificate.
`fullchain.pem`: the certificate file used in most server software.
`chain.pem` : used for OCSP stapling in Nginx >=1.3.7.
`cert.pem` : will break many server configurations, and should not be used
without reading further documentation (see link below).
WARNING: DO NOT MOVE OR RENAME THESE FILES!
Certbot expects these files to remain in this location in order
to function properly!
We recommend not moving these files. For more information, see the Certbot
User Guide at https://certbot.eff.org/docs/using.html#where-are-my-certificates.




@ -0,0 +1,16 @@
# renew_before_expiry = 30 days
version = 1.30.0
archive_dir = /etc/letsencrypt/archive/acceso.txs.es
cert = /etc/letsencrypt/live/acceso.txs.es/cert.pem
privkey = /etc/letsencrypt/live/acceso.txs.es/privkey.pem
chain = /etc/letsencrypt/live/acceso.txs.es/chain.pem
fullchain = /etc/letsencrypt/live/acceso.txs.es/fullchain.pem
# Options used in the renewal process
[renewalparams]
account = put-your-certbot-account-ID-here
authenticator = webroot
webroot_path = /acme,
server = https://acme-v02.api.letsencrypt.org/directory
key_type = rsa
[[webroot_map]]

0
certbot/log/.gitkeep Normal file

0
certbot/var/.gitkeep Normal file

57
docker-compose.yaml Normal file

@ -0,0 +1,57 @@
version: '3.3'
networks:
keycloak_network:
services:
nginx_proxy:
image: nginx:1.22.0
container_name: keycloak_nginx_proxy
restart: unless-stopped
networks:
- keycloak_network
volumes:
- /opt/nginx-proxy/nginx.conf:/etc/nginx/nginx.conf
- /opt/nginx-proxy/acme:/acme:ro
- /opt/nginx-proxy/certs:/certs:ro
ports:
- 80:80
- 443:443
postgres:
image: postgres:14.5
container_name: keycloak_postgresql
restart: unless-stopped
networks:
- keycloak_network
volumes:
- /opt/volumes/postgres/data:/var/lib/postgresql/data
- /etc/localtime:/etc/localtime:ro
environment:
- POSTGRES_DB=${POSTGRES_DB}
- POSTGRES_USER=${POSTGRES_USER}
- POSTGRES_PASSWORD=${POSTGRES_PASSWORD}
keycloak:
image: quay.io/keycloak/keycloak:19.0.1
container_name: keycloak
restart: unless-stopped
networks:
- keycloak_network
depends_on:
- nginx_proxy
- postgres
command: start --optimized --hostname=${KEYCLOAK_HOSTNAME} --proxy=edge --hostname-strict-https=false
volumes:
- /etc/localtime:/etc/localtime:ro
environment:
- PROXY_ADDRESS_FORWARDING=true # Important for reverse proxy
- KEYCLOAK_ADMIN=${KEYCLOAK_USER}
- KEYCLOAK_ADMIN_PASSWORD=${KEYCLOAK_PASSWORD}
- DB_VENDOR=POSTGRES
- DB_ADDR=postgres
- DB_SCHEMA=public
- DB_DATABASE=${POSTGRES_DB}
- DB_USER=${POSTGRES_USER}
- DB_PASSWORD=${POSTGRES_PASSWORD}
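Review bot: The `DB_VENDOR`, `DB_ADDR`, `DB_SCHEMA`, `DB_DATABASE`, `DB_USER` and `DB_PASSWORD` entries in the keycloak service's environment are the pre-Quarkus (WildFly-era) variable names, which the quay.io/keycloak/keycloak:19.0.1 image does not read, so as written the server will not talk to the postgres service at all; Keycloak 17+ expects `KC_DB`, `KC_DB_URL_HOST`, `KC_DB_URL_DATABASE`, `KC_DB_SCHEMA`, `KC_DB_USERNAME` and `KC_DB_PASSWORD`. `KC_DB` is a build-time option, so with `start --optimized` it only takes effect in an image that was built with `kc.sh build --db=postgres`; without that step the server, as far as I can tell, stays on its embedded dev-file store and realm data lives only inside the container, which the startup log's database line will confirm either way. `PROXY_ADDRESS_FORWARDING=true` is likewise a legacy name that `--proxy=edge` on the command line already replaces. Separately, `${POSTGRES_PASSWORD}` and `${KEYCLOAK_PASSWORD}` expand to an empty string when `.env` is absent, so the `${VAR:?message}` form would make the stack fail fast instead of starting with empty credentials.
```yaml
  keycloak:
    # … unchanged: image, container_name, restart, networks, depends_on, command, volumes …
    environment:
      - KEYCLOAK_ADMIN=${KEYCLOAK_USER:?set KEYCLOAK_USER in .env}
      - KEYCLOAK_ADMIN_PASSWORD=${KEYCLOAK_PASSWORD:?set KEYCLOAK_PASSWORD in .env}
      # KC_DB is a build-time option: bake it in with `kc.sh build --db=postgres`
      # in the image used with `start --optimized`.
      - KC_DB=postgres
      - KC_DB_URL_HOST=postgres
      - KC_DB_URL_DATABASE=${POSTGRES_DB:?set POSTGRES_DB in .env}
      - KC_DB_SCHEMA=public
      - KC_DB_USERNAME=${POSTGRES_USER:?set POSTGRES_USER in .env}
      - KC_DB_PASSWORD=${POSTGRES_PASSWORD:?set POSTGRES_PASSWORD in .env}
```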

0
keycloak/.gitkeep Normal file



38
nginx-proxy/nginx.conf Normal file

@ -0,0 +1,38 @@
events {
}
http {
server {
listen 80;
server_name _;
location /.well-known/acme-challenge {
root /acme;
try_files $uri $uri/ =404;
}
location / {
return 301 https://$host$request_uri;
}
}
server {
listen 443 ssl;
server_name _;
include /etc/nginx/mime.types;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_certificate /certs/keycloak-cert.pem;
ssl_certificate_key /certs/keycloak-key.pem;
proxy_set_header X-Forwarded-For $proxy_protocol_addr; # To forward the original client's IP address
proxy_set_header X-Forwarded-Proto $scheme; # To forward the original protocol (HTTP or HTTPS)
proxy_set_header Host $host; # To forward the original host requested by the client
location / {
proxy_pass http://keycloak:8080; # 'keycloak' refers to Keycloak's container name in docker-compose
}
}
}
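Review bot: `proxy_set_header X-Forwarded-For $proxy_protocol_addr;` in the 443 server block sends an empty header, because `$proxy_protocol_addr` is only populated when the `listen` directive enables `proxy_protocol`, which `listen 443 ssl;` does not; Keycloak, started with `--proxy=edge`, therefore records no client address in its event log and its brute-force detection cannot distinguish clients. `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` (or `$remote_addr` if no upstream proxy is ever expected) fixes this and makes the accompanying comment accurate.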

0
volumes/.gitkeep Normal file