Fichero de ejemplo para la parametrización de docker-compose

.env-sample

@@ -0,0 +1,15 @@
+###
+# PostgreSQL
+#
+
+POSTGRES_DB=keycloak
+POSTGRES_USER=keycloak
+POSTGRES_PASSWORD=put-your-DB-password-here
+
+###
+# Keycloak
+#
+
+KEYCLOAK_HOSTNAME=acceso.txs.es
+KEYCLOAK_USER=admin
+KEYCLOAK_PASSWORD=put-your-Keycloak-admin-password-here

.gitignore

@@ -0,0 +1,12 @@
+## Ignore delicate files which may contain sensitive information
+
+/.env
+/certbot/conf/accounts/*
+/certbot/conf/archive/acceso.txs.es/*
+/certbot/conf/csr/*
+/certbot/conf/keys/*
+/certbot/conf/live/acceso.txs.es/*
+/certbot/conf/renewal/*.conf
+
+!/**/.gitkeep
+!/**/README

certbot/conf/cli.ini

@@ -0,0 +1,3 @@
+# Because we are using logrotate for greater flexibility, disable the
+# internal certbot logrotation.
+max-log-backups = 0

certbot/conf/live/README

@@ -0,0 +1,14 @@
+This directory contains your keys and certificates.
+
+`[cert name]/privkey.pem`  : the private key for your certificate.
+`[cert name]/fullchain.pem`: the certificate file used in most server software.
+`[cert name]/chain.pem`    : used for OCSP stapling in Nginx >=1.3.7.
+`[cert name]/cert.pem`     : will break many server configurations, and should not be used
+                 without reading further documentation (see link below).
+
+WARNING: DO NOT MOVE OR RENAME THESE FILES!
+         Certbot expects these files to remain in this location in order
+         to function properly!
+
+We recommend not moving these files. For more information, see the Certbot
+User Guide at https://certbot.eff.org/docs/using.html#where-are-my-certificates.

certbot/conf/live/acceso.txs.es/README

@@ -0,0 +1,14 @@
+This directory contains your keys and certificates.
+
+`privkey.pem`  : the private key for your certificate.
+`fullchain.pem`: the certificate file used in most server software.
+`chain.pem`    : used for OCSP stapling in Nginx >=1.3.7.
+`cert.pem`     : will break many server configurations, and should not be used
+                 without reading further documentation (see link below).
+
+WARNING: DO NOT MOVE OR RENAME THESE FILES!
+         Certbot expects these files to remain in this location in order
+         to function properly!
+
+We recommend not moving these files. For more information, see the Certbot
+User Guide at https://certbot.eff.org/docs/using.html#where-are-my-certificates.

certbot/conf/renewal/acceso.txs.es.conf-sample

@@ -0,0 +1,16 @@
+# renew_before_expiry = 30 days
+version = 1.30.0
+archive_dir = /etc/letsencrypt/archive/acceso.txs.es
+cert = /etc/letsencrypt/live/acceso.txs.es/cert.pem
+privkey = /etc/letsencrypt/live/acceso.txs.es/privkey.pem
+chain = /etc/letsencrypt/live/acceso.txs.es/chain.pem
+fullchain = /etc/letsencrypt/live/acceso.txs.es/fullchain.pem
+
+# Options used in the renewal process
+[renewalparams]
+account = put-your-certbot-account-ID-here
+authenticator = webroot
+webroot_path = /acme,
+server = https://acme-v02.api.letsencrypt.org/directory
+key_type = rsa
+[[webroot_map]]

docker-compose.yaml

@@ -0,0 +1,57 @@
+version: '3.3'
+
+networks:
+  keycloak_network:
+
+services:
+  nginx_proxy:
+    image: nginx:1.22.0
+    container_name: keycloak_nginx_proxy
+    restart: unless-stopped
+    networks:
+      - keycloak_network
+    volumes:
+      - /opt/nginx-proxy/nginx.conf:/etc/nginx/nginx.conf
+      - /opt/nginx-proxy/acme:/acme:ro
+      - /opt/nginx-proxy/certs:/certs:ro
+    ports:
+      - 80:80
+      - 443:443
+
+  postgres:
+    image: postgres:14.5
+    container_name: keycloak_postgresql
+    restart: unless-stopped
+    networks:
+      - keycloak_network
+    volumes:
+      - /opt/volumes/postgres/data:/var/lib/postgresql/data
+      - /etc/localtime:/etc/localtime:ro
+    environment:
+      - POSTGRES_DB=${POSTGRES_DB}
+      - POSTGRES_USER=${POSTGRES_USER}
+      - POSTGRES_PASSWORD=${POSTGRES_PASSWORD}
+
+  keycloak:
+    image: quay.io/keycloak/keycloak:19.0.1
+    container_name: keycloak
+    restart: unless-stopped
+    networks:
+      - keycloak_network
+    depends_on:
+      - nginx_proxy
+      - postgres
+    command: start --optimized --hostname=${KEYCLOAK_HOSTNAME} --proxy=edge --hostname-strict-https=false
+    volumes:
+      - /etc/localtime:/etc/localtime:ro
+    environment:
+      - PROXY_ADDRESS_FORWARDING=true           # Important for reverse proxy
+      - KEYCLOAK_ADMIN=${KEYCLOAK_USER}
+      - KEYCLOAK_ADMIN_PASSWORD=${KEYCLOAK_PASSWORD}
+      - DB_VENDOR=POSTGRES
+      - DB_ADDR=postgres
+      - DB_SCHEMA=public
+      - DB_DATABASE=${POSTGRES_DB}
+      - DB_USER=${POSTGRES_USER}
+      - DB_PASSWORD=${POSTGRES_PASSWORD}
+

nginx-proxy/nginx.conf

@@ -0,0 +1,38 @@
+events {
+}
+
+http {
+
+  server {
+    listen 80;
+    server_name _;
+
+    location /.well-known/acme-challenge {
+      root /acme;
+      try_files $uri $uri/ =404;
+    }
+
+    location / {
+      return 301 https://$host$request_uri;
+    }
+  }
+
+  server {
+    listen 443 ssl;
+    server_name _;
+
+    include       /etc/nginx/mime.types;
+
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_certificate     /certs/keycloak-cert.pem;
+    ssl_certificate_key /certs/keycloak-key.pem;
+
+    proxy_set_header X-Forwarded-For $proxy_protocol_addr; # To forward the original client's IP address
+    proxy_set_header X-Forwarded-Proto $scheme;            # To forward the  original protocol (HTTP or HTTPS)
+    proxy_set_header Host $host;                           # To forward the original host requested by the client
+
+    location / {
+      proxy_pass http://keycloak:8080;       # 'keycloak' refers to Keycloak's container name in docker-compose
+    }
+  }
+}