switch to postgres

.drone.yml

@@ -3,12 +3,10 @@ kind: pipeline
 name: deploy to swarm-test.autonomic.zone
 steps:
   - name: deployment
-    image: git.coopcloud.tech/coop-cloud/stack-ssh-deploy:latest
+    image: decentral1se/stack-ssh-deploy:latest
     settings:
       host: swarm-test.autonomic.zone
       stack: keycloak
-      networks:
-       - proxy
       generate_secrets: true
       purge: true
       deploy_key:
@@ -25,17 +23,11 @@ trigger:
     - master
 ---
 kind: pipeline
-name: generate recipe catalogue
+name: recipe release
 steps:
   - name: release a new version
-    image: plugins/downstream
+    image: thecoopcloud/drone-abra:latest
     settings:
-      server: https://build.coopcloud.tech
+      command: recipe keycloak release
-      token:
+      deploy_key:
-        from_secret: drone_abra-bot_token
+        from_secret: abra_bot_deploy_key
-      fork: true
-      repositories:
-        - toolshed/auto-recipes-catalogue-json
-
-trigger:
-  event: tag

.env.sample

@@ -6,13 +6,7 @@ DOMAIN=keycloak.example.com
 LETS_ENCRYPT_ENV=production
 
 ADMIN_USERNAME=admin
-WELCOME_THEME=keycloak
-
-COMPOSE_FILE="compose.yml"
 
 SECRET_DB_ROOT_PASSWORD_VERSION=v1
 SECRET_DB_PASSWORD_VERSION=v1
 SECRET_ADMIN_PASSWORD_VERSION=v1
-
-# Enable persistent theme volume, if you want to apply a custom theme
-#COMPOSE_FILE="$COMPOSE_FILE:compose.theme.yml"

README.md

@@ -20,24 +20,10 @@
 1. Set up Docker Swarm and [`abra`][abra]
 2. Deploy [`coop-cloud/traefik`][cc-traefik]
 3. `abra app new keycloak --secrets` (optionally with `--pass` if you'd like
-   to save secrets in `pass`). Make sure to note the `admin_password` which is needed for initial setup.
+   to save secrets in `pass`)
-4. `abra app config YOURAPPDOMAIN` - be sure to change `$DOMAIN` to something that resolves to
+4. `abra app YOURAPPDOMAIN config` - be sure to change `$DOMAIN` to something that resolves to
    your Docker swarm box
-5. `abra app deploy YOURAPPDOMAIN`
+5. `abra app YOURAPPDOMAIN deploy`
-
-## Replacing the temporary admin user
-
-When you first deploy Keycloak, you will login in as a temporary admin user with the username "admin" and a random password generated in step 3 above. You need to create a real admin user and delete the temp admin user, because the temp admin user has no 2FA and its password is stored in plain text on the server, which is insecure. Here's how to create the real admin user:
-
-1. Click "Users" then "Add user"
-2. For "required user actions", I recommend setting "Configure OTP" and "Update Password" to ensure 2FA is enabled.
-3. Set a username, then click "Create"
-5. Go to the "Role Mapping" tab and click "Assign role"
-6. Change the filter from "Filter by clients" to "Filter by realm roles". Select the box for "role_admin" and click "Assign". This makes the user become an admin.
-7. Go to the "Credentials" tab. Click "Set password". Set it to something random and save it for the next step. Leave "Temporary" enabled so the user has to change the password on first login.
-8. If this is an admin account for you, then log out and back in as the new admin user and complete the password change and OTP steps. If this is an admin account for someone else, securely send the initial username and password to the user. They must complete the password change and OTP setup when they first log in.
-
-Once at least one real admin user is set up, you should then delete the temporary "admin" user.
 
 ## How do I setup a custom theme?
 
@@ -49,16 +35,6 @@ Check [this approach](https://git.autonomic.zone/ruangrupa/login.lumbung.space).
 - Create the user and set a temporary password
 - Under the `Role Mappings` tab, move `admin` from `Available Roles` into `Assigned Roles`
 
-## What do I do if I lost my admin account credentials?
-
-You can create a new admin account like this:
-
-```
-abra app run <domain> app -- bash -c '/opt/keycloak/bin/kc.sh bootstrap-admin user --db-password $(cat /run/secrets/db_password)'
-```
-
-Make sure to delete the temp-admin user after you finish recovering.
-
 ## How do I configure Keycloak login for..
 
 - [Nextcloud][nextcloud]

compose.mariadb.yml

@@ -0,0 +1,81 @@
+---
+version: "3.8"
+
+services:
+  app:
+    image: "jboss/keycloak:16.1.1"
+    networks:
+      - proxy
+      - internal
+    secrets:
+      - admin_password
+      - db_password
+    environment:
+      - DB_ADDR=db
+      - JBDC_PARAMS="useSSL=false"
+      - DB_DATABASE=keycloak
+      - DB_PASSWORD_FILE=/run/secrets/db_password
+      - DB_USER=keycloak
+      - DB_VENDOR=mariadb
+      - KEYCLOAK_PASSWORD_FILE=/run/secrets/admin_password
+      - KEYCLOAK_USER=${ADMIN_USERNAME}
+      - PROXY_ADDRESS_FORWARDING=true
+    healthcheck:
+      test: ["CMD", "curl", "-f", "http://localhost:8080"]
+      interval: 30s
+      timeout: 10s
+      retries: 10
+      start_period: 1m
+    volumes:
+      - "themes:/opt/jboss/keycloak/themes"
+    depends_on:
+      - mariadb
+    deploy:
+      update_config:
+        failure_action: rollback
+        order: start-first
+      labels:
+        - "traefik.enable=true"
+        - "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=8080"
+        - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`${EXTRA_DOMAINS})"
+        - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
+        - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
+        - "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect"
+        - "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLForceHost=true"
+        - "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLHost=${DOMAIN}"
+        - "coop-cloud.${STACK_NAME}.version=4.0.1+16.1.1"
+
+  db:
+    image: "mariadb:10.8"
+    environment:
+      - MYSQL_DATABASE=keycloak
+      - MYSQL_USER=keycloak
+      - MYSQL_PASSWORD_FILE=/run/secrets/db_password
+      - MYSQL_ROOT_PASSWORD_FILE=/run/secrets/db_root_password
+    secrets:
+      - db_password
+      - db_root_password
+    volumes:
+      - "mariadb:/var/lib/mysql"
+    networks:
+      - internal
+
+networks:
+  internal:
+  proxy:
+    external: true
+
+secrets:
+  admin_password:
+    name: ${STACK_NAME}_admin_password_${SECRET_ADMIN_PASSWORD_VERSION}
+    external: true
+  db_password:
+    name: ${STACK_NAME}_db_password_${SECRET_DB_PASSWORD_VERSION}
+    external: true
+  db_root_password:
+    name: ${STACK_NAME}_db_root_password_${SECRET_DB_ROOT_PASSWORD_VERSION}
+    external: true
+
+volumes:
+  mariadb:
+  themes:

compose.theme.yml

@@ -1,10 +0,0 @@
----
-version: "3.8"
-
-services:
-  app:
-    volumes:
-      - "themes:/opt/keycloak/themes"
-
-volumes:
-  themes:

compose.yml

@@ -3,9 +3,7 @@ version: "3.8"
 
 services:
   app:
-    image: "keycloak/keycloak:26.3.1"
+    image: "jboss/keycloak:16.1.1"
-    entrypoint: >
-      bash -c "KEYCLOAK_ADMIN_PASSWORD=\"$$(cat /run/secrets/admin_password)\" KC_DB_PASSWORD=\"$$(cat /run/secrets/db_password)\" /opt/keycloak/bin/kc.sh start"
     networks:
       - proxy
       - internal
@@ -13,26 +11,23 @@ services:
       - admin_password
       - db_password
     environment:
-      - KC_DB=mariadb
+      - DB_ADDR=db
-      - KC_DB_URL_DATABASE=keycloak
+      - JBDC_PARAMS="useSSL=false"
-      - KC_DB_URL_HOST=db
+      - DB_DATABASE=keycloak
-      - KC_HOSTNAME=https://${DOMAIN}
+      - DB_PASSWORD_FILE=/run/secrets/db_password
-      - KC_PROXY=edge
+      - DB_USER=keycloak
-      - KC_SPI_CONNECTIONS_JPA_LEGACY_MIGRATION_STRATEGY=update
+      - DB_VENDOR=postgres
-      - KEYCLOAK_ADMIN=${ADMIN_USERNAME}
+      - KEYCLOAK_PASSWORD_FILE=/run/secrets/admin_password
-      - KEYCLOAK_WELCOME_THEME=${WELCOME_THEME}
+      - KEYCLOAK_USER=${ADMIN_USERNAME}
-      - KC_PROXY_HEADERS=xforwarded
+      - PROXY_ADDRESS_FORWARDING=true
-      - KC_HTTP_ENABLED=true
+    healthcheck:
-    # NOTE(3wc): disabled due to missing curl binary, see
+      test: ["CMD", "curl", "-f", "http://localhost:8080"]
-    #   https://git.coopcloud.tech/coop-cloud/keycloak/issues/15
+      interval: 30s
-    # healthcheck:
+      timeout: 10s
-    #   test: ["CMD", "curl", "-f", "http://localhost:8080"]
+      retries: 10
-    #   interval: 30s
+      start_period: 1m
-    #   timeout: 10s
-    #   retries: 10
-    #   start_period: 1m
     volumes:
-      - "providers:/opt/keycloak/providers"
+      - "themes:/opt/jboss/keycloak/themes"
     depends_on:
       - mariadb
     deploy:
@@ -46,36 +41,27 @@ services:
         - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
         - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
         - "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect"
-        - "traefik.http.middlewares.${STACK_NAME}-redirect.redirectscheme.scheme=https"
+        - "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLForceHost=true"
-        - "traefik.http.middlewares.${STACK_NAME}-redirect.redirectscheme.permanent=true"
+        - "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLHost=${DOMAIN}"
-        - "caddy=${DOMAIN}"
+        - "coop-cloud.${STACK_NAME}.version=4.0.1+16.1.1"
-        - "caddy.reverse_proxy={{upstreams 8080}}"
+
-        - "caddy.tls.on_demand="
-        - "coop-cloud.${STACK_NAME}.version=10.4.0+26.3.1"
 
   db:
-    image: "mariadb:11.8"
+    image: postgres:11
-    environment:
+    networks:
-      - MYSQL_DATABASE=keycloak
+      - backend
-      - MYSQL_USER=keycloak
+    secrets:
-      - MYSQL_PASSWORD_FILE=/run/secrets/db_password
+      - db_password
-      - MYSQL_ROOT_PASSWORD_FILE=/run/secrets/db_root_password
+    environment:
+      POSTGRES_DB: keycloak
+      POSTGRES_USER: keycloak
+      POSTGRES_PASSWORD_FILE: /run/secrets/db_password
     secrets:
       - db_password
-      - db_root_password
     volumes:
-      - "mariadb:/var/lib/mysql"
+      - "postgres_data:/var/lib/postgresql/data"
     networks:
       - internal
-    deploy:
-      labels:
-        backupbot.backup: "true"
-        backupbot.backup.path: "/tmp/dump.sql.gz"
-        backupbot.backup.post-hook: "rm -f /tmp/dump.sql.gz"
-        backupbot.backup.pre-hook: "sh -c 'mariadb-dump -u root -p\"$$(cat /run/secrets/db_root_password)\" keycloak | gzip > /tmp/dump.sql.gz'"
-        backupbot.restore.pre-hook: "sh -c 'cd /tmp && gzip -d dump.sql.gz'"
-        backupbot.restore: "true"
-        backupbot.restore.post-hook: "sh -c 'mariadb -u root -p\"$$(cat /run/secrets/db_root_password)\" keycloak < /tmp/dump.sql && rm -f /tmp/dump.sql'"
 
 networks:
   internal:
@@ -95,4 +81,5 @@ secrets:
 
 volumes:
   mariadb:
-  providers:
+  themes:
+  postgres_data:

release/5.0.0+20.0.1

@@ -1,9 +0,0 @@
-You'll need to remove `/auth/` from your app SSO URLs, e.g.
-
-    https://foo.example.com/auth/realms/foo/protocol/openid-connect/auth
-
-Would become:
-
-    https://foo.example.com/realms/foo/protocol/openid-connect/auth
-
--- decentral1se @ Autonomic

release/6.0.0+21.0.2

@@ -1,2 +0,0 @@
-Healthchecks are disabled, see
-https://git.coopcloud.tech/coop-cloud/keycloak/issues/15

release/7.2.0+22.0.5

@@ -1,5 +0,0 @@
-A persistent volume for themes is now optional, and not enabled by default.
-
-If you are using a custom theme, consult the recipe `.env.sample` to see the new
-variables you need to add. You can use `abra app check ...` to verify that
-they've been added correctly.