switch to postgres

[ci skip]

README.md

@@ -6,12 +6,12 @@
 
 <!-- metadata -->
 * **Category**: Apps
-* **Status**: ❷💛
-* **Image**: [`jboss/keycloak`](https://hub.docker.com/r/jboss/keycloak), ❶💚, upstream
+* **Status**: 2, beta
+* **Image**: [`jboss/keycloak`](https://hub.docker.com/r/jboss/keycloak), 4, upstream
 * **Healthcheck**: Yes
 * **Backups**: ?
-* **Email**: ❸🍎
-* **Tests**: ❷💛
+* **Email**: 1
+* **Tests**: 2
 * **SSO**: N/A
 <!-- endmetadata -->
 
@@ -25,5 +25,22 @@
    your Docker swarm box
 5. `abra app YOURAPPDOMAIN deploy`
 
+## How do I setup a custom theme?
+
+Check [this approach](https://git.autonomic.zone/ruangrupa/login.lumbung.space).
+
+## How do I create another admin user?
+
+- Under the `Master` realm > `Users` > `Add user`
+- Create the user and set a temporary password
+- Under the `Role Mappings` tab, move `admin` from `Available Roles` into `Assigned Roles`
+
+## How do I configure Keycloak login for..
+
+- [Nextcloud][nextcloud]
+- [Peertube][peertube]
+
+[nextcloud]: https://git.coopcloud.tech/coop-cloud/nextcloud
+[peertube]: https://git.coopcloud.tech/coop-cloud/peertube
 [abra]: https://git.autonomic.zone/autonomic-cooperative/abra
 [cc-traefik]: https://git.autonomic.zone/coop-cloud/traefik

compose.mariadb.yml

@@ -0,0 +1,81 @@
+---
+version: "3.8"
+
+services:
+  app:
+    image: "jboss/keycloak:16.1.1"
+    networks:
+      - proxy
+      - internal
+    secrets:
+      - admin_password
+      - db_password
+    environment:
+      - DB_ADDR=db
+      - JBDC_PARAMS="useSSL=false"
+      - DB_DATABASE=keycloak
+      - DB_PASSWORD_FILE=/run/secrets/db_password
+      - DB_USER=keycloak
+      - DB_VENDOR=mariadb
+      - KEYCLOAK_PASSWORD_FILE=/run/secrets/admin_password
+      - KEYCLOAK_USER=${ADMIN_USERNAME}
+      - PROXY_ADDRESS_FORWARDING=true
+    healthcheck:
+      test: ["CMD", "curl", "-f", "http://localhost:8080"]
+      interval: 30s
+      timeout: 10s
+      retries: 10
+      start_period: 1m
+    volumes:
+      - "themes:/opt/jboss/keycloak/themes"
+    depends_on:
+      - mariadb
+    deploy:
+      update_config:
+        failure_action: rollback
+        order: start-first
+      labels:
+        - "traefik.enable=true"
+        - "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=8080"
+        - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`${EXTRA_DOMAINS})"
+        - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
+        - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
+        - "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect"
+        - "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLForceHost=true"
+        - "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLHost=${DOMAIN}"
+        - "coop-cloud.${STACK_NAME}.version=4.0.1+16.1.1"
+
+  db:
+    image: "mariadb:10.8"
+    environment:
+      - MYSQL_DATABASE=keycloak
+      - MYSQL_USER=keycloak
+      - MYSQL_PASSWORD_FILE=/run/secrets/db_password
+      - MYSQL_ROOT_PASSWORD_FILE=/run/secrets/db_root_password
+    secrets:
+      - db_password
+      - db_root_password
+    volumes:
+      - "mariadb:/var/lib/mysql"
+    networks:
+      - internal
+
+networks:
+  internal:
+  proxy:
+    external: true
+
+secrets:
+  admin_password:
+    name: ${STACK_NAME}_admin_password_${SECRET_ADMIN_PASSWORD_VERSION}
+    external: true
+  db_password:
+    name: ${STACK_NAME}_db_password_${SECRET_DB_PASSWORD_VERSION}
+    external: true
+  db_root_password:
+    name: ${STACK_NAME}_db_root_password_${SECRET_DB_ROOT_PASSWORD_VERSION}
+    external: true
+
+volumes:
+  mariadb:
+  themes:

compose.yml

@@ -3,7 +3,7 @@ version: "3.8"
 
 services:
   app:
-    image: "jboss/keycloak:14.0.0"
+    image: "jboss/keycloak:16.1.1"
     networks:
       - proxy
       - internal
@@ -12,10 +12,11 @@ services:
       - db_password
     environment:
       - DB_ADDR=db
+      - JBDC_PARAMS="useSSL=false"
       - DB_DATABASE=keycloak
       - DB_PASSWORD_FILE=/run/secrets/db_password
       - DB_USER=keycloak
-      - DB_VENDOR=mariadb
+      - DB_VENDOR=postgres
       - KEYCLOAK_PASSWORD_FILE=/run/secrets/admin_password
       - KEYCLOAK_USER=${ADMIN_USERNAME}
       - PROXY_ADDRESS_FORWARDING=true
@@ -25,6 +26,8 @@ services:
       timeout: 10s
       retries: 10
       start_period: 1m
+    volumes:
+      - "themes:/opt/jboss/keycloak/themes"
     depends_on:
       - mariadb
     deploy:
@@ -40,20 +43,23 @@ services:
         - "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect"
         - "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLForceHost=true"
         - "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLHost=${DOMAIN}"
-        - "coop-cloud.${STACK_NAME}.version=2.0.0+14.0.0"
+        - "coop-cloud.${STACK_NAME}.version=4.0.1+16.1.1"
+
 
   db:
-    image: "mariadb:10.6"
-    environment:
-      - MYSQL_DATABASE=keycloak
-      - MYSQL_USER=keycloak
-      - MYSQL_PASSWORD_FILE=/run/secrets/db_password
-      - MYSQL_ROOT_PASSWORD_FILE=/run/secrets/db_root_password
+    image: postgres:11
+    networks:
+      - backend
+    secrets:
+      - db_password
+    environment:
+      POSTGRES_DB: keycloak
+      POSTGRES_USER: keycloak
+      POSTGRES_PASSWORD_FILE: /run/secrets/db_password
     secrets:
       - db_password
-      - db_root_password
     volumes:
-      - "mariadb:/var/lib/mysql"
+      - "postgres_data:/var/lib/postgresql/data"
     networks:
       - internal
 
@@ -75,3 +81,5 @@ secrets:
 
 volumes:
   mariadb:
+  themes:
+  postgres_data:

release/4.0.0+16.1.0

@@ -0,0 +1,12 @@
+This major release comes with a blog post about a CVE:
+
+    https://www.keycloak.org/2021/12/cve.html
+
+Not all versions are affected but they're suggesting that people upgrade soon.
+
+As per usual, this upgrade didn't go too smoothly and I ended up having to
+undeploy and deploy the new versions. The healtcheck kept failing on the new
+instance when trying to deploy alongside the existing old version. Idk, some
+docker weirdness.
+
+No app data errors discovered after upgrade.