Merge pull request 'Add docs for initial admin user setup' (#20) from docs-n-deprecations into master

Reviewed-on: #20

.drone.yml

@@ -3,10 +3,12 @@ kind: pipeline
 name: deploy to swarm-test.autonomic.zone
 steps:
   - name: deployment
-    image: decentral1se/stack-ssh-deploy:latest
+    image: git.coopcloud.tech/coop-cloud/stack-ssh-deploy:latest
     settings:
       host: swarm-test.autonomic.zone
       stack: keycloak
+      networks:
+       - proxy
       generate_secrets: true
       purge: true
       deploy_key:
@@ -23,11 +25,17 @@ trigger:
     - master
 ---
 kind: pipeline
-name: recipe release
+name: generate recipe catalogue
 steps:
   - name: release a new version
-    image: thecoopcloud/drone-abra:latest
+    image: plugins/downstream
     settings:
-      command: recipe keycloak release
-      deploy_key:
-        from_secret: abra_bot_deploy_key
+      server: https://build.coopcloud.tech
+      token:
+        from_secret: drone_abra-bot_token
+      fork: true
+      repositories:
+        - toolshed/auto-recipes-catalogue-json
+
+trigger:
+  event: tag

.env.sample

@@ -6,7 +6,13 @@ DOMAIN=keycloak.example.com
 LETS_ENCRYPT_ENV=production
 
 ADMIN_USERNAME=admin
+WELCOME_THEME=keycloak
+
+COMPOSE_FILE="compose.yml"
 
 SECRET_DB_ROOT_PASSWORD_VERSION=v1
 SECRET_DB_PASSWORD_VERSION=v1
 SECRET_ADMIN_PASSWORD_VERSION=v1
+
+# Enable persistent theme volume, if you want to apply a custom theme
+#COMPOSE_FILE="$COMPOSE_FILE:compose.theme.yml"

README.md

@@ -6,12 +6,12 @@
 
 <!-- metadata -->
 * **Category**: Apps
-* **Status**: ❷💛
-* **Image**: [`jboss/keycloak`](https://hub.docker.com/r/jboss/keycloak), ❶💚, upstream
+* **Status**: 2, beta
+* **Image**: [`jboss/keycloak`](https://hub.docker.com/r/jboss/keycloak), 4, upstream
 * **Healthcheck**: Yes
 * **Backups**: ?
-* **Email**: ❸🍎
-* **Tests**: ❷💛
+* **Email**: 1
+* **Tests**: 2
 * **SSO**: N/A
 <!-- endmetadata -->
 
@@ -20,10 +20,51 @@
 1. Set up Docker Swarm and [`abra`][abra]
 2. Deploy [`coop-cloud/traefik`][cc-traefik]
 3. `abra app new keycloak --secrets` (optionally with `--pass` if you'd like
-   to save secrets in `pass`)
-4. `abra app YOURAPPDOMAIN config` - be sure to change `$DOMAIN` to something that resolves to
+   to save secrets in `pass`). Make sure to note the `admin_password` which is needed for initial setup.
+4. `abra app config YOURAPPDOMAIN` - be sure to change `$DOMAIN` to something that resolves to
    your Docker swarm box
-5. `abra app YOURAPPDOMAIN deploy`
+5. `abra app deploy YOURAPPDOMAIN`
 
+## Replacing the temporary admin user
+
+When you first deploy Keycloak, you will login in as a temporary admin user with the username "admin" and a random password generated in step 3 above. You need to create a real admin user and delete the temp admin user, because the temp admin user has no 2FA and its password is stored in plain text on the server, which is insecure. Here's how to create the real admin user:
+
+1. Click "Users" then "Add user"
+2. For "required user actions", I recommend setting "Configure OTP" and "Update Password" to ensure 2FA is enabled.
+3. Set a username, then click "Create"
+5. Go to the "Role Mapping" tab and click "Assign role"
+6. Change the filter from "Filter by clients" to "Filter by realm roles". Select the box for "role_admin" and click "Assign". This makes the user become an admin.
+7. Go to the "Credentials" tab. Click "Set password". Set it to something random and save it for the next step. Leave "Temporary" enabled so the user has to change the password on first login.
+8. If this is an admin account for you, then log out and back in as the new admin user and complete the password change and OTP steps. If this is an admin account for someone else, securely send the initial username and password to the user. They must complete the password change and OTP setup when they first log in.
+
+Once at least one real admin user is set up, you should then delete the temporary "admin" user.
+
+## How do I setup a custom theme?
+
+Check [this approach](https://git.autonomic.zone/ruangrupa/login.lumbung.space).
+
+## How do I create another admin user?
+
+- Under the `Master` realm > `Users` > `Add user`
+- Create the user and set a temporary password
+- Under the `Role Mappings` tab, move `admin` from `Available Roles` into `Assigned Roles`
+
+## What do I do if I lost my admin account credentials?
+
+You can create a new admin account like this:
+
+```
+abra app run <domain> app -- bash -c '/opt/keycloak/bin/kc.sh bootstrap-admin user --db-password $(cat /run/secrets/db_password)'
+```
+
+Make sure to delete the temp-admin user after you finish recovering.
+
+## How do I configure Keycloak login for..
+
+- [Nextcloud][nextcloud]
+- [Peertube][peertube]
+
+[nextcloud]: https://git.coopcloud.tech/coop-cloud/nextcloud
+[peertube]: https://git.coopcloud.tech/coop-cloud/peertube
 [abra]: https://git.autonomic.zone/autonomic-cooperative/abra
 [cc-traefik]: https://git.autonomic.zone/coop-cloud/traefik

compose.theme.yml

@@ -0,0 +1,10 @@
+---
+version: "3.8"
+
+services:
+  app:
+    volumes:
+      - "themes:/opt/keycloak/themes"
+
+volumes:
+  themes:

compose.yml

@@ -3,7 +3,9 @@ version: "3.8"
 
 services:
   app:
-    image: "jboss/keycloak:15.0.2"
+    image: "keycloak/keycloak:26.2.5"
+    entrypoint: >
+      bash -c "KEYCLOAK_ADMIN_PASSWORD=\"$$(cat /run/secrets/admin_password)\" KC_DB_PASSWORD=\"$$(cat /run/secrets/db_password)\" /opt/keycloak/bin/kc.sh start"
     networks:
       - proxy
       - internal
@@ -11,20 +13,26 @@ services:
       - admin_password
       - db_password
     environment:
-      - DB_ADDR=db
-      - DB_DATABASE=keycloak
-      - DB_PASSWORD_FILE=/run/secrets/db_password
-      - DB_USER=keycloak
-      - DB_VENDOR=mariadb
-      - KEYCLOAK_PASSWORD_FILE=/run/secrets/admin_password
-      - KEYCLOAK_USER=${ADMIN_USERNAME}
-      - PROXY_ADDRESS_FORWARDING=true
-    healthcheck:
-      test: ["CMD", "curl", "-f", "http://localhost:8080"]
-      interval: 30s
-      timeout: 10s
-      retries: 10
-      start_period: 1m
+      - KC_DB=mariadb
+      - KC_DB_URL_DATABASE=keycloak
+      - KC_DB_URL_HOST=db
+      - KC_HOSTNAME=https://${DOMAIN}
+      - KC_PROXY=edge
+      - KC_SPI_CONNECTIONS_JPA_LEGACY_MIGRATION_STRATEGY=update
+      - KEYCLOAK_ADMIN=${ADMIN_USERNAME}
+      - KEYCLOAK_WELCOME_THEME=${WELCOME_THEME}
+      - KC_PROXY_HEADERS=xforwarded
+      - KC_HTTP_ENABLED=true
+    # NOTE(3wc): disabled due to missing curl binary, see
+    #   https://git.coopcloud.tech/coop-cloud/keycloak/issues/15
+    # healthcheck:
+    #   test: ["CMD", "curl", "-f", "http://localhost:8080"]
+    #   interval: 30s
+    #   timeout: 10s
+    #   retries: 10
+    #   start_period: 1m
+    volumes:
+      - "providers:/opt/keycloak/providers"
     depends_on:
       - mariadb
     deploy:
@@ -38,12 +46,15 @@ services:
         - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
         - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
         - "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect"
-        - "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLForceHost=true"
-        - "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLHost=${DOMAIN}"
-        - "coop-cloud.${STACK_NAME}.version=3.0.0+15.0.2"
+        - "traefik.http.middlewares.${STACK_NAME}-redirect.redirectscheme.scheme=https"
+        - "traefik.http.middlewares.${STACK_NAME}-redirect.redirectscheme.permanent=true"
+        - "caddy=${DOMAIN}"
+        - "caddy.reverse_proxy={{upstreams 8080}}"
+        - "caddy.tls.on_demand="
+        - "coop-cloud.${STACK_NAME}.version=10.3.1+26.2.5"
 
   db:
-    image: "mariadb:10.6"
+    image: "mariadb:11.7"
     environment:
       - MYSQL_DATABASE=keycloak
       - MYSQL_USER=keycloak
@@ -56,6 +67,15 @@ services:
       - "mariadb:/var/lib/mysql"
     networks:
       - internal
+    deploy:
+      labels:
+        backupbot.backup: "true"
+        backupbot.backup.path: "/tmp/dump.sql.gz"
+        backupbot.backup.post-hook: "rm -f /tmp/dump.sql.gz"
+        backupbot.backup.pre-hook: "sh -c 'mariadb-dump -u root -p\"$$(cat /run/secrets/db_root_password)\" keycloak | gzip > /tmp/dump.sql.gz'"
+        backupbot.restore.pre-hook: "sh -c 'cd /tmp && gzip -d dump.sql.gz'"
+        backupbot.restore: "true"
+        backupbot.restore.post-hook: "sh -c 'mariadb -u root -p\"$$(cat /run/secrets/db_root_password)\" keycloak < /tmp/dump.sql && rm -f /tmp/dump.sql'"
 
 networks:
   internal:
@@ -75,3 +95,4 @@ secrets:
 
 volumes:
   mariadb:
+  providers:

release/4.0.0+16.1.0

@@ -0,0 +1,12 @@
+This major release comes with a blog post about a CVE:
+
+    https://www.keycloak.org/2021/12/cve.html
+
+Not all versions are affected but they're suggesting that people upgrade soon.
+
+As per usual, this upgrade didn't go too smoothly and I ended up having to
+undeploy and deploy the new versions. The healtcheck kept failing on the new
+instance when trying to deploy alongside the existing old version. Idk, some
+docker weirdness.
+
+No app data errors discovered after upgrade.

release/5.0.0+20.0.1

@@ -0,0 +1,9 @@
+You'll need to remove `/auth/` from your app SSO URLs, e.g.
+
+    https://foo.example.com/auth/realms/foo/protocol/openid-connect/auth
+
+Would become:
+
+    https://foo.example.com/realms/foo/protocol/openid-connect/auth
+
+-- decentral1se @ Autonomic

release/6.0.0+21.0.2

@@ -0,0 +1,2 @@
+Healthchecks are disabled, see
+https://git.coopcloud.tech/coop-cloud/keycloak/issues/15

release/7.2.0+22.0.5

@@ -0,0 +1,5 @@
+A persistent volume for themes is now optional, and not enabled by default.
+
+If you are using a custom theme, consult the recipe `.env.sample` to see the new
+variables you need to add. You can use `abra app check ...` to verify that
+they've been added correctly.