Merge pull request 'Add docs for initial admin user setup' (#20) from docs-n-deprecations into master

Reviewed-on: #20

.drone.yml

@@ -35,7 +35,7 @@ steps:
         from_secret: drone_abra-bot_token
       fork: true
       repositories:
-        - coop-cloud/auto-recipes-catalogue-json
+        - toolshed/auto-recipes-catalogue-json
 
 trigger:
   event: tag

.env.sample

@@ -8,6 +8,11 @@ LETS_ENCRYPT_ENV=production
 ADMIN_USERNAME=admin
 WELCOME_THEME=keycloak
 
+COMPOSE_FILE="compose.yml"
+
 SECRET_DB_ROOT_PASSWORD_VERSION=v1
 SECRET_DB_PASSWORD_VERSION=v1
 SECRET_ADMIN_PASSWORD_VERSION=v1
+
+# Enable persistent theme volume, if you want to apply a custom theme
+#COMPOSE_FILE="$COMPOSE_FILE:compose.theme.yml"

README.md

@@ -20,11 +20,25 @@
 1. Set up Docker Swarm and [`abra`][abra]
 2. Deploy [`coop-cloud/traefik`][cc-traefik]
 3. `abra app new keycloak --secrets` (optionally with `--pass` if you'd like
-   to save secrets in `pass`)
+   to save secrets in `pass`). Make sure to note the `admin_password` which is needed for initial setup.
 4. `abra app config YOURAPPDOMAIN` - be sure to change `$DOMAIN` to something that resolves to
    your Docker swarm box
 5. `abra app deploy YOURAPPDOMAIN`
 
+## Replacing the temporary admin user
+
+When you first deploy Keycloak, you will login in as a temporary admin user with the username "admin" and a random password generated in step 3 above. You need to create a real admin user and delete the temp admin user, because the temp admin user has no 2FA and its password is stored in plain text on the server, which is insecure. Here's how to create the real admin user:
+
+1. Click "Users" then "Add user"
+2. For "required user actions", I recommend setting "Configure OTP" and "Update Password" to ensure 2FA is enabled.
+3. Set a username, then click "Create"
+5. Go to the "Role Mapping" tab and click "Assign role"
+6. Change the filter from "Filter by clients" to "Filter by realm roles". Select the box for "role_admin" and click "Assign". This makes the user become an admin.
+7. Go to the "Credentials" tab. Click "Set password". Set it to something random and save it for the next step. Leave "Temporary" enabled so the user has to change the password on first login.
+8. If this is an admin account for you, then log out and back in as the new admin user and complete the password change and OTP steps. If this is an admin account for someone else, securely send the initial username and password to the user. They must complete the password change and OTP setup when they first log in.
+
+Once at least one real admin user is set up, you should then delete the temporary "admin" user.
+
 ## How do I setup a custom theme?
 
 Check [this approach](https://git.autonomic.zone/ruangrupa/login.lumbung.space).
@@ -35,6 +49,16 @@ Check [this approach](https://git.autonomic.zone/ruangrupa/login.lumbung.space).
 - Create the user and set a temporary password
 - Under the `Role Mappings` tab, move `admin` from `Available Roles` into `Assigned Roles`
 
+## What do I do if I lost my admin account credentials?
+
+You can create a new admin account like this:
+
+```
+abra app run <domain> app -- bash -c '/opt/keycloak/bin/kc.sh bootstrap-admin user --db-password $(cat /run/secrets/db_password)'
+```
+
+Make sure to delete the temp-admin user after you finish recovering.
+
 ## How do I configure Keycloak login for..
 
 - [Nextcloud][nextcloud]

compose.theme.yml

@@ -0,0 +1,10 @@
+---
+version: "3.8"
+
+services:
+  app:
+    volumes:
+      - "themes:/opt/keycloak/themes"
+
+volumes:
+  themes:

compose.yml

@@ -3,7 +3,7 @@ version: "3.8"
 
 services:
   app:
-    image: "keycloak/keycloak:22.0.4"
+    image: "keycloak/keycloak:26.2.5"
     entrypoint: >
       bash -c "KEYCLOAK_ADMIN_PASSWORD=\"$$(cat /run/secrets/admin_password)\" KC_DB_PASSWORD=\"$$(cat /run/secrets/db_password)\" /opt/keycloak/bin/kc.sh start"
     networks:
@@ -16,11 +16,13 @@ services:
       - KC_DB=mariadb
       - KC_DB_URL_DATABASE=keycloak
       - KC_DB_URL_HOST=db
-      - KC_HOSTNAME=${DOMAIN}
+      - KC_HOSTNAME=https://${DOMAIN}
       - KC_PROXY=edge
       - KC_SPI_CONNECTIONS_JPA_LEGACY_MIGRATION_STRATEGY=update
       - KEYCLOAK_ADMIN=${ADMIN_USERNAME}
       - KEYCLOAK_WELCOME_THEME=${WELCOME_THEME}
+      - KC_PROXY_HEADERS=xforwarded
+      - KC_HTTP_ENABLED=true
     # NOTE(3wc): disabled due to missing curl binary, see
     #   https://git.coopcloud.tech/coop-cloud/keycloak/issues/15
     # healthcheck:
@@ -30,7 +32,7 @@ services:
     #   retries: 10
     #   start_period: 1m
     volumes:
-      - "themes:/opt/keycloak/themes"
+      - "providers:/opt/keycloak/providers"
     depends_on:
       - mariadb
     deploy:
@@ -44,12 +46,15 @@ services:
         - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
         - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
         - "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect"
-        - "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLForceHost=true"
-        - "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLHost=${DOMAIN}"
-        - "coop-cloud.${STACK_NAME}.version=7.0.1+22.0.4"
+        - "traefik.http.middlewares.${STACK_NAME}-redirect.redirectscheme.scheme=https"
+        - "traefik.http.middlewares.${STACK_NAME}-redirect.redirectscheme.permanent=true"
+        - "caddy=${DOMAIN}"
+        - "caddy.reverse_proxy={{upstreams 8080}}"
+        - "caddy.tls.on_demand="
+        - "coop-cloud.${STACK_NAME}.version=10.3.1+26.2.5"
 
   db:
-    image: "mariadb:10.11"
+    image: "mariadb:11.7"
     environment:
       - MYSQL_DATABASE=keycloak
       - MYSQL_USER=keycloak
@@ -67,10 +72,10 @@ services:
         backupbot.backup: "true"
         backupbot.backup.path: "/tmp/dump.sql.gz"
         backupbot.backup.post-hook: "rm -f /tmp/dump.sql.gz"
-        backupbot.backup.pre-hook: "sh -c 'mysqldump -u root -p\"$$(cat /run/secrets/db_root_password)\" keycloak | gzip > /tmp/dump.sql.gz'"
-        backupbot.restore.pre-hook: "sh -c 'cd /tmp && gzip -d dump.sql.gz'" 
+        backupbot.backup.pre-hook: "sh -c 'mariadb-dump -u root -p\"$$(cat /run/secrets/db_root_password)\" keycloak | gzip > /tmp/dump.sql.gz'"
+        backupbot.restore.pre-hook: "sh -c 'cd /tmp && gzip -d dump.sql.gz'"
         backupbot.restore: "true"
-        backupbot.restore.post-hook: "sh -c 'mysql -u root -p\"$$(cat /run/secrets/db_root_password)\" keycloak < /tmp/dump.sql && rm -f /tmp/dump.sql'"
+        backupbot.restore.post-hook: "sh -c 'mariadb -u root -p\"$$(cat /run/secrets/db_root_password)\" keycloak < /tmp/dump.sql && rm -f /tmp/dump.sql'"
 
 networks:
   internal:
@@ -90,4 +95,4 @@ secrets:
 
 volumes:
   mariadb:
-  themes:
+  providers:

release/7.2.0+22.0.5

@@ -0,0 +1,5 @@
+A persistent volume for themes is now optional, and not enabled by default.
+
+If you are using a custom theme, consult the recipe `.env.sample` to see the new
+variables you need to add. You can use `abra app check ...` to verify that
+they've been added correctly.