keycloak/compose.yml

---
version: "3.8"

services:
  app:
    image: "keycloak/keycloak:23.0.6"
    entrypoint: >
      bash -c "KEYCLOAK_ADMIN_PASSWORD=\"$$(cat /run/secrets/admin_password)\" KC_DB_PASSWORD=\"$$(cat /run/secrets/db_password)\" /opt/keycloak/bin/kc.sh start"      
    networks:
      - proxy
      - internal
    secrets:
      - admin_password
      - db_password
    environment:
      - KC_DB=mariadb
      - KC_DB_URL_DATABASE=keycloak
      - KC_DB_URL_HOST=db
      - KC_HOSTNAME=${DOMAIN}
      - KC_PROXY=edge
      - KC_SPI_CONNECTIONS_JPA_LEGACY_MIGRATION_STRATEGY=update
      - KEYCLOAK_ADMIN=${ADMIN_USERNAME}
      - KEYCLOAK_WELCOME_THEME=${WELCOME_THEME}
    # NOTE(3wc): disabled due to missing curl binary, see
    #   https://git.coopcloud.tech/coop-cloud/keycloak/issues/15
    # healthcheck:
    #   test: ["CMD", "curl", "-f", "http://localhost:8080"]
    #   interval: 30s
    #   timeout: 10s
    #   retries: 10
    #   start_period: 1m
    volumes:
      - "providers:/opt/keycloak/providers"
    depends_on:
      - mariadb
    deploy:
      update_config:
        failure_action: rollback
        order: start-first
      labels:
        - "traefik.enable=true"
        - "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=8080"
        - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`${EXTRA_DOMAINS})"
        - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
        - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
        - "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect"
        - "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLForceHost=true"
        - "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLHost=${DOMAIN}"
        - "coop-cloud.${STACK_NAME}.version=8.0.1+23.0.6"

  db:
    image: "mariadb:11.2"
    environment:
      - MYSQL_DATABASE=keycloak
      - MYSQL_USER=keycloak
      - MYSQL_PASSWORD_FILE=/run/secrets/db_password
      - MYSQL_ROOT_PASSWORD_FILE=/run/secrets/db_root_password
    secrets:
      - db_password
      - db_root_password
    volumes:
      - "mariadb:/var/lib/mysql"
    networks:
      - internal
    deploy:
      labels:
        backupbot.backup: "true"
        backupbot.backup.path: "/tmp/dump.sql.gz"
        backupbot.backup.post-hook: "rm -f /tmp/dump.sql.gz"
        backupbot.backup.pre-hook: "sh -c 'mysqldump -u root -p\"$$(cat /run/secrets/db_root_password)\" keycloak | gzip > /tmp/dump.sql.gz'"
        backupbot.restore.pre-hook: "sh -c 'cd /tmp && gzip -d dump.sql.gz'" 
        backupbot.restore: "true"
        backupbot.restore.post-hook: "sh -c 'mysql -u root -p\"$$(cat /run/secrets/db_root_password)\" keycloak < /tmp/dump.sql && rm -f /tmp/dump.sql'"

networks:
  internal:
  proxy:
    external: true

secrets:
  admin_password:
    name: ${STACK_NAME}_admin_password_${SECRET_ADMIN_PASSWORD_VERSION}
    external: true
  db_password:
    name: ${STACK_NAME}_db_password_${SECRET_DB_PASSWORD_VERSION}
    external: true
  db_root_password:
    name: ${STACK_NAME}_db_root_password_${SECRET_DB_ROOT_PASSWORD_VERSION}
    external: true

volumes:
  mariadb:
  providers: