---
version: "3.8"

# WARNING: Requires your own Keycloak and is a work-around for the server pro
#          restrictions for SSO integration. This is experimental. Please speak
#          to washnote.com folks if you need support, it is being used there.

services:
  app:
    configs:
      - source: pam_exec_oauth2_yaml
        target: /opt/pam-exec-oauth2/pam-exec-oauth2.yaml
        mode: 0600
      - source: pam_script_auth_sh
        target: /usr/share/libpam-script/pam_script_auth
        mode: 0555
    environment:
      - KEYCLOAK_ENABLED
      - KEYCLOAK_CLIENT_ID
      - KEYCLOAK_TOKEN_URL
    secrets:
      - keycloak_client_secret

configs:
  pam_exec_oauth2_yaml:
    name: ${STACK_NAME}_pam_exec_oauth2_yaml_${PAM_EXEC_OAUTH2_YAML_VERSION}
    file: pam-exec-oauth2.yaml.tmpl
    template_driver: golang
  pam_script_auth_sh:
    name: ${STACK_NAME}_pam_script_auth_sh_${PAM_SCRIPT_AUTH_VERSION}
    file: pam_script_auth.sh

secrets:
  keycloak_client_secret:
    name: ${STACK_NAME}_keycloak_client_secret_${SECRET_KEYCLOAK_CLIENT_SECRET_VERSION}
    external: true