keycloak bump version

Re: coop-cloud/recipes-catalogue-json#4

.drone.yml

@@ -1,33 +0,0 @@
----
-kind: pipeline
-name: deploy to swarm-test.autonomic.zone
-steps:
-  - name: deployment
-    image: decentral1se/stack-ssh-deploy:latest
-    settings:
-      host: swarm-test.autonomic.zone
-      stack: keycloak
-      generate_secrets: true
-      purge: true
-      deploy_key:
-        from_secret: drone_ssh_swarm_test
-    environment:
-      DOMAIN: keycloak.swarm-test.autonomic.zone
-      STACK_NAME: keycloak
-      LETS_ENCRYPT_ENV: production
-      SECRET_ADMIN_PASSWORD_VERSION: v1
-      SECRET_DB_PASSWORD_VERSION: v1
-      SECRET_DB_ROOT_PASSWORD_VERSION: v1
-trigger:
-  branch:
-    - master
----
-kind: pipeline
-name: recipe release
-steps:
-  - name: release a new version
-    image: thecoopcloud/drone-abra:latest
-    settings:
-      command: recipe keycloak release
-      deploy_key:
-        from_secret: abra_bot_deploy_key

.env.sample

@@ -1,12 +0,0 @@
-TYPE=keycloak
-
-DOMAIN=keycloak.example.com
-## Domain aliases
-#EXTRA_DOMAINS=', `www.keycloak.example.com`'
-LETS_ENCRYPT_ENV=production
-
-ADMIN_USERNAME=admin
-
-SECRET_DB_ROOT_PASSWORD_VERSION=v1
-SECRET_DB_PASSWORD_VERSION=v1
-SECRET_ADMIN_PASSWORD_VERSION=v1

.gitignore

@@ -0,0 +1 @@
+.env

README.md

@@ -1,46 +1,24 @@
-# keycloak
+# Keycloak
 
-[![Build Status](https://drone.autonomic.zone/api/badges/coop-cloud/keycloak/status.svg)](https://drone.autonomic.zone/coop-cloud/keycloak)
+Wiki Cafe's configuration for a Keycloak deployment. Originally slimmed down from an `abra` [recipe](https://git.coopcloud.tech/coop-cloud/keycloak) by [Co-op Cloud](https://coopcloud.tech/).
 
-[Keycloak](https://www.keycloak.org) + Coöp Cloud.
 
-<!-- metadata -->
-* **Category**: Apps
-* **Status**: 2, beta
-* **Image**: [`jboss/keycloak`](https://hub.docker.com/r/jboss/keycloak), 4, upstream
-* **Healthcheck**: Yes
-* **Backups**: ?
-* **Email**: 1
-* **Tests**: 2
-* **SSO**: N/A
-<!-- endmetadata -->
+## Deploying the app with Docker Swarm
 
-## Basic usage
+Set the environment variables from the .env file during the shell session.
 
-1. Set up Docker Swarm and [`abra`][abra]
-2. Deploy [`coop-cloud/traefik`][cc-traefik]
-3. `abra app new keycloak --secrets` (optionally with `--pass` if you'd like
-   to save secrets in `pass`)
-4. `abra app YOURAPPDOMAIN config` - be sure to change `$DOMAIN` to something that resolves to
-   your Docker swarm box
-5. `abra app YOURAPPDOMAIN deploy`
+```
+set -a && source .env && set +a
+```
 
-## How do I setup a custom theme?
+Set the secrets.
 
-Check [this approach](https://git.autonomic.zone/ruangrupa/login.lumbung.space).
+```
+printf "SECRET_HERE" | docker secret create SECRET_NAME -
+```
 
-## How do I create another admin user?
+Deploy using the `-c` flag to specify one or multiple compose files.
 
-- Under the `Master` realm > `Users` > `Add user`
-- Create the user and set a temporary password
-- Under the `Role Mappings` tab, move `admin` from `Available Roles` into `Assigned Roles`
-
-## How do I configure Keycloak login for..
-
-- [Nextcloud][nextcloud]
-- [Peertube][peertube]
-
-[nextcloud]: https://git.coopcloud.tech/coop-cloud/nextcloud
-[peertube]: https://git.coopcloud.tech/coop-cloud/peertube
-[abra]: https://git.autonomic.zone/autonomic-cooperative/abra
-[cc-traefik]: https://git.autonomic.zone/coop-cloud/traefik
+```
+docker stack deploy keycloak -c compose.yaml
+```

compose.yaml

@@ -0,0 +1,83 @@
+services:
+  app:
+    image: "keycloak/keycloak:22.0.3"
+    entrypoint: >
+      bash -c "KEYCLOAK_ADMIN_PASSWORD=\"$$(cat /run/secrets/admin_password)\" KC_DB_PASSWORD=\"$$(cat /run/secrets/db_password)\" /opt/keycloak/bin/kc.sh start"
+    networks:
+      - proxy
+      - internal
+    secrets:
+      - admin_password
+      - db_password
+    environment:
+      - KC_DB=mariadb
+      - KC_DB_URL_DATABASE=keycloak
+      - KC_DB_URL_HOST=db
+      - KC_HOSTNAME=${DOMAIN}
+      - KC_PROXY=edge
+      - KEYCLOAK_ADMIN=${ADMIN_USERNAME}
+      - KEYCLOAK_WELCOME_THEME=${WELCOME_THEME}
+    # healthcheck:
+    # https://www.keycloak.org/server/health
+    # Use external health checks
+    volumes:
+      - "themes:/opt/keycloak/themes"
+    depends_on:
+      - mariadb
+    deploy:
+      update_config:
+        failure_action: rollback
+        order: start-first
+      labels:
+        - "traefik.enable=true"
+        - "traefik.http.services.keycloak.loadbalancer.server.port=8080"
+        - "traefik.http.routers.keycloak.rule=Host(`${DOMAIN}`${EXTRA_DOMAINS})"
+        - "traefik.http.routers.keycloak.entrypoints=web-secure"
+        - "traefik.http.routers.keycloak.tls.certresolver=${LETS_ENCRYPT_ENV}"
+        - "traefik.http.routers.keycloak.middlewares=keycloak-redirect"
+        - "traefik.http.middlewares.keycloak-redirect.headers.SSLForceHost=true"
+        - "traefik.http.middlewares.keycloak-redirect.headers.SSLHost=${DOMAIN}"
+
+  db:
+    image: "mariadb:10.11"
+    environment:
+      - MYSQL_DATABASE=keycloak
+      - MYSQL_USER=keycloak
+      - MYSQL_PASSWORD_FILE=/run/secrets/db_password
+      - MYSQL_ROOT_PASSWORD_FILE=/run/secrets/db_root_password
+    secrets:
+      - db_password
+      - db_root_password
+    volumes:
+      - "mariadb:/var/lib/mysql"
+    networks:
+      - internal
+    deploy:
+      labels:
+        backupbot.backup: "true"
+        backupbot.backup.path: "/tmp/dump.sql.gz"
+        backupbot.backup.post-hook: "rm -f /tmp/dump.sql.gz"
+        backupbot.backup.pre-hook: "sh -c 'mysqldump -u root -p\"$$(cat /run/secrets/db_root_password)\" keycloak | gzip > /tmp/dump.sql.gz'"
+        backupbot.restore.pre-hook: "sh -c 'cd /tmp && gzip -d dump.sql.gz'" 
+        backupbot.restore: "true"
+        backupbot.restore.post-hook: "sh -c 'mysql -u root -p\"$$(cat /run/secrets/db_root_password)\" keycloak < /tmp/dump.sql && rm -f /tmp/dump.sql'"
+
+networks:
+  internal:
+  proxy:
+    external: true
+
+secrets:
+  admin_password:
+    name: keycloak_admin_password
+    external: true
+  db_password:
+    name: keycloak_db_password
+    external: true
+  db_root_password:
+    name: keycloak_db_root_password
+    external: true
+
+volumes:
+  mariadb:
+  themes:

compose.yml

@@ -1,80 +0,0 @@
----
-version: "3.8"
-
-services:
-  app:
-    image: "jboss/keycloak:16.1.1"
-    networks:
-      - proxy
-      - internal
-    secrets:
-      - admin_password
-      - db_password
-    environment:
-      - DB_ADDR=db
-      - DB_DATABASE=keycloak
-      - DB_PASSWORD_FILE=/run/secrets/db_password
-      - DB_USER=keycloak
-      - DB_VENDOR=mariadb
-      - KEYCLOAK_PASSWORD_FILE=/run/secrets/admin_password
-      - KEYCLOAK_USER=${ADMIN_USERNAME}
-      - PROXY_ADDRESS_FORWARDING=true
-    healthcheck:
-      test: ["CMD", "curl", "-f", "http://localhost:8080"]
-      interval: 30s
-      timeout: 10s
-      retries: 10
-      start_period: 1m
-    volumes:
-      - "themes:/opt/jboss/keycloak/themes"
-    depends_on:
-      - mariadb
-    deploy:
-      update_config:
-        failure_action: rollback
-        order: start-first
-      labels:
-        - "traefik.enable=true"
-        - "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=8080"
-        - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`${EXTRA_DOMAINS})"
-        - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
-        - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
-        - "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect"
-        - "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLForceHost=true"
-        - "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLHost=${DOMAIN}"
-        - "coop-cloud.${STACK_NAME}.version=4.0.1+16.1.1"
-
-  db:
-    image: "mariadb:10.6"
-    environment:
-      - MYSQL_DATABASE=keycloak
-      - MYSQL_USER=keycloak
-      - MYSQL_PASSWORD_FILE=/run/secrets/db_password
-      - MYSQL_ROOT_PASSWORD_FILE=/run/secrets/db_root_password
-    secrets:
-      - db_password
-      - db_root_password
-    volumes:
-      - "mariadb:/var/lib/mysql"
-    networks:
-      - internal
-
-networks:
-  internal:
-  proxy:
-    external: true
-
-secrets:
-  admin_password:
-    name: ${STACK_NAME}_admin_password_${SECRET_ADMIN_PASSWORD_VERSION}
-    external: true
-  db_password:
-    name: ${STACK_NAME}_db_password_${SECRET_DB_PASSWORD_VERSION}
-    external: true
-  db_root_password:
-    name: ${STACK_NAME}_db_root_password_${SECRET_DB_ROOT_PASSWORD_VERSION}
-    external: true
-
-volumes:
-  mariadb:
-  themes:

release/4.0.0+16.1.0

@@ -1,12 +0,0 @@
-This major release comes with a blog post about a CVE:
-
-    https://www.keycloak.org/2021/12/cve.html
-
-Not all versions are affected but they're suggesting that people upgrade soon.
-
-As per usual, this upgrade didn't go too smoothly and I ended up having to
-undeploy and deploy the new versions. The healtcheck kept failing on the new
-instance when trying to deploy alongside the existing old version. Idk, some
-docker weirdness.
-
-No app data errors discovered after upgrade.

renovate.json

@@ -1,6 +0,0 @@
-{
-  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
-  "extends": [
-    "config:base"
-  ]
-}