Traefik with OIDC (Keycloak)
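---
# Compose stack: Traefik edge proxy, Keycloak as the OIDC provider, a Postgres
# backend for Keycloak with a scheduled backup job, and traefik-forward-auth
# guarding the Traefik dashboard.
#
# Every value shown as "xxx…" is a placeholder secret. Supply the real values
# through an env_file or Docker secrets instead of committing them in this file.
#
# "healthcheck" needs the 2.1 file format and "start_period" the 2.3 format;
# the 2.0 schema used before rejects both keys.
version: "2.4"

networks:
  traefik:
    name: traefik

volumes:
  docker_networking_keycloak_postgresdata:
    external: true
  docker_networking_traefik_acme:
    external: true
  docker_networking_traefik_rules:
    external: true
  docker_networking_traefik_logs:
    external: true
  docker_networking_keycloak_postgresbackup:
    external: true

services:
  traefik:
    # Unpinned tag: a new major release may change the accepted CLI flags
    # (the pilot.* options in particular); pin an explicit version tag.
    image: traefik
    restart: always
    networks:
      - traefik
    command:
      - "--pilot.token=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      - "--entryPoints.ws.address=:8081"
      - "--entryPoints.wss.address=:8083"
      - "--providers.docker"
      # Containers are only routed when they carry traefik.enable=true.
      - "--providers.docker.exposedByDefault=false"
      - "--providers.file.directory=/config/"
      # The API/dashboard is reachable only through the "traefik" router
      # below, which is protected by the forward-auth middleware.
      - "--api"
      # Absolute path so the log lands on the mounted /logs volume together
      # with the access log, independent of the container working directory.
      - "--log.filePath=/logs/log.txt"
      - "--log.format=json"
      # DEBUG is very verbose; lower to INFO once the setup is stable.
      - "--log.level=DEBUG"
      - "--accesslog=true"
      - "--accesslog.filepath=/logs/access.log"
      - "--certificatesresolvers.leresolver.acme.email=xxxxxxxxxxxxxx@mail.com"
      - "--certificatesresolvers.leresolver.acme.storage=/acme/acme.json"
      - "--certificatesresolvers.leresolver.acme.dnschallenge=true"
      - "--certificatesresolvers.leresolver.acme.dnschallenge.provider=namedotcom"
      - "--certificatesresolvers.leresolver.acme.dnschallenge.resolvers=163.114.216.17"
    environment:
      # Credentials for the name.com DNS challenge.
      - NAMECOM_USERNAME=xxxxxxxxxxxxxx
      - NAMECOM_API_TOKEN=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
      - NAMECOM_SERVER=api.name.com
    ports:
      - "80:80"
      - "443:443"
      - "8081:8081"
      - "8083:8083"
    volumes:
      # Read-only mount still grants the Docker API to this container; keep
      # the image pinned and the dashboard behind auth for that reason.
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - docker_networking_traefik_logs:/logs/
      - docker_networking_traefik_acme:/acme/
      - docker_networking_traefik_rules:/config/
    labels:
      # Dashboard, HTTPS only, behind traefik-forward-auth.
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.rule=Host(`traefik.domain.com`)"
      - "traefik.http.routers.traefik.service=api@internal"
      - "traefik.http.routers.traefik.entrypoints=websecure"
      - "traefik.http.routers.traefik.middlewares=traefik-forward-auth"
      - "traefik.http.routers.traefik.tls=true"
      # Global redirect of every plain-HTTP request to HTTPS.
      - "traefik.http.routers.http-catchall.rule=hostregexp(`{host:.+}`)"
      - "traefik.http.routers.http-catchall.entrypoints=web"
      - "traefik.http.routers.http-catchall.middlewares=redirect-to-https"
      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
      # Network Traefik uses to reach the backends.
      - "traefik.docker.network=traefik"
      # Wildcard certificate for the base domain via the ACME resolver.
      - "traefik.http.routers.wildcard-certs.tls.certresolver=leresolver"
      - "traefik.http.routers.wildcard-certs.tls.domains[0].main=domain.com"
      - "traefik.http.routers.wildcard-certs.tls.domains[0].sans=*.domain.com"
    extra_hosts:
      - host.docker.internal:172.1.1.1

  keycloak:
    image: mihaibob/keycloak:15.0.1
    restart: always
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.keycloak.rule=Host(`keycloak.domain.com`)"
      - "traefik.http.routers.keycloak.entrypoints=websecure"
      - "traefik.http.routers.keycloak.tls=true"
      - "traefik.http.services.keycloak.loadBalancer.server.port=8080"
      - "traefik.docker.network=traefik"
    networks:
      - traefik
    environment:
      # Bootstrap admin account; rotate the password after first login.
      - KEYCLOAK_USER=admin
      - KEYCLOAK_PASSWORD=xxxxxxxxxxxxxxxxxxxxxxxxxxxx
      # Required behind a TLS-terminating proxy so redirects use https://.
      - PROXY_ADDRESS_FORWARDING=true
      - KEYCLOAK_HOSTNAME=keycloak.domain.com
      - DB_VENDOR=POSTGRES
      - DB_ADDR=postgres
      - DB_DATABASE=keycloak
      - DB_USER=keycloak
      - DB_SCHEMA=public
      - DB_PASSWORD=xxxxxxxxxxxxxxxxxxxxxxxxxxxx
    depends_on:
      - postgres

  postgres:
    # Run as nobody:users instead of the image default root.
    user: "65534:100"
    image: postgres:13.4
    restart: unless-stopped
    volumes:
      - docker_networking_keycloak_postgresdata:/var/lib/postgresql/data
    environment:
      - PGDATA=/var/lib/postgresql/data/keycloak
      - POSTGRES_DB=keycloak
      - POSTGRES_USER=keycloak
      - POSTGRES_PASSWORD=xxxxxxxxxxxxxxxxxxxxxxxxxxxx
    # No traefik labels and exposedByDefault=false, so the database is not
    # routed; a separate backend-only network would still narrow its reach.
    networks:
      - traefik

  # ---------------------- Keycloak-Postgres-Backup ----------------------
  pgbackups:
    # Unpinned tag; pin a version so backups stay reproducible.
    image: prodrigestivill/postgres-backup-local
    restart: always
    volumes:
      - docker_networking_keycloak_postgresbackup:/backups
    # "links" is not needed: depends_on plus the shared network already
    # provides name resolution for "postgres".
    depends_on:
      - postgres
    environment:
      - POSTGRES_HOST=postgres
      - POSTGRES_DB=keycloak
      - POSTGRES_USER=keycloak
      - POSTGRES_PASSWORD=xxxxxxxxxxxxxxxxxxxxxxxxxxxx
      - SCHEDULE=@daily
      - BACKUP_KEEP_DAYS=7
      - BACKUP_KEEP_WEEKS=4
      - BACKUP_KEEP_MONTHS=6
      - HEALTHCHECK_PORT=8080
    networks:
      - traefik
    healthcheck:
      test: curl --fail http://localhost:8080 || exit 1
      interval: 5m
      retries: 5
      start_period: 20s
      timeout: 10s

  traefik-forward-auth:
    image: thomseddon/traefik-forward-auth:2-arm64
    restart: unless-stopped
    command:
      - "--default-provider=oidc"
      - "--providers.oidc.issuer-url=https://keycloak.domain.com/auth/realms/master"
      - "--providers.oidc.client-id=traefik-forward-auth"
      - "--providers.oidc.client-secret=xxxxxxxxxxxxxxxxxxxxxxxxxxxx"
      # Signing secret for the auth cookie; must be random and kept private.
      - "--secret=xxxxxxxxxxxxxxxxxxxxxxxxxxxx"
      # "--insecure-cookie" was dropped: every router here is HTTPS-only and
      # plain HTTP is redirected, so the auth cookie can carry the Secure flag.
      - "--cookie-domain=domain.com"
      - "--auth-host=auth.domain.com"
      # debug logs include request details; lower outside troubleshooting.
      - "--log-level=debug"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik-forward-auth.rule=Host(`auth.domain.com`)"
      - "traefik.http.services.traefik-forward-auth.loadbalancer.server.port=4181"
      - "traefik.http.routers.traefik-forward-auth.entrypoints=websecure"
      - "traefik.http.routers.traefik-forward-auth.tls=true"
      - "traefik.docker.network=traefik"
      - "traefik.http.routers.traefik-forward-auth.middlewares=traefik-forward-auth"
      - "traefik.http.middlewares.traefik-forward-auth.forwardauth.address=http://traefik-forward-auth:4181"
      - "traefik.http.middlewares.traefik-forward-auth.forwardauth.authResponseHeaders=X-Forwarded-User"
      # NOTE(review): trusts X-Forwarded-* as received; safe only while Traefik
      # itself is the edge and no forwardedHeaders.trustedIPs is configured
      # upstream — confirm if another proxy is ever placed in front.
      - "traefik.http.middlewares.traefik-forward-auth.forwardauth.trustForwardHeader=true"
    networks:
      - traefik
    depends_on:
      - keycloak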