**Purpose**: Keycloak is an open source identity and access management systen for modern applications and services. [Original Reference Compose File](https://github.com/JamesTurland/JimsGarage/blob/main/Keycloak/docker-compose.yaml) [Original Reference Deployment Video](https://www.youtube.com/watch?v=6ye4lP9EA2Y) ## Docker Configuration === "docker-compose.yml" ``` yaml version: '3.7' services: postgres: image: postgres:16.2 volumes: - /srv/containers/keycloak/db:/var/lib/postgresql/data environment: POSTGRES_DB: ${POSTGRES_DB} POSTGRES_USER: ${POSTGRES_USER} POSTGRES_PASSWORD: ${POSTGRES_PASSWORD} networks: docker_network: ipv4_address: 192.168.5.3 keycloak: image: quay.io/keycloak/keycloak:23.0.6 command: start environment: TZ: America/Denver # (1) KC_PROXY_ADDRESS_FORWARDING: true # (2) KC_HOSTNAME_STRICT: false KC_HOSTNAME: auth.bunny-lab.io # (3) KC_PROXY: edge # (4) KC_HTTP_ENABLED: true KC_DB: postgres # KC_DB_URL: jdbc:postgresql://postgres/${POSTGRES_DB} # (5) KC_DB_USERNAME: ${POSTGRES_USER} KC_DB_PASSWORD: ${POSTGRES_PASSWORD} KC_DB_URL_HOST: postgres KC_DB_URL_PORT: 5432 KC_DB_URL_DATABASE: ${POSTGRES_DB} KEYCLOAK_ADMIN: ${KEYCLOAK_ADMIN} KEYCLOAK_ADMIN_PASSWORD: ${KEYCLOAK_ADMIN_PASSWORD} # KC_HOSTNAME_DEBUG: true # (6) KC_HEALTH_ENABLED: true ports: - 8080:8080 restart: always depends_on: - postgres networks: docker_network: ipv4_address: 192.168.5.2 networks: default: external: name: docker_network docker_network: external: true ``` 1. This sets the timezone of the Keycloak server to your timezone. This is not really necessary according to the official documentation, however I just like to add it to all of my containers as a baseline environment variable to add 2. This assumes you are running Keycloak behind a reverse proxy, in my particular case, Traefik 3. Set this to the FQDN that you are expecting to reach the Keycloak server at behind your reverse proxy 4. This assumes you are running Keycloak behind a reverse proxy, in my particular case, Traefik 5. Official documentation says to use this, but its not really necessary. In this particular deployment method, we will just specify the parameters manually seen in the next few variables below this one 6. If this is enabled, Navigate to https://auth.bunny-lab.io/realms/master/hostname-debug to troubleshoot issues with the deployment if you experience any issues logging into the web portal or admin UI === ".env" ``` yaml POSTGRES_DB=keycloak POSTGRES_USER=keycloak POSTGRES_PASSWORD=SomethingSecure # (1) KEYCLOAK_ADMIN=admin KEYCLOAK_ADMIN_PASSWORD=SomethingSuperSecureToLoginAsAdmin # (2) ``` 1. This is used internally by Keycloak to interact with the PostgreSQL database server 2. This is used to log into the web admin portal at https://auth.bunny-lab.io ## Traefik Reverse Proxy Configuration If the container does not run on the same host as Traefik, you will need to manually add configuration to Traefik's dynamic config file, outlined below. ``` yaml http: routers: auth: entryPoints: - websecure tls: certResolver: letsencrypt http2: service: auth rule: Host(`auth.bunny-lab.io`) middlewares: - auth-headers services: auth: loadBalancer: servers: - url: http://192.168.5.2:8080 passHostHeader: true middlewares: auth-headers: headers: sslRedirect: true stsSeconds: 31536000 stsIncludeSubdomains: true stsPreload: true forceSTSHeader: true customRequestHeaders: X-Forwarded-Proto: https X-Forwarded-Port: "443" ```