dfg

traefik:
    external: true

docker-compose/keycloak/docker-compose.yml.j2

@@ -0,0 +1,59 @@
+version: '3'
+services:
+  Keycloak:
+    image: quay.io/keycloak/keycloak:23.0.2
+    command: ['start-dev']
+    environment:
+      KC_DB_PASSWORD: password
+      KC_DB_URL_HOST: keycloak-db
+      KC_DB_USERNAME: keycloak
+
+      KEYCLOAK_ADMIN: admin
+      KEYCLOAK_ADMIN_PASSWORD: password
+
+      KC_HOSTNAME: docker10.mgrote.net
+    ports:
+      - "8089:8080" # Externe-Portnummer:Interne-Portnummer
+    depends_on:
+      - keycloak-db
+    container_name: keycloak-app
+    volumes:
+      - keycloak:/opt/keycloak/data
+    networks:
+      - intern
+      - auth
+      - traefik
+
+  keycloak-db:
+    image: "postgres:16.2"
+    container_name: keycloak-db
+    environment:
+      POSTGRES_DB: keycloak
+      POSTGRES_USER: keycloak
+      POSTGRES_PASSWORD: password
+    volumes:
+      - db16:/var/lib/postgresql/data
+    healthcheck:
+      test: ["CMD", "pg_isready", "-U", "keycloak"]
+      interval: 10s
+      start_period: 30s
+    networks:
+      - intern
+
+######## Volumes ########
+volumes:
+  db16:
+  keycloak:
+######## Networks ########
+networks:
+  traefik:
+    external: true
+  auth:
+    external: true
+  intern:
+# todo
+# prufen ob dier uzielcontsainer alle netwzwerke rbaucht
+# healtchecks
+# verison gesetzt
+# dashbaord
+# start-dev umstellen

docker-compose/lldap/docker-compose.yml.j2

@@ -2,7 +2,7 @@ version: "3"
 services:
 ######## App ########
   lldap:
-    image: nitnelave/lldap:stable
+    image: nitnelave/lldap:v0.5.0
     container_name: lldap-app
     restart: always
     ports:
@@ -37,9 +37,7 @@ services:
       LLDAP_SMTP_OPTIONS__PORT: 25
       LLDAP_SMTP_OPTIONS__SMTP_ENCRYPTION: NONE
       LLDAP_SMTP_OPTIONS__USER: info@mgrote.net
-    labels:
-      - com.centurylinklabs.watchtower.enable=true
-      - com.centurylinklabs.watchtower.depends-on=lldap-db
+
 ######## DB ########
   lldap-db:
     image: mariadb:10.6.14
@@ -57,8 +55,6 @@ services:
       - MYSQL_INITDB_SKIP_TZINFO=1
     networks:
       - intern
-    labels:
-      - com.centurylinklabs.watchtower.enable=true
 
 ######## Volumes ########
 volumes:
@@ -71,3 +67,11 @@ networks:
     external: true
   mail-relay:
     external: true
+  auth:
+    external: true
+# ToDo
+# Secrets
+# db heraltcheck
+# https://github.com/lldap/lldap/blob/main/example_configs/keycloak.md
+# secrets in ekycloak anapssen
+# dashbaord

docker-compose/traefik/docker-compose.yml.j2

@@ -52,6 +52,8 @@ services:
 networks:
   traefik:
     external: true
+  whoami: {}
+  oauth2-proxy: {}
 ######## Volumes ########
 volumes:
   acme_data:

docker-compose/whoami/docker-compose.yml.j2

@@ -0,0 +1,46 @@
+version: "3"
+services:
+  whoami:
+    image: traefik/whoami
+    container_name: whoami-app
+    restart: always
+    ports:
+      - "4421:80"
+    networks:
+      auth:
+
+# This docker-compose file can be used to bring up an example instance of oauth2-proxy
+# for manual testing and exploration of features.
+# Alongside OAuth2-Proxy, this file also starts Keycloak to act as the identity provider,
+# whoami as an example upstream.
+#
+# This can either be created using docker-compose
+#    docker-compose -f docker-compose-keycloak.yaml <command>
+# Or:
+#    make keycloak-<command> (eg. make keycloak-up, make keycloak-down)
+#
+# Access http://oauth2-proxy.localtest.me:4180 to initiate a login cycle using user=admin@example.com, password=password
+# Access http://keycloak.localtest.me:9080 with the same credentials to check out the settings
+  oauth2-proxy: # dashbaord
+    container_name: oauth2-proxy
+    image: quay.io/oauth2-proxy/oauth2-proxy:v7.6.0
+    command: --config /oauth2-proxy.cfg
+    hostname: oauth2-proxy
+    volumes:
+      - "./oauth2-proxy-keycloak.cfg:/oauth2-proxy.cfg"
+    restart: unless-stopped
+    ports:
+      - 4180:4180/tcp
+    networks:
+      auth:
+######## Networks ########
+networks:
+  traefik:
+    external: true
+  auth:
+    external: true
+
+# todo
+# prufen ob dier uzielcontsainer alle netwzwerke rbaucht
+# healtchecks
+# verison gesetzt

docker-compose/whoami/oauth2-proxy-keycloak.cfg

@@ -0,0 +1,18 @@
+http_address="0.0.0.0:4180"
+cookie_secret="OQINaROshtE9TcZkNAm-5Zs2Pv3xaWytBmc5W7sPX7w="
+email_domains="example.com"
+cookie_secure="false"
+upstreams="http://whoami.localtest.me:8080"
+cookie_domains=[".localtest.me"] # Required so cookie can be read on all subdomains.
+whitelist_domains=[".localtest.me"] # Required to allow redirection back to original requested target.
+
+# keycloak provider
+client_secret="72341b6d-7065-4518-a0e4-50ee15025608"
+client_id="oauth2-proxy"
+redirect_url="http://oauth2-proxy.localtest.me:4180/oauth2/callback"
+
+# in this case oauth2-proxy is going to visit
+# http://keycloak.localtest.me:9080/auth/realms/master/.well-known/openid-configuration for configuration
+oidc_issuer_url="http://keycloak.localtest.me:9080/auth/realms/master"
+provider="oidc"
+provider_display_name="Keycloak"

friedhof/lldap/docker-compose0.yml.j2

@@ -1,40 +0,0 @@
-version: '3'
-services:
-  wiki-webserver:
-    container_name: wiki-webserver
-    image: httpd:2.4@sha256:ba846154ade27292d216cce2d21f1c7e589f3b66a4a643bff0cdd348efd17aa3
-    restart: always
-    networks:
-      - traefik
-    ports:
-      - 8087:80
-    volumes:
-      - /docker/wiki/site:/usr/local/apache2/htdocs/
-      # /docker/wiki/site ist ein lokales Verzeichnis auf docker10
-      # dieser Verzeichnis wird direkt in der wiki ci gemountet
-      # und die daten werden dort reingeschrieben
-    labels:
-      traefik.http.routers.wiki.rule: Host(`wiki2.mgrote.net`)
-      traefik.enable: true
-      traefik.http.routers.wiki.tls: true
-      traefik.http.routers.wiki.tls.certresolver: resolver_letsencrypt
-      traefik.http.routers.wiki.entrypoints: entry_https
-      traefik.http.services.wiki.loadbalancer.server.port: 80
-
-      traefik.http.routers.wiki.middlewares: nforwardauth
-#      traefik.http.routers.wiki.middlewares: ldap_auth
-#
-#    # ldapAuth Options
-#      traefik.http.middlewares.ldap_auth.plugin.ldapAuth.enabled: true
-#      traefik.http.middlewares.ldap_auth.plugin.ldapAuth.logLevel: DEBUG
-#      traefik.http.middlewares.ldap_auth.plugin.ldapAuth.url: ldap://lldap-app
-#      traefik.http.middlewares.ldap_auth.plugin.ldapAuth.port: 3890
-#      traefik.http.middlewares.ldap_auth.plugin.ldapAuth.baseDN: "ou=people,dc=grote,dc=lan"
-#      traefik.http.middlewares.ldap_auth.plugin.ldapAuth.attribute: uid
-
-      com.centurylinklabs.watchtower.enable: true
-
-######## Networks ########
-networks:
-  traefik:
-    external: true

host_vars/docker10.mgrote.net.yml

@@ -59,8 +59,6 @@ compose_files:
   - name: navidrome
     state: present
     network: traefik
-  - name: watchtower
-    state: absent
   - name: routeros-config-export
     state: present
   - name: mail-relay
@@ -72,9 +70,14 @@ compose_files:
   - name: wiki
     state: present
     network: traefik
-  - name: statping-ng
-    state: absent
-
+  - name: lldap
+    state: present
+  - name: whoami
+    state: present
+    network: auth
+  - name: keycloak
+    state: present
+    network: auth
 ### oefenweb.ufw
 ufw_rules:
   - rule: allow