feat(cloud): short function-based subdomains + harden keycloak with postgres

Subdomain rename (Versio side keeps original tool-named hostnames)
- nginx vhosts updated:
    grafana   -> dash.wbd-rd.nl
    gitea     -> git.wbd-rd.nl
    keycloak  -> auth.wbd-rd.nl
    node-red  -> flow.wbd-rd.nl
    mlflow    -> ml.wbd-rd.nl
    jupyter   -> hub.wbd-rd.nl
    portainer -> ops.wbd-rd.nl
    rabbitmq  -> mq.wbd-rd.nl
    jenkins   -> ci.wbd-rd.nl
    mqtt      -> mqtt.wbd-rd.nl   (no Versio conflict assumed)
- nginx-proxy README: bootstrap cert -d list + DNS A-record prereqs updated
- cloud/.env.example: GITEA_ROOT_URL, GRAFANA_ROOT_URL, KEYCLOAK_HOSTNAME

Function-based names are tool-agnostic (a Grafana -> Kibana swap leaves
dash.wbd-rd.nl meaningful) and avoid one-off "*2" suffixes.

Keycloak hardening
- Switch backend from bundled file storage to postgres (keycloak DB
  already provisioned by sql/config/init.d/01-databases.sh).
- KC_HOSTNAME=auth.wbd-rd.nl, KC_PROXY_HEADERS=xforwarded for nginx
  reverse-proxy posture; KC_HTTP_ENABLED=true since nginx terminates TLS.
- Added KC_HOSTNAME_STRICT, KC_HEALTH_ENABLED, KC_METRICS_ENABLED.
- Service joins app + mgmt + data networks (data needed for postgres).
- Mounted config/realms/ for realm-as-code (kc.sh import) — TODO to
  populate once realm + clients are designed.
- README documents the recommended realm structure (wbd realm, one
  client per app with redirect URIs) and the oauth2-proxy approach
  for apps without native OIDC (mlflow, portainer-CE).

cloud
- Uncomment keycloak include in cloud/compose.yml.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
znetsixe
2026-05-21 13:54:57 +02:00
parent 5d95f8bfcc
commit af354a4b9e
15 changed files with 112 additions and 37 deletions

@@ -17,7 +17,7 @@ WG_SERVER_PUBLIC_HOST=
# Keycloak (admin bootstrap + DB)
KEYCLOAK_ADMIN=admin
KEYCLOAK_ADMIN_PASSWORD=
KEYCLOAK_HOSTNAME=keycloak.wbd-rd.nl
KEYCLOAK_HOSTNAME=auth.wbd-rd.nl
KEYCLOAK_DB_PASSWORD=
# InfluxDB
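Review bot: the hostname is now set in three places (KEYCLOAK_HOSTNAME here, the nginx auth.wbd-rd.nl vhost, and the README cert -d list per the commit message), and with KC_HOSTNAME_STRICT enabled a drift between them fails only at request time as a Host-header mismatch; a one-line comment above KEYCLOAK_HOSTNAME saying it must match the nginx server_name and the certificate SAN would save the next editor a debugging round. Separately, KEYCLOAK_ADMIN / KEYCLOAK_ADMIN_PASSWORD are the pre-26 bootstrap variable names; Keycloak 26 deprecates them in favour of KC_BOOTSTRAP_ADMIN_USERNAME / KC_BOOTSTRAP_ADMIN_PASSWORD, so check the image tag in the keycloak compose file and rename if it is 26 or later. Leaving both password values empty in the example is the right call.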
@@ -30,7 +30,7 @@ INFLUX_BUCKET=telemetry
# Grafana
GRAFANA_ADMIN_USER=admin
GRAFANA_ADMIN_PASSWORD=
GRAFANA_ROOT_URL=https://grafana.wbd-rd.nl
GRAFANA_ROOT_URL=https://dash.wbd-rd.nl
# SQL (postgres — single point of config)
SQL_DB=config
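Review bot: changing GRAFANA_ROOT_URL to https://dash.wbd-rd.nl also changes the OAuth callback Grafana presents to Keycloak, so once the per-app clients described in the README exist, the Grafana client's redirect URI must be registered against the new host (the old grafana.wbd-rd.nl callback would be rejected with a redirect_uri mismatch). Worth a short comment next to this line, since the .env.example is where the next person will look first.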
@@ -47,7 +47,7 @@ POSTFIX_RELAYHOST=
POSTFIX_FROM_DOMAIN=wbd-rd.nl
# Gitea (HTTPS-only; uses sql backend)
GITEA_ROOT_URL=https://gitea.wbd-rd.nl
GITEA_ROOT_URL=https://git.wbd-rd.nl
GITEA_DB_HOST=sql:5432
GITEA_DB_NAME=gitea
GITEA_DB_USER=gitea
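Review bot: GITEA_ROOT_URL drives the clone URLs Gitea shows, its generated webhook and OIDC callback URLs, and absolute links in notification mail, so after this change existing clones and any registered callbacks still point at gitea.wbd-rd.nl. Since the commit message says the Versio side keeps the tool-named hostnames, a redirecting nginx vhost for the old name (or a note in the nginx-proxy README that it is intentionally not served) would avoid stale links silently failing. The comment "HTTPS-only; uses sql backend" still holds; GITEA_DB_HOST=sql:5432 matches the shared postgres the keycloak change also relies on.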