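# keycloak — identity / SSO
# Networks: app (apps reach the realm endpoints) + mgmt (admin console)
#
# No ports are published here, so the service is reachable only over the two
# attached networks.
# NOTE(review): Keycloak serves the realm endpoints and the admin console from
# the same HTTP listener, so joining `app` also makes the admin paths reachable
# from that network. If the admin console is meant to be mgmt-only, enforce it
# at the reverse proxy (path filtering) or with a separate admin hostname.
services:
  keycloak:
    # Mutable tag: what runs can change on the next pull. Pin by digest
    # (image@sha256:<digest>) if reproducible deployments are required.
    image: quay.io/keycloak/keycloak:26.0
    restart: unless-stopped
    # NOTE(review): --optimized skips the build step at startup; confirm the
    # image in use was built with the options configured below.
    command: ["start", "--optimized"]
    networks: [app, mgmt]
    environment:
      # Fail at `compose up` if the bootstrap credentials are missing, instead
      # of substituting empty strings. The bootstrap admin is intended for
      # first-time setup: replace it with a permanent admin account, and note
      # that values passed via environment are visible in container inspection.
      KC_BOOTSTRAP_ADMIN_USERNAME: "${KEYCLOAK_ADMIN:?KEYCLOAK_ADMIN must be set}"
      KC_BOOTSTRAP_ADMIN_PASSWORD: "${KEYCLOAK_ADMIN_PASSWORD:?KEYCLOAK_ADMIN_PASSWORD must be set}"
      # Empty when KEYCLOAK_HOSTNAME is unset.
      # NOTE(review): production `start` normally expects an explicit
      # hostname; without one, URLs may be derived from request headers.
      KC_HOSTNAME: "${KEYCLOAK_HOSTNAME:-}"
      # Trust X-Forwarded-* headers. Only safe when every request arrives via
      # a reverse proxy that overwrites these headers from clients.
      KC_PROXY_HEADERS: xforwarded
      # Plain-HTTP listener: TLS must terminate at the proxy, and traffic
      # between proxy and Keycloak on these networks is unencrypted.
      KC_HTTP_ENABLED: "true"
      # TODO: external DB (KC_DB=postgres) once sql stack lands
    volumes:
      # Holds Keycloak's local data directory until the external DB lands;
      # include it in backups and restrict host access to it.
      - keycloak-data:/opt/keycloak/data

networks:
  app:
  mgmt:

volumes:
  keycloak-data: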