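# keycloak — identity / SSO
# Hostname: auth.wbd-rd.nl (reverse-proxied via nginx-proxy on port 8080)
# Networks: app (relying-party endpoints) + mgmt (admin console traffic) + data (postgres backend)
#
# No `ports:` are published here, so the container is reachable only from the
# networks listed below. Keep it that way: TLS is terminated at the proxy and
# Keycloak itself speaks plain HTTP.

services:
  keycloak:
    # NOTE(review): `26.0` is a mutable tag; pin the image by digest if
    # reproducible, reviewable upgrades of the identity provider are required.
    image: quay.io/keycloak/keycloak:26.0
    restart: unless-stopped
    # NOTE(review): realm files mounted under data/import (see volumes) are only
    # loaded at startup when `--import-realm` is passed; with a bare `start`
    # the mount is inert. Confirm which behaviour is intended.
    command: ["start"]
    # NOTE(review): Keycloak serves the admin console on the same HTTP port as
    # the public endpoints, so joining `mgmt` does not by itself keep /admin off
    # the `app` side. Restrict the admin paths at the reverse proxy.
    networks: [app, mgmt, data]
    environment:
      # Master admin bootstrap (first start only — change password after first login)
      # Keycloak 26 treats this as a temporary account: create a permanent admin
      # (with MFA), delete the bootstrap user, then drop these two variables
      # from the environment. Left optional so they can be removed afterwards.
      KC_BOOTSTRAP_ADMIN_USERNAME: "${KEYCLOAK_ADMIN}"
      KC_BOOTSTRAP_ADMIN_PASSWORD: "${KEYCLOAK_ADMIN_PASSWORD}"

      # Reverse-proxy posture
      # Fail at `compose up` instead of starting with an empty hostname.
      KC_HOSTNAME: "${KEYCLOAK_HOSTNAME:?KEYCLOAK_HOSTNAME must be set}"
      KC_HOSTNAME_STRICT: "true"
      # X-Forwarded-* headers are trusted as sent. The proxy must overwrite
      # (not append to) them, and nothing except the proxy should be able to
      # reach port 8080 directly, otherwise a peer can spoof scheme/host/client IP.
      KC_PROXY_HEADERS: xforwarded
      # Plain HTTP listener; acceptable only because TLS ends at nginx-proxy.
      KC_HTTP_ENABLED: "true"

      # Postgres backend (DB + role provisioned by sql/config/init.d/01-databases.sh)
      KC_DB: postgres
      KC_DB_URL: "jdbc:postgresql://sql:5432/keycloak"
      KC_DB_USERNAME: keycloak
      # Fail at `compose up` instead of starting with an empty DB password.
      KC_DB_PASSWORD: "${KEYCLOAK_DB_PASSWORD:?KEYCLOAK_DB_PASSWORD must be set}"

      # Misc
      # Health and metrics endpoints are unauthenticated; since Keycloak 25 they
      # are served on the management port (9000 by default). Do not route them
      # through the public proxy.
      KC_HEALTH_ENABLED: "true"
      KC_METRICS_ENABLED: "true"
      TZ: "${TZ:-Europe/Amsterdam}"
    volumes:
      - keycloak-data:/opt/keycloak/data
      # Read-only realm definitions. Realm exports can carry client secrets and
      # credential hashes; keep such files out of version control.
      - ./config/realms:/opt/keycloak/data/import:ro

# NOTE(review): declared without options, so Compose creates these as
# project-scoped networks. If nginx-proxy or the `sql` service live in a
# different Compose project they must be marked `external: true` — confirm.
# Consider `internal: true` on `data` if the database never needs egress.
networks:
  app: {}
  mgmt: {}
  data: {}

volumes:
  keycloak-data: {}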