infra/stacks/jenkins/compose.yml

# jenkins — CI/CD (cloud only)
# Networks: app
# Auth: SSO via Keycloak (wbd realm, jenkins client) configured by JCasC.

services:
  jenkins:
    build:
      context: .                # custom image: upstream + configuration-as-code + oic-auth plugins
      dockerfile: Dockerfile
    image: cloud-jenkins:lts-jdk17
    restart: unless-stopped
    networks: [app]
    environment:
      TZ: ${TZ:-Europe/Amsterdam}
      JENKINS_OPTS: --httpPort=8080
      JAVA_OPTS: -Djenkins.install.runSetupWizard=false
      CASC_JENKINS_CONFIG: /var/jenkins_home/casc/jenkins.yaml
      # Keycloak OIDC (wbd realm, jenkins client) — read by JCasC at startup.
      JENKINS_OAUTH_CLIENT_ID: ${JENKINS_OAUTH_CLIENT_ID:-jenkins}
      JENKINS_OAUTH_CLIENT_SECRET: ${JENKINS_OAUTH_CLIENT_SECRET}
    volumes:
      - jenkins-home:/var/jenkins_home
      - ./config:/var/jenkins_home/casc:ro
    # TODO: agent strategy (docker-in-docker vs ssh agents vs k8s agents)

networks:
  app:

volumes:
  jenkins-home: