docker-compose.yml

version: "3.4"

x-default-deploy:
  &default-deploy
  restart_policy:
    condition: on-failure
    max_attempts: 3
x-default-logging:
  &default-logging
  driver: json-file
  options:
    max-size: "1m"
    max-file: "1"
  # TODO: Add gliderlabs/logspout as a global service in a separate stack so we can pipe logs to an external service (eg: papertrail)

services:
  # Keycloak (authentication) setup (should maybe go into an external deployment)
  # TODO: move secrets into docker secrets
  keycloak:
    image: jboss/keycloak:4.5.0.Final
    ports:
      - 8080:8080
    environment:
      KEYCLOAK_USER: keycloak
      KEYCLOAK_PASSWORD: $KEYCLOAK_PASSWORD
      DB_VENDOR: POSTGRES
      DB_PASSWORD: $KEYCLOAK_PASSWORD
      PROXY_ADDRESS_FORWARDING: "true"
    logging: *default-logging
    deploy: *default-deploy

  postgres:
    image: postgres:9-alpine
    environment:
      POSTGRES_DB: keycloak
      POSTGRES_USER: keycloak
      POSTGRES_PASSWORD: $KEYCLOAK_PASSWORD
    volumes:
      - keycloakdb:/var/lib/postgresql/data
    logging: *default-logging
    deploy:
      placement:
        constraints:
          - node.labels.type == master-1
      restart_policy:
        condition: on-failure
        max_attempts: 3

  keycloak-init:
    image: registry-special.tenforce.com/special/keycloak-initializer:all-redirect-uris-allowed
    environment:
      KEYCLOAK_ENDPOINT: http://keycloak:8080/auth
      KEYCLOAK_CLIENT_SECRET: $KEYCLOAK_CLIENT_SECRET
      KEYCLOAK_PASSWORD: $KEYCLOAK_PASSWORD
      KEYCLOAK_GENERATOR_PASSWORD: $KEYCLOAK_GENERATOR_PASSWORD
    logging: *default-logging
    deploy:
      restart_policy:
        condition: none

volumes:
  caddycert: {}
  keycloakdb:
    driver: local

networks:
  default:
    external:
      name: special-demonstrator