---
version: "3.8"

services:
  keycloak:
    image: "jboss/keycloak:9.0.3"
    networks:
      - proxy
      - internal
    secrets:
      - admin_passwd
      - db_passwd
    environment:
      - DB_ADDR=mariadb
      - DB_DATABASE=keycloak
      - DB_PASSWORD_FILE=/run/secrets/db_passwd
      - DB_USER=keycloak
      - DB_VENDOR=mariadb
      - KEYCLOAK_PASSWORD_FILE=/run/secrets/admin_passwd
      - KEYCLOAK_USER=autonomic
      - PROXY_ADDRESS_FORWARDING=true
    depends_on:
      - mariadb
    healthcheck:
      test: ["CMD", "curl", "-f", "http://localhost:8080"]
      interval: 30s
      timeout: 10s
      retries: 10
      start_period: 1m
    deploy:
      update_config:
        failure_action: rollback
        order: start-first
      labels:
        - "traefik.enable=true"
        - "traefik.http.routers.keycloak.rule=Host(`id.autonomic.zone`)"
        - "traefik.http.routers.keycloak.entrypoints=web-secure"
        - "traefik.http.services.keycloak.loadbalancer.server.port=8080"
        - "traefik.http.routers.keycloak.tls.certresolver=production"

  mariadb:
    image: "mariadb:10.5"
    environment:
      - MYSQL_DATABASE=keycloak
      - MYSQL_USER=keycloak
      - MYSQL_PASSWORD_FILE=/run/secrets/db_passwd
      - MYSQL_ROOT_PASSWORD_FILE=/run/secrets/db_root_passwd
    secrets:
      - db_passwd
      - db_root_passwd
    volumes:
      - "mariadb:/var/lib/mysql"
    networks:
      - internal

networks:
  internal:
  proxy:
    external: true

secrets:
  admin_passwd:
    name: keycloak_admin_passwd_v1
    external: true
  db_passwd:
    name: keycloak_db_passwd_v1
    external: true
  db_root_passwd:
    name: keycloak_db_root_passwd_v1
    external: true

volumes:
  mariadb: