Switch to external SSO

compose.yml

@@ -31,20 +31,20 @@ x-common-env: &common-env
   AWS_S3_SECRET_ACCESS_KEY: password
   MEDIA_BASE_URL: https://${DOMAIN}
   AWS_STORAGE_BUCKET_NAME: docs-media-storage
-  # OIDC
-  OIDC_OP_JWKS_ENDPOINT: https://auth.${DOMAIN}/realms/impress/protocol/openid-connect/certs
-  OIDC_OP_AUTHORIZATION_ENDPOINT: https://auth.${DOMAIN}/realms/impress/protocol/openid-connect/auth
-  OIDC_OP_TOKEN_ENDPOINT: https://auth.${DOMAIN}/realms/impress/protocol/openid-connect/token
-  OIDC_OP_USER_ENDPOINT: https://auth.${DOMAIN}/realms/impress/protocol/openid-connect/userinfo
-  OIDC_RP_CLIENT_ID: impress
+  # OIDC - settings from .env, see .env.sample
+  OIDC_OP_JWKS_ENDPOINT:
+  OIDC_OP_AUTHORIZATION_ENDPOINT:
+  OIDC_OP_TOKEN_ENDPOINT:
+  OIDC_OP_USER_ENDPOINT:
+  OIDC_RP_CLIENT_ID:
   OIDC_RP_CLIENT_SECRET:
-  OIDC_RP_SIGN_ALGO: RS256
-  OIDC_RP_SCOPES: "openid email"
-  LOGIN_REDIRECT_URL: https://${DOMAIN}
-  LOGIN_REDIRECT_URL_FAILURE: https://${DOMAIN}
-  LOGOUT_REDIRECT_URL: https://${DOMAIN}
-  OIDC_REDIRECT_ALLOWED_HOSTS: '["https://auth.${DOMAIN}", "https://${DOMAIN}"]'
-  OIDC_AUTH_REQUEST_EXTRA_PARAMS: "{'acr_values': 'eidas1'}"
+  OIDC_RP_SIGN_ALGO:
+  OIDC_RP_SCOPES:
+  LOGIN_REDIRECT_URL:
+  LOGIN_REDIRECT_URL_FAILURE:
+  LOGOUT_REDIRECT_URL:
+  OIDC_REDIRECT_ALLOWED_HOSTS:
+  OIDC_AUTH_REQUEST_EXTRA_PARAMS:
   # AI
   AI_FEATURE_ENABLED: "false"
   AI_BASE_URL: https://openaiendpoint.com
@@ -81,31 +81,6 @@ x-minio-env: &minio-env
   # FIXME: Move to docker secret
   MINIO_ROOT_PASSWORD: password
 
-x-keycloak-env: &kc-keycloak-env
-  KC_BOOTSTRAP_ADMIN_USERNAME: admin
-  # FIXME: Move to docker secret
-  KC_BOOTSTRAP_ADMIN_PASSWORD: admin
-  KC_DB: postgres
-  KC_DB_URL_HOST: kc_postgresql
-  KC_DB_SCHEMA: public
-  PROXY_ADDRESS_FORWARDING: 'true'
-  KC_HOSTNAME: https://auth.${DOMAIN}
-  KC_HTTP_ENABLED: "true"
-  # KC_HTTPS_CERTIFICATE_FILE: /etc/ssl/certs/docs.crt
-  # KC_HTTPS_CERTIFICATE_KEY_FILE: /etc/ssl/private/docs.key`
-
-x-kc-postgres-env: &kc-postgres-env
-  # Postgresql db container configuration
-  POSTGRES_DB: keycloak
-  POSTGRES_USER: keycloak
-  # FIXME: Move to docker secret
-  POSTGRES_PASSWORD: keycloak
-  # Keycloak database configuration
-  KC_DB_URL_DATABASE: keycloak
-  KC_DB_USERNAME: keycloak
-  # FIXME: Move to docker secret
-  KC_DB_PASSWORD: keycloak
-
 services:
   app:
     image: lasuite/impress-frontend:v3.3.0
@@ -223,42 +198,6 @@ services:
         - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
         - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
 
-  # FIXME: remove
-  kc_postgresql:
-    image: postgres:16
-    networks:
-      - backend
-    healthcheck:
-      test: ["CMD", "pg_isready", "-q", "-U", "keycloak", "-d", "keycloak"]
-      interval: 1s
-      timeout: 2s
-      retries: 300    
-    environment:
-      <<: *kc-postgres-env
-      PGDATA: var/lib/postgresql/data/pgdata
-    volumes:
-      - postgres_keycloak:/var/lib/postgresql/data/pgdata
-
-  keycloak:
-    image: quay.io/keycloak/keycloak:26.1.0
-    command: ["start"]
-    networks:
-      - proxy
-      - backend
-    environment:
-      <<: [*kc-keycloak-env, *kc-postgres-env]
-    # volumes:
-    #   - certs:/etc/ssl/certs:ro
-    deploy:
-      labels:
-        - "traefik.enable=true"
-        - "traefik.docker.network=proxy"
-        - "traefik.http.routers.${STACK_NAME}-keycloak.tls=true"
-        - "traefik.http.services.${STACK_NAME}-keycloak.loadbalancer.server.port=8080"
-        - "traefik.http.routers.${STACK_NAME}-keycloak.rule=Host(`auth.${DOMAIN}`)"
-        - "traefik.http.routers.${STACK_NAME}-keycloak.tls.certresolver=${LETS_ENCRYPT_ENV}"
-        - "traefik.http.routers.${STACK_NAME}-keycloak.entrypoints=web-secure"
-
 networks:
   proxy:
     external: true
@@ -267,9 +206,6 @@ networks:
 volumes:
   postgres:
   minio:
-  # FIXME: remove this
-  postgres_keycloak:
-  # certs:
 
 configs:
   nginx_conf: