Prepare docker compose examples with keycloak. (#151)

Author: nmorenor

compose/.env-with-keycloak-template

@@ -0,0 +1,63 @@
+###############################################################################
+# CodeTogether – Environment Template
+# -----------------------------------------------------------------------------
+# 1.  Copy this file to `.env` in the same directory as `compose.yaml`.
+# 2.  Replace the placeholders on the right‑hand side with your real values.
+# 3.  Place all SSL certificates and Diffie‑Hellman parameters in the
+#     `nginx/ssl` directory.
+# 4.  Configure your SSO provider in the `cthq.properties` file.
+# 5.  Run `docker‑compose up -d` to start the containers.
+#
+# Variables (all required unless stated otherwise)
+# ----------------------------------------------
+# COLLAB_FQDN        Public hostname (FQDN) that end‑users hit to reach the
+#                    Collab service (e.g. collab.example.com).
+#
+# INTEL_FQDN         Public hostname (FQDN) for the Intel service
+#                    (e.g. intel.example.com).
+#
+# INTEL_SECRET       Shared secret Collab uses to authenticate when
+#                    communicating with the Intel service. Use a strong,
+#                    private value.
+#
+# SSL_COLLAB_CERT    Certificate filename that Nginx serves for the Collab
+#                    virtual host (e.g. ssl-collab.crt).
+#
+# SSL_COLLAB_KEY     Private key filename for the Collab certificate
+#                    (e.g. ssl-collab.key).
+#
+# SSL_INTEL_CERT     Certificate filename for the Intel virtual host
+#                    (e.g. ssl-intel.crt).
+#
+# SSL_INTEL_KEY      Private key filename for the Intel certificate
+#                    (e.g. ssl-intel.key).
+#
+# DHPARAM_PEM        Diffie‑Hellman parameters file (e.g. dhparam.pem).
+###############################################################################
+
+COLLAB_FQDN=collab.example.com
+INTEL_FQDN=intel.example.com
+INTEL_SECRET=super-secret-string
+
+# SSL cerfificate files should be placed in the `nginx/ssl` directory.
+SSL_COLLAB_CERT=ssl-collab.crt
+SSL_COLLAB_KEY=ssl-collab.key
+
+SSL_INTEL_CERT=ssl-intel.crt
+SSL_INTEL_KEY=ssl-intel.key
+
+DHPARAM_PEM=dhparam.pem
+
+KEYCLOAK_FQDN=keycloak.example.com
+SSL_KEYCLOAK_CERT=ssl-keycloak.crt
+SSL_KEYCLOAK_KEY=ssl-keycloak.key
+
+KEYCLOAK_DB_USERNAME=keycloak
+KEYCLOAK_DB_PASSWORD=keycloak
+
+KEYCLOAK_ADMIN_PASSWORD=keycloak
+KEYCLOAK_ADMIN=admin
+
+# Uncomment the following lines to enable AI integration with Ollama
+#CT_HQ_OLLAMA_AI_URL=http://codetogether-llm:8000
+#CT_HQ_OLLAMA_AI_MODEL_NAME=gemma3:1b

compose/keycloak/compose-keycloak-no-nginx.yaml

@@ -0,0 +1,76 @@
+# 👇 Rename `.env-template` to `.env` before running this file
+# Set the appropriate values once renamed
+services:
+  # Relational database for Keycloak (optional)
+  codetogether-mysql:
+    image: mysql:8.0
+    container_name: codetogether-mysql
+    restart: unless-stopped
+    env_file:
+      - .env
+    environment:
+      MYSQL_ROOT_PASSWORD: ${KEYCLOAK_DB_PASSWORD}
+      MYSQL_DATABASE: keycloak
+      MYSQL_USER: ${KEYCLOAK_DB_USERNAME}
+      MYSQL_PASSWORD: ${KEYCLOAK_DB_PASSWORD}
+    volumes:
+      - mysql_data:/var/lib/mysql
+    networks:
+      - codetogethernet
+    healthcheck:
+      test: ["CMD", "mysqladmin", "ping", "-h", "localhost"]
+      interval: 10s
+      timeout: 10s
+      retries: 30
+
+  # Keycloak service (optional)
+  codetogether-keycloak:
+    image: quay.io/keycloak/keycloak:latest
+    container_name: codetogether-keycloak
+    env_file:
+      - .env
+    depends_on:
+      codetogether-mysql:
+        condition: service_healthy
+    command:
+      - "start"
+    environment:
+      # Admin credentials
+      KEYCLOAK_ADMIN: ${KEYCLOAK_ADMIN}
+      KEYCLOAK_ADMIN_PASSWORD: ${KEYCLOAK_ADMIN_PASSWORD}
+
+      # Database connectivity
+      KC_DB: mysql
+      KC_DB_USERNAME: ${KEYCLOAK_DB_USERNAME:-root}
+      KC_DB_PASSWORD: ${KEYCLOAK_DB_PASSWORD}
+      KC_DB_URL_HOST: codetogether-mysql
+
+      # Feature flags & observability
+      KC_FEATURES: token-exchange
+      KC_HEALTH_ENABLED: "true"
+      KC_METRICS_ENABLED: "true"
+
+      # Reverse‑proxy / HTTP
+      KC_HTTP_ENABLED: "true"
+      KC_PROXY: edge
+      KC_PROXY_HEADERS: xforwarded
+      KC_HOSTNAME_STRICT: "false"
+      KC_HOSTNAME_STRICT_HTTPS: "false"
+      KC_HOSTNAME: ${KEYCLOAK_FQDN}
+      KC_FRONTEND_URL: https://${KEYCLOAK_FQDN}
+      KC_HTTP_PORT: 8080
+    networks:
+      - codetogethernet
+    healthcheck:
+      test: ["CMD-SHELL", "echo > /dev/tcp/localhost/8080 || exit 1"]
+      interval: 10s
+      timeout: 5s
+      retries: 5
+      start_period: 30s
+
+volumes:
+  mysql_data:
+
+networks:
+  codetogethernet:
+    driver: bridge

compose/keycloak/compose-keycloak.yaml

@@ -0,0 +1,95 @@
+# 👇 Rename `.env-template` to `.env` before running this file
+# Set the appropriate values once renamed
+services:
+  # Relational database for Keycloak (optional)
+  codetogether-mysql:
+    image: mysql:8.0
+    container_name: codetogether-mysql
+    restart: unless-stopped
+    env_file:
+      - .env
+    environment:
+      MYSQL_ROOT_PASSWORD: ${KEYCLOAK_DB_PASSWORD}
+      MYSQL_DATABASE: keycloak
+      MYSQL_USER: ${KEYCLOAK_DB_USERNAME}
+      MYSQL_PASSWORD: ${KEYCLOAK_DB_PASSWORD}
+    volumes:
+      - mysql_data:/var/lib/mysql
+    networks:
+      - codetogethernet
+    healthcheck:
+      test: ["CMD", "mysqladmin", "ping", "-h", "localhost"]
+      interval: 10s
+      timeout: 10s
+      retries: 30
+  # Nginx reverse proxy for Keycloak (optional)
+  codetogether-keycloak-nginx:
+    image: nginx:latest
+    container_name: codetogether-keycloak-nginx
+    env_file:
+      - .env
+    environment:
+      - NGINX_ENVSUBST_OUTPUT_DIR=/etc/nginx
+    ports:
+      - "443:443"
+    volumes:
+      - ./nginx/nginx.conf.template:/etc/nginx/templates/nginx.conf.template:ro
+      - ./nginx/ssl:/etc/nginx/ssl
+      - ./nginx/log:/var/log/nginx
+    networks:
+      - codetogethernet
+    depends_on:
+       codetogether-keycloak:
+        condition: service_healthy
+
+  # Keycloak service (optional)
+  codetogether-keycloak:
+    image: quay.io/keycloak/keycloak:latest
+    container_name: codetogether-keycloak
+    env_file:
+      - .env
+    depends_on:
+      codetogether-mysql:
+        condition: service_healthy
+    command:
+      - "start"
+    environment:
+      # Admin credentials
+      KEYCLOAK_ADMIN: ${KEYCLOAK_ADMIN}
+      KEYCLOAK_ADMIN_PASSWORD: ${KEYCLOAK_ADMIN_PASSWORD}
+
+      # Database connectivity
+      KC_DB: mysql
+      KC_DB_USERNAME: ${KEYCLOAK_DB_USERNAME:-root}
+      KC_DB_PASSWORD: ${KEYCLOAK_DB_PASSWORD}
+      KC_DB_URL_HOST: codetogether-mysql
+
+      # Feature flags & observability
+      KC_FEATURES: token-exchange
+      KC_HEALTH_ENABLED: "true"
+      KC_METRICS_ENABLED: "true"
+
+      # Reverse‑proxy / HTTP
+      KC_HTTP_ENABLED: "true"
+      KC_PROXY: edge
+      KC_PROXY_HEADERS: xforwarded
+      KC_HOSTNAME_STRICT: "false"
+      KC_HOSTNAME_STRICT_HTTPS: "false"
+      KC_HOSTNAME: ${KEYCLOAK_FQDN}
+      KC_FRONTEND_URL: https://${KEYCLOAK_FQDN}
+      KC_HTTP_PORT: 8080
+    networks:
+      - codetogethernet
+    healthcheck:
+      test: ["CMD-SHELL", "echo > /dev/tcp/localhost/8080 || exit 1"]
+      interval: 10s
+      timeout: 5s
+      retries: 5
+      start_period: 30s
+
+volumes:
+  mysql_data:
+
+networks:
+  codetogethernet:
+    driver: bridge

compose/nginx/ssl/nginx-with-keycloak.conf.template

@@ -0,0 +1,143 @@
+### To use this file rename it to nginx.conf.template so it is picked up by the compose.yml file.
+events {
+    worker_connections  1024;
+}
+
+http {
+    include       mime.types;
+    default_type  application/octet-stream;
+    sendfile        on;
+    keepalive_timeout  65;
+    server {
+        listen       443 ssl http2;
+        server_name  ${COLLAB_FQDN};
+        proxy_buffer_size 128k;
+        proxy_buffers 4 256k;
+        ssl_certificate /etc/nginx/ssl/${SSL_COLLAB_CERT};
+        ssl_certificate_key /etc/nginx/ssl/${SSL_COLLAB_KEY};
+        ssl_dhparam /etc/nginx/ssl/${DHPARAM_PEM};
+        ssl_prefer_server_ciphers on;
+        ssl_protocols TLSv1.2;
+        ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+        location / {
+            # Similar proxy logic for headers
+            set $realIP $remote_addr;
+            set $forwardTo $proxy_add_x_forwarded_for;
+            set $reqHost $http_host;
+            if ($http_x_real_ip != '') {
+                set $realIP $http_x_real_ip;
+            }
+            if ($http_x_forwarded_for != '') {
+                set $forwardTo $http_x_forwarded_for;
+            }
+            add_header C-Real-IP $realIP;
+            add_header C-Forwarded-For $forwardTo;
+            add_header C-Request-Host $reqHost;
+            proxy_set_header X-Real-IP $realIP;
+            proxy_set_header X-Forwarded-For $forwardTo;
+            proxy_set_header Host $reqHost;
+            proxy_set_header X-NginX-Proxy true;
+            proxy_http_version 1.1;
+            proxy_redirect off;
+            proxy_pass http://codetogether-collab:1080;
+            proxy_set_header Upgrade $http_upgrade;
+            proxy_set_header Connection "upgrade";
+            proxy_read_timeout 360;
+            proxy_connect_timeout 360;
+            proxy_send_timeout 360;
+        }
+    }
+    server {
+        server_name          ${INTEL_FQDN};
+        listen               443 ssl http2;
+
+        # configure proxy buffer sizes
+        proxy_buffer_size    128k;
+        proxy_buffers        4 256k;
+
+        # setup the SSL certificate
+        ssl_certificate /etc/nginx/ssl/${SSL_INTEL_CERT};
+        ssl_certificate_key /etc/nginx/ssl/${SSL_INTEL_KEY};
+        ssl_dhparam /etc/nginx/ssl/${DHPARAM_PEM};
+        ssl_prefer_server_ciphers on;
+        ssl_protocols        TLSv1.2;
+        ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+
+        # create the passthrough to the CodeTogether Intel container
+        location / {
+
+            # set passthru parameters for the CodeTogether Intel container
+            set $realIP      $remote_addr;
+            set $forwardTo   $proxy_add_x_forwarded_for;
+            set $reqHost     $http_host;
+            client_max_body_size 32M;
+            if ($http_x_real_ip != '') {
+                set $realIP  $http_x_real_ip;
+            }
+            if ($http_x_forwarded_for != '') {
+                set $forwardTo $http_x_forwarded_for;
+            }
+            proxy_set_header X-Real-IP $realIP;
+            proxy_set_header X-Forwarded-For $forwardTo;
+            proxy_set_header Host $reqHost;
+
+            # setup the backend to service the HQ requests
+            proxy_pass            http://codetogether-intel:1080;
+            proxy_set_header      X-NginX-Proxy true;
+            proxy_http_version    1.1;
+            proxy_redirect        off;
+            proxy_set_header      Upgrade $http_upgrade;
+            proxy_set_header      Connection "upgrade";
+            proxy_read_timeout    360;
+            proxy_connect_timeout 360;
+            proxy_send_timeout    360;
+        }
+    }
+    server {
+        server_name          ${KEYCLOAK_FQDN};
+        listen               443 ssl http2;
+
+        # configure proxy buffer sizes
+        proxy_buffer_size    128k;
+        proxy_buffers        4 256k;
+
+        # setup the SSL certificate
+        ssl_certificate /etc/nginx/ssl/${SSL_KEYCLOAK_CERT};
+        ssl_certificate_key /etc/nginx/ssl/${SSL_KEYCLOAK_KEY};
+        # ssl_dhparam /etc/nginx/ssl/${DHPARAM_PEM};
+        ssl_prefer_server_ciphers on;
+        ssl_protocols        TLSv1.2;
+        ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+
+        # create the passthrough to the CodeTogether Intel container
+        location / {
+
+            # set passthru parameters for the CodeTogether Intel container
+            set $realIP      $remote_addr;
+            set $forwardTo   $proxy_add_x_forwarded_for;
+            set $reqHost     $http_host;
+            client_max_body_size 32M;
+            if ($http_x_real_ip != '') {
+                set $realIP  $http_x_real_ip;
+            }
+            if ($http_x_forwarded_for != '') {
+                set $forwardTo $http_x_forwarded_for;
+            }
+            proxy_set_header X-Real-IP $realIP;
+            proxy_set_header X-Forwarded-For $forwardTo;
+            proxy_set_header Host $reqHost;
+            proxy_set_header X-Forwarded-Proto https;
+
+            # setup the backend to service the HQ requests
+            proxy_pass            http://codetogether-keycloak:8080;
+            proxy_set_header      X-NginX-Proxy true;
+            proxy_http_version    1.1;
+            proxy_redirect        off;
+            proxy_set_header      Upgrade $http_upgrade;
+            proxy_set_header      Connection "upgrade";
+            proxy_read_timeout    360;
+            proxy_connect_timeout 360;
+            proxy_send_timeout    360;
+        }
+    }
+}