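# Local state. NOTE(review): Terraform state records the result of every
# data.external lookup below and the smtp_server.auth password in plaintext,
# so this file ends up holding the Keycloak admin password and the SMTP
# password. Keep it on the encrypted volume the path points at, mode 0600,
# out of version control; `terraform state pull`/`show` print these values.
terraform {
  backend "local" {
    path = "/home/xenrox/decrypted/terraform/keycloak.tfstate"
  }
}

# Secrets are pulled from Ansible vault files by a helper script instead of
# being written into this configuration. The script is trusted code and runs
# with the privileges of whoever invokes terraform.
data "external" "vault_keycloak" {
  program = ["${path.module}/../misc/read-vault.py", "group_vars/all/vault_keycloak.yml"]
}

data "external" "vault_email" {
  program = ["${path.module}/../misc/read-vault.py", "group_vars/all/vault_email.yml"]
}

# Realm administration uses the admin-cli client with username/password;
# the password is sent on every run, so the URL must stay https.
provider "keycloak" {
  client_id = "admin-cli"
  username  = data.external.vault_keycloak.result.vault_keycloak_admin_username
  password  = data.external.vault_keycloak.result.vault_keycloak_admin_password
  url       = "https://keycloak.xenrox.net"
}

resource "keycloak_realm" "xenrox" {
  realm   = "xenrox"
  enabled = true

  # Self-service password reset is on, which makes the SMTP mailbox below an
  # account-recovery path: whoever controls noreply@ can reset any account.
  # verify_email forces users to confirm their address; remember_me lets a
  # session outlive the browser session.
  reset_password_allowed   = true
  remember_me              = true
  verify_email             = true
  login_with_email_allowed = true

  # Users may authenticate with their email address, so a password equal to
  # the email is as weak as one equal to the username; reject both.
  password_policy = "length(20) and notUsername and notEmail"

  # Implicit TLS on 465 (ssl = true, starttls = false), authenticated with
  # the noreply mailbox credentials from the email vault. This mailbox sends
  # password-reset links, so its credentials are as sensitive as the realm's.
  smtp_server {
    host                  = "mail.xenrox.net"
    port                  = "465"
    from                  = "noreply@xenrox.net"
    from_display_name     = "xenrox Keycloak"
    reply_to              = "admin@xenrox.net"
    reply_to_display_name = "Thorben Günther"
    starttls              = false
    ssl                   = true

    auth {
      username = data.external.vault_email.result.vault_email_noreply_mail
      password = data.external.vault_email.result.vault_email_noreply_password
    }
  }

  security_defenses {
    headers {
      # NOTE(review): X-Frame-Options DENY and CSP frame-ancestors 'self'
      # disagree. Browsers that implement frame-ancestors give it precedence
      # over X-Frame-Options, so same-origin framing is effectively allowed.
      # If no framing at all is intended, frame-ancestors should become
      # 'none' too; left as-is here because the intent is not recorded.
      x_frame_options                     = "DENY"
      content_security_policy             = "frame-src 'self'; frame-ancestors 'self'; object-src 'none';"
      content_security_policy_report_only = ""
      x_content_type_options              = "nosniff"
      x_robots_tag                        = "none"
      # The legacy XSS auditor has been removed from current browsers and,
      # where it still exists, was abusable for cross-site leaks; the current
      # recommendation is to disable it explicitly. The CSP above is the
      # actual XSS mitigation.
      x_xss_protection                    = "0"
      strict_transport_security           = "max-age=31536000; includeSubDomains"
    }

    # Temporary lockout: after 3 failures Keycloak imposes a wait that starts
    # at 10 minutes and grows with further failures up to a 2.5 hour cap;
    # failures are forgotten 12 hours after the last one. Attempts less than
    # 1 s apart trigger at least a 60 s wait. permanent_lockout stays false
    # deliberately: a permanent lockout would let anyone who knows a username
    # lock that user out for good by spamming wrong passwords.
    brute_force_detection {
      permanent_lockout                = false
      max_login_failures               = 3
      wait_increment_seconds           = 600
      quick_login_check_milli_seconds  = 1000
      minimum_quick_login_wait_seconds = 60
      max_failure_wait_seconds         = 9000
      failure_reset_time_seconds       = 43200
    }
  }
}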