
e88dac2fac6026925ce29817635050ba1d9666ac — Thorben Günther 2 months ago b8dc81d
keycloak: Add terraform real

With configured security_defenses and email server.
1 files changed, 65 insertions(+), 0 deletions(-)

M terraform_keycloak/keycloak.tf
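--- a/terraform_keycloak/keycloak.tf
+++ b/terraform_keycloak/keycloak.tf
@@ -3,3 +3,68 @@ terraform {
     path = "/home/xenrox/decrypted/terraform/keycloak.tfstate"
   }
 }
+
+data "external" "vault_keycloak" {
+  program = ["${path.module}/../misc/read-vault.py",
+  "group_vars/all/vault_keycloak.yml"]
+}
+
+data "external" "vault_email" {
+  program = ["${path.module}/../misc/read-vault.py",
+  "group_vars/all/vault_email.yml"]
+}
+
+provider "keycloak" {
+  client_id = "admin-cli"
+  username  = data.external.vault_keycloak.result.vault_keycloak_admin_username
+  password  = data.external.vault_keycloak.result.vault_keycloak_admin_password
+  url       = "https://keycloak.xenrox.net"
+}
+
+resource "keycloak_realm" "xenrox" {
+  realm   = "xenrox"
+  enabled = true
+
+  reset_password_allowed   = true
+  remember_me              = true
+  verify_email             = true
+  login_with_email_allowed = true
+  password_policy          = "length(20) and notUsername"
+
+  smtp_server {
+    host                  = "mail.xenrox.net"
+    port                  = "465"
+    from                  = "noreply@xenrox.net"
+    from_display_name     = "xenrox Keycloak"
+    reply_to              = "admin@xenrox.net"
+    reply_to_display_name = "Thorben Günther"
+    starttls              = false
+    ssl                   = true
+
+    auth {
+      username = data.external.vault_email.result.vault_email_noreply_mail
+      password = data.external.vault_email.result.vault_email_noreply_password
+    }
+  }
+
+  security_defenses {
+    headers {
+      x_frame_options                     = "DENY"
+      content_security_policy             = "frame-src 'self'; frame-ancestors 'self'; object-src 'none';"
+      content_security_policy_report_only = ""
+      x_content_type_options              = "nosniff"
+      x_robots_tag                        = "none"
+      x_xss_protection                    = "1; mode=block"
+      strict_transport_security           = "max-age=31536000; includeSubDomains"
+    }
+    brute_force_detection {
+      permanent_lockout                = false
+      max_login_failures               = 3
+      wait_increment_seconds           = 600
+      quick_login_check_milli_seconds  = 1000
+      minimum_quick_login_wait_seconds = 60
+      max_failure_wait_seconds         = 9000
+      failure_reset_time_seconds       = 43200
+    }
+  }
+}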
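Review bot: The admin password from `data.external.vault_keycloak` and the SMTP password in `smtp_server.auth` are persisted in plaintext in the Terraform state, so the local state file named in the context lines (`keycloak.tfstate` under a `decrypted` directory) now holds the same secrets as the vault files it was meant to keep out of the repo; the directory name suggests the state is encrypted at rest outside Terraform, but nothing in the hunk records that expectation. A comment on the two `data "external"` sources such as `# result (admin and SMTP credentials) is stored in the local tfstate; treat that file like the vault_*.yml it is read from` would make the handling requirement explicit for the next maintainer. In `brute_force_detection`, `max_login_failures = 3` with `wait_increment_seconds = 600` growing to `max_failure_wait_seconds = 9000` means three bad attempts lock an account for ten minutes and repeated attempts for up to 2.5 hours; because `permanent_lockout = false` this is an availability rather than a confidentiality risk, but anyone who knows a username can keep it locked, so a one-line comment stating that this trade-off is intentional would help. The `terraform` block whose closing braces form the context lines starts outside the hunk.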