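--- a/terraform_keycloak/keycloak.tf
+++ b/terraform_keycloak/keycloak.tf
@@ -3,3 +3,68 @@ terraform {
 path = "/home/xenrox/decrypted/terraform/keycloak.tfstate"
 }
 }
+
+data "external" "vault_keycloak" {
+ program = ["${path.module}/../misc/read-vault.py",
+ "group_vars/all/vault_keycloak.yml"]
+}
+
+data "external" "vault_email" {
+ program = ["${path.module}/../misc/read-vault.py",
+ "group_vars/all/vault_email.yml"]
+}
+
+provider "keycloak" {
+ client_id = "admin-cli"
+ username = data.external.vault_keycloak.result.vault_keycloak_admin_username
+ password = data.external.vault_keycloak.result.vault_keycloak_admin_password
+ url = "https://keycloak.xenrox.net"
+}
+
+resource "keycloak_realm" "xenrox" {
+ realm = "xenrox"
+ enabled = true
+
+ reset_password_allowed = true
+ remember_me = true
+ verify_email = true
+ login_with_email_allowed = true
+ password_policy = "length(20) and notUsername"
+
+ smtp_server {
+ host = "mail.xenrox.net"
+ port = "465"
+ from = "noreply@xenrox.net"
+ from_display_name = "xenrox Keycloak"
+ reply_to = "admin@xenrox.net"
+ reply_to_display_name = "Thorben Günther"
+ starttls = false
+ ssl = true
+
+ auth {
+ username = data.external.vault_email.result.vault_email_noreply_mail
+ password = data.external.vault_email.result.vault_email_noreply_password
+ }
+ }
+
+ security_defenses {
+ headers {
+ x_frame_options = "DENY"
+ content_security_policy = "frame-src 'self'; frame-ancestors 'self'; object-src 'none';"
+ content_security_policy_report_only = ""
+ x_content_type_options = "nosniff"
+ x_robots_tag = "none"
+ x_xss_protection = "1; mode=block"
+ strict_transport_security = "max-age=31536000; includeSubDomains"
+ }
+ brute_force_detection {
+ permanent_lockout = false
+ max_login_failures = 3
+ wait_increment_seconds = 600
+ quick_login_check_milli_seconds = 1000
+ minimum_quick_login_wait_seconds = 60
+ max_failure_wait_seconds = 9000
+ failure_reset_time_seconds = 43200
+ }
+ }
+}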
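Review bot: The admin and SMTP credentials pulled through `data.external.vault_keycloak` and `data.external.vault_email` (the `username`/`password` lines of the provider block and of `smtp_server.auth`) end up in plaintext in the Terraform state, because an external data source's whole `result` map is persisted there even though provider arguments themselves are not; with the state path under `/home/xenrox/decrypted/...`, the lifecycle of that file after `apply` matters as much as the vault files the script decrypts. Wrapping the lookups, e.g. `username = sensitive(data.external.vault_keycloak.result.vault_keycloak_admin_username)`, would at least keep the values out of plan output and logs, assuming the Terraform version in use supports `sensitive()`. A short comment above the two `data "external"` blocks noting that their results are stored in state would save the next maintainer from assuming the secrets stay inside the vault files. Separately, `x_xss_protection = "1; mode=block"` in `security_defenses.headers` is a legacy header; current OWASP guidance is to set it to `0` (or drop it) and rely on the Content-Security-Policy already configured, since the browser-side filter it enables is deprecated and has had its own bypasses.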