diff --git a/.forgejo/workflows/container-build.yml b/.forgejo/workflows/container-build.yml
new file mode 100644
index 0000000..c785b5a
--- /dev/null
+++ b/.forgejo/workflows/container-build.yml
@@ -0,0 +1,27 @@
+---
+on:
+ push:
+ workflow_dispatch:
+
+
+jobs:
+ container_build:
+ runs-on: private-vault
+ steps:
+ - name: Fetch repo
+ uses: actions/checkout@v3
+ - name: Container build
+ run: "./build_container.sh"
+ - name: Container push
+ env:
+ REGISTRY_AUTH_FILE: ${{env.RUNNER_TEMP}}/auth.json
+ run: |
+ skopeo login -u 'user' -p "${{ secrets.DOCKER_TOKEN }}" ${GITHUB_SERVER_URL}
+ server=${GITHUB_SERVER_URL//https:/docker:}
+ for tag in latest $GITHUB_RUN_NUMBER ; do
+ echo pushing image to "${server}/${GITHUB_REPOSITORY}:${tag}"
+ skopeo copy -q -a --dest-precompute-digests dir:image "${server}/${GITHUB_REPOSITORY}:${tag}"
+ done
+ - name: Cleanup
+ run: |
+ podman image prune -f
\ No newline at end of file
diff --git a/Containerfile.in b/Containerfile.in
deleted file mode 100644
index 8a420e0..0000000
--- a/Containerfile.in
+++ /dev/null
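Review bot: The `skopeo login` line in the "Container push" step passes the registry token on the command line via `-p "${{ secrets.DOCKER_TOKEN }}"`, which exposes it to any process on the runner that can list process arguments and, because the expression is substituted into the script text, breaks the quoting if the token ever contains a double quote or `$`. Pass it through the step's `env:` block as `DOCKER_TOKEN: ${{ secrets.DOCKER_TOKEN }}` and read it from stdin: `printf '%s' "$DOCKER_TOKEN" | skopeo login -u 'user' --password-stdin "${GITHUB_SERVER_URL}"`. The checkout step uses the mutable tag `actions/checkout@v3`; for a job that holds a registry push token, pin it to a full commit SHA (`actions/checkout@<commit-sha>`) so an upstream tag move cannot change what runs with that token. Neither `run: |` script sets `set -euo pipefail`; the runner's default shell probably aborts on the first failing command, but that is inferred from the GitHub-compatible defaults, and making it explicit costs one line at the top of each script.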
@@ -1,34 +0,0 @@
-#ifndef SOURCE
-#define SOURCE gitea.sebastian-tobie.de/docker/keycloak:latest-orig
-#endif
-FROM SOURCE as builder
-ENV PATH="/opt/keycloak/bin:/usr/bin:/usr/local/bin"
-
-ENV KC_HEALTH_ENABLED=false
-ENV KC_DB=postgres
-ENV KC_CACHE_STACK=tcp
-ENV KC_HTTPS_CLIENT_AUTH=request
-ENV KC_FEATURES=dynamic-scopes,recovery-codes,preview
-ENV KC_DB_URL=postgresql://postgres.services.tobie:5432/keycloak
-RUN kc.sh build
-
-FROM SOURCE
-ENV PATH="/opt/keycloak/bin:/usr/bin:/usr/local/bin"
-
-COPY --from=builder /opt/keycloak/ /opt/keycloak/
-
-WORKDIR /opt/keycloak
-ENV KC_HOSTNAME_ADMIN_URL="https://admin.sso.sebastian-tobie.de"
-ENV KC_HOSTNAME_URL="https://sso.sebastian-tobie.de"
-ENV KC_DB_USERNAME=keycloak
-ENV KC_DB_PASSWORD=changeme
-ENV KC_DB_URL=postgresql://postgres.services.tobie:5432/keycloak
-
-ENV KEYCLOAK_ADMIN="admin"
-ENV KEYCLOAK_ADMIN_PASSWORD="admin"
-EXPOSE 8080
-COPY --chown=root:root tobie-ca.crt /etc/pki/ca-trust/source/anchors/tobie-ca.crt
-USER root
-RUN keytool -importcert -alias tobieca -cacerts -storepass changeit -noprompt -trustcacerts -file /etc/pki/ca-trust/source/anchors/tobie-ca.crt
-USER keycloak
-ENTRYPOINT ["kc.sh", "start", "--optimized", "--http-enabled", "true", "--proxy", "edge", "--log-console-format", "'%-5p [%c] (%t) %s%e%n'", "--hostname-strict-backchannel=true"]
diff --git a/build_container.sh b/build_container.sh
new file mode 100755
index 0000000..f4a191b
--- /dev/null
+++ b/build_container.sh
@@ -0,0 +1,35 @@
+#!/bin/bash
+set -e
+
+both() {
+ "$@" builder
+ "$@" final
+}
+
+source=quay.io/keycloak/keycloak:latest
+buildah from -q --name builder --pull=newer $source >/dev/null
+buildah from -q --name final $source >/dev/null
+
+buildah config -l - -e - -a - -p - final
+buildah config \
+ -e PATH="/opt/keycloak/bin:/usr/bin:/usr/local/bin" \
+ -e KC_HTTPS_CLIENT_AUTH=request \
+ builder
+buildah config \
+ -e KC_HOSTNAME_ADMIN_URL="https://admin.sso.sebastian-tobie.de" \
+ -e KC_HOSTNAME_URL="https://sso.sebastian-tobie.de" \
+ -e KC_DB_USERNAME=keycloak \
+ -e KC_DB_PASSWORD=changeme \
+ -e KC_DB_URL=postgresql://postgres.services.tobie:5432/keycloak \
+ -e KEYCLOAK_ADMIN="admin" \
+ -e KEYCLOAK_ADMIN_PASSWORD="admin" \
+ -p 8080/tcp \
+ -u keycloak:keycloak \
+ --entrypoint "[\"kc.sh\", \"start\", \"--optimized\", \"--http-enabled\", \"true\", \"--proxy\", \"edge\", \"--log-console-format\", \"'%-5p [%c] (%t) %s%e%n'\", \"--hostname-strict-backchannel=true\"]" \
+ final
+
+buildah run -- builder kc.sh build --db=postgres --metrics-enabled=true --https-client-auth request --features web-authn,passkeys,persistent-user-sessions,recovery-codes --features-disabled kerberos,docker,ciba,fips
+
+buildah copy --from builder --chown root:root final /opt/keycloak/ /opt/keycloak/
+buildah rm builder
+buildah commit --squash -q -f oci --rm final dir:image
\ No newline at end of file
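Review bot: The second `buildah config` call bakes `-e KC_DB_PASSWORD=changeme`, `-e KEYCLOAK_ADMIN="admin"` and `-e KEYCLOAK_ADMIN_PASSWORD="admin"` into the final image's config, which the workflow then pushes under `latest`; image env is readable by anyone who can pull the image (`skopeo inspect`), and since the two `KEYCLOAK_ADMIN*` variables appear to be Keycloak's bootstrap-admin settings, a container started without overrides would come up with an admin/admin account. Drop those three `-e` lines and supply the values at runtime from the deployment's environment or a secret store, keeping only the non-secret `KC_*` settings in the image. `source=quay.io/keycloak/keycloak:latest` is a floating tag, so `--pull=newer` makes each build pick up whatever upstream published last; pinning to a digest (`quay.io/keycloak/keycloak@sha256:<digest>`) keeps the build reproducible and lets base-image updates be reviewed. `both()` is defined but never called; either use it for the paired `buildah from`/`buildah config` invocations or delete it. `set -e` on its own leaves unset variables and mid-pipeline failures undetected; `set -euo pipefail` is the usual form for a script that drives image builds.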