.forgejo/workflows/container-build.yml

@@ -0,0 +1,27 @@
+---
+on:
+  push:
+  workflow_dispatch:
+
+
+jobs:
+  container_build:
+    runs-on: private-vault
+    steps:
+      - name: Fetch repo
+        uses: actions/checkout@v3
+      - name: Container build
+        run: "./build_container.sh"
+      - name: Container push
+        env:
+          REGISTRY_AUTH_FILE: ${{env.RUNNER_TEMP}}/auth.json
+        run: |
+          skopeo login -u 'user' -p "${{ secrets.DOCKER_TOKEN }}" ${GITHUB_SERVER_URL}
+          server=${GITHUB_SERVER_URL//https:/docker:}
+          for tag in latest $GITHUB_RUN_NUMBER ; do
+              echo pushing image to "${server}/${GITHUB_REPOSITORY}:${tag}"
+              skopeo copy -q -a --dest-precompute-digests dir:image "${server}/${GITHUB_REPOSITORY}:${tag}"
+          done
+      - name: Cleanup
+        run: |
+          podman image prune -f

Containerfile.in

@@ -1,34 +0,0 @@
-#ifndef SOURCE
-#define SOURCE gitea.sebastian-tobie.de/docker/keycloak:latest-orig
-#endif
-FROM SOURCE as builder
-ENV PATH="/opt/keycloak/bin:/usr/bin:/usr/local/bin"
-
-ENV KC_HEALTH_ENABLED=false
-ENV KC_DB=postgres
-ENV KC_CACHE_STACK=tcp
-ENV KC_HTTPS_CLIENT_AUTH=request
-ENV KC_FEATURES=dynamic-scopes,recovery-codes,preview
-ENV KC_DB_URL=postgresql://postgres.services.tobie:5432/keycloak
-RUN kc.sh build
-
-FROM SOURCE
-ENV PATH="/opt/keycloak/bin:/usr/bin:/usr/local/bin"
-
-COPY --from=builder /opt/keycloak/ /opt/keycloak/
-
-WORKDIR /opt/keycloak
-ENV KC_HOSTNAME_ADMIN_URL="https://admin.sso.sebastian-tobie.de"
-ENV KC_HOSTNAME_URL="https://sso.sebastian-tobie.de"
-ENV KC_DB_USERNAME=keycloak
-ENV KC_DB_PASSWORD=changeme
-ENV KC_DB_URL=postgresql://postgres.services.tobie:5432/keycloak
-
-ENV KEYCLOAK_ADMIN="admin"
-ENV KEYCLOAK_ADMIN_PASSWORD="admin"
-EXPOSE 8080
-COPY --chown=root:root tobie-ca.crt /etc/pki/ca-trust/source/anchors/tobie-ca.crt
-USER root
-RUN keytool -importcert -alias tobieca -cacerts -storepass changeit -noprompt -trustcacerts -file /etc/pki/ca-trust/source/anchors/tobie-ca.crt
-USER keycloak
-ENTRYPOINT ["kc.sh", "start", "--optimized", "--http-enabled", "true", "--proxy", "edge", "--log-console-format", "'%-5p [%c] (%t) %s%e%n'", "--hostname-strict-backchannel=true"]

build_container.sh

@@ -0,0 +1,35 @@
+#!/bin/bash
+set -e
+
+both() {
+    "$@" builder
+    "$@" final
+}
+
+source=quay.io/keycloak/keycloak:latest
+buildah from -q --name builder --pull=newer $source >/dev/null
+buildah from -q --name final $source >/dev/null
+
+buildah config -l - -e - -a - -p - final
+buildah config \
+    -e PATH="/opt/keycloak/bin:/usr/bin:/usr/local/bin" \
+    -e KC_HTTPS_CLIENT_AUTH=request \
+    builder
+buildah config \
+    -e KC_HOSTNAME_ADMIN_URL="https://admin.sso.sebastian-tobie.de" \
+    -e KC_HOSTNAME_URL="https://sso.sebastian-tobie.de" \
+    -e KC_DB_USERNAME=keycloak \
+    -e KC_DB_PASSWORD=changeme \
+    -e KC_DB_URL=postgresql://postgres.services.tobie:5432/keycloak \
+    -e KEYCLOAK_ADMIN="admin" \
+    -e KEYCLOAK_ADMIN_PASSWORD="admin" \
+    -p 8080/tcp \
+    -u keycloak:keycloak \
+    --entrypoint "[\"kc.sh\", \"start\", \"--optimized\", \"--http-enabled\", \"true\", \"--proxy\", \"edge\", \"--log-console-format\", \"'%-5p [%c] (%t) %s%e%n'\", \"--hostname-strict-backchannel=true\"]" \
+    final
+
+buildah run -- builder kc.sh build --db=postgres --metrics-enabled=true --https-client-auth request --features web-authn,passkeys,persistent-user-sessions,recovery-codes --features-disabled kerberos,docker,ciba,fips
+
+buildah copy --from builder --chown root:root final /opt/keycloak/ /opt/keycloak/
+buildah rm builder
+buildah commit --squash -q -f oci --rm final dir:image