It took me quite some time to set up all these services together, so hopefully someone else can benefit from it too.
- Traefik is used as the reverse proxy: I prefer it over nginx because it integrates better with Docker.
- Traefik is configured to use Let's Encrypt to create TLS certificates automatically.
- Keycloak is configured to run as the Identity Provider. It uses a PostgreSQL backend to store the users and is available at `/auth`. Note a few important properties; without them, Keycloak did not work properly behind the proxy:
  - `KEYCLOAK_HTTP_RELATIVE_PATH=/auth` (serve Keycloak under the `/auth` prefix that Traefik routes to it)
  - `KEYCLOAK_HOSTNAME_URL=http://${HOST}` (the hostname Keycloak advertises; when running behind the proxy it is set over HTTP)
  - `KEYCLOAK_PROXY=edge` (Traefik terminates TLS and talks plain HTTP to Keycloak over the internal Docker network, which is treated as trusted)
  - `PROXY_ADDRESS_FORWARDING="true"` (Keycloak honours the `X-Forwarded-*` headers the reverse proxy adds, so it sees the client's scheme and host rather than the proxy's)

  Because `edge` mode makes Keycloak trust the `X-Forwarded-*` headers of whoever reaches it, do not publish Keycloak's own port on the host; it should be reachable only through Traefik.
- Portainer is optional, but used to inspect the running services.
- L3 is the Lessons Learned Library, a Dutch service to store lessons learned during crisis management incidents.
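The following `docker-compose.yml` is an added example of how the proxy, the database and the identity provider described above can be wired together; it is not the author's compose file, which the page does not reproduce, and it leaves out the L3 and Portainer services. The image names and tags, the certificate resolver name `le`, the entrypoint names `web` and `websecure`, the volume names and the `POSTGRES_PASSWORD` variable are assumptions; `HOST` and `EMAIL` are the values from the `.env` file the page describes, and the four Keycloak properties are the ones listed above.

```yaml
# Added illustration, not the author's own file.
# Assumed: image tags, resolver name "le", entrypoints "web"/"websecure",
# volume names, POSTGRES_PASSWORD. HOST and EMAIL come from .env.
services:
  traefik:
    image: traefik:v2.10                              # assumed tag
    command:
      - --providers.docker=true
      - --providers.docker.exposedbydefault=false    # only explicitly labelled containers are routed
      - --entrypoints.web.address=:80
      - --entrypoints.websecure.address=:443
      - --entrypoints.web.http.redirections.entrypoint.to=websecure
      - --entrypoints.web.http.redirections.entrypoint.scheme=https
      - --certificatesresolvers.le.acme.email=${EMAIL} # Let's Encrypt needs a real contact address
      - --certificatesresolvers.le.acme.storage=/letsencrypt/acme.json
      - --certificatesresolvers.le.acme.tlschallenge=true
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro # read-only: the socket is root-equivalent on the host
      - traefik-letsencrypt:/letsencrypt             # acme.json contains the certificate private keys

  postgres:
    image: postgres:15                                # assumed tag
    environment:
      POSTGRES_DB: keycloak
      POSTGRES_USER: keycloak
      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}        # assumed variable, set in .env, never committed
    volumes:
      - postgres-data:/var/lib/postgresql/data
    # no "ports:" entry: the database is reachable only on the compose network

  keycloak:
    image: bitnami/keycloak:latest                    # assumed; the page does not name an image
    depends_on:
      - postgres
    env_file: .env                                    # database and admin credentials for the chosen image
    environment:
      # The four settings the author found necessary behind the reverse proxy:
      KEYCLOAK_HTTP_RELATIVE_PATH: /auth
      KEYCLOAK_HOSTNAME_URL: http://${HOST}
      KEYCLOAK_PROXY: edge
      PROXY_ADDRESS_FORWARDING: "true"
    labels:
      - traefik.enable=true
      - "traefik.http.routers.keycloak.rule=Host(`${HOST}`) && PathPrefix(`/auth`)"
      - traefik.http.routers.keycloak.entrypoints=websecure
      - traefik.http.routers.keycloak.tls.certresolver=le
      - traefik.http.services.keycloak.loadbalancer.server.port=8080
    # no "ports:" entry either: Keycloak is reached only through Traefik, so the
    # X-Forwarded-* headers it trusts in "edge" mode always come from the proxy

volumes:
  traefik-letsencrypt:
  postgres-data:
```

The two deliberate omissions are the security-relevant part: neither PostgreSQL nor Keycloak publishes a port on the host, so the only path to the identity provider is through the TLS-terminating proxy whose forwarded headers Keycloak has been told to trust, and the Docker socket is mounted read-only because Traefik only needs to read container metadata from it.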
- Save the files.
- Edit the `.env` file and replace the properties (don't forget to update the email address, otherwise Let's Encrypt will not issue certificates for you).
- Start the services: `docker compose up -d`
- Visit the Keycloak service to set up the L3 realm. You can import the `realm-export.json` file, but make sure that you change the `L3app` client's endpoint URLs: they currently point to `https://kcr2testbed.westeurope.cloudapp.azure.com/`, which needs to be replaced by your domain. Also note the `contentSecurityPolicy` setting, which needed to include `http://kcr2testbed.westeurope.cloudapp.azure.com/` (i.e. plain HTTP, not HTTPS); otherwise the L3 service could not show the login iframe. Replace that origin with your own domain as well, and be aware that an `http://` origin in this header means a page served over plain HTTP at that host is accepted for framing, which weakens the clickjacking protection the header provides, so keep the list as short as possible.
- Add some users in the L3 realm (and add them to the admins or editors group).
- Visit the L3 service at `https://kcr2testbed.westeurope.cloudapp.azure.com/l3/` (with your own domain substituted) and log in.