From 07f51712c3861be4f26f6c388b475ea844005858 Mon Sep 17 00:00:00 2001
From: Alexander Gabriel
Date: Sat, 8 Jul 2023 20:31:47 +0200
Subject: [PATCH] updated config

---
 templates/keycloak.service.j2 | 25 +++++++++++++++++++++----
 templates/keycloak.service_init.j2 | 24 ++++++++++++++++++++----
 2 files changed, 41 insertions(+), 8 deletions(-)

diff --git a/templates/keycloak.service.j2 b/templates/keycloak.service.j2
index 5c4ccf4..8b5acd1 100644
--- a/templates/keycloak.service.j2
+++ b/templates/keycloak.service.j2
@@ -1,12 +1,16 @@
 [Unit]
-Description=Keycloak
-After=network.target
+Description=Keycloak server
+After=network-online.target
+Wants=network-online.target systemd-networkd-wait-online.service
 
 [Service]
-Type=idle
 User=keycloak
 Group=keycloak
-ExecStart=/opt/keycloak/current/bin/kc.sh start
+ExecStart=/opt/keycloak/current/bin/kc.sh start --auto-build
+WorkingDirectory=/opt/keycloak/current
+ReadWritePaths=/opt/keycloak/current/conf /opt/keycloak/current/data /opt/keycloak/current/lib/quarkus
+SuccessExitStatus=0 143
+
 TimeoutStartSec=600
 TimeoutStopSec=600
 Environment="KC_HTTP_HOST={{ keycloak_http_host}}"
@@ -18,5 +22,18 @@ Environment="KC_DB_URL_DATABASE={{ keycloak_postgresql_database }}"
 Environment="KC_DB_URL_HOST=localhost"
 Environment="KC_PROXY=edge"
 
+# Hardening options
+CapabilityBoundingSet=
+AmbientCapabilities=
+NoNewPrivileges=true
+ProtectHome=true
+ProtectSystem=strict
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectControlGroups=true
+PrivateTmp=true
+PrivateDevices=true
+LockPersonality=true
+
 [Install]
 WantedBy=multi-user.target
diff --git a/templates/keycloak.service_init.j2 b/templates/keycloak.service_init.j2
index 7dacc51..fabf520 100644
--- a/templates/keycloak.service_init.j2
+++ b/templates/keycloak.service_init.j2
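Review bot: The new `ReadWritePaths=` line grants the service account write access to `/opt/keycloak/current/lib/quarkus`, and the `--auto-build` added to `ExecStart=` makes the server rebuild its own runtime artifacts on every start, so anything running as `keycloak` can alter what the unit executes next time — this undercuts the `ProtectSystem=strict` introduced in the second hunk. Prefer running `kc.sh build` once at deploy time under the owning account and then `ExecStart=/opt/keycloak/current/bin/kc.sh start --optimized` with `ReadWritePaths=/opt/keycloak/current/conf /opt/keycloak/current/data`; recent Keycloak releases report `--auto-build` as deprecated in any case, so verify against the pinned version. `Wants=network-online.target systemd-networkd-wait-online.service` hard-wires networkd's wait-online unit, while `network-online.target` alone already pulls in whichever wait-online implementation the host uses, so `Wants=network-online.target` is sufficient and portable to NetworkManager hosts. The same applies to the first hunk of templates/keycloak.service_init.j2.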
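Review bot: The hardening block stops short of the network, namespace and syscall restrictions that normally accompany `ProtectSystem=strict` for an unprivileged network daemon: nothing limits which socket families Keycloak may open, nothing prevents it from creating user namespaces or setuid/setgid files, and non-native syscall ABIs stay reachable. The directives below are the usual companions and are compatible with a JVM (`MemoryDenyWriteExecute=` is deliberately omitted because the JIT needs writable-executable mappings); `SystemCallFilter=@system-service` and the address-family list should be checked against a full start/stop cycle before merging, and glibc's `getifaddrs` uses a netlink socket, so `AF_NETLINK` may have to be added if interface enumeration happens at startup. `ProtectProc=invisible` needs systemd 247 or newer; drop it if target hosts are older. Since the block is duplicated verbatim in templates/keycloak.service_init.j2, consider moving it into a shared Jinja snippet pulled in with `{% include %}` so the two units cannot drift apart.
```ini
# Hardening options
# … unchanged: CapabilityBoundingSet= through LockPersonality=true …
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
RestrictNamespaces=true
RestrictRealtime=true
RestrictSUIDSGID=true
SystemCallArchitectures=native
SystemCallFilter=@system-service
ProtectClock=true
ProtectHostname=true
ProtectProc=invisible
```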
@@ -1,12 +1,15 @@
 [Unit]
-Description=Keycloak
-After=network.target
+Description=Keycloak server
+After=network-online.target
+Wants=network-online.target systemd-networkd-wait-online.service
 
 [Service]
-Type=idle
 User=keycloak
 Group=keycloak
-ExecStart=/opt/keycloak/current/bin/kc.sh start
+ExecStart=/opt/keycloak/current/bin/kc.sh start --auto-build
+WorkingDirectory=/opt/keycloak/current
+ReadWritePaths=/opt/keycloak/current/conf /opt/keycloak/current/data /opt/keycloak/current/lib/quarkus
+SuccessExitStatus=0 143
 TimeoutStartSec=600
 TimeoutStopSec=600
 Environment="KC_HTTP_HOST={{ keycloak_http_host}}"
@@ -20,5 +23,18 @@ Environment="KC_PROXY=edge"
 Environment="KEYCLOAK_ADMIN={{ keycloak_initial_admin_name }}"
 Environment="KEYCLOAK_ADMIN_PASSWORD={{ keycloak_initial_admin_password }}"
 
+# Hardening options
+CapabilityBoundingSet=
+AmbientCapabilities=
+NoNewPrivileges=true
+ProtectHome=true
+ProtectSystem=strict
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectControlGroups=true
+PrivateTmp=true
+PrivateDevices=true
+LockPersonality=true
+
 [Install]
 WantedBy=multi-user.target
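Review bot: The hardening block is added directly below `Environment="KEYCLOAK_ADMIN_PASSWORD={{ keycloak_initial_admin_password }}"` yet leaves that secret rendered in clear text into the unit file, where the file's usual 0644 mode and `systemctl show <unit>` (which prints `Environment=` values) expose it to every local user. Move the two `KEYCLOAK_ADMIN*` assignments into a separate file referenced as `EnvironmentFile=/etc/keycloak/init.env` (constructed path), deployed root-owned with mode 0600; systemd opens that file before switching to `User=`, so the service account does not need read access, and `systemctl show` lists only the path — worth confirming on the target systemd version. That keeps the initial-admin bootstrap unchanged while confining the secret to root and the process environment. If the unchanged part of both templates renders database credentials the same way, the same treatment applies there.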