47 lines
1.5 KiB
Django/Jinja
47 lines
1.5 KiB
Django/Jinja
[Unit]
|
|
Description=Keycloak server
|
|
After=network-online.target
|
|
Wants=network-online.target systemd-networkd-wait-online.service
|
|
|
|
[Service]
|
|
User=keycloak
|
|
Group=keycloak
|
|
ExecStart=/opt/keycloak/keycloak-{{ keycloak_version }}/bin/kc.sh start
|
|
WorkingDirectory=/opt/keycloak/keycloak-{{ keycloak_version }}
|
|
ReadWritePaths=/opt/keycloak/keycloak-{{ keycloak_version }}/conf
|
|
ReadWritePaths=/opt/keycloak/keycloak-{{ keycloak_version }}/data
|
|
ReadWritePaths=/opt/keycloak/keycloak-{{ keycloak_version }}/lib/quarkus
|
|
SuccessExitStatus=0 143
|
|
|
|
TimeoutStartSec=600
|
|
TimeoutStopSec=600
|
|
Environment="KC_HTTP_HOST={{ keycloak_http_host }}"
|
|
Environment="KC_HOSTNAME=https://{{ inventory_hostname }}"
|
|
Environment="KC_DB=postgres"
|
|
Environment="KC_DB_USERNAME={{ keycloak_postgresql_username }}"
|
|
Environment="KC_DB_PASSWORD={{ keycloak_postgresql_password }}"
|
|
Environment="KC_DB_URL_DATABASE={{ keycloak_postgresql_database }}"
|
|
Environment="KC_DB_URL_HOST=localhost"
|
|
#Environment="KC_HTTP_RELATIVE_PATH=auth"
|
|
Environment="KC_HTTP_ENABLED=true"
|
|
Environment="KC_PROXY_HEADERS=forwarded"
|
|
Environment="KEYCLOAK_ADMIN={{ keycloak_initial_admin_name }}"
|
|
Environment="KEYCLOAK_ADMIN_PASSWORD={{ keycloak_initial_admin_password }}"
|
|
Environment="KC_PROXY_TRUSTED_ADDRESSES=127.0.0.0/8"
|
|
|
|
# Hardening options
|
|
CapabilityBoundingSet=
|
|
AmbientCapabilities=
|
|
NoNewPrivileges=true
|
|
ProtectHome=true
|
|
ProtectSystem=strict
|
|
ProtectKernelTunables=true
|
|
ProtectKernelModules=true
|
|
ProtectControlGroups=true
|
|
PrivateTmp=true
|
|
PrivateDevices=true
|
|
LockPersonality=true
|
|
|
|
[Install]
|
|
WantedBy=multi-user.target
|