version: '3'
services:
  postgresql:
    image: postgres:16
    security_opt:
      - apparmor:unconfined
    environment:
      - POSTGRES_USER=${POSTGRES_USER}
      - POSTGRES_DB=keycloak
      - POSTGRES_PASSWORD=${POSTGRES_PASSWORD}
    volumes:
      - /docker/appdata/keycloak/postgresql_data:/var/lib/postgresql/data
    networks:
      keycloak:

  keycloak:
    image: quay.io/keycloak/keycloak:22.0.3
    security_opt:
      - apparmor:unconfined
    restart: always
    command: start
    depends_on:
      - postgresql
    environment:
      - KC_PROXY_ADDRESS_FORWARDING=true
      - KC_HOSTNAME_STRICT=false
      - KC_HOSTNAME=keycloak.yourdomain.com # Change this to your domain
      - KC_PROXY=edge
      - KC_HTTP_ENABLED=true
      - KC_DB=postgres
      - KC_DB_USERNAME=${POSTGRES_USER}
      - KC_DB_PASSWORD=${POSTGRES_PASSWORD}
      - KC_DB_URL_HOST=postgres
      - KC_DB_URL_PORT=5432
      - KC_DB_URL_DATABASE=keycloak
      - KEYCLOAK_ADMIN=${KEYCLOAK_ADMIN}
      - KEYCLOAK_ADMIN_PASSWORD=${KEYCLOAK_ADMIN_PASSWORD}
    ports:
      - 8085:8080
    networks:
      frontend:
      keycloak:
    labels:
      - traefik.enable=true
      - traefik.http.routers.keycloak.entrypoints=web
      - traefik.http.routers.keycloak.rule=Host(`keycloak.yourdomain.com`) # Change this to your domain
      - traefik.http.middlewares.keycloak-https-redirect.redirectscheme.scheme=websecure
      - traefik.http.routers.keycloak.middlewares=keycloak-https-redirect
      - traefik.http.routers.keycloak-secure.entrypoints=websecure
      - traefik.http.routers.keycloak-secure.rule=Host(`keycloak.yourdomain.com`) # Change this to your domain
      - traefik.http.routers.keycloak-secure.tls=true
      - traefik.http.routers.keycloak-secure.service=keycloak
      - traefik.http.services.keycloak.loadbalancer.server.port=8080
      - traefik.docker.network=frontend

networks:
  frontend:
    external: true
  keycloak: