Merge pull request 'master' (#38) from master into prod

Reviewed-on: #38
2025-03-28 21:28:13 +03:00 · 2025-03-28 21:28:13 +03:00 · dd63cf69cd
commit dd63cf69cd
parent 829d978ac8 05c8990e52
2 changed files with 39 additions and 0 deletions
--- a/.deploy-infra/deploy-prod.yaml
+++ b/.deploy-infra/deploy-prod.yaml
@ -189,6 +189,26 @@ services:
        parallelism: 1
        order: start-first

+  keycloak:
+    image: quay.io/keycloak/keycloak
+    ports:
+      - "3000:8443"
+    environment:
+      KC_DB: postgres
+      KC_DB_URL: jdbc:postgresql://0.0.0.0:5432/keycloak
+      KC_DB_USERNAME: postgres
+      KC_DB_PASSWORD: $DB_PASSWORD_PROD
+      KC_HOSTNAME: keycloak.sprinthub.ru
+    deploy:
+      mode: replicated
+      placement:
+        constraints: [node.labels.stage == production]
+      restart_policy:
+        condition: any
+      update_config:
+        parallelism: 1
+        order: start-first
+
 volumes:
  minio_data:
    driver: local
--- a/nginx/nginx-prod/nginx-prod.conf
+++ b/nginx/nginx-prod/nginx-prod.conf
@ -164,6 +164,25 @@ http {
        }
    }

+    server {
+        listen      443 ssl http2;
+        listen      [::]:443 ssl http2;
+        server_name keycloak.sprinthub.ru;
+
+        ssl_certificate     /etc/nginx/fullchain.pem;
+        ssl_certificate_key /etc/nginx/privkey.pem;
+
+        add_header X-Frame-Options "SAMEORIGIN" always;
+        add_header X-XSS-Protection "1; mode=block" always;
+        add_header X-Content-Type-Options "nosniff" always;
+        add_header Referrer-Policy "no-refferer-when-downgrade" always;
+        add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always;
+
+        location / {
+            proxy_pass http://dev.sprinthub.ru:8443/;
+        }
+    }
+
    server {
        listen      443 ssl http2;
        listen      [::]:443 ssl http2;