From f7a993c8a4bacbe62a7129adbada9c600df37e0d Mon Sep 17 00:00:00 2001
From: Egor Matveev
Date: Fri, 28 Mar 2025 21:26:52 +0300
Subject: [PATCH 1/2] keycloak
---
 .deploy-infra/deploy-prod.yaml | 18 ++++++++++++++++++
 nginx/nginx-prod/nginx-prod.conf | 19 +++++++++++++++++++
 2 files changed, 37 insertions(+)
diff --git a/.deploy-infra/deploy-prod.yaml b/.deploy-infra/deploy-prod.yaml
index b34eaec..90f56ad 100644
--- a/.deploy-infra/deploy-prod.yaml
+++ b/.deploy-infra/deploy-prod.yaml
@@ -189,6 +189,24 @@ services:
 parallelism: 1
 order: start-first
 
+ keycloak:
+ image: quay.io/keycloak/keycloak
+ ports:
+ - "3000:8443"
+ environment:
+ KC_DB: postgres
+ KC_DB_URL: jdbc:postgresql://0.0.0.0:5432/keycloak
+ KC_DB_USERNAME: postgres
+ KC_DB_PASSWORD: $DB_PASSWORD_PROD
+ KC_HOSTNAME: keycloak.sprinthub.ru
+ deploy:
+ mode: replicated
+ restart_policy:
+ condition: any
+ update_config:
+ parallelism: 1
+ order: start-first
+
 volumes:
 minio_data:
 driver: local
diff --git a/nginx/nginx-prod/nginx-prod.conf b/nginx/nginx-prod/nginx-prod.conf
index 27e5175..91852d0 100644
--- a/nginx/nginx-prod/nginx-prod.conf
+++ b/nginx/nginx-prod/nginx-prod.conf
@@ -164,6 +164,25 @@ http {
 }
 }
 
+ server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name keycloak.sprinthub.ru;
+
+ ssl_certificate /etc/nginx/fullchain.pem;
+ ssl_certificate_key /etc/nginx/privkey.pem;
+
+ add_header X-Frame-Options "SAMEORIGIN" always;
+ add_header X-XSS-Protection "1; mode=block" always;
+ add_header X-Content-Type-Options "nosniff" always;
+ add_header Referrer-Policy "no-refferer-when-downgrade" always;
+ add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always;
+
+ location / {
+ proxy_pass http://dev.sprinthub.ru:8443/;
+ }
+ }
+
 server {
 listen 443 ssl http2;
 listen [::]:443 ssl http2;
-- 
2.45.2
From 05c8990e52a8a5a62b4fbd07fd7c7396d7275739 Mon Sep 17 00:00:00 2001
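Review bot: `image: quay.io/keycloak/keycloak` has no tag or digest, so each redeploy of the production identity provider pulls whatever the registry currently serves as latest; pin it, e.g. `image: quay.io/keycloak/keycloak:<PINNED_VERSION>` (placeholder, ideally with a digest). The `- "3000:8443"` mapping publishes Keycloak on the host directly, so clients can reach it without going through the nginx vhost; if nginx is meant to be the only entry point, drop the published port and let nginx reach the service over the stack network. `KC_DB_URL` targets `0.0.0.0`, which is a bind address rather than a reachable database host from inside the container, and most likely should be the database service's name. `KC_DB_USERNAME: postgres` hands Keycloak the superuser role where a dedicated role owning only the `keycloak` database would do, and the password passed through `environment:` stays readable in the service spec. The service also declares no `command:`, which the upstream image normally needs (`start …`) to run the server — confirm that is intended.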
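Review bot: `proxy_pass http://dev.sprinthub.ru:8443/;` points the production login vhost at a host named `dev` over plain `http`, while 8443 is the port the compose service maps as Keycloak's container listener and the port it publishes on the host is 3000; confirm host, port and scheme, because as written the hop would either fail against a TLS listener or carry credentials and tokens unencrypted. The `location /` block sets no `proxy_set_header Host $host;`, `X-Forwarded-For` or `X-Forwarded-Proto`, which Keycloak relies on behind a TLS-terminating proxy to build correct redirect and issuer URLs. The Referrer-Policy value is misspelled and browsers will ignore it; use `add_header Referrer-Policy "no-referrer-when-downgrade" always;`. The CSP `default-src * data: 'unsafe-eval' 'unsafe-inline'` restricts nothing meaningful on a login page, so consider removing it and relying on the stricter headers Keycloak sends by default.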
From: Egor Matveev
Date: Fri, 28 Mar 2025 21:27:56 +0300
Subject: [PATCH 2/2] keycloak
---
 .deploy-infra/deploy-prod.yaml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/.deploy-infra/deploy-prod.yaml b/.deploy-infra/deploy-prod.yaml
index 90f56ad..7b49710 100644
--- a/.deploy-infra/deploy-prod.yaml
+++ b/.deploy-infra/deploy-prod.yaml
@@ -201,6 +201,8 @@ services:
 KC_HOSTNAME: keycloak.sprinthub.ru
 deploy:
 mode: replicated
+ placement:
+ constraints: [node.labels.stage == production]
 restart_policy:
 condition: any
 update_config:
-- 
2.45.2