Setting up Keycloak

tested on debian11

network requirements

dnat e.g. legacy packet filter

# dnc-haproxy
rdr on xennet0 inet proto tcp from any to any port 80 -> 10.1.0.27 port 80
rdr on xennet0 inet proto tcp from any to any port 443 -> 10.1.0.27 port 443

and eventually a reverse-proxy e.g. haproxy

system requirements

#apt install default-jdk
apt install openjdk-17-jre

assuming a public network, make sure the DNS record is in place

ping -c1 keycloak.demo.nethence.com

and dnat in place

nmap -p 80,443 keycloak.demo.nethence.com

install

grab latest version

ver=24.0.3
cd /opt/
wget https://github.com/keycloak/keycloak/releases/download/$ver/keycloak-$ver.tar.gz
tar xzf keycloak-$ver.tar.gz
ln -s keycloak-$ver /opt/keycloak
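
The download step above with an integrity check before extraction, as an added example that is not part of the original page. `verify_sha1` and `fetch_keycloak` are hypothetical helper names, and it assumes the release publishes a `keycloak-$ver.tar.gz.sha1` file next to the tarball.

```sh
#!/bin/sh
# Added example, not from the original page.
# Assumption: keycloak-$ver.tar.gz.sha1 is published next to the tarball.

# verify_sha1 FILE SUMFILE
# returns 0 on match, 1 on mismatch, 2 on missing or malformed input
verify_sha1() {
    file=$1
    sumfile=$2
    if [ ! -r "$file" ] || [ ! -r "$sumfile" ]; then
        echo "cannot read $file or $sumfile" >&2
        return 2
    fi
    # sum file may be a bare hash or "hash  filename": keep field 1, lowercased
    want=$(awk 'NR==1 {print tolower($1)}' "$sumfile")
    # anything but 40 hex digits is rejected (e.g. an HTML error page saved by wget)
    case $want in
        ''|*[!0-9a-f]*) echo "malformed $sumfile" >&2; return 2 ;;
    esac
    if [ "${#want}" -ne 40 ]; then
        echo "malformed $sumfile" >&2
        return 2
    fi
    have=$(sha1sum "$file" | awk '{print $1}')
    if [ "$have" != "$want" ]; then
        echo "checksum mismatch for $file: want $want, have $have" >&2
        return 1
    fi
    return 0
}

# fetch_keycloak VER: download, verify, and only then extract under /opt
fetch_keycloak() {
    ver=$1
    base=https://github.com/keycloak/keycloak/releases/download/$ver
    cd /opt/ || return 2
    wget "$base/keycloak-$ver.tar.gz" "$base/keycloak-$ver.tar.gz.sha1" || return 2
    verify_sha1 "keycloak-$ver.tar.gz" "keycloak-$ver.tar.gz.sha1" || return 1
    tar xzf "keycloak-$ver.tar.gz" && ln -sfn "keycloak-$ver" /opt/keycloak
}

# usage: fetch_keycloak 24.0.3
```

A checksum fetched from the same host catches truncated or corrupted downloads, not a tampered release.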

setup

cd /opt/keycloak/bin/
./kc.sh build
./kc.sh show-config
./kc.sh start --help

run it once (start command shown below) with these variables defined; they set the initial admin account

export KEYCLOAK_ADMIN=kc-admin
export KEYCLOAK_ADMIN_PASSWORD=...

enable at boot-time

systemctl list-unit-files | grep rc-local
vi /etc/rc.local

#!/bin/bash

echo rc.local PATH is $PATH

echo starting keycloak
/root/START-KC

vi /root/START-KC

#!/bin/bash

# console output goes to rc-local service
nohup /opt/keycloak/bin/kc.sh start --optimized \
        --http-enabled true \
        --proxy-headers xforwarded \
        --hostname keycloak.demo.nethence.com \
        --log console,file \
        --log-file /var/log/keycloak.log \
        --log-level warn &

        #--log-file-output json \

chmod +x /etc/rc.local /root/START-KC

more options

--https-port 443 \
--https-certificate-file /root/keycloak.demo.nethence.com/fullchain.pem \
--https-certificate-key-file /root/keycloak.demo.nethence.com/privkey.pem

usage

cd /opt/keycloak/bin/
./kcadm.sh

resources

https://www.keycloak.org/getting-started/getting-started-zip

guides

https://keycloak.ch/keycloak-tutorials/tutorial-1-installing-and-running-keycloak/

setup

https://keycloak.org/server/logging

https://www.keycloak.org/server/reverseproxy

https://www.keycloak.org/server/configuration

ops

https://www.keycloak.org/docs/latest/server_admin/

moar

systemd

https://gist.github.com/chainhead/923e01e47a518db0f6bf0ce3aa2801ea

FW https://medium.com/@hasnat.saeed/setup-keycloak-server-on-ubuntu-18-04-ed8c7c79a2d9

https://keycloak.discourse.group/t/startup-keycloak-as-a-permanent-runing-service/8206

https://stackoverflow.com/questions/73036422/configure-keycloak-service-to-run-keycloak-18-0-2-as-a-daemon-process-in-rhel

docker

https://www.keycloak.org/getting-started/getting-started-docker


Copyright © 2024 Pierre-Philipp Braun