DEV-601 added playbook for bdev demo setup

3 years ago · b9e48a3260
parent 959dcc6832
commit b9e48a3260
24 changed files with 460 additions and 47 deletions
--- a/group_vars/all/versions.yml
+++ b/group_vars/all/versions.yml
@ -13,7 +13,7 @@ prom_grafana_version: "9.1.5"

 harbor_version: "v2.4.1"

-keycloak_version: "14.0.0.1"
+keycloak_version: "14.0.0.2"

 pgadmin4_version: "6.14"

--- a/group_vars/stage_ext/plain.yml
+++ b/group_vars/stage_ext/plain.yml
@ -1,6 +1,8 @@
 ---

 stage: "ext"
+tenant: 'bdev'
+hetzner_networks: []

 docker_enabled: true
 docker_config_enabled: false
@ -8,9 +10,6 @@ traefik_enabled: true
 filebeat_enabled: false
 node_exporter_enabled: false

-# TODO read configuration with hetzner rest api
-shared_service_network: "10.2.0.0/16"
-
 shared_service_hosts: []

 # Note: all dollar signs in the hash need to be doubled for escaping.
@ -18,3 +17,5 @@ shared_service_hosts: []
 # echo $(htpasswd -nb user password) | sed -e s/\\$/\\$\\$/g
 traefik_admin_username: "{{ traefik_admin_username_vault }}"
 traefik_admin_password_htpasswd: "{{ traefik_admin_password_htpasswd_vault }}"
+
+shared_service_harbor_hostname: "prodnso-harbor-01.smardigo.digital"
--- a/group_vars/stage_ext/vault.yml
+++ b/group_vars/stage_ext/vault.yml
@ -1,25 +1,38 @@
 $ANSIBLE_VAULT;1.1;AES256
-32326337373064373735346334386264393032616133313664643030323966616365646138346230
-6265326531666132626636363932643331626565373636310a383435366438326462613137633466
-38626531326637306233346666343836366665343539386362613730613639396136666465313332
-3932396633323266640a323763643234346533656531343463316532383061323761306435386130
-37613136663236636133376664393039366135646562383961346361323764356135636265396464
-66616365636139343363653366613963666339303638313662653065373839373339303238366364
-61343065633233636433323138393831623533373739336461306133386637616637656334646463
-63386261383635353838323966346334636131653161613831306462346631373533333866366165
-61646534306535386464623030316132653531623638333433313330393734393634363233323838
-64333130633836396132373732663437623061666336656337303639326264613666336137666233
-38326437646636353763353435303530313835626130383063336431353732323065626431663732
-34656635643865613762333061646333313164613134313939383662323462643433336538613839
-31643536653364393461323831363564343065623839353831623165386632326539613437666365
-63343438363866346433393362353836643862343864336266633462343534393966303039373237
-63646262353038373465303339323961373532303432633932343738663665333532643234333661
-30396662313462633031313164623534393765383035376266363437613539306432386463616631
-66303563336233656533633036666266353362306634363463376238396537386561383561653437
-36306236613265343739613630343531623362323732653631653861623234306439636636363733
-33376338616463663565376538346563313332626465623134643565646632376234343438396463
-64323439616632613061333038373161366537356637373230616230306335653430613031306330
-31633337386464366431333138613334626530323733303136613562663037636536333133303564
-61656165306638666138616162383036346230353366336232313139376133356263343539323533
-35346335636130313266343133326564346266303632636361653435616236626461306431316230
-30653531633530653064
+33333066376262633237653637383134356335306635366566643965653262646262323932323466
+6561333261383931663562626166333362353932623534350a373062623534626365343035383837
+36663935633235646665373231353664666130323565633136383463333164326634366338353032
+6335343236613638660a376231336538303665343563343234323737623139666665316131333563
+66393733336333396364353833363431346633636231393936376163623961336361313231323962
+64646636363366663633633837636131663965373336323230303866373138306533393162323031
+36313765343365376661663539313739363334623561336135333565336461363132653766626239
+63666536663935643838373530653633663635313631343036373438643134313733323339386638
+63343633616438646266396434633232343831663936313966666434366462333533656362306665
+62333533633139646135336563623332643635663932623762656366383464376130643732323233
+63376433366564336533346234376662353436333736663061356662346561303838383064646538
+62326564373737633139646162663131363066376365396665396361623339666632313061353862
+30653865613263616362363532666136363738386662396537643834313862393332643966326661
+66346234323534363762663335356633363262323039613136326535363133343262613863663731
+66643565366464366433666462316332643638366536663536386434616232656265343364346537
+37636161343763343335343635656565333431376264346161313934303564656335393630353264
+36616363396231633236393663633032333537633531316539633634323834663161313137313661
+39616634303238653765643233646634323930613937663262653732326532303439343462383939
+36356163346565666331613636633836623534336465643137306238336362303637633163393666
+33353230373230393163373839633661353932336464343162643638333733393066616632386639
+38356336653135326437666536346166613064353839356166383763646236363236633566393730
+39623861373434663661623731396138333162316362323239633838336532633933363537663439
+62326265376463393862613666613132666130316537626136303137356339613063313631333130
+39343832613138333539646436363934333061386361313665643230393531383663353465376466
+66623439653036643339343666373232376231626638646339316230643439343630653634343430
+31616235393365376636326561393930326333633733303265633362633338636266343162666435
+36393337646332343264646334313162326563306234663533396465626539616663333366346232
+65626136646534306535663830613733306235643031633538303132303234373431643461373734
+35346438303930353838383737356563613034373764376465643235653562386165643261366466
+66373730333162363230666661323233336633343637653964333237306564396433303131646538
+31613865386234396165303231653862663936396436393134353339613265613734356439353937
+32616463363236613138633831326337643338613164383030646437333832316262616134616262
+31363533326632336235643432393562393562626466303162336162373835313232363933383763
+66633065336664636535393735343034613237363335393563353630363866356238383936653232
+66373939653039636436353932623439646239356661646634613865363833356365636334313437
+66326634333030613030343833346237353061313238383566343561633166613763396639616535
+38316133366539383461643035623337353866393364656135633438383534626363
--- a/host_vars/ext-bdev-demo01-01.yml
+++ b/host_vars/ext-bdev-demo01-01.yml
@ -1,5 +1,5 @@
 ---

-hetzner_server_labels: "stage={{ stage }} service=connect tenant=bdev"
+hetzner_server_labels: "stage={{ stage }} service=connect tenant={{ tenant }}"

-hetzner_server_type: cpx21
+hetzner_server_type: 'cpx21'
--- a/host_vars/ext-bdev-mpmexec-01.yml
+++ b/host_vars/ext-bdev-mpmexec-01.yml
@ -1,5 +1,5 @@
 ---

-hetzner_server_labels: "stage={{ stage }} service=connect tenant=bdev"
+hetzner_server_labels: "stage={{ stage }} service=connect tenant={{ tenant }}"

-hetzner_server_type: cpx21
+hetzner_server_type: 'cpx21'
--- a/host_vars/ext-bdev-mpmexec-02.yml
+++ b/host_vars/ext-bdev-mpmexec-02.yml
@ -0,0 +1,10 @@
+---
+
+hetzner_server_labels: "stage={{ stage }} service=connect_simple tenant={{ tenant }}"
+
+hetzner_server_type: 'cpx31'
+
+connect_external_domain: "ext-bdev-mpmexec-connect"
+keycloak_external_domain: "ext-bdev-mpmexec-keycloak"
+
+traefik_dns_01_challenge: false
--- a/roles/ansible-role-docker/tasks/main.yml
+++ b/roles/ansible-role-docker/tasks/main.yml
@ -2,7 +2,7 @@

 - name: "Install docker via include_role"
  include_role:
-    name: geerlingguy.docker 
+    name: geerlingguy.docker

 - name: "Create crontab entry to remove unused docker objects"
  ansible.builtin.cron:
--- a/roles/connect/tasks/main.yml
+++ b/roles/connect/tasks/main.yml
@ -3,8 +3,6 @@
 ### tags:
 ###   update_certs
 ###   update_deployment
-###   update_connections
-###   update_configuration

 - name: "Setup DNS configuration for <{{ connect_id }}> to <{{ stage_server_ip }}>"
  include_role:
--- a/roles/connect_compact/defaults/main.yml
+++ b/roles/connect_compact/defaults/main.yml
@ -0,0 +1,19 @@
+---
+
+connect_id: "{{ inventory_hostname }}-connect"
+connect_admin_username: "connect-admin"
+connect_admin_password: "{{ connect_admin_password_vault }}"
+connect_postgres_username: "connect-postgres-username"
+connect_postgres_password: "{{ connect_postgres_password_vault }}"
+connect_image_name: "{{ shared_service_harbor_hostname }}/smardigo/connect-whitelabel-app"
+
+keycloak_id: "{{ inventory_hostname }}-keycloak"
+keycloak_admin_username: "keycloak-admin"
+keycloak_admin_password: "{{ keycloak_admin_password_vault }}"
+keycloak_postgres_username: "keycloak_postgres"
+keycloak_postgres_password: "{{ keycloak_postgres_password_vault }}"
+keycloak_image_name: "{{ shared_service_harbor_hostname }}/smardigo/keycloak"
+
+elasticsearch_id: "{{ inventory_hostname }}-elastic"
+elasticsearch_username: "elastic"
+elasticsearch_password: "{{ elasticsearch_password_vault }}"
--- a/roles/connect_compact/tasks/main.yml
+++ b/roles/connect_compact/tasks/main.yml
@ -0,0 +1,46 @@
+---
+
+- name: "Setup DNS configuration for <{{ connect_id }}> to <{{ stage_server_ip }}>"
+  include_role:
+    name: sma_digitalocean
+    tasks_from: domain
+  vars:
+    record_data: "{{ stage_server_ip }}"
+    record_name: "{{ connect_id }}"
+
+- name: "Setup DNS configuration for <{{ connect_external_domain }}> to <{{ stage_server_ip }}>"
+  include_role:
+    name: sma_digitalocean
+    tasks_from: domain
+  vars:
+    record_data: "{{ stage_server_ip }}"
+    record_name: "{{ connect_external_domain }}"
+  when: connect_external_domain is defined
+
+- name: "Check if {{ connect_id }}/docker-compose.yml exists"
+  stat:
+    path: '{{ service_base_path }}/{{ connect_id }}/docker-compose.yml'
+  register: check_docker_compose_file_connect
+
+- name: "Stop {{ connect_id }}"
+  community.docker.docker_compose:
+    project_src: '{{ service_base_path }}/{{ connect_id }}'
+    state: absent
+  when: check_docker_compose_file_connect.stat.exists
+
+- name: "Deploy docker templates for {{ connect_id }}"
+  include_role:
+    name: sma_deploy
+    tasks_from: templates
+  vars:
+    current_config: "connect-compact"
+    current_base_path: "{{ service_base_path }}"
+    current_destination: "{{ connect_id }}"
+    current_owner: "{{ docker_owner }}"
+    current_group: "{{ docker_group }}"
+
+- name: "Restart {{ connect_id }}"
+  community.docker.docker_compose:
+    project_src: '{{ service_base_path }}/{{ connect_id }}'
+    restarted: yes
+    build: no
--- a/roles/hcloud/defaults/main.yml
+++ b/roles/hcloud/defaults/main.yml
@ -3,3 +3,7 @@
 server_state: "present"
 max_retries: 15
 retry_delay: 60
+
+hetzner_networks:
+  - name: "{{ stage }}"
+    label_selector: "stage={{ stage }}"
--- a/roles/hcloud/tasks/main.yml
+++ b/roles/hcloud/tasks/main.yml
@ -63,18 +63,13 @@
 #  tags:
 #    - update_networks

- name: "Checking present state for networks"
+- name: "Checking present state for networks: {{ hetzner_networks }}"
  include_tasks: configure-network.yml
  vars:
    current_network_name: '{{ current_network.name }}'
    current_network_labels: 'stage={{ stage }}'
    current_server_label_selector: '{{ current_network.label_selector }}'
-  with_items: [
-    {
-      "name": "{{ stage }}",
-      "label_selector": "stage={{ stage }}",
-    }
-  ]
+  loop: "{{ hetzner_networks }}"
  loop_control:
    loop_var: current_network
  tags:
--- a/roles/keycloak/tasks/_authenticate.yml
+++ b/roles/keycloak/tasks/_authenticate.yml
@ -6,7 +6,6 @@
    body_format: form-urlencoded
    body: 'username={{ keycloak_admin_username }}&password={{ keycloak_admin_password }}&client_id=admin-cli&grant_type=password'
  register: keycloak_authentication
-  delegate_to: 127.0.0.1
  become: false
  retries: 5
  delay: 5
@ -18,7 +17,6 @@
 - name: "Printing access_token for keycloak server"
  debug:
    msg: "{{ access_token }}"
-  delegate_to: 127.0.0.1
  become: false
  when:
   - debug
--- a/roles/keycloak/tasks/_configure_realm.yml
+++ b/roles/keycloak/tasks/_configure_realm.yml
@ -4,7 +4,7 @@
    enabled: true
    id: "{{ current_realm_name }}"
    realm: "{{ current_realm_name }}"
-    display_name: "{{ current_realm_display_name }}"
+    display_name: "{{ current_realm_display_name | default(current_realm_name) }}"
    auth_realm: "master"
    auth_client_id: "admin-cli"
    auth_username: "{{ keycloak_admin_username }}"
--- a/roles/keycloak/tasks/main.yml
+++ b/roles/keycloak/tasks/main.yml
@ -63,7 +63,7 @@
    keycloak_server_url: "http://localhost:{{ service_port_keycloak_external }}"
  when: "'keycloak' in group_names"

- name: "Wait for <localhost:{{ keycloak_server_url }}>"
+- name: "Wait for <localhost:{{ service_port_keycloak_external }}>"
  wait_for:
    host: "localhost"
    port: '{{ service_port_keycloak_external }}'
--- a/roles/keycloak_compact/defaults/main.yml
+++ b/roles/keycloak_compact/defaults/main.yml
@ -0,0 +1,31 @@
+---
+
+keycloak_id: "{{ inventory_hostname }}-keycloak"
+keycloak_admin_username: "keycloak-admin"
+keycloak_admin_password: "{{ keycloak_admin_password_vault }}"
+keycloak_postgres_username: "keycloak_postgres"
+keycloak_postgres_password: "{{ keycloak_postgres_password_vault }}"
+keycloak_image_name: "{{ shared_service_harbor_hostname }}/smardigo/keycloak"
+
+shared_service_mail_hostname: "not_available"
+
+connect_client_id: connect
+current_realm_name: connect
+
+current_realm_clients: [
+  {
+    name: '{{ connect_client_id }}',
+    clientId: "{{ connect_client_id }}",
+    admin_url: '',
+    root_url: '',
+    redirect_uris: [
+      "{{ http_s }}://{{ connect_base_url }}/*",
+      "{{ http_s }}://{{ connect_external_domain }}.{{ domain }}/*"
+    ],
+    secret: '{{ connect_client_id }}',
+    web_origins: [
+        "{{ http_s }}://{{ connect_base_url }}",
+        "{{ http_s }}://{{ connect_external_domain }}.{{ domain }}"
+    ]
+  }
+]
--- a/roles/keycloak_compact/tasks/main.yml
+++ b/roles/keycloak_compact/tasks/main.yml
@ -0,0 +1,87 @@
+---
+
+### tags:
+###   configure_realm
+
+- name: "Setup DNS configuration for <{{ keycloak_id }}> to <{{ stage_server_ip }}>"
+  include_role:
+    name: sma_digitalocean
+    tasks_from: domain
+  vars:
+    record_data: "{{ stage_server_ip }}"
+    record_name: "{{ keycloak_id }}"
+
+- name: "Setup DNS configuration for <{{ keycloak_external_domain }}> to <{{ stage_server_ip }}>"
+  include_role:
+    name: sma_digitalocean
+    tasks_from: domain
+  vars:
+    record_data: "{{ stage_server_ip }}"
+    record_name: "{{ keycloak_external_domain }}"
+  when: keycloak_external_domain is defined
+
+- name: "Check if {{ keycloak_id }}/docker-compose.yml exists"
+  stat:
+    path: '{{ service_base_path }}/{{ keycloak_id }}/docker-compose.yml'
+  register: check_docker_compose_file
+
+- name: "Stop {{ keycloak_id }}"
+  community.docker.docker_compose:
+    project_src: '{{ service_base_path }}/{{ keycloak_id }}'
+    state: absent
+  when: check_docker_compose_file.stat.exists
+
+- name: "Deploy docker templates for {{ keycloak_id }}"
+  include_role:
+    name: sma_deploy
+    tasks_from: templates
+  vars:
+    current_config: "keycloak-compact"
+    current_base_path: "{{ service_base_path }}"
+    current_destination: "{{ keycloak_id }}"
+    current_owner: "{{ docker_owner }}"
+    current_group: "{{ docker_group }}"
+
+# TODO DEV-XXX check why docker-compose up works and the comnuity role not... -> postgres/keycloak
+- name: "Start {{ keycloak_id }}" # noqa command-instead-of-shell no-changed-when
+  shell: docker-compose up -d
+  args:
+    chdir: '{{ service_base_path }}/{{ keycloak_id }}'
+
+#- name: "Restart {{ keycloak_id }}"
+#  community.docker.docker_compose:
+#    project_src: '{{ service_base_path }}/{{ keycloak_id }}'
+#    restarted: yes
+#    build: no
+
+- name: "Setting local keycloak url"
+  set_fact:  
+    keycloak_server_url: "http://localhost:{{ service_port_keycloak_external }}"
+  tags:
+    - configure_realm
+
+- name: "Wait for <localhost:{{ service_port_keycloak_external }}>"
+  wait_for:
+    host: "localhost"
+    port: '{{ service_port_keycloak_external }}'
+    delay: 60
+
+- name: "Setup realm for {{ inventory_hostname }}"
+  include_role:
+    name: keycloak
+    tasks_from: _authenticate
+    apply:
+        tags:
+          - configure_realm
+  tags:
+    - configure_realm
+
+- name: "Setup realm for {{ inventory_hostname }}"
+  include_role:
+    name: keycloak
+    tasks_from: _configure_realm
+    apply:
+        tags:
+          - configure_realm
+  tags:
+    - configure_realm
--- a/roles/traefik/defaults/main.yml
+++ b/roles/traefik/defaults/main.yml
@ -1,3 +1,4 @@
 ---

 traefik_image_name: "traefik"
+traefik_dns_01_challenge: true
--- a/roles/traefik/vars/main.yml
+++ b/roles/traefik/vars/main.yml
@ -15,7 +15,7 @@ traefik_docker: {
      image_name: "{{ traefik_image_name }}",
      image_version: "{{ traefik_version }}",
      environment: [
-        'DO_AUTH_TOKEN: "{{ digitalocean_authentication_token }}"',
+        'DO_AUTH_TOKEN: "{% if traefik_dns_01_challenge %}{{ digitalocean_authentication_token }}{% else %}{% endif %}"',
      ],
      volumes: [
        '"./acme.json:/acme.json"',
--- a/smardigo.yml
+++ b/smardigo.yml
@ -75,6 +75,12 @@
    - role: backup
      when: "'backup' in group_names"

+    - role: keycloak_compact
+      when: "'keycloak_compact' in group_names"
+
+    - role: connect_compact
+      when: "'connect_compact' in group_names"
+
 # just for certificate updates - do not run without -t update_certs
 #    - role: connect
 #      when: "'connect' in group_names"
--- a/9
+++ b/9
@ -1,9 +1,18 @@
 [bdev]
 ext-bdev-demo01-01
 ext-bdev-mpmexec-01
+ext-bdev-mpmexec-02
+
+[connect_compact]
+ext-bdev-mpmexec-02
+
+[keycloak_compact]
+ext-bdev-mpmexec-02

 [stage_ext:children]
 bdev
+connect_compact
+keycloak_compact

 [all:children]
 stage_ext
--- a/templates/connect-compact/config/elasticsearch/elasticsearch.yml.j2
+++ b/templates/connect-compact/config/elasticsearch/elasticsearch.yml.j2
@ -0,0 +1,10 @@
+---
+
+cluster.name: "{{ elasticsearch_id }}"
+network.host: 0.0.0.0
+
+discovery.type: single-node
+
+xpack.security.enabled: true
+xpack.license.self_generated.type: basic
+xpack.monitoring.collection.enabled: true
--- a/templates/connect-compact/docker-compose.yml.j2
+++ b/templates/connect-compact/docker-compose.yml.j2
@ -0,0 +1,125 @@
+version: '3.7'
+
+networks:
+  back-tier:
+    external: True
+  front-tier:
+    external: True
+
+volumes:
+  {{ connect_id }}-postgres-data: {}
+  {{ elasticsearch_id }}-data: {}
+
+services:
+  {{ connect_id }}:
+    image: "{{ connect_image_name }}:{{ connect_version }}"
+    container_name: "{{ connect_id }}"
+    restart: always
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.{{ connect_id }}.service={{ connect_id }}"
+      - "traefik.http.routers.{{ connect_id }}.rule=Host(`{{ connect_id }}.smardigo.digital`)"
+      - "traefik.http.routers.{{ connect_id }}.entrypoints=websecure"
+      - "traefik.http.routers.{{ connect_id }}.tls=true"
+      - "traefik.http.routers.{{ connect_id }}.tls.certresolver=letsencrypt-http"
+      - "traefik.http.services.{{ connect_id }}.loadbalancer.server.port=8080"
+{% if
+  connect_external_domain is defined
+%}
+      - "traefik.http.routers.{{ connect_id }}-extern.service={{ connect_id }}-extern"
+      - "traefik.http.routers.{{ connect_id }}-extern.rule=Host(`{{ connect_external_domain }}.smardigo.digital`)"
+      - "traefik.http.routers.{{ connect_id }}-extern.entrypoints=websecure"
+      - "traefik.http.routers.{{ connect_id }}-extern.tls=true"
+      - "traefik.http.routers.{{ connect_id }}-extern.tls.certresolver=letsencrypt-http"
+      - "traefik.http.services.{{ connect_id }}-extern.loadbalancer.server.port=8080"
+{% endif %}
+    environment:
+      TENANT_ID: "connect"
+      ADMIN_LOGIN: "{{ connect_admin_username }}"
+      ADMIN_PASSWORD: "{{ connect_admin_password }}"
+
+      DATASOURCE_URL: "jdbc:postgresql://{{ connect_id }}-postgres:5432/connect-postgres"
+      DATASOURCE_USERNAME: "{{ connect_postgres_username }}"
+      DATASOURCE_PASSWORD: "{{ connect_postgres_password }}"
+
+      MAIL_PROTOCOL: "smtp"
+      MAIL_HOST: "smtp.web.de"
+      MAIL_PORT: "587"
+      MAIL_USER: "smardigo.email@web.de"
+      MAIL_PASSWORD: "MUqzILYtspSYGmw0k34F"
+      MAIL_PROPERTIES_SIMULATION: "false"
+      MAIL_PROPERTIES_BASE_URL: "https://{{ connect_id }}.smardigo.digital"
+      MAIL_PROPERTIES_BASE_URL_EXTERN: "https://{{ connect_id }}.smardigo.digital"
+      MAIL_PROPERTIES_SENDER: "smardigo.email@web.de"
+      MAIL_PROPERTIES_SENDER_ALIAS: "noreply-connect"
+      MAIL_PROPERTIES_SMTP_AUTH: "true"
+      MAIL_PROPERTIES_SMTP_STARTTLS_ENABLE: "true"
+      MAIL_PROPERTIES_SMTP_STARTTLS_REQUIRED: "true"
+
+      AUTH_MODULE: "oidc"
+      OIDC_CLIENT_ID: "connect"
+      OIDC_CLIENT_SECRET: "connect"
+      OIDC_REGISTRATION_ID: "connect"
+      OIDC_ISSUER_URI: "https://{{ keycloak_external_domain }}.smardigo.digital/auth/realms/connect"
+      PASSWORD_CHANGE_URL: ""
+      USER_MANAGEMENT_URL: ""
+
+      IAM_MODULE: "embedded"
+      IAM_CLIENT_ENABLED: "false"
+
+      PROCESS_SEARCH_MODULE: "embedded"
+      ELASTIC_HOST: "{{ elasticsearch_id }}"
+      ELASTIC_PREFIX: "{{ connect_id }}"
+      ELASTIC_USERNAME: "{{ elasticsearch_username }}"
+      ELASTIC_PASSWORD:  "{{ elasticsearch_password }}"
+      ELASTIC_SEARCH_INDEX: "search"
+      ELASTIC_MESSAGE_INDEX: "message"
+      ELASTIC_ANALYSIS_INDEX: "analysis"
+
+      SPRINGDOC_SERVER_URL: "https://{{ connect_id }}.smardigo.digital"
+      SMA_CORS_ORIGINS: "https://{{ connect_id }}.smardigo.digital"
+      SMA_CORS_ALLOWED_METHODS: "*"
+      SMA_CORS_ALLOWED_HEADERS: "*"
+      SMA_CORS_PATH_PATTERN: "/**"
+
+      RESUBMISSION_ENABLED: "true"
+      ELEMENT_TEMPLATE_ENABLED: "true"
+      CONFIG_DELETE_SCOPE_ENABLED: "true"
+      EXTERNAL_TASK_SCRIPT_WORKER_ENABLED: "false"
+      CONFIG_DELETE_SCOPE_ENABLED: "true"
+      CONFIG_LOCAL_IMPORT_ENABLED: "true"
+      SMA_WORKFLOW_HEATMAP_ENABLED: "true"
+
+      LOG_LEVEL_CAMUNDA: "OFF"
+      LOG_LEVEL_JASYPT: "ERROR"
+      LOG_LEVEL_MESSAGE_QUEUE: "INFO"
+      LOG_LEVEL_DOCUMENT_INDEX: "INFO"
+      LOG_LEVEL_WORKFLOW_INDEX: "INFO"
+      LOG_LEVEL_WORKFLOW_ANALYSIS: "INFO"
+    networks:
+      - "back-tier"
+      - "front-tier"
+  {{ connect_id }}-postgres:
+    image: "postgres:12"
+    container_name: "{{ connect_id }}-postgres"
+    restart: always
+    environment:
+      POSTGRES_DB: "connect-postgres"
+      POSTGRES_USER: "{{ connect_postgres_username }}"
+      POSTGRES_PASSWORD: "{{ connect_postgres_password }}"
+    volumes:
+      - "{{ connect_id }}-postgres-data:/var/lib/postgresql/data"
+    networks:
+      - "back-tier"
+  {{ elasticsearch_id }}:
+    image: "docker.elastic.co/elasticsearch/elasticsearch:7.16.3"
+    container_name: "{{ elasticsearch_id }}"
+    restart: always
+    environment:
+      ES_JAVA_OPTS: "-Xmx2G -Xms2G"
+      ELASTIC_PASSWORD: "{{ elasticsearch_password }}"
+    volumes:
+      - "./config/elasticsearch/elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml:ro"
+      - "{{ elasticsearch_id }}-data:/usr/share/elasticsearch/data"
+    networks:
+      - "back-tier"
--- a/templates/keycloak-compact/docker-compose.yml.j2
+++ b/templates/keycloak-compact/docker-compose.yml.j2
@ -0,0 +1,60 @@
+version: '3.7'
+
+networks:
+  back-tier:
+    external: True
+  front-tier:
+    external: True
+
+volumes:
+  {{ keycloak_id }}-postgres-data: {}
+
+services:
+  {{ keycloak_id }}:
+    image: "{{ keycloak_image_name }}:{{ keycloak_version }}"
+    container_name: "{{ keycloak_id }}"
+    restart: always
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.{{ keycloak_id }}.service={{ keycloak_id }}"
+      - "traefik.http.routers.{{ keycloak_id }}.rule=Host(`{{ keycloak_id }}.smardigo.digital`)"
+      - "traefik.http.routers.{{ keycloak_id }}.entrypoints=websecure"
+      - "traefik.http.routers.{{ keycloak_id }}.tls=true"
+      - "traefik.http.routers.{{ keycloak_id }}.tls.certresolver=letsencrypt-http"
+      - "traefik.http.services.{{ keycloak_id }}.loadbalancer.server.port=8080"
+{% if
+  keycloak_external_domain is defined
+%}
+      - "traefik.http.routers.{{ keycloak_id }}-extern.service={{ keycloak_id }}-extern"
+      - "traefik.http.routers.{{ keycloak_id }}-extern.rule=Host(`{{ keycloak_external_domain }}.smardigo.digital`)"
+      - "traefik.http.routers.{{ keycloak_id }}-extern.entrypoints=websecure"
+      - "traefik.http.routers.{{ keycloak_id }}-extern.tls=true"
+      - "traefik.http.routers.{{ keycloak_id }}-extern.tls.certresolver=letsencrypt-http"
+      - "traefik.http.services.{{ keycloak_id }}-extern.loadbalancer.server.port=8080"
+{% endif %}
+    environment:
+      KEYCLOAK_USER: "{{ keycloak_admin_username }}"
+      KEYCLOAK_PASSWORD: "{{ keycloak_admin_password }}"
+      PROXY_ADDRESS_FORWARDING: "true"
+      DB_VENDOR: postgres
+      DB_DATABASE: "keycloak-postgres"
+      DB_USER: "{{ keycloak_postgres_username }}"
+      DB_PASSWORD: "{{ keycloak_postgres_password }}"
+      DB_ADDR: "{{ keycloak_id }}-postgres"
+    networks:
+      - "back-tier"
+      - "front-tier"
+    ports:
+      - "8110:8080"
+  {{ keycloak_id }}-postgres:
+    image: "postgres:12"
+    container_name: "{{ keycloak_id }}-postgres"
+    restart: always
+    environment:
+      POSTGRES_DB: "keycloak-postgres"
+      POSTGRES_USER: "{{ keycloak_postgres_username }}"
+      POSTGRES_PASSWORD: "{{ keycloak_postgres_password }}"
+    volumes:
+      - "{{ keycloak_id }}-postgres-data:/var/lib/postgresql/data"
+    networks:
+      - "back-tier"