- Move the inline keycloak-init bash block out of docker-compose.yml
into init/sync.sh, mounted into the init container at /opt/init.
The script is fully idempotent and is the new entry point for any
future role/group/user/realm configuration changes — re-run with
`docker compose up -d keycloak-init --force-recreate`.
- Add reusable helper functions (ensure_user, ensure_group,
ensure_user_in_group, ensure_user_realm_role, ensure_user_client_role)
on top of kcadm.sh, with safe parsing of user/group IDs.
- Bootstrap admin identity jovann@siteconseil.fr (password Shoko1997@)
in both realms:
* master realm: granted the global `admin` role.
* ecosplay realm: granted realm-management/realm-admin and added
to groups super_admin_asso and superadmin.
Both users have CONFIGURE_TOTP as a required action so OTP enrollment
is forced at first login.
- Mirror the ecosplay user in the realm import JSON for fresh installs.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

- Declare the 10 application groups (gp_asso, gp_contest, gp_mail,
gp_mailling, gp_member, gp_ndd, gp_sign, gp_ticket, super_admin_asso,
superadmin) in the realm import JSON for fresh installs.
- Extend keycloak-init to idempotently create them via kcadm on every
boot, so existing installs (where the realm is already imported and
--import-realm is a no-op) also get them in sync.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

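The idempotent group sync that the two commits above describe, written out as an added example (this is not the repository's init/sync.sh). It assumes kcadm.sh at /opt/keycloak/bin/kcadm.sh, an internal server URL in KC_URL and the KC_BOOTSTRAP_ADMIN_* variables; the one detail worth showing is that kcadm's `-q search=` is a substring match, so the ID lookup must filter by exact name or gp_mail and gp_mailling resolve to each other's id.

```shell
#!/usr/bin/env bash
# Added example, not the repository's init/sync.sh. Assumed: kcadm.sh path,
# internal Keycloak URL, and the KC_BOOTSTRAP_ADMIN_* variables from compose.
set -eu

KCADM="${KCADM:-/opt/keycloak/bin/kcadm.sh}"
KC_URL="${KC_URL:-http://keycloak:8080}"        # assumed internal URL
REALM="${REALM:-ecosplay}"
# The group list declared in the realm import; keep in sync with the JSON.
GROUPS_WANTED="gp_asso gp_contest gp_mail gp_mailling gp_member gp_ndd \
gp_sign gp_ticket super_admin_asso superadmin"

# Pick the id whose name matches exactly from "id,name" CSV lines.
# kcadm's -q search= is a substring search, so searching "gp_mail" also
# returns "gp_mailling"; exact matching keeps the two IDs from crossing.
group_id_from_csv() {
  local name="$1" csv="$2"
  printf '%s\n' "$csv" | awk -F, -v n="$name" '$2 == n { print $1; exit }'
}

# Query the realm for a group id; empty output means "does not exist".
group_id() {
  local name="$1"
  group_id_from_csv "$name" "$("$KCADM" get groups -r "$REALM" \
      -q "search=$name" --fields id,name --format csv --noquotes)"
}

# Create the group only when it is missing, so re-runs are no-ops.
ensure_group() {
  local name="$1" id
  id="$(group_id "$name")"
  if [ -z "$id" ]; then
    id="$("$KCADM" create groups -r "$REALM" -s "name=$name" -i)"
    echo "created group $name ($id)"
  else
    echo "group $name already present ($id)"
  fi
}

# Log in against master with the bootstrap admin, then converge the realm.
sync_groups() {
  "$KCADM" config credentials --server "$KC_URL" --realm master \
    --user "$KC_BOOTSTRAP_ADMIN_USERNAME" \
    --password "$KC_BOOTSTRAP_ADMIN_PASSWORD"
  local g
  for g in $GROUPS_WANTED; do ensure_group "$g"; done
}

if [ "${1:-}" = "apply" ]; then sync_groups; fi
```

Run it as `sync.sh apply` from the init container; without the argument it only defines the functions.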
Go-live:
- Switch keycloak from start-dev to start --import-realm (production
mode with auto-build at boot, no Dockerfile needed yet).
- Set KC_HOSTNAME=https://auth.e-cosplay.fr and
KC_PROXY_HEADERS=xforwarded so Keycloak emits correct issuer URLs and
trusts Caddy's X-Forwarded-* headers.
- Replace deprecated KEYCLOAK_ADMIN env vars with KC_BOOTSTRAP_ADMIN_*.
- Bind the public port to 127.0.0.1 only (Caddy is colocated).
- Add a Keycloak healthcheck against /health/ready on the management
port (9000) using bash /dev/tcp; init container now waits on
service_healthy instead of service_started.
Architecture:
- New realms/ecosplay-realm.json mounted into /opt/keycloak/data/import
and imported on first boot. Defines the dedicated 'ecosplay' realm
(separate from master) with French i18n, brute-force protection,
strong password policy, SES SMTP, and an OIDC client 'ecosplay-web'
pointing at e-cosplay.fr (confidential + PKCE S256).
Theme coverage:
- themes/ecosplay/account: PatternFly v5 overlay (parent=keycloak.v2)
bringing the neo-brutalist colors, thick borders, italic uppercase
typography, and offset hard shadows to the user account console.
- themes/ecosplay/email: branded HTML wrapper template (table layout
with inline styles for email-client safety) plus a matching plain
text wrapper. All Keycloak emails now ship with the E-Cosplay
identity without needing per-template overrides.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

- keycloak-init now enables i18n on master with French as the only
supported locale and the default, so all login pages render in fr.
- Replace dynamic realm.displayName tag (which showed 'Keycloak') with
hardcoded '// Connexion sécurisée' in the theme header.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

- Custom theme under themes/ecosplay/login (extends keycloak parent)
with template.ftl and login.ftl matching the e-cosplay.fr style:
thick black borders, hard offset shadows, italic uppercase, indigo
accent, hover translate effect, marquee header, watermark.
- Tailwind via Play CDN for utility classes (no build step).
- Mount the theme dir read-only into the Keycloak container.
- Init container now also sets loginTheme=ecosplay on master realm
alongside the SMTP config; service renamed keycloak-init.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

- Add keycloak-smtp-init service that uses kcadm.sh to apply SES SMTP
settings to the master realm at startup (idempotent, env-driven).
- Set KC_HOSTNAME to https://auth.e-cosplay.fr and trust X-Forwarded-*
headers for the upcoming Caddy reverse proxy in front.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>