openproject/docker/dev/keycloak/docker-compose.yml

services:
  db-keycloak:
    image: postgres:17
    restart: unless-stopped
    networks:
      - external
    volumes:
      - "pgdata:/var/lib/postgresql/data"
    environment:
      - POSTGRES_DB=keycloak
      - POSTGRES_USER=keycloak
      - POSTGRES_PASSWORD=keycloak

  keycloak:
    image: quay.io/keycloak/keycloak:26.2
    command:
    - "start-dev"
    - "--proxy-headers"
    - "xforwarded"
    - "--spi-connections-http-client-default-disable-trust-manager=true"
    # Uncomment the lines below to make changes to the Keycloak theme, this will ensure that changes become immediately visible.
    # - "--spi-theme-static-max-age=-1"
    # - "--spi-theme-cache-themes=false"
    # - "--spi-theme-cache-templates=false"
    restart: unless-stopped
    networks:
      - external
    extra_hosts:
      - "openproject.local:host-gateway"
    environment:
      - KC_DB=postgres
      - KC_DB_USERNAME=keycloak
      - KC_DB_PASSWORD=keycloak
      - KC_DB_URL=jdbc:postgresql://db-keycloak:5432/keycloak
      - KEYCLOAK_ADMIN=admin
      - KEYCLOAK_ADMIN_PASSWORD=admin
      - KC_DB_SCHEMA=public
      - KC_HOSTNAME=keycloak.${OPENPROJECT_DOCKER_DEV_TLD}
      - KC_TRANSACTION_XA_ENABLED=false
    volumes:
      - /etc/ssl/certs/ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt:ro
      - keycloak-data:/opt/keycloak/data/
      - ./themes/:/opt/keycloak/themes/
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.keycloak-sub-secure.rule=Host(`keycloak.${OPENPROJECT_DOCKER_DEV_TLD}`)"
      - "traefik.http.routers.keycloak-sub-secure.entrypoints=websecure"
    depends_on:
      - db-keycloak

volumes:
  keycloak-data:
  pgdata:

networks:
  external:
    name: gateway
    external: true