docker-compose.yml

version: '3'

volumes:
  # (Auto-generated) secrets for...
  # ... the proxy container
  secrets-certs-proxy:
  # ... the certificate authority (private key(s) for CA)
  secrets-certs-ca-private:
  # ... the certificate authority cert(s)
  secrets-certs-ca-shared:
  # ... the ldap container
  secrets-ldap:
  # ... read-only (bind) credentials for ldap
  secrets-ldap-bind:
  # ... the keycloak container
  secrets-keycloak:
  # ... the crowd container
  secrets-crowd:
  # ... the bitbucket container
  secrets-bitbucket:
  # ... secrets shared between bitbucket and crowd containers
  secrets-crowd-bitbucket:
  # ... the jira container
  secrets-jira:
  # ... the artifactory container
  secrets-artifactory:
  # ... the cas-proxy container
  secrets-cas-proxy:

  # Keycloak server storage
  keycloak-data:
  # Keycloak storage for custom providers
  keycloak-providers:
  # Crowd server storage
  crowd-data:
  # Bitbucket server storage
  bitbucket-data:
  # Jira server storage
  jira-data:
  # Artifactory server storage
  artifactory-data:

services:

  # Container used to auto-generate secrets (any time the volumes are wiped)
  secrets:
    hostname: "secrets.${ENV_DOMAIN}"
    build: secrets
    environment:
      ENV_DOMAIN: "$ENV_DOMAIN"
    security_opt:
      # Disable SElinux for volume mounts (since we're using a host mount)
      - "label=disable"
    volumes:
      - "./ldap:/opt/ldap-init:ro"
      - "secrets-certs-ca-private:/secrets/certs/ca-private:rw"
      - "secrets-certs-ca-shared:/secrets/certs/ca-shared:rw"
      - "secrets-certs-proxy:/secrets/certs/proxy:rw"
      - "secrets-ldap:/secrets/ldap:rw"
      - "secrets-ldap-bind:/secrets/ldap-bind:rw"
      - "secrets-keycloak:/secrets/keycloak:rw"
      - "secrets-crowd:/secrets/crowd:rw"
      - "secrets-bitbucket:/secrets/bitbucket:rw"
      - "secrets-crowd-bitbucket:/secrets/crowd-bitbucket:rw"
      - "secrets-jira:/secrets/jira:rw"
      - "secrets-artifactory:/secrets/artifactory:rw"
      - "secrets-cas-proxy:/secrets/certs/cas-proxy:rw"
    networks:
      network:
        ipv4_address: "${ENV_IP_PREFIX}.6"

  proxy:
    hostname: "proxy.${ENV_DOMAIN}"
    image: haproxy:2.7.1
    environment:
      ENV_DOMAIN: "$ENV_DOMAIN"
    security_opt:
      # Disable SElinux for volume mounts (since we're using a host mount)
      - "label=disable"
    volumes:
      - ./proxy/haproxy.cfg:/usr/local/etc/haproxy/haproxy.cfg:ro
      - "secrets-certs-ca-shared:/secrets/certs/ca-shared:ro"
      - "secrets-certs-proxy:/secrets/certs/proxy:ro"
    expose:
      - "443"
    networks:
      network:
        ipv4_address: "${ENV_IP_PREFIX}.8"
        aliases:
          - ldap-ui.proxy.${ENV_DOMAIN}
          - keycloak.proxy.${ENV_DOMAIN}
          - crowd.proxy.${ENV_DOMAIN}
          - bitbucket.proxy.${ENV_DOMAIN}
    depends_on:
      secrets:
        condition: service_completed_successfully

  cas-proxy:
    hostname: "cas-proxy.${ENV_DOMAIN}"
    #image: "httpd:2.4.58"
    build: cas-proxy
    environment:
      ENV_DOMAIN: "$ENV_DOMAIN"
    entrypoint: [ "/bin/bash", "/auth-demo-entrypoint.sh" ]
    security_opt:
      # Disable SElinux for volume mounts (since we're using a host mount)
      - "label=disable"
    expose:
      - "443"
    networks:
      network:
        ipv4_address: "${ENV_IP_PREFIX}.13"
        aliases:
          - "artifactory.cas.${ENV_DOMAIN}"
    volumes:
      - "secrets-cas-proxy:/secrets/certs/secrets-cas-proxy:ro"
      - "secrets-certs-ca-shared:/secrets/certs/ca-shared:ro"
    depends_on:
      secrets:
        condition: service_completed_successfully

  ldap:
    hostname: "ldap.${ENV_DOMAIN}"
    image: osixia/openldap:1.5.0
    environment:
      LDAP_ORGANISATION: "Example Inc."
      LDAP_DOMAIN: "example.com"
      LDAP_BASE_DN: "dc=example,dc=com"
      LDAP_SEED_INTERNAL_LDIF_PATH: "/secrets/ldap/ldap-init.ldif"
    security_opt:
      # Disable SElinux for volume mounts (since we're using a host mount)
      - "label=disable"
    volumes:
      - "./ldap:/opt/ldap-init:ro"
      # Load my-secrets.yaml as an environment file
      - "secrets-ldap:/container/environment/01-custom:ro"
      - "secrets-ldap:/secrets/ldap:ro"
    healthcheck:
      test: ["CMD", "ldapwhoami", "-D", "cn=admin,dc=example,dc=com", "-y", "/secrets/ldap/admin_password", "-H", "ldap://ldap:389"]
      interval: 15s
      timeout: 5s
      retries: 4
      start_period: 10s
    networks:
      network:
        ipv4_address: "${ENV_IP_PREFIX}.2"
    depends_on:
      secrets:
        condition: service_completed_successfully

  ldap-ui:
    hostname: "ldap-ui.${ENV_DOMAIN}"
    # NOTE: There isn't a tagged version near as new as ":latest", so I'm leaving it as ":latest".
    #       That being said, this base image looks like abandonware (2 years old).
    image: osixia/phpldapadmin:latest
    environment:
      PHPLDAPADMIN_LDAP_HOSTS: "ldap.${ENV_DOMAIN}"
    networks:
      network:
        ipv4_address: "${ENV_IP_PREFIX}.5"
    depends_on:
      secrets:
        condition: service_completed_successfully

  # NOTE: This container is only necessary because we are installing the CAS provider for Keycloak
  keycloak-init:
    hostname: "keycloak-init.${ENV_DOMAIN}"
    build: keycloak-init
    environment:
      # NOTE: This version must be in sync with the keycloak container
      KEYCLOAK_VERSION: "23.0.6"
      KEYCLOAK_PROVIDERS_DIR: "/keycloak-providers"
    volumes:
      - "keycloak-providers:/keycloak-providers:rw"
    networks:
      network:
        ipv4_address: "${ENV_IP_PREFIX}.12"

  keycloak:
    hostname: "keycloak.${ENV_DOMAIN}"
    # NOTE: This version must be in sync with the keycloak-init container
    image: keycloak/keycloak:23.0.6
    environment:
      # NOTE: After upgrading from Keycloak v16 to v23, we have to explicitly
      #       navigate to /auth/ to access the KeyCloak pages.
      #       The default configuration variables also do not behave as expected.
      #       See discussions:
      #       * https://github.com/keycloak/keycloak/issues/14666
      #       * https://github.com/keycloak/keycloak/discussions/10274
      # NOTE: We upgraded Keycloak from v16 to v23 in order to support the CAS provider.
      KC_HTTP_RELATIVE_PATH: "/auth"
      KC_HOSTNAME_URL: "https://keycloak.proxy.${ENV_DOMAIN}/auth/"
      KC_HOSTNAME_STRICT:  "false"
      KC_HOSTNAME_ADMIN_URL: "https://keycloak.proxy.${ENV_DOMAIN}/auth/"
      KC_PROXY: "edge"
    entrypoint: [ "/bin/bash", "/auth-demo-entrypoint.sh" ]
    security_opt:
      # Disable SElinux for volume mounts (since we're using a host mount)
      - "label=disable"
    volumes:
      - "./keycloak/entrypoint.sh:/auth-demo-entrypoint.sh:ro"
      - "secrets-keycloak:/secrets/keycloak:ro"
      - "keycloak-data:/opt/keycloak/data:rw"
      - "keycloak-providers:/opt/keycloak/providers:rw"
    networks:
      network:
        ipv4_address: "${ENV_IP_PREFIX}.7"
    depends_on:
      secrets:
        condition: service_completed_successfully
      keycloak-init:
        condition: service_completed_successfully

  crowd:
    hostname: "crowd.${ENV_DOMAIN}"
    image: atlassian/crowd:5.1.1
    environment:
      CROWD_DB_URL: jdbc:postgresql://crowd-db:5432/crowd
      CROWD_DB_USER: postgres
      CROWD_DB_PASSWORD: password
    security_opt:
      # Disable SElinux for volume mounts (since we're using a host mount)
      - "label=disable"
    volumes:
      - crowd-data:/var/atlassian/application-data/crowd
      # This adds trust of the reverse proxy
      - ./crowd/server.xml:/opt/atlassian/crowd/apache-tomcat/conf/server.xml:ro
    networks:
      network:
        ipv4_address: "${ENV_IP_PREFIX}.4"
    depends_on:
      secrets:
        condition: service_completed_successfully

  bitbucket:
    hostname: "bitbucket.${ENV_DOMAIN}"
    image: atlassian/bitbucket:8.7.0
    environment:
      SERVER_PROXY_NAME: "bitbucket.proxy.${ENV_DOMAIN}"
      SERVER_PROXY_PORT: "443"
      SERVER_SCHEME: "https"
      SERVER_SECURE: "true"
      # "javax.net.ssl.trustStore":
      #   Enable trust of our our self-signed CA
      #   (not technically necessary at the time of this writing)
      JVM_SUPPORT_RECOMMENDED_ARGS: >-
        -Djavax.net.ssl.trustStore=/secrets/certs/ca-shared/cacerts.jks
        -Djavax.net.ssl.trustStorePassword=changeit
    security_opt:
      # Disable SElinux for volume mounts (since we're using a host mount)
      - "label=disable"
    volumes:
      - "bitbucket-data:/var/atlassian/application-data/bitbucket:rw"
      - "secrets-certs-ca-shared:/secrets/certs/ca-shared:ro"
    networks:
      network:
        ipv4_address: "${ENV_IP_PREFIX}.3"
    depends_on:
      secrets:
        condition: service_completed_successfully

  jira:
    hostname: "jira.${ENV_DOMAIN}"
    image: atlassian/jira-software:9.3.2
    environment:
      ATL_PROXY_NAME: "jira.proxy.${ENV_DOMAIN}"
      ATL_PROXY_PORT: "443"
      ATL_TOMCAT_SCHEME: "https"
      ATL_TOMCAT_SECURE: "true"
    security_opt:
      # Disable SElinux for volume mounts (since we're using a host mount)
      - "label=disable"
    volumes:
      - "jira-data:/var/atlassian/application-data/jira:rw"
    networks:
      network:
        ipv4_address: "${ENV_IP_PREFIX}.9"
    depends_on:
      secrets:
        condition: service_completed_successfully

  artifactory:
    hostname: "artifactory.${ENV_DOMAIN}"
    # The "Pro" version is required for SAML/OAuth support
    image: releases-docker.jfrog.io/jfrog/artifactory-pro:7.49.6
    security_opt:
      # Disable SElinux for volume mounts (since we're using a host mount)
      - "label=disable"
    volumes:
      - "artifactory-data:/var/opt/jfrog/artifactory:rw"
    networks:
      network:
        ipv4_address: "${ENV_IP_PREFIX}.10"
    depends_on:
      secrets:
        condition: service_completed_successfully

networks:
  network:
    driver: bridge
    ipam:
      config:
        # NOTE: We set static IPs because Crowd depends upon an IP whitelist.
        #       Otherwise we would have to re-set the whitelist on every restart.
        - subnet: "${ENV_IP_PREFIX}.0/16"
          gateway: "${ENV_IP_PREFIX}.1"