oauthkeycloakdb:
    image: docker.io/library/postgres:16-alpine
    container_name: oauthkeycloakdb
    environment:
      POSTGRES_DB: keycloak
      POSTGRES_USER: keycloak
      POSTGRES_PASSWORD: password
    volumes:
      - ./docker/blocks/auth/jwt_proxy/cloak.sql:/docker-entrypoint-initdb.d/cloak.sql
    restart: unless-stopped

  oauthkeycloak:
    image: quay.io/keycloak/keycloak:23.0
    container_name: oauthkeycloak
    command: start-dev
    environment:
      KC_DB: postgres
      KC_DB_URL: jdbc:postgresql://oauthkeycloakdb/keycloak
      KC_DB_USERNAME: keycloak
      KC_DB_PASSWORD: password
      KEYCLOAK_ADMIN: admin
      KEYCLOAK_ADMIN_PASSWORD: admin
      PROXY_ADDRESS_FORWARDING: "true"
    ports:
      - 8087:8080
    depends_on:
      - oauthkeycloakdb
    links:
      - "oauthkeycloakdb:oauthkeycloakdb"
    restart: unless-stopped

  oauthproxy:
    image: docker.io/bitnami/oauth2-proxy:7.4.0
    container_name: oauthproxy
    command: [
      "--cookie-secret=yI-CWT5s4sBR2Zd0DDJJlTYc0aQ3jwGH15jYA18ZAQA=",
      "--upstream=http://env.grafana.local:3000",
      "--provider=keycloak",
      "--client-id=grafana-oauth",
      "--client-secret=d17b9ea9-bcb1-43d2-b132-d339e55872a8",
      "--login-url=http://env.grafana.local:8087/realms/grafana/protocol/openid-connect/auth",
      "--redeem-url=http://env.grafana.local:8087/realms/grafana/protocol/openid-connect/token",
      "--profile-url=http://env.grafana.local:8087/realms/grafana/protocol/openid-connect/userinfo",
      "--validate-url=http://env.grafana.local:8087/realms/grafana/protocol/openid-connect/userinfo",
      "--cookie-secure=false",
      "--http-address=0.0.0.0:8088",
      "--redirect-url=http://env.grafana.local:8088/oauth2/callback",
      "--pass-access-token=true",
      "--email-domain=*",
    ]
    depends_on:
      - oauthkeycloak
    extra_hosts:
      - "env.grafana.local:host-gateway"
    ports:
      - 8088:8088
    restart: unless-stopped