⚙️ DTaaS Configuration
This document outlines the configuration needed for the docker compose file. The configuration can be divided into pre and post-install parts. The pre-install configuration tasks must be completed before bringing up the docker compose services, while the post-install configuration tasks must be completed after bringing up the docker compose services.
Pre-install Configuration Tasks:
Post-install Configuration Tasks:
🌍 Environment
The compose commands used in the setup guides set the environment
with an environment file. An example of this file can be found at
.env.example.
Create a copy of this example file without the example suffix:
🌐 Domain
Decide whether the deployment is local or remote. For a remote deployment,
ensure that the machine has a domain name and that the domain resolves and is
reachable from the internet.
From now on, whenever <DOMAIN_NAME> or intocps.org appears
in this guide, replace it with the domain name of the remote machine.
Open .env and replace the current value of
the SERVER_DNS variable with the domain name:
🔒 TLS Certificates
Ensure that valid TLS certificates for the domain are present on the machine
and in the expected location: the full certificate chain as fullchain.pem and
the private key as privkey.pem, both in the certs/ directory. Keep privkey.pem
readable only by the account that runs docker compose.
There are multiple ways to obtain TLS certificates. If hosting on a webserver, Certbot from Let's Encrypt may be used:
👥 Usernames
The usernames of the main users for the workspaces can be changed in
the environment variable file .env.
Change the default values (user1 and user2) to the desired usernames:
NOTE: These usernames must match the usernames of the Keycloak users referenced in the Traefik forward auth configuration.
🚪 Traefik Forward Auth Configuration
The config/forward-auth-conf.example file contains
example configuration for the forward-auth service.
Create a copy of this example file without the example suffix:
Then update the traefik forward auth configuration file with the usernames
and emails of the Keycloak users that correspond to user1 and user2
respectively.
NOTE: Ensure that the usernames set in the Usernames configuration step are the same as those set in the Traefik Forward Auth configuration file.
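The following preflight script is added here as an example (it is not part of the DTaaS project) and checks the pre-install state described in the Domain, TLS Certificates, Usernames and Traefik Forward Auth sections above: SERVER_DNS is set, the default usernames are gone, each username has a matching path in the forward-auth configuration, and certs/privkey.pem is private, matches certs/fullchain.pem, names the domain and is unexpired. The .env keys username1/username2, the /<username> path convention in the forward-auth file and the file name config/forward-auth-conf are assumptions, not taken from this page.

```shell
#!/bin/sh
# DTaaS pre-install preflight checks (added example, not DTaaS project code).
# Assumptions not taken from the page: the .env keys for the two workspace
# users are username1/username2, and the forward-auth config refers to each
# workspace by the path /<username>.

# Print the value of KEY ($2) from an env file ($1); surrounding quotes are dropped.
env_get() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1 \
    | sed 's/^["'"'"']//; s/["'"'"']$//'
}

# SERVER_DNS must be set and the <DOMAIN_NAME> placeholder must be gone.
check_domain() {
  d=$(env_get "$1" SERVER_DNS)
  [ -n "$d" ] && [ "$d" != "<DOMAIN_NAME>" ]
}

# The example usernames (user1/user2) must have been replaced and must differ.
check_usernames() {
  u1=$(env_get "$1" username1); u2=$(env_get "$1" username2)
  [ -n "$u1" ] && [ -n "$u2" ] && [ "$u1" != "$u2" ] \
    && [ "$u1" != user1 ] && [ "$u2" != user2 ]
}

# Each username from .env ($1) must appear as a workspace path in the
# forward-auth config ($2), otherwise the auth rules do not line up with
# the workspaces they are meant to protect.
check_forward_auth() {
  for key in username1 username2; do   # assumed key names
    u=$(env_get "$1" "$key")
    [ -n "$u" ] || return 1
    grep -Eq -- "/$u([^A-Za-z0-9_-]|\$)" "$2" || return 1
  done
}

# Certificates: both files present, private key mode ends in 00 (no group or
# other bits), key matches the leaf certificate, certificate names the domain
# and has not expired.
check_certs() {   # $1 = certs dir, $2 = domain
  crt="$1/fullchain.pem"; key="$1/privkey.pem"
  [ -f "$crt" ] && [ -f "$key" ] \
    || { echo "missing fullchain.pem or privkey.pem in $1" >&2; return 1; }
  mode=$(stat -c %a "$key" 2>/dev/null || stat -f %Lp "$key")
  case "$mode" in
    *00) ;;
    *) echo "privkey.pem is readable by others (mode $mode)" >&2; return 1 ;;
  esac
  cert_pub=$(openssl x509 -in "$crt" -noout -pubkey) || return 1
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
  [ "$cert_pub" = "$key_pub" ] \
    || { echo "privkey.pem does not match fullchain.pem" >&2; return 1; }
  openssl x509 -in "$crt" -noout -checkend 0 >/dev/null \
    || { echo "certificate has expired" >&2; return 1; }
  openssl x509 -in "$crt" -noout -text | grep -Eq "DNS:$2([,[:space:]]|\$)" \
    || { echo "certificate does not cover $2" >&2; return 1; }
}

# Run every check against a directory holding .env, config/ and certs/.
preflight() {
  envf="$1/.env"
  check_domain "$envf"    || { echo "SERVER_DNS not set in $envf" >&2; return 1; }
  check_usernames "$envf" || { echo "default usernames still present in $envf" >&2; return 1; }
  check_forward_auth "$envf" "$1/config/forward-auth-conf" \
    || { echo "usernames in $envf do not match $1/config/forward-auth-conf" >&2; return 1; }
  check_certs "$1/certs" "$(env_get "$envf" SERVER_DNS)"
}

# Usage: sh preflight.sh /path/to/deployment/directory
if [ -n "${1:-}" ]; then preflight "$1"; fi
```

The key/certificate match is checked by comparing the public key in the first certificate of fullchain.pem with the one derived from privkey.pem, which catches the common mistake of copying a renewed chain without the renewed key. The forward-auth file format used for the check is constructed for the example; adapt the grep if the real file names workspaces differently.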
🎯 Keycloak Integration
The default configuration for docker-compose.yml now uses Keycloak
for authentication via OIDC (OpenID Connect). Keycloak provides a robust,
enterprise-grade identity and access management solution.
The traefik-forward-auth and DTaaS client docker services both use
Keycloak for authentication and authorisation. An OAuth2/OIDC client
must be registered for each of them in the integrated Keycloak service.
For detailed Keycloak setup instructions, see keycloak-setup.md
Configure Environment Variables
- For Keycloak (default), edit .env and fill in the Keycloak credentials:
🖥️ DTaaS Web Client Config
The DTaaS Web Client can be configured with a small JavaScript file,
an example of which can be found at
config/client.js.example.
Create a copy of this example file without the example suffix:
Then, edit the new DTaaS Web Client config file, updating the following values:
🔑🖥️ Client OAuth2 Setup
The DTaaS web client is a React SPA that authenticates via Keycloak using
the Authorization Code flow with PKCE. Follow the
Create OAuth2 Client for DTaaS Client Service
instructions in keycloak-setup.md
to create the public PKCE client in
Keycloak, then update config/client.js:
openid and profile are standard OIDC scopes that Keycloak provides by default.
openid is required for OIDC authentication and causes Keycloak to issue an ID token.
profile triggers the profile claim mapper configured on the Keycloak client,
which returns a URL of the form https://<DOMAIN_NAME>/<username> stored as a
user attribute in Keycloak. The DTaaS web client extracts the username from
the last path segment of this URL. Because the workspace username is derived
from this attribute, it should be settable by Keycloak administrators only,
not editable by users through account self-service.
The variable is named REACT_APP_GITLAB_SCOPES for legacy reasons;
it now carries the Keycloak OIDC scopes.
Replace <DOMAIN_NAME> with the value set in the
Domain section and dtaas with the Keycloak realm name
if a different one was chosen.
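To make the Client OAuth2 Setup concrete, the script below walks the Authorization Code flow with PKCE by hand against the Keycloak realm, the way the web client does in the browser: it generates the code_verifier and S256 code_challenge, builds the authorization URL with the openid profile scopes, issues the token request with the verifier, and extracts the username from the profile claim URL as the client does. It is an added example, not DTaaS project code. The /protocol/openid-connect/auth and /token endpoint paths are Keycloak's standard ones; the issuer URL https://<DOMAIN_NAME>/keycloak/realms/dtaas, the client_id dtaas-client and the redirect URI /callback are assumptions, and the origin check in username_from_profile is an extra guard added here rather than documented client behaviour.

```shell
#!/bin/sh
# Manual Authorization Code + PKCE walk-through against Keycloak (added example,
# not DTaaS project code). Assumed, not from the page: issuer URL layout
# https://<DOMAIN_NAME>/keycloak/realms/dtaas, client_id dtaas-client, redirect URI.

# base64url without padding, as PKCE values require (RFC 7636).
b64url() { openssl base64 -A | tr '+/' '-_' | tr -d '='; }

# code_verifier: 32 random bytes -> 43 unreserved characters.
pkce_verifier() { openssl rand 32 | b64url; }

# code_challenge = base64url(SHA-256(code_verifier)), method S256.
pkce_challenge() { printf '%s' "$1" | openssl dgst -sha256 -binary | b64url; }

# Percent-encode a query value (everything except RFC 3986 unreserved chars).
urlencode() {
  LC_ALL=C awk -v s="$1" 'BEGIN {
    for (n = 0; n < 256; n++) ord[sprintf("%c", n)] = n
    for (i = 1; i <= length(s); i++) {
      c = substr(s, i, 1)
      if (c ~ /[A-Za-z0-9._~-]/) printf "%s", c; else printf "%%%02X", ord[c]
    }
  }'
}

# Authorization request for a public client: no client_secret; the challenge
# binds the later token request to the browser session that started here.
# $1 issuer, $2 client_id, $3 redirect_uri, $4 scopes, $5 state, $6 code_challenge
authorize_url() {
  printf '%s/protocol/openid-connect/auth?response_type=code&client_id=%s&redirect_uri=%s&scope=%s&state=%s&code_challenge=%s&code_challenge_method=S256\n' \
    "$1" "$(urlencode "$2")" "$(urlencode "$3")" "$(urlencode "$4")" "$(urlencode "$5")" "$6"
}

# Token request: the code from the redirect plus the original verifier.
# Keycloak recomputes the challenge and rejects a verifier that does not match.
# $1 issuer, $2 client_id, $3 redirect_uri, $4 code, $5 code_verifier
token_request() {
  curl -sS -X POST "$1/protocol/openid-connect/token" \
    -d grant_type=authorization_code -d "client_id=$2" \
    --data-urlencode "redirect_uri=$3" -d "code=$4" -d "code_verifier=$5"
}

# The profile claim carries https://<DOMAIN_NAME>/<username>; the client keeps
# the last path segment. Rejecting a foreign origin is an extra guard added here.
# $1 profile URL, $2 expected domain
username_from_profile() {
  case "$1" in "https://$2/"*) ;; *) return 1 ;; esac
  p=${1#"https://$2/"}; p=${p%/}
  u=${p##*/}
  [ -n "$u" ] && printf '%s\n' "$u"
}

# Usage: sh pkce.sh <DOMAIN_NAME>  -> prints verifier, state and the URL to open.
if [ -n "${1:-}" ]; then
  issuer="https://$1/keycloak/realms/dtaas"          # assumed realm URL
  verifier=$(pkce_verifier); state=$(openssl rand -hex 16)
  echo "code_verifier=$verifier state=$state"
  authorize_url "$issuer" dtaas-client "https://$1/callback" "openid profile" \
    "$state" "$(pkce_challenge "$verifier")"
fi
```

After logging in at the printed URL, compare the state in the redirect with the one printed, then call token_request with the returned code and the printed verifier; the ID token in the response carries the profile claim that username_from_profile reads. Setting the Keycloak client to confidential, or omitting code_challenge, makes this exchange fail, which is a quick way to confirm the client was created as a public PKCE client.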