
Add Keycloak integration, SSL setup script, and NGINX reverse proxy

- Configured Keycloak for centralized user management across services
- Implemented NGINX as a reverse proxy for subdomains (e.g., auth, cloud, time, automate)
- Added `generate_ssl_certificate.sh` script to create self-signed wildcard SSL certificates
- Updated project structure to organize configuration, certs, and persistent data
- Revised README.md with setup, usage, and SSL instructions
mathias.riechsteiner 1 year ago
parent
commit
25b61a19be
4 files changed with 245 additions and 39 deletions
  1. .gitignore (+1 −0)
  2. README.md (+83 −38)
  3. src/docker/docker-compose.yml (+87 −1)
  4. src/scripts/generate_ssl_certificate.sh (+74 −0)

+ 1 - 0
.gitignore

@@ -1,3 +1,4 @@
 data/
 logs/
+src/configs
 .env
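Review bot: ignoring all of `src/configs` is broader than it needs to be: the README in this same commit documents `src/configs/nginx/nginx.conf` as the reverse-proxy configuration, and with this rule that file can never reach the repository, while the material that actually must stay out of git is the key material the SSL script writes into `src/configs/certs` (`*.key`, `*.pfx`). Ignore `src/configs/certs/` (or `*.key` and `*.pfx`) and keep `nginx.conf` tracked.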

+ 83 - 38
README.md

@@ -8,18 +8,18 @@ and reporting through open-source, on-premise tools.
 ## Project Structure
 - **docs/**: Documentation for setup, usage, and maintenance.
 - **src/**: Main codebase, including Docker configuration and automation scripts.
-  - **src/docker/**: Docker Compose configuration files and individual Dockerfile(s).
-  - **src/scripts/**: Custom scripts (e.g., for installation or automation).
-  - **src/configs/**: Configuration files for different services.
+  - **configs/**: Configuration files for different services.
+    - **configs/nginx**: Configuration files for the NGINX reverse proxy.
+  - **docker/**: Docker Compose configuration files.
+  - **scripts/**: Custom scripts (e.g., for installation, SSL certificate generation).
 - **data/**: Persistent data storage (e.g., databases).
 - **logs/**: Application logs.
 
-
 ## Environment Variables
 
 Create a `.env` file in the project root with the following placeholders (to be replaced with actual values):
 
-'''bash
+```bash
 # Paperless-ngx Configuration
 PAPERLESS_DB_USER=myuser
 PAPERLESS_DB_PASSWORD=randomGeneratedPassword
@@ -36,54 +36,91 @@ MYSQL_USER=nextcloud
 MYSQL_PASSWORD=randomGeneratedPassword
 
 # Kimai Database Configuration
-KIMAI_DATABASE=kimai
-KIMAI_USER=kimai_user
-KIMAI_PASSWORD=randomGeneratedPassword
-KIMAI_ROOT_PASSWORD=randomGeneratedPassword
+KIMAI_DB_DATABASE=kimai
+KIMAI_DB_USER=kimai_user
+KIMAI_DB_PASSWORD=randomGeneratedPassword
+KIMAI_DB_ROOT_PASSWORD=randomGeneratedPassword
 
 # Kimai Admin User Configuration
 KIMAI_ADMIN_USER=kiami_admin_user  
 KIMAI_ADMIN_PASSWORD=randomGeneratedPassword
 KIMAI_ADMIN_EMAIL=kiami@admin.email
-'''
 
+# Keycloak Configuration
+KEYCLOAK_ADMIN_USER=admin
+KEYCLOAK_ADMIN_PASSWORD=randomGeneratedPassword
+KEYCLOAK_DB=keycloak
+KEYCLOAK_DB_USERNAME=keycloak_user
+KEYCLOAK_DB_PASSWORD=randomGeneratedPassword
+
+# N8N Configuration
+N8N_USER=n8n_user
+N8N_PASSWORD=randomGeneratedPassword
+```
 ## Installation
 
 ### Step 1: Install Docker
 
 To install Docker on a new system, you can use the provided installation script. Run the following commands in the `src/scripts` directory:
 
-'''bash
+```bash
 cd ~/AutoMate/src/scripts
 ./install_docker.sh
-'''
-
+```
 This script will install Docker and add the current user to the Docker group. **Note:** You will need to log out and log back in for the group permissions to take effect.
 
 ### Step 2: Docker Compose Setup
 
 1. **Navigate to the Docker Config Directory**:
 
-   '''bash
+   ```bash
    cd ~/AutoMate/src/docker
-   '''
+   ```
 
 2. **Start Docker Compose**:
 
    Use Docker Compose to start all configured services.
 
-   '''bash
+   ```bash
    docker-compose up -d
-   '''
+   ```
 
 3. **Check Status**:
 
    To confirm that all services are running, use:
 
-   '''bash
+   ```bash
    docker-compose ps
-   '''
+   ```
+
+## SSL Certificate Setup
+
+The project includes a script to generate self-signed SSL certificates for local development. 
+
+1. **Run the SSL Generation Script**:
+
+   ```bash
+   cd ~/AutoMate/src/scripts
+   ./generate_ssl_certificate.sh -d "mrx8086.com" -o "../configs/certs" -t 365 -p "yourPfxPassword"
+   ```
+
+2. **Generated Files**:
+   - `.crt` and `.key` files for NGINX in `configs/certs`.
+   - `.pfx` file for importing into Windows to prevent SSL errors.
+
+## NGINX Reverse Proxy
 
+NGINX is used as a reverse proxy to route traffic to different services via subdomains (e.g., `auth.mrx8086.com` for Keycloak).
+
+### Configuration
+The NGINX configuration is stored in `src/configs/nginx/nginx.conf`. It is set up to handle:
+- **Keycloak** at `auth.mrx8086.com`
+- **Nextcloud** at `cloud.mrx8086.com`
+- **Paperless** at `docs.mrx8086.com`
+- **Kimai** at `time.mrx8086.com`
+- **n8n** at `automate.mrx8086.com`
+
+Make sure to add these subdomains to your hosts file for local testing.
 
 ## Creating an Admin User for Paperless-ngx
 
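Review bot: the "Generated Files" step under "SSL Certificate Setup" tells Windows users to import the `.pfx`, but that bundle contains the private key; for the browser to stop warning only the `.crt` needs to go into the trusted certificate store, and the key should never leave the host running the proxy, so describe importing `mrx8086.com.crt` and drop the `.pfx` from the client-side instructions. The "NGINX Reverse Proxy" section documents `src/configs/nginx/nginx.conf`, but the compose file in this commit has the `nginx` service commented out in favour of `jc21/nginx-proxy-manager`, and `src/configs` is now git-ignored, so a reader following this section finds neither the config nor a service that loads it; document whichever proxy is actually started. The hosts-file sentence should also say that all five names must resolve to the address of the proxy host, since that is what makes the subdomain routing work.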
@@ -91,9 +128,9 @@ After starting the Paperless-ngx service for the first time, you need to create
 
 1. **Run the following command in your project directory to enter the Paperless-ngx container**:
 
-   $$$
+   ```bash
    docker-compose exec paperless python3 manage.py createsuperuser
-   $$$
+   ```
 
 2. **Provide the Required Information**:
    - Enter a **username** for the admin account.
@@ -101,32 +138,40 @@ After starting the Paperless-ngx service for the first time, you need to create
    - Set a **password**.
 
 3. **Log In to Paperless-ngx**:
-   - Open your web browser and go to `http://localhost:8000`.
+   - Open your web browser and go to `http://docs.mrx8086.com`.
    - Use the username and password you just created to log in as the admin.
 
-This setup step is necessary only for the first-time setup or if you need to create additional admin users.
-
 ## Setting Up Kimai (Time Tracking)
 
-After configuring the environment variables, you can start Kimai for time tracking and management.
-
-1. **Start Kimai**:
-   - Run the following command to start the Kimai service along with its database:
-
-     $$$
-     docker-compose up -d
-     $$$
-
-2. **Access Kimai**:
-   - Open your web browser and go to `http://localhost:8081`.
+1. **Access Kimai**:
+   - Open your web browser and go to `http://time.mrx8086.com`.
    - Log in with the `KIMAI_ADMIN_USER` and `KIMAI_ADMIN_PASSWORD` values you set in `.env`.
 
-3. **Using Kimai**:
-   - After logging in, you can set up projects, track time, and generate reports for your tasks. Kimai provides a comprehensive interface for managing billable time and clients.
+## Keycloak Setup
+
+1. **Run Keycloak**:
+   - Start Keycloak by running `docker-compose up -d keycloak`.
+   - Access the Keycloak admin console at [http://auth.mrx8086.com](http://auth.mrx8086.com) with the credentials set in `.env`.
 
-This setup provides you with a time tracking tool that can work alongside Paperless-ngx and Nextcloud in the AutoMate system.
+2. **Create a Realm and Clients**:
+   - Create a new realm for centralized user management.
+   - Set up clients for Nextcloud, Kimai, and Paperless if they support it.
 
+3. **Connecting Applications**:
+   - Configure Nextcloud, Kimai, and other tools to authenticate via Keycloak by setting them as clients in Keycloak.
+   - Follow Keycloak documentation for setting up clients with OpenID Connect.
 
+## Accessing Services
 
+Each service can be accessed using the following URLs:
+- **Paperless-ngx**: [http://docs.mrx8086.com](http://docs.mrx8086.com)
+- **Nextcloud**: [http://cloud.mrx8086.com](http://cloud.mrx8086.com)
+- **Kimai**: [http://time.mrx8086.com](http://time.mrx8086.com)
+- **n8n**: [http://automate.mrx8086.com](http://automate.mrx8086.com)
+- **Keycloak**: [http://auth.mrx8086.com](http://auth.mrx8086.com)
 
+## Contributing
 
+Please ensure any modifications are tested locally before pushing changes to the repository. 
+All environment variables should be stored in `.env` and sensitive information should not be committed to the repository.
+```
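Review bot: "Accessing Services" and the Paperless, Kimai and Keycloak steps all give `http://` URLs, but the compose changes set `PAPERLESS_CSRF_COOKIE_SECURE=True` with `PAPERLESS_CSRF_TRUSTED_ORIGINS=https://docs.mrx8086.com` and `KC_HOSTNAME_STRICT_HTTPS=true`, so logins over plain HTTP will not work as documented; list the `https://` URLs and point readers at the certificate-trust step. The trailing "```" on the last line opens a code fence that is never closed (the previous fence closed after the `.env` template), so remove it. In "Create a Realm and Clients", "if they support it" leaves the reader guessing: for each service state which protocol (OpenID Connect or SAML) and which app or plugin is used and which redirect URI to register, or say plainly that this is still to be worked out.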

+ 87 - 1
src/docker/docker-compose.yml

@@ -9,10 +9,14 @@ services:
     volumes:
       - ../data/paperless:/usr/src/paperless/data
     environment:
+      - PAPERLESS_DEBUG=false
       - PAPERLESS_REDIS=redis://redis:6379
       - PAPERLESS_SECRET_KEY=${PAPERLESS_SECRET_KEY}
       - PAPERLESS_DB_USER=${PAPERLESS_DB_USER}
       - PAPERLESS_DB_PASSWORD=${PAPERLESS_DB_PASSWORD}
+      - ALLOWED_HOSTS=docs.mrx8086.com,localhost,127.0.0.1
+      - PAPERLESS_CSRF_COOKIE_SECURE=True
+      - PAPERLESS_CSRF_TRUSTED_ORIGINS=https://docs.mrx8086.com
     depends_on:
       - redis
 
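Review bot: `ALLOWED_HOSTS` on the paperless service lacks the `PAPERLESS_` prefix that every other setting in this block carries; paperless-ngx reads `PAPERLESS_ALLOWED_HOSTS`, so as written the variable is ignored and the host check stays at its default. Rename it, and since the CSRF line already names `https://docs.mrx8086.com`, consider a single `PAPERLESS_URL=https://docs.mrx8086.com`, which sets the allowed host and the trusted origin together.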
@@ -77,8 +81,90 @@ services:
       - "DATABASE_URL=mysql://${KIMAI_DB_USER}:${KIMAI_DB_PASSWORD}@kimai_db/${KIMAI_DB_DATABASE}?charset=utf8mb4&serverVersion=8.3.0"
     restart: unless-stopped
 
+  n8n:
+    image: n8nio/n8n
+    container_name: n8n
+    environment:
+      - N8N_BASIC_AUTH_ACTIVE=true
+      - N8N_BASIC_AUTH_USER=${N8N_USER}
+      - N8N_BASIC_AUTH_PASSWORD=${N8N_PASSWORD}
+      - N8N_HOST=n8n
+      - N8N_PORT=5678
+      - N8N_PROTOCOL=http
+      - WEBHOOK_URL=http://localhost:5678/
+    ports:
+      - "5678:5678"
+    volumes:
+      - ../data/n8n:/root/.n8n
+    depends_on:
+      - kimai
+      - nextcloud
+      - paperless
+
+  keycloak:
+    image: quay.io/keycloak/keycloak:latest
+    container_name: keycloak
+    environment:
+      - KEYCLOAK_ADMIN=${KEYCLOAK_ADMIN_USER}
+      - KEYCLOAK_ADMIN_PASSWORD=${KEYCLOAK_ADMIN_PASSWORD}
+      - KC_DB=postgres
+      - KC_DB_URL=jdbc:postgresql://keycloak_db:5432/${KEYCLOAK_DB}
+      - KC_DB_USERNAME=${KEYCLOAK_DB_USERNAME}
+      - KC_DB_PASSWORD=${KEYCLOAK_DB_PASSWORD}
+      - KC_HOSTNAME=auth.mrx8086.com
+      - KC_HTTPS_CERTIFICATE_FILE=/etc/x509/https/tls.crt   # Path to SSL cert
+      - KC_HTTPS_CERTIFICATE_KEY_FILE=/etc/x509/https/tls.key  # Path to SSL key
+      - KC_HOSTNAME_STRICT_HTTPS=true
+      - KC_PROXY=edge
+    ports:
+      - "8443:8443"  # Map Keycloak’s HTTPS port to the public port
+    volumes:
+      - ../configs/certs/mrx8086.com.crt:/etc/x509/https/tls.crt  # Mount the SSL certificate
+      - ../configs/certs/mrx8086.com.key:/etc/x509/https/tls.key  # Mount the SSL key
+    depends_on:
+      - keycloak_db
+    command: start-dev
+
+
+  keycloak_db:
+    image: postgres:latest
+    container_name: keycloak_db
+    environment:
+      - POSTGRES_DB=${KEYCLOAK_DB}
+      - POSTGRES_USER=${KEYCLOAK_DB_USERNAME}
+      - POSTGRES_PASSWORD=${KEYCLOAK_DB_PASSWORD}
+    volumes:
+      - ../data/keycloak_db:/var/lib/postgresql/data
+
+  npm:
+    image: jc21/nginx-proxy-manager
+    ports:
+      - "80:80"
+      - "81:81"  # Port für die GUI
+      - "443:443"
+    environment:
+      DB_SQLITE_FILE: "/data/database.sqlite"
+    volumes:
+      - ../data/npm:/data
+      - ../data/npm_letsencrypt:/etc/letsencrypt
+
+#  nginx:
+#    image: nginx:latest
+#    container_name: nginx
+#    ports:
+#      - "80:80"
+#      - "443:443"  # Enables HTTPS
+#    volumes:
+#      - ../configs/nginx/nginx.conf:/etc/nginx/nginx.conf:ro
+#      - ../configs/certs:/etc/nginx/certs:ro  # SSL certificates
+#    depends_on:
+#      - paperless
+#      - nextcloud
+#      - kimai
+#      - n8n
+#      - keycloak
+
 volumes:
   data:
   mysql:
   plugins:
-
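Review bot: `n8n` publishes `5678:5678` and `keycloak` publishes `8443:8443` on the host, so both are reachable directly and bypass the reverse proxy that is meant to front them (n8n behind nothing but basic auth over plain HTTP, given `N8N_PROTOCOL=http` and `WEBHOOK_URL=http://localhost:5678/`, which also contradicts the documented `automate.mrx8086.com`); drop the `ports` entries and let the proxy reach them over the compose network, or at least bind them to `127.0.0.1`. Keycloak is started with `start-dev` and `KC_PROXY=edge`: in edge mode the proxy terminates TLS, so the mounted `tls.crt`/`tls.key` and port 8443 are unused in the documented setup, and `start-dev` is the development mode the server itself warns against using outside local testing; switch to `start` once the proxy is in place. The `npm` service publishes its admin GUI as `81:81` on every interface; bind it as `"127.0.0.1:81:81"`. All four new images (`n8nio/n8n`, `keycloak:latest`, `postgres:latest`, `jc21/nginx-proxy-manager`) are unpinned; for an identity provider and a database with a persistent data directory that means a `docker-compose pull` can land a major-version upgrade that refuses to start on the existing data, so pin explicit tags. Minor: `# Port für die GUI` is German in an otherwise English file, and `n8n`'s `depends_on` on kimai/nextcloud/paperless ties its startup to services it does not need.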

+ 74 - 0
src/scripts/generate_ssl_certificate.sh

@@ -0,0 +1,74 @@
+#!/bin/bash
+
+# Set default values
+DOMAIN="example.com"
+OUTPUT_DIR="../src/configs/certs"
+DAYS=365
+PFX_PASSWORD=""
+
+# Function to display help
+function show_help {
+  echo "Usage: ./generate_ssl_certificate.sh -d DOMAIN -o OUTPUT_DIR -t DAYS -p PFX_PASSWORD"
+  echo
+  echo "Options:"
+  echo "  -d DOMAIN          The domain name for the certificate (e.g., mrx8086.com)"
+  echo "  -o OUTPUT_DIR      The directory to save the certificate files (default: ../src/configs/certs)"
+  echo "  -t DAYS            The number of days the certificate will be valid (default: 365)"
+  echo "  -p PFX_PASSWORD    The password for the .pfx file (leave empty for no password)"
+  echo "  -h                 Show this help message"
+}
+
+# Parse input arguments
+while getopts ":d:o:t:p:h" opt; do
+  case $opt in
+    d) DOMAIN="$OPTARG"
+    ;;
+    o) OUTPUT_DIR="$OPTARG"
+    ;;
+    t) DAYS="$OPTARG"
+    ;;
+    p) PFX_PASSWORD="$OPTARG"
+    ;;
+    h) show_help
+       exit 0
+    ;;
+    \?) echo "Invalid option -$OPTARG" >&2
+        show_help
+        exit 1
+    ;;
+  esac
+done
+
+# Create the output directory if it does not exist
+mkdir -p "$OUTPUT_DIR"
+
+# Generate the wildcard SSL certificate for the domain
+echo "Generating SSL certificate for *.$DOMAIN in $OUTPUT_DIR"
+
+openssl req -x509 -nodes -newkey rsa:2048 \
+  -keyout "$OUTPUT_DIR/$DOMAIN.key" \
+  -out "$OUTPUT_DIR/$DOMAIN.crt" \
+  -days "$DAYS" \
+  -subj "/C=US/ST=State/L=City/O=Organization/OU=Department/CN=*.$DOMAIN"
+
+# Generate .pfx file
+echo "Generating .pfx file for Windows import"
+
+if [ -z "$PFX_PASSWORD" ]; then
+  openssl pkcs12 -export -out "$OUTPUT_DIR/$DOMAIN.pfx" \
+    -inkey "$OUTPUT_DIR/$DOMAIN.key" \
+    -in "$OUTPUT_DIR/$DOMAIN.crt" \
+    -name "*.$DOMAIN" \
+    -passout pass:
+else
+  openssl pkcs12 -export -out "$OUTPUT_DIR/$DOMAIN.pfx" \
+    -inkey "$OUTPUT_DIR/$DOMAIN.key" \
+    -in "$OUTPUT_DIR/$DOMAIN.crt" \
+    -name "*.$DOMAIN" \
+    -passout pass:"$PFX_PASSWORD"
+fi
+
+echo "Certificate generated successfully:"
+echo "  Private Key: $OUTPUT_DIR/$DOMAIN.key"
+echo "  Certificate: $OUTPUT_DIR/$DOMAIN.crt"
+echo "  PFX (Windows): $OUTPUT_DIR/$DOMAIN.pfx"
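Review bot: the certificate carries `CN=*.$DOMAIN` but no subjectAltName, and current browsers ignore the CN when matching hostnames, so even after the `.crt` is trusted `auth.mrx8086.com` and the other subdomains still fail validation; add `-addext "subjectAltName=DNS:*.$DOMAIN,DNS:$DOMAIN"` to the `openssl req` call (OpenSSL 1.1.1 or later). The default `OUTPUT_DIR="../src/configs/certs"` is wrong for the directory the README says to run from (`src/scripts`), where it resolves to `src/src/configs/certs`; the README's own `-o ../configs/certs` is the right default. `-passout pass:"$PFX_PASSWORD"` puts the PFX password on the openssl command line, where it is visible in `ps` and the shell history (as is the `-p` argument to this script); export the variable and use `-passout env:PFX_PASSWORD`, which also collapses the `if`/`else` into one call since an empty variable yields an empty password. The private key is written with the caller's umask, so set `umask 077` before the `openssl req`; and without `set -euo pipefail` the pkcs12 step and the "generated successfully" message run even when `req` has failed.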