From a54a4562f176325be9e9b9886d90ee11cc342be8 Mon Sep 17 00:00:00 2001
From: v-aisac <v-aisac@digitalocean.com>
Date: Mon, 24 Jun 2024 15:57:33 +0300
Subject: [PATCH 01/10] fix db_protocol parsing

---
 .../files/var/lib/cloud/scripts/per-instance/001_onboot         | 2 +-
 lamp-18-04/scripts/011-lamp.sh                                  | 2 +-
 lamp-20-04/scripts/011-lamp.sh                                  | 2 +-
 wordpress-18-04/files/opt/digitalocean/wp_setup.sh              | 2 +-
 wordpress-20-04/files/root/wp_setup.sh                          | 2 +-
 wordpress-22-04/files/root/wp_setup.sh                          | 2 +-
 6 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/django-22-04/files/var/lib/cloud/scripts/per-instance/001_onboot b/django-22-04/files/var/lib/cloud/scripts/per-instance/001_onboot
index 61ecbaf6..f930f18b 100755
--- a/django-22-04/files/var/lib/cloud/scripts/per-instance/001_onboot
+++ b/django-22-04/files/var/lib/cloud/scripts/per-instance/001_onboot
@@ -60,7 +60,7 @@ done
 echo "${DJANGO_USER}:${DJANGO_USER_PASSWORD}" | chpasswd -
 
 # Set up postgres user and database
-if [ -f "/root/.digitalocean_dbaas_credentials" ] && [ "$(sed -n "s/^db_protocol=\"\([^:]*\):.*\"$/\1/p" /root/.digitalocean_dbaas_credentials)" = "postgresql" ]; then
+if [ -f "/root/.digitalocean_dbaas_credentials" ] && [ "$(sed -n "s/^db_protocol=\"\(.*\)\"$/\1/p" /root/.digitalocean_dbaas_credentials)" = "postgresql" ]; then
   # grab all the data from the dbaas credentials file
   DJANGO_POSTGRESS_HOST=$(sed -n "s/^db_host=\"\(.*\)\"$/\1/p" /root/.digitalocean_dbaas_credentials)
   DJANGO_POSTGRESS_PORT=$(sed -n "s/^db_port=\"\(.*\)\"$/\1/p" /root/.digitalocean_dbaas_credentials)
diff --git a/lamp-18-04/scripts/011-lamp.sh b/lamp-18-04/scripts/011-lamp.sh
index 49b65529..bc660ac5 100755
--- a/lamp-18-04/scripts/011-lamp.sh
+++ b/lamp-18-04/scripts/011-lamp.sh
@@ -6,7 +6,7 @@ chown -R www-data: /var/www
 chown -R www-data: /var/www/html
 
 # if applicable, configure lamp to use & wait for a mysql dbaas instance.
-if [ -f "/root/.digitalocean_dbaas_credentials" ] && [ "$(sed -n "s/^db_protocol=\"\([^:]*\):.*\"$/\1/p" /root/.digitalocean_dbaas_credentials)" = "mysql" ]; then
+if [ -f "/root/.digitalocean_dbaas_credentials" ] && [ "$(sed -n "s/^db_protocol=\"\(.*\)\"$/\1/p" /root/.digitalocean_dbaas_credentials)" = "mysql" ]; then
   # grab host & port to block until database connection is ready
   host=$(sed -n "s/^db_host=\"\(.*\)\"$/\1/p" /root/.digitalocean_dbaas_credentials)
   port=$(sed -n "s/^db_port=\"\(.*\)\"$/\1/p" /root/.digitalocean_dbaas_credentials)
diff --git a/lamp-20-04/scripts/011-lamp.sh b/lamp-20-04/scripts/011-lamp.sh
index 49b65529..bc660ac5 100755
--- a/lamp-20-04/scripts/011-lamp.sh
+++ b/lamp-20-04/scripts/011-lamp.sh
@@ -6,7 +6,7 @@ chown -R www-data: /var/www
 chown -R www-data: /var/www/html
 
 # if applicable, configure lamp to use & wait for a mysql dbaas instance.
-if [ -f "/root/.digitalocean_dbaas_credentials" ] && [ "$(sed -n "s/^db_protocol=\"\([^:]*\):.*\"$/\1/p" /root/.digitalocean_dbaas_credentials)" = "mysql" ]; then
+if [ -f "/root/.digitalocean_dbaas_credentials" ] && [ "$(sed -n "s/^db_protocol=\"\(.*\)\"$/\1/p" /root/.digitalocean_dbaas_credentials)" = "mysql" ]; then
   # grab host & port to block until database connection is ready
   host=$(sed -n "s/^db_host=\"\(.*\)\"$/\1/p" /root/.digitalocean_dbaas_credentials)
   port=$(sed -n "s/^db_port=\"\(.*\)\"$/\1/p" /root/.digitalocean_dbaas_credentials)
diff --git a/wordpress-18-04/files/opt/digitalocean/wp_setup.sh b/wordpress-18-04/files/opt/digitalocean/wp_setup.sh
index 2c91781c..b184e0af 100755
--- a/wordpress-18-04/files/opt/digitalocean/wp_setup.sh
+++ b/wordpress-18-04/files/opt/digitalocean/wp_setup.sh
@@ -15,7 +15,7 @@ fi
 chown -Rf www-data:www-data /var/www/html
 
 # if applicable, configure wordpress to use mysql dbaas
-if [ -f "/root/.digitalocean_dbaas_credentials" ] && [ "$(sed -n "s/^db_protocol=\"\([^:]*\):.*\"$/\1/p" /root/.digitalocean_dbaas_credentials)" = "mysql" ]; then
+if [ -f "/root/.digitalocean_dbaas_credentials" ] && [ "$(sed -n "s/^db_protocol=\"\(.*\)\"$/\1/p" /root/.digitalocean_dbaas_credentials)" = "mysql" ]; then
   # grab all the data from the password file
   username=$(sed -n "s/^db_username=\"\(.*\)\"$/\1/p" /root/.digitalocean_dbaas_credentials)
   password=$(sed -n "s/^db_password=\"\(.*\)\"$/\1/p" /root/.digitalocean_dbaas_credentials)
diff --git a/wordpress-20-04/files/root/wp_setup.sh b/wordpress-20-04/files/root/wp_setup.sh
index e4b5421c..e9d38fbb 100755
--- a/wordpress-20-04/files/root/wp_setup.sh
+++ b/wordpress-20-04/files/root/wp_setup.sh
@@ -15,7 +15,7 @@ fi
 chown -Rf www-data:www-data /var/www/html
 
 # if applicable, configure wordpress to use mysql dbaas
-if [ -f "/root/.digitalocean_dbaas_credentials" ] && [ "$(sed -n "s/^db_protocol=\"\([^:]*\):.*\"$/\1/p" /root/.digitalocean_dbaas_credentials)" = "mysql" ]; then
+if [ -f "/root/.digitalocean_dbaas_credentials" ] && [ "$(sed -n "s/^db_protocol=\"\(.*\)\"$/\1/p" /root/.digitalocean_dbaas_credentials)" = "mysql" ]; then
   # grab all the data from the password file
   username=$(sed -n "s/^db_username=\"\(.*\)\"$/\1/p" /root/.digitalocean_dbaas_credentials)
   password=$(sed -n "s/^db_password=\"\(.*\)\"$/\1/p" /root/.digitalocean_dbaas_credentials)
diff --git a/wordpress-22-04/files/root/wp_setup.sh b/wordpress-22-04/files/root/wp_setup.sh
index e4b5421c..e9d38fbb 100755
--- a/wordpress-22-04/files/root/wp_setup.sh
+++ b/wordpress-22-04/files/root/wp_setup.sh
@@ -15,7 +15,7 @@ fi
 chown -Rf www-data:www-data /var/www/html
 
 # if applicable, configure wordpress to use mysql dbaas
-if [ -f "/root/.digitalocean_dbaas_credentials" ] && [ "$(sed -n "s/^db_protocol=\"\([^:]*\):.*\"$/\1/p" /root/.digitalocean_dbaas_credentials)" = "mysql" ]; then
+if [ -f "/root/.digitalocean_dbaas_credentials" ] && [ "$(sed -n "s/^db_protocol=\"\(.*\)\"$/\1/p" /root/.digitalocean_dbaas_credentials)" = "mysql" ]; then
   # grab all the data from the password file
   username=$(sed -n "s/^db_username=\"\(.*\)\"$/\1/p" /root/.digitalocean_dbaas_credentials)
   password=$(sed -n "s/^db_password=\"\(.*\)\"$/\1/p" /root/.digitalocean_dbaas_credentials)

From dae6f571ae80bc1332da32627255c45b85b99d05 Mon Sep 17 00:00:00 2001
From: v-aisac <v-aisac@digitalocean.com>
Date: Thu, 13 Jun 2024 17:57:06 +0300
Subject: [PATCH 02/10] finally working keycloak

---
 .../files/etc/nginx/sites-available/keycloak  | 33 ++++++++
 .../files/etc/update-motd.d/99-one-click      | 48 +++++++++++
 .../files/var/digitalocean/Dockerfile         | 23 +++++
 .../lib/cloud/scripts/per-instance/001_onboot | 84 +++++++++++++++++++
 keycloak-22-04/scripts/01-keycloak.sh         | 13 +++
 keycloak-22-04/template.json                  | 79 +++++++++++++++++
 6 files changed, 280 insertions(+)
 create mode 100644 keycloak-22-04/files/etc/nginx/sites-available/keycloak
 create mode 100755 keycloak-22-04/files/etc/update-motd.d/99-one-click
 create mode 100644 keycloak-22-04/files/var/digitalocean/Dockerfile
 create mode 100755 keycloak-22-04/files/var/lib/cloud/scripts/per-instance/001_onboot
 create mode 100644 keycloak-22-04/scripts/01-keycloak.sh
 create mode 100644 keycloak-22-04/template.json

diff --git a/keycloak-22-04/files/etc/nginx/sites-available/keycloak b/keycloak-22-04/files/etc/nginx/sites-available/keycloak
new file mode 100644
index 00000000..208cb22d
--- /dev/null
+++ b/keycloak-22-04/files/etc/nginx/sites-available/keycloak
@@ -0,0 +1,33 @@
+server {
+    listen 80;
+    server_name _;
+
+    location ~ /.well-known {
+        allow all;
+    }
+
+    location / {
+        proxy_pass https://localhost:8443;
+        proxy_set_header Host $host:8443;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+}
+
+server {
+    listen 9001;
+    server_name _;
+
+    location ~ /.well-known {
+        allow all;
+    }
+
+    location / {
+        proxy_pass https://localhost:9000;
+        proxy_set_header Host $host:9000;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+}
diff --git a/keycloak-22-04/files/etc/update-motd.d/99-one-click b/keycloak-22-04/files/etc/update-motd.d/99-one-click
new file mode 100755
index 00000000..5e7ec02e
--- /dev/null
+++ b/keycloak-22-04/files/etc/update-motd.d/99-one-click
@@ -0,0 +1,48 @@
+#!/bin/sh
+#
+# Configured as part of the DigitalOcean 1-Click Image build process
+
+# Read in the passwords....
+. /root/.digitalocean_passwords
+
+dbaas_text=""
+if [ -f "/root/.digitalocean_dbaas_credentials" ]; then
+    . /root/.digitalocean_dbaas_credentials
+    dbaas_text="Keycloak is configured to use managed database. Use the following credentials to manage the database:
+    Database: keycloak
+    Host:     ${db_host}
+    Port:     ${db_port}
+    User:     keycloak
+    Pass:     ${KEYCLOAK_DATABASE_PASSWORD}"
+else
+    dbaas_text="Keycloak is configured to use local Postgres as its database. Use the following credentials to manage the database:
+    Database: keycloak
+    User:     keycloak
+    Pass:     ${KEYCLOAK_DATABASE_PASSWORD}"
+fi
+
+myip=$(hostname -I | awk '{print$1}')
+cat <<EOF
+********************************************************************************
+
+Welcome to DigitalOcean's 1-Click Keycloak Droplet.
+To keep this Droplet secure, the UFW firewall is enabled.
+All ports are BLOCKED except 22 (SSH), 80 (HTTP), 443 (HTTPS), 8443 and 9000 (Keycloak ports).
+
+Access the Keycloak dashboard
+    URL: https://${myip}
+    User: admin
+    Pass: ${KEYCLOAK_ADMIN_PASSWORD}
+
+${dbaas_text}
+
+On the server:
+  * The Keycloak application is served as Docker container
+  * To check Keycloak logs use:
+    $ docker logs keycloak
+  * The Keycloak admin and database passwords are saved in /root/.digitalocean_passwords
+  * Certbot is preinstalled. Run it to configure HTTPS.
+
+********************************************************************************
+To delete this message of the day: rm -rf $(readlink -f ${0})
+EOF
diff --git a/keycloak-22-04/files/var/digitalocean/Dockerfile b/keycloak-22-04/files/var/digitalocean/Dockerfile
new file mode 100644
index 00000000..7cc39d3f
--- /dev/null
+++ b/keycloak-22-04/files/var/digitalocean/Dockerfile
@@ -0,0 +1,23 @@
+FROM quay.io/keycloak/keycloak:latest as builder
+
+# Enable health and metrics support
+ENV KC_HEALTH_ENABLED=true
+ENV KC_METRICS_ENABLED=true
+
+# Configure a database vendor
+ENV KC_DB=postgres
+
+ARG STORE_PASS
+
+WORKDIR /opt/keycloak
+
+RUN keytool -genkeypair -storepass $STORE_PASS -storetype PKCS12 -keyalg RSA -keysize 2048 -dname "CN=server" -alias server -ext "SAN:c=DNS:localhost,IP:127.0.0.1" -keystore conf/server.keystore
+
+RUN /opt/keycloak/bin/kc.sh build
+
+FROM quay.io/keycloak/keycloak:latest
+COPY --from=builder /opt/keycloak/ /opt/keycloak/
+
+ENV KC_DB=postgres
+
+ENTRYPOINT ["/opt/keycloak/bin/kc.sh"]
\ No newline at end of file
diff --git a/keycloak-22-04/files/var/lib/cloud/scripts/per-instance/001_onboot b/keycloak-22-04/files/var/lib/cloud/scripts/per-instance/001_onboot
new file mode 100755
index 00000000..92f17a97
--- /dev/null
+++ b/keycloak-22-04/files/var/lib/cloud/scripts/per-instance/001_onboot
@@ -0,0 +1,84 @@
+#!/bin/bash
+
+DB_USER=keycloak
+DB_TYPE=postgres
+DB_HOST=localhost
+DB_PORT=5432
+
+KEYSTORE_PASSWORD=$(openssl rand -hex 16)
+KEYCLOAK_ADMIN_PASSWD=$(openssl rand -hex 16)
+DB_PASS=$(openssl rand -hex 16)
+
+cat > /root/.digitalocean_passwords <<EOM
+KEYCLOAK_ADMIN_PASSWORD=${KEYCLOAK_ADMIN_PASSWD}
+KEYCLOAK_DATABASE_PASSWORD=${DB_PASS}
+KEYSTORE_PASSWORD=${KEYSTORE_PASSWORD}
+EOM
+
+DROPLET_IP=$(hostname -I | awk '{print$1}')
+
+if [ -f "/root/.digitalocean_dbaas_credentials" ]; then
+  DB_HOST=$(sed -n "s/^db_host=\"\(.*\)\"$/\1/p" /root/.digitalocean_dbaas_credentials)
+  DB_PORT=$(sed -n "s/^db_port=\"\(.*\)\"$/\1/p" /root/.digitalocean_dbaas_credentials)
+  DB_TYPE=$(sed -n "s/^db_protocol=\"\([^:]*\):.*\"$/\1/p" /root/.digitalocean_dbaas_credentials)
+  DBAAS_DB_USER=$(sed -n "s/^db_username=\"\(.*\)\"$/\1/p" /root/.digitalocean_dbaas_credentials)
+  DBAAS_DB_NAME=$(sed -n "s/^db_database=\"\(.*\)\"$/\1/p" /root/.digitalocean_dbaas_credentials)
+  DBAAS_DB_PASS=$(sed -n "s/^db_password=\"\(.*\)\"$/\1/p" /root/.digitalocean_dbaas_credentials)
+
+  # Convert postgresql into postgres
+  if [ "$(sed -n "s/^db_protocol=\"\([^:]*\):.*\"$/\1/p" /root/.digitalocean_dbaas_credentials)" = "postgresql" ]; then
+    DB_TYPE=postgres
+  fi
+
+  # Wait for db to become available
+  while ! pg_isready -h "$DB_HOST" -p "$DB_PORT"; do
+     printf .
+     sleep 2
+  done
+
+  PGPASSWORD=${DBAAS_DB_PASS} psql -h ${DB_HOST} -p ${DB_PORT} -U ${DBAAS_DB_USER} -d ${DBAAS_DB_NAME} -c "CREATE USER keycloak PASSWORD '${DB_PASS}';" --set=sslmode=require
+  PGPASSWORD=${DBAAS_DB_PASS} psql -h ${DB_HOST} -p ${DB_PORT} -U ${DBAAS_DB_USER} -d ${DBAAS_DB_NAME} -c "CREATE DATABASE keycloak;" --set=sslmode=require
+  PGPASSWORD=${DBAAS_DB_PASS} psql -h ${DB_HOST} -p ${DB_PORT} -U ${DBAAS_DB_USER} -d ${DBAAS_DB_NAME} -c "GRANT ALL PRIVILEGES ON DATABASE keycloak TO keycloak;" --set=sslmode=require
+  PGPASSWORD=${DBAAS_DB_PASS} psql -h ${DB_HOST} -p ${DB_PORT} -U ${DBAAS_DB_USER} -d keycloak -c "GRANT ALL ON SCHEMA public TO keycloak;" --set=sslmode=require
+
+  systemctl stop postgresql.service
+  systemctl disable postgresql.service
+  rm -rf /etc/postgresql
+
+else
+  setuid postgres psql -U postgres -d postgres -c "CREATE USER keycloak PASSWORD '${DB_PASS}';"
+  setuid postgres createdb keycloak
+  setuid postgres psql -U postgres -d postgres -c "GRANT ALL PRIVILEGES ON DATABASE keycloak TO keycloak;"
+  setuid postgres psql -U postgres -d keycloak -c "GRANT ALL ON SCHEMA public TO keycloak;"
+fi
+
+# Build keycloak image with randomized keystore password
+docker build --build-arg="STORE_PASS=${KEYSTORE_PASSWORD}" /var/digitalocean/. -t local-keycloak >> /var/temp.log
+
+# Run keycloak image with network mode set to host,
+# so Keycloak connects to the Postgres as localhost, not docker internal host
+docker run -d --network=host \
+  --name keycloak \
+  -e KEYCLOAK_ADMIN=admin \
+  -e KEYCLOAK_ADMIN_PASSWORD=${KEYCLOAK_ADMIN_PASSWD} \
+  -e KC_DB=${DB_TYPE} \
+  -e KC_DB_URL=jdbc:postgresql://${DB_HOST}:${DB_PORT}/keycloak \
+  -e KC_DB_USERNAME=${DB_USER} \
+  -e KC_DB_PASSWORD=${DB_PASS} \
+  -e KC_HOSTNAME=${DROPLET_IP} \
+  local-keycloak \
+  start \
+  --https-key-store-password=${KEYSTORE_PASSWORD} \
+  --optimized >> /var/temp.log
+
+
+# Allow ports used by keycloak for redirecting
+ufw allow 8443
+ufw allow 9000
+
+# Remove the ssh force logout command
+sed -e '/Match User root/d' \
+    -e '/.*ForceCommand.*droplet.*/d' \
+    -i /etc/ssh/sshd_config
+
+systemctl restart ssh
\ No newline at end of file
diff --git a/keycloak-22-04/scripts/01-keycloak.sh b/keycloak-22-04/scripts/01-keycloak.sh
new file mode 100644
index 00000000..d0449efd
--- /dev/null
+++ b/keycloak-22-04/scripts/01-keycloak.sh
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+# non-interactive install
+export DEBIAN_FRONTEND=noninteractive
+
+sudo apt -y install postgresql docker.io docker-compose super
+systemctl start docker
+systemctl enable docker
+
+# Set up nginx
+ln -s /etc/nginx/sites-available/keycloak /etc/nginx/sites-enabled/keycloak
+unlink /etc/nginx/sites-enabled/default
+service nginx restart
diff --git a/keycloak-22-04/template.json b/keycloak-22-04/template.json
new file mode 100644
index 00000000..9832b1e7
--- /dev/null
+++ b/keycloak-22-04/template.json
@@ -0,0 +1,79 @@
+{
+  "variables": {
+    "do_api_token": "{{env `DIGITALOCEAN_API_TOKEN`}}",
+    "image_name": "keycloak-22-04-snapshot-{{timestamp}}",
+    "apt_packages": "postgresql docker.io docker-compose super nginx python3 python3-certbot python3-certbot-nginx",
+    "application_name": "Keycloak",
+    "application_version": "TODO"
+  },
+  "sensitive-variables": [
+    "do_api_token"
+  ],
+  "builders": [
+    {
+      "type": "digitalocean",
+      "api_token": "{{user `do_api_token`}}",
+      "image": "ubuntu-22-04-x64",
+      "region": "nyc3",
+      "size": "s-1vcpu-1gb",
+      "ssh_username": "root",
+      "snapshot_name": "{{user `image_name`}}"
+    }
+  ],
+  "provisioners": [
+    {
+      "type": "shell",
+      "inline": [
+        "cloud-init status --wait"
+      ]
+    },
+    {
+      "type": "file",
+      "source": "common/files/var/",
+      "destination": "/var/"
+    },
+    {
+      "type": "file",
+      "source": "keycloak-22-04/files/etc/",
+      "destination": "/etc/"
+    },
+    {
+      "type": "file",
+      "source": "keycloak-22-04/files/var/",
+      "destination": "/var/"
+    },
+    {
+      "type": "shell",
+      "environment_vars": [
+        "DEBIAN_FRONTEND=noninteractive",
+        "LC_ALL=C",
+        "LANG=en_US.UTF-8",
+        "LC_CTYPE=en_US.UTF-8"
+      ],
+      "inline": [
+        "apt -qqy update",
+        "apt -qqy -o Dpkg::Options::='--force-confdef' -o Dpkg::Options::='--force-confold' full-upgrade",
+        "apt -qqy -o Dpkg::Options::='--force-confdef' -o Dpkg::Options::='--force-confold' install {{user `apt_packages`}}",
+        "apt-get -qqy clean"
+      ]
+    },
+    {
+      "type": "shell",
+      "environment_vars": [
+        "application_name={{user `application_name`}}",
+        "application_version={{user `application_version`}}",
+        "DEBIAN_FRONTEND=noninteractive",
+        "LC_ALL=C",
+        "LANG=en_US.UTF-8",
+        "LC_CTYPE=en_US.UTF-8"
+      ],
+      "scripts": [
+        "keycloak-22-04/scripts/01-keycloak.sh",
+        "common/scripts/018-force-ssh-logout.sh",
+        "common/scripts/014-ufw-nginx.sh",
+        "common/scripts/020-application-tag.sh",
+        "common/scripts/900-cleanup.sh"
+      ]
+    }
+  ]
+}

From 4bd6713303c165bc02b231e0e758b89994afde4c Mon Sep 17 00:00:00 2001
From: v-aisac <v-aisac@digitalocean.com>
Date: Thu, 13 Jun 2024 18:07:17 +0300
Subject: [PATCH 03/10] add missing newlines

---
 keycloak-22-04/files/var/digitalocean/Dockerfile                | 2 +-
 .../files/var/lib/cloud/scripts/per-instance/001_onboot         | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/keycloak-22-04/files/var/digitalocean/Dockerfile b/keycloak-22-04/files/var/digitalocean/Dockerfile
index 7cc39d3f..a394e7ba 100644
--- a/keycloak-22-04/files/var/digitalocean/Dockerfile
+++ b/keycloak-22-04/files/var/digitalocean/Dockerfile
@@ -20,4 +20,4 @@ COPY --from=builder /opt/keycloak/ /opt/keycloak/
 
 ENV KC_DB=postgres
 
-ENTRYPOINT ["/opt/keycloak/bin/kc.sh"]
\ No newline at end of file
+ENTRYPOINT ["/opt/keycloak/bin/kc.sh"]
diff --git a/keycloak-22-04/files/var/lib/cloud/scripts/per-instance/001_onboot b/keycloak-22-04/files/var/lib/cloud/scripts/per-instance/001_onboot
index 92f17a97..922907fb 100755
--- a/keycloak-22-04/files/var/lib/cloud/scripts/per-instance/001_onboot
+++ b/keycloak-22-04/files/var/lib/cloud/scripts/per-instance/001_onboot
@@ -81,4 +81,4 @@ sed -e '/Match User root/d' \
     -e '/.*ForceCommand.*droplet.*/d' \
     -i /etc/ssh/sshd_config
 
-systemctl restart ssh
\ No newline at end of file
+systemctl restart ssh

From 79870ef6dc9f18583518d47eab37c8f8c390f8db Mon Sep 17 00:00:00 2001
From: v-aisac <v-aisac@digitalocean.com>
Date: Thu, 13 Jun 2024 18:08:54 +0300
Subject: [PATCH 04/10] fix application version

---
 keycloak-22-04/template.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/keycloak-22-04/template.json b/keycloak-22-04/template.json
index 9832b1e7..c89aa965 100644
--- a/keycloak-22-04/template.json
+++ b/keycloak-22-04/template.json
@@ -4,7 +4,7 @@
     "image_name": "keycloak-22-04-snapshot-{{timestamp}}",
     "apt_packages": "postgresql docker.io docker-compose super nginx python3 python3-certbot python3-certbot-nginx",
     "application_name": "Keycloak",
-    "application_version": "TODO"
+    "application_version": "latest"
   },
   "sensitive-variables": [
     "do_api_token"

From 32d1b1c4ea387467c8ee558335d4ca7c9feee6b6 Mon Sep 17 00:00:00 2001
From: v-aisac <v-aisac@digitalocean.com>
Date: Mon, 24 Jun 2024 14:02:12 +0300
Subject: [PATCH 05/10] use fixed version for container

---
 keycloak-22-04/files/var/digitalocean/Dockerfile | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/keycloak-22-04/files/var/digitalocean/Dockerfile b/keycloak-22-04/files/var/digitalocean/Dockerfile
index a394e7ba..c7b94ee3 100644
--- a/keycloak-22-04/files/var/digitalocean/Dockerfile
+++ b/keycloak-22-04/files/var/digitalocean/Dockerfile
@@ -1,4 +1,4 @@
-FROM quay.io/keycloak/keycloak:latest as builder
+FROM quay.io/keycloak/keycloak:25.0 as builder
 
 # Enable health and metrics support
 ENV KC_HEALTH_ENABLED=true
@@ -15,7 +15,10 @@ RUN keytool -genkeypair -storepass $STORE_PASS -storetype PKCS12 -keyalg RSA -ke
 
 RUN /opt/keycloak/bin/kc.sh build
 
-FROM quay.io/keycloak/keycloak:latest
+
+
+FROM quay.io/keycloak/keycloak:25.0
+
 COPY --from=builder /opt/keycloak/ /opt/keycloak/
 
 ENV KC_DB=postgres

From 521088cc25666d40188e0eb703c871c27c609cdd Mon Sep 17 00:00:00 2001
From: v-aisac <v-aisac@digitalocean.com>
Date: Mon, 24 Jun 2024 14:03:15 +0300
Subject: [PATCH 06/10] add utf8 database encoding

---
 .../files/var/lib/cloud/scripts/per-instance/001_onboot         | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/keycloak-22-04/files/var/lib/cloud/scripts/per-instance/001_onboot b/keycloak-22-04/files/var/lib/cloud/scripts/per-instance/001_onboot
index 922907fb..1b644192 100755
--- a/keycloak-22-04/files/var/lib/cloud/scripts/per-instance/001_onboot
+++ b/keycloak-22-04/files/var/lib/cloud/scripts/per-instance/001_onboot
@@ -37,7 +37,7 @@ if [ -f "/root/.digitalocean_dbaas_credentials" ]; then
   done
 
   PGPASSWORD=${DBAAS_DB_PASS} psql -h ${DB_HOST} -p ${DB_PORT} -U ${DBAAS_DB_USER} -d ${DBAAS_DB_NAME} -c "CREATE USER keycloak PASSWORD '${DB_PASS}';" --set=sslmode=require
-  PGPASSWORD=${DBAAS_DB_PASS} psql -h ${DB_HOST} -p ${DB_PORT} -U ${DBAAS_DB_USER} -d ${DBAAS_DB_NAME} -c "CREATE DATABASE keycloak;" --set=sslmode=require
+  PGPASSWORD=${DBAAS_DB_PASS} psql -h ${DB_HOST} -p ${DB_PORT} -U ${DBAAS_DB_USER} -d ${DBAAS_DB_NAME} -c "CREATE DATABASE keycloak WITH ENCODING 'UTF8';" --set=sslmode=require
   PGPASSWORD=${DBAAS_DB_PASS} psql -h ${DB_HOST} -p ${DB_PORT} -U ${DBAAS_DB_USER} -d ${DBAAS_DB_NAME} -c "GRANT ALL PRIVILEGES ON DATABASE keycloak TO keycloak;" --set=sslmode=require
   PGPASSWORD=${DBAAS_DB_PASS} psql -h ${DB_HOST} -p ${DB_PORT} -U ${DBAAS_DB_USER} -d keycloak -c "GRANT ALL ON SCHEMA public TO keycloak;" --set=sslmode=require
 

From 42f86008e9f42fc48dab0e13e7d807caef2c6c2a Mon Sep 17 00:00:00 2001
From: v-aisac <v-aisac@digitalocean.com>
Date: Mon, 24 Jun 2024 14:03:27 +0300
Subject: [PATCH 07/10] install fixed version of postgres

---
 keycloak-22-04/template.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/keycloak-22-04/template.json b/keycloak-22-04/template.json
index c89aa965..061abae7 100644
--- a/keycloak-22-04/template.json
+++ b/keycloak-22-04/template.json
@@ -2,7 +2,7 @@
   "variables": {
     "do_api_token": "{{env `DIGITALOCEAN_API_TOKEN`}}",
     "image_name": "keycloak-22-04-snapshot-{{timestamp}}",
-    "apt_packages": "postgresql docker.io docker-compose super nginx python3 python3-certbot python3-certbot-nginx",
+    "apt_packages": "postgresql-16 docker.io docker-compose super nginx python3 python3-certbot python3-certbot-nginx",
     "application_name": "Keycloak",
     "application_version": "latest"
   },

From 1c37d3579ced5baf79cef3b4b4b1fd8ba19aad0c Mon Sep 17 00:00:00 2001
From: v-aisac <v-aisac@digitalocean.com>
Date: Mon, 24 Jun 2024 14:38:10 +0300
Subject: [PATCH 08/10] add postgresql 16 keys

---
 keycloak-22-04/template.json | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/keycloak-22-04/template.json b/keycloak-22-04/template.json
index 061abae7..0295cdff 100644
--- a/keycloak-22-04/template.json
+++ b/keycloak-22-04/template.json
@@ -51,6 +51,8 @@
         "LC_CTYPE=en_US.UTF-8"
       ],
       "inline": [
+        "sh -c 'echo \"deb https://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main\" > /etc/apt/sources.list.d/pgdg.list'",
+        "wget --quiet -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc | sudo apt-key add -",
         "apt -qqy update",
         "apt -qqy -o Dpkg::Options::='--force-confdef' -o Dpkg::Options::='--force-confold' full-upgrade",
         "apt -qqy -o Dpkg::Options::='--force-confdef' -o Dpkg::Options::='--force-confold' install {{user `apt_packages`}}",

From 62774e6e39c4e14cdca6786efa17d44a9edb9b8e Mon Sep 17 00:00:00 2001
From: v-aisac <v-aisac@digitalocean.com>
Date: Mon, 24 Jun 2024 15:28:45 +0300
Subject: [PATCH 09/10] fixed db type parsing

---
 .../files/var/lib/cloud/scripts/per-instance/001_onboot      | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/keycloak-22-04/files/var/lib/cloud/scripts/per-instance/001_onboot b/keycloak-22-04/files/var/lib/cloud/scripts/per-instance/001_onboot
index 1b644192..f8b3a782 100755
--- a/keycloak-22-04/files/var/lib/cloud/scripts/per-instance/001_onboot
+++ b/keycloak-22-04/files/var/lib/cloud/scripts/per-instance/001_onboot
@@ -20,13 +20,14 @@ DROPLET_IP=$(hostname -I | awk '{print$1}')
 if [ -f "/root/.digitalocean_dbaas_credentials" ]; then
   DB_HOST=$(sed -n "s/^db_host=\"\(.*\)\"$/\1/p" /root/.digitalocean_dbaas_credentials)
   DB_PORT=$(sed -n "s/^db_port=\"\(.*\)\"$/\1/p" /root/.digitalocean_dbaas_credentials)
-  DB_TYPE=$(sed -n "s/^db_protocol=\"\([^:]*\):.*\"$/\1/p" /root/.digitalocean_dbaas_credentials)
+  DB_TYPE=$(sed -n "s/^db_protocol=\"\(.*\)\"$/\1/p" /root/.digitalocean_dbaas_credentials)
+
   DBAAS_DB_USER=$(sed -n "s/^db_username=\"\(.*\)\"$/\1/p" /root/.digitalocean_dbaas_credentials)
   DBAAS_DB_NAME=$(sed -n "s/^db_database=\"\(.*\)\"$/\1/p" /root/.digitalocean_dbaas_credentials)
   DBAAS_DB_PASS=$(sed -n "s/^db_password=\"\(.*\)\"$/\1/p" /root/.digitalocean_dbaas_credentials)
 
   # Convert postgresql into postgres
-  if [ "$(sed -n "s/^db_protocol=\"\([^:]*\):.*\"$/\1/p" /root/.digitalocean_dbaas_credentials)" = "postgresql" ]; then
+  if [ "${DB_TYPE}" == "postgresql" ]; then
     DB_TYPE=postgres
   fi
 

From bb25f9d9eff31dd07617470343db8a0a1006b5db Mon Sep 17 00:00:00 2001
From: v-aisac <v-aisac@digitalocean.com>
Date: Tue, 2 Jul 2024 13:11:37 +0300
Subject: [PATCH 10/10] fix wordpress template

---
 wordpress-22-04/template.json | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/wordpress-22-04/template.json b/wordpress-22-04/template.json
index 020037f4..681a3dc5 100644
--- a/wordpress-22-04/template.json
+++ b/wordpress-22-04/template.json
@@ -56,6 +56,8 @@
         "LC_CTYPE=en_US.UTF-8"
       ],
       "inline": [
+        "gpg --keyserver keyserver.ubuntu.com --recv B7B3B788A8D3785C",
+        "gpg --export --armor B7B3B788A8D3785C | apt-key add -",
         "add-apt-repository -y ppa:ondrej/php",
         "wget -c https://dev.mysql.com/get/mysql-apt-config_0.8.22-1_all.deb",
         "dpkg -i mysql-apt-config_0.8.22-1_all.deb",