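# keycloak stub — full config lands in M2.1.
# Host: vm-edge. Resource budget per INFRASTRUCTURE.md §6 co-tenant notes.
# Bootstrap exception per §8 rule 3: KC_DB_URL lives in Orca env, not Infisical
# (Infisical runs on same VM).
#
# Layout note: one key per line. With the whole file on a single line, the
# leading "#" turns every table and key below into comment text, so a TOML
# parser would see an empty document.

[[service]]
name = "keycloak"
# "26.0" is a floating tag: the registry can repoint it to a later build.
# NOTE(review): for the full config, consider pinning by digest
# ("quay.io/keycloak/keycloak:26.0@sha256:<digest>", placeholder) so the
# identity provider only changes on a reviewed bump.
image = "quay.io/keycloak/keycloak:26.0"
# 8443 is Keycloak's HTTPS listener. This stub sets no certificate/key
# (KC_HTTPS_CERTIFICATE_FILE / KC_HTTPS_CERTIFICATE_KEY_FILE) — TODO M2.1:
# confirm where TLS material for the proxy-to-Keycloak hop comes from.
port = 8443
domain = "auth.breakpilot.com"
depends_on = ["pg-keycloak"]

[service.placement]
node = "vm-edge"

[service.resources]
memory = "2Gi"
cpu = 1.0

[service.env]
KC_DB = "postgres"
# "${secrets.KC_DB_URL}" is not TOML syntax; it is presumably expanded by the
# orchestrator at deploy time (see the bootstrap exception above).
# NOTE(review): if the JDBC URL carries credentials, the whole value is a
# secret and must stay out of logs and process listings; supplying them via
# KC_DB_USERNAME / KC_DB_PASSWORD keeps the URL itself non-sensitive.
KC_DB_URL = "${secrets.KC_DB_URL}"
# Public hostname. By default the admin console is served on this hostname too.
# NOTE(review): decide in M2.1 whether admin access needs a separate hostname
# (KC_HOSTNAME_ADMIN) or proxy-level restriction.
KC_HOSTNAME = "auth.breakpilot.com"
# Keycloak will trust X-Forwarded-For/-Proto/-Host from whatever connects to it.
# This is only safe when the edge proxy overwrites those headers on every
# request and the container port is not reachable except through that proxy;
# otherwise clients can spoof their source address and the request scheme/host.
KC_PROXY_HEADERS = "xforwarded"
# Enables the /health endpoints. NOTE(review): in Keycloak 26 these are served
# on the management interface (port 9000 by default), not on 8443 — confirm
# the orchestrator's health probe targets it and that it is not routed publicly.
KC_HEALTH_ENABLED = "true"
# Max heap 1500m inside the 2Gi limit above leaves roughly 0.5 GiB for
# metaspace, thread stacks and direct buffers.
JAVA_OPTS_APPEND = "-Xms1g -Xmx1500m"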