From 8074f8d407a1db39f4a8875c117421f7d95e6cbe Mon Sep 17 00:00:00 2001
From: Sven-Hendrik Haase <svenstaro@gmail.com>
Date: Tue, 19 May 2020 12:55:25 +0200
Subject: [PATCH] Set basic password policy and add bruteforce protection

---
 tf-stage2/keycloak.tf | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/tf-stage2/keycloak.tf b/tf-stage2/keycloak.tf
index ecc09f030..95c309a24 100644
--- a/tf-stage2/keycloak.tf
+++ b/tf-stage2/keycloak.tf
@@ -43,6 +43,7 @@ resource "keycloak_realm" "archlinux" {
   reset_password_allowed = true
   verify_email = true
   login_with_email_allowed = true
+  password_policy = "length(8) and notUsername"
 
   smtp_server {
     host = "mail.archlinux.org"
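Review bot: The added `password_policy` line only rejects short passwords and passwords equal to the username; since `login_with_email_allowed = true` a few lines above makes the e-mail address a login identifier as well, Keycloak's `notEmail` policy should be included, i.e. `password_policy = "length(8) and notUsername and notEmail"`. A short comment above the line would also help later maintainers, e.g. `# Realm-wide password policy; rule names follow Keycloak's "Password Policies" list`. The enclosing `keycloak_realm` resource starts before this hunk.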
@@ -57,6 +58,18 @@ resource "keycloak_realm" "archlinux" {
       password = data.external.keycloak_smtp_password.result.vault_keycloak_smtp_password
     }
   }
+
+  security_defenses {
+    brute_force_detection {
+      permanent_lockout                 = false
+      max_login_failures                = 30
+      wait_increment_seconds            = 60
+      quick_login_check_milli_seconds   = 1000
+      minimum_quick_login_wait_seconds  = 60
+      max_failure_wait_seconds          = 900
+      failure_reset_time_seconds        = 43200
+    }
+  }
 }
 
 resource "keycloak_saml_client" "saml_gitlab" {
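Review bot: The `brute_force_detection` values are undocumented, and they appear to coincide with Keycloak's own defaults, so it is worth recording whether they were deliberately chosen or just copied; a comment such as `# Keycloak's default brute-force values; temporary lockout scales from wait_increment_seconds up to max_failure_wait_seconds` above the block would settle that. With `max_login_failures = 30` before any wait is applied and failures forgotten after `failure_reset_time_seconds = 43200`, the per-account guess budget before a delay is fairly generous, which may be intended to avoid locking out legitimate users given `permanent_lockout = false`. Note also that this detection is keyed per user account, so it does not on its own limit attempts spread thinly across many accounts; if an upstream rate limit covers that case, a comment pointing to it would help. The `keycloak_realm` resource closes inside this hunk; the hunk's last line opens the next resource.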
-- 
GitLab