diff --git a/README.md b/README.md
index 39a0344..91923c5 100644
--- a/README.md
+++ b/README.md
@@ -1 +1,12 @@
-# ansible-role-keycloak
\ No newline at end of file
+# ansible-role-keycloak
+
+Use this to install keycloak.
+Needs: https://github.com/AlexanderGabriel/ansible-role-acme.sh to get certs from letsencrypt
+
+Hint: Use variables use_local_ca: yes and acme_sh_server: https://host:port/acme/acme/directory to use your own intranet step-ca or acme-compatible CA for local certs
+
+All vars:
+keycloak_initial_admin_password initial admin user password
+use_local_ca: yes or no
+acme_sh_server: url to acme-compatible ca, if not provided, use letsencrypt
+acme_sh_email: your email-address
diff --git a/files/.gitignore b/files/.gitignore
new file mode 100644
index 0000000..8bcfcc5
--- /dev/null
+++ b/files/.gitignore
@@ -0,0 +1,2 @@
+*.tar.gz
+*.zip
\ No newline at end of file
diff --git a/handlers/main.yml b/handlers/main.yml
new file mode 100644
index 0000000..7364a31
--- /dev/null
+++ b/handlers/main.yml
@@ -0,0 +1,19 @@
+---
+- name: reload systemd
+ sudo: yes
+ command: systemctl daemon-reload
+
+- name: restart keycloak
+ service:
+ name: keycloak
+ state: restarted
+
+- name: restart apache2
+ service:
+ name: apache2
+ state: restarted
+
+- name: reload apache2
+ service:
+ name: apache2
+ state: reloaded
\ No newline at end of file
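Review bot: `sudo: yes` on the `reload systemd` handler is the pre-`become` privilege-escalation keyword, deprecated since Ansible 1.9 and, as far as I know, no longer accepted by current releases; the other three handlers carry no escalation at all, so either rely on the play's `become` or write `become: true` here. The same handler shells out to `systemctl daemon-reload`, which is reported as changed on every run; the `systemd` module the tasks already use does the same without a shell as `systemd: daemon_reload: true`. Boolean values throughout are spelled `yes`/`no`; `true`/`false` is the yamllint-clean form and sidesteps YAML 1.1/1.2 truthiness differences (tasks/main.yml has the same pattern).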
diff --git a/tasks/main.yml b/tasks/main.yml
new file mode 100644
index 0000000..7d2d7ad
--- /dev/null
+++ b/tasks/main.yml
@@ -0,0 +1,193 @@
+---
+- name: install stuff
+ apt:
+ name:
+ - default-jre
+ - unzip
+ - apache2
+ update_cache: yes
+
+- name: create user for keycloak
+ user:
+ name: keycloak
+ state: present
+ shell: /bin/false
+ system: yes
+ createhome: yes
+ home: /opt/keycloak
+
+- name: Extract keycloak-13.0.1.tar.gz to /opt/keycloak
+ unarchive:
+ src: keycloak-13.0.1.tar.gz
+ dest: /opt/keycloak
+ owner: keycloak
+ group: keycloak
+
+- name: link /opt/keycloak/keycloak-13.0.1 to /opt/keycloak/current
+ file:
+ state: link
+ src: /opt/keycloak/keycloak-13.0.1
+ dest: /opt/keycloak/current
+
+- name: set permissions correct
+ file:
+ dest: /opt/keycloak
+ owner: keycloak
+ group: keycloak
+ recurse: yes
+
+- name: set permissions correct 2
+ file:
+ dest: /opt/keycloak/current/standalone/deployments
+ owner: keycloak
+ group: keycloak
+ mode: "0644"
+ recurse: yes
+
+- name: generate /etc/systemd/system/keycloak.service
+ template:
+ src: keycloak.service.j2
+ dest: /etc/systemd/system/keycloak.service
+ owner: root
+ group: root
+ mode: "0644"
+ notify:
+ - reload systemd
+
+- name: generate /opt/keycloak/current/standalone/configuration/standalone.xml
+ template:
+ src: standalone.xml.j2
+ dest: /opt/keycloak/current/standalone/configuration/standalone.xml
+ owner: keycloak
+ group: keycloak
+ mode: "0644"
+ notify:
+ - restart keycloak
+
+- name: enable keycloak
+ systemd:
+ name: keycloak
+ enabled: yes
+ masked: no
+
+- name: Flush handlers
+ meta: flush_handlers
+
+- name: enable keycloak
+ systemd:
+ name: keycloak
+ enabled: yes
+ masked: no
+ notify:
+ restart keycloak
+
+- name: Flush handlers
+ meta: flush_handlers
+
+- name: check if /opt/keycloak/current/standalone/configuration/keycloak-add-user.json exists
+ stat:
+ path: /opt/keycloak/current/standalone/configuration/keycloak-add-user.json
+ register: file_exists
+
+- name: check if user exists
+ shell: "grep username /opt/keycloak/current/standalone/configuration/keycloak-add-user.json | grep admin"
+ register: userexists
+ when: file_exists.stat.exists
+
+- name: create initial admin user
+ command: /opt/keycloak/current/bin/add-user-keycloak.sh -u admin -p {{ keycloak_initial_admin_password }} -r master
+ when: file_exists.stat.exists and userexists.stdout == ""
+
+- name: enable apache module proxy
+ command: a2enmod proxy
+ args:
+ creates: /etc/apache2/mods-enabled/proxy.load
+ notify:
+ restart apache2
+
+- name: enable apache module proxy_html
+ command: a2enmod proxy_html
+ args:
+ creates: /etc/apache2/mods-enabled/proxy_html.load
+ notify:
+ restart apache2
+
+- name: enable apache module proxy_http
+ command: a2enmod proxy_http
+ args:
+ creates: /etc/apache2/mods-enabled/proxy_http.load
+ notify:
+ restart apache2
+
+- name: enable apache module proxy_http2
+ command: a2enmod proxy_http2
+ args:
+ creates: /etc/apache2/mods-enabled/proxy_http2.load
+ notify:
+ restart apache2
+
+- name: enable apache module ssl
+ command: a2enmod ssl
+ args:
+ creates: /etc/apache2/mods-enabled/ssl.load
+ notify:
+ restart apache2
+
+- name: enable apache module headers
+ command: a2enmod headers
+ args:
+ creates: /etc/apache2/mods-enabled/headers.load
+ notify:
+ restart apache2
+
+- name: install acme.sh
+ include_role:
+ name: acme.sh
+
+- name: set amce server url
+ set_fact:
+ acmeshserver: "--server {{ acme_sh_server }} --insecure --force"
+ when: acme_sh_server is defined
+
+- name: set amce server url
+ set_fact:
+ acmeshserver: ""
+ when: not acme_sh_server is defined
+
+- name: get certificates
+ command: /root/.acme.sh/acme.sh --issue --apache {{ acmeshserver }} -d {{ inventory_hostname }} --email {{ acme_sh_email }} --key-file /etc/ssl/private/{{ inventory_hostname }}.key --fullchain-file /etc/ssl/certs/{{ inventory_hostname }}.pem --reloadcmd "service apache2 reload"
+ args:
+ creates: /etc/ssl/private/sso.speedport.ip.key
+
+- name: generate /etc/apache2/sites-available/{{ inventory_hostname }}.conf
+ template:
+ src: apache.conf.j2
+ dest: /etc/apache2/sites-available/{{ inventory_hostname }}.conf
+ owner: root
+ group: root
+ mode: "0644"
+
+- name: generate /etc/apache2/sites-available/{{ inventory_hostname }}-ssl.conf
+ template:
+ src: apache-ssl.conf.j2
+ dest: /etc/apache2/sites-available/{{ inventory_hostname }}-ssl.conf
+ owner: root
+ group: root
+ mode: "0644"
+
+- name: activate /etc/apache2/sites-available/{{ inventory_hostname }}.conf
+ file:
+ state: link
+ src: /etc/apache2/sites-available/{{ inventory_hostname }}.conf
+ dest: /etc/apache2/sites-enabled/{{ inventory_hostname }}.conf
+ notify:
+ - reload apache2
+
+- name: activate /etc/apache2/sites-available/{{ inventory_hostname }}-ssl.conf
+ file:
+ state: link
+ src: /etc/apache2/sites-available/{{ inventory_hostname }}-ssl.conf
+ dest: /etc/apache2/sites-enabled/{{ inventory_hostname }}-ssl.conf
+ notify:
+ - reload apache2
+
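Review bot: The `create initial admin user` task can never run: its `when` requires `keycloak-add-user.json` to already exist, yet that file is (if I read add-user-keycloak.sh correctly) what the script itself writes, so on a fresh install the task is skipped, and when the file does exist without an admin entry the preceding `shell` grep exits 1 and aborts the play before the task is reached. The condition wants to be `when: not file_exists.stat.exists or userexists.stdout == ""`, with the grep marked `changed_when: false` and `failed_when: userexists.rc > 1` so a no-match is a result rather than an error, and the password task needs `no_log: true` since `{{ keycloak_initial_admin_password }}` is otherwise printed in the task output and retry files. The `creates:` guard on `get certificates` is hard-coded to `/etc/ssl/private/sso.speedport.ip.key`, so on every other host it never matches and acme.sh is re-run each play (with `--force` whenever `acme_sh_server` is set); it should be `/etc/ssl/private/{{ inventory_hostname }}.key`. The `--insecure` baked into the `acmeshserver` fact disables TLS verification toward the private ACME server — adding the internal CA to the host trust store keeps that check without losing the intranet use case. Finally, `set permissions correct 2` applies `mode: "0644"` with `recurse: yes`, which strips the execute bit from the deployments directory itself; `mode: "u=rwX,g=rX,o=rX"` keeps directories traversable.
```yaml
# … unchanged: stat task registering file_exists …
- name: check if user exists
  shell: "grep username /opt/keycloak/current/standalone/configuration/keycloak-add-user.json | grep admin"
  register: userexists
  changed_when: false
  failed_when: userexists.rc > 1
  when: file_exists.stat.exists

- name: create initial admin user
  command: /opt/keycloak/current/bin/add-user-keycloak.sh -u admin -p "{{ keycloak_initial_admin_password }}" -r master
  no_log: true
  when: not file_exists.stat.exists or userexists.stdout == ""
```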
diff --git a/templates/apache-ssl.conf.j2 b/templates/apache-ssl.conf.j2
new file mode 100644
index 0000000..3bbc4c7
--- /dev/null
+++ b/templates/apache-ssl.conf.j2
@@ -0,0 +1,31 @@
+
+
+ ServerName {{ inventory_hostname }}
+ ServerAdmin webmaster@{{ inventory_hostname }}
+
+ DocumentRoot /var/www/html
+
+ ErrorLog ${APACHE_LOG_DIR}/{{ inventory_hostname }}.error.log
+ CustomLog ${APACHE_LOG_DIR}/{{ inventory_hostname }}.access.log combined
+
+ SSLEngine on
+ SSLCertificateFile /etc/ssl/certs/{{ inventory_hostname }}.pem
+ SSLCertificateKeyFile /etc/ssl/private/{{ inventory_hostname }}.key
+
+
+ SSLOptions +StdEnvVars
+
+
+ SSLOptions +StdEnvVars
+
+ ProxyPreserveHost On
+ SSLProxyEngine On
+ SSLProxyCheckPeerCN on
+ SSLProxyCheckPeerExpire on
+ RequestHeader set X-Forwarded-Proto "https"
+ RequestHeader set X-Forwarded-Port "443"
+ ProxyPass / http://127.0.0.1:8080/
+ ProxyPassReverse / http://127.0.0.1:8080/
+
+
+
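Review bot: `SSLProxyEngine On`, `SSLProxyCheckPeerCN on` and `SSLProxyCheckPeerExpire on` have no effect in this vhost, because `ProxyPass` targets `http://127.0.0.1:8080/`, a plain-HTTP loopback backend; they read as if the upstream were verified when it is not, so either drop them or add a comment that the Keycloak listener is loopback HTTP by design. With `mod_headers` already enabled by the tasks, the vhost could also send `Header always set Strict-Transport-Security "max-age=63072000"` so browsers stop using the port-80 vhost after first contact. The `X-Forwarded-Proto`/`X-Forwarded-Port` headers only help if Keycloak's HTTP listener is configured to trust them (`proxy-address-forwarding` on the listener in standalone.xml); I could not confirm that from the template as rendered here, so please check.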
diff --git a/templates/apache.conf.j2 b/templates/apache.conf.j2
new file mode 100644
index 0000000..7be5072
--- /dev/null
+++ b/templates/apache.conf.j2
@@ -0,0 +1,9 @@
+
+ ServerName {{ inventory_hostname }}
+
+ ServerAdmin webmaster@{{ inventory_hostname }}
+ DocumentRoot /var/www/html
+
+ ErrorLog ${APACHE_LOG_DIR}/{{ inventory_hostname }}.error.log
+ CustomLog ${APACHE_LOG_DIR}/{{ inventory_hostname }}.access.log combined
+
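Review bot: The plain-HTTP vhost serves `/var/www/html` with no redirect, so once the certificate is issued port 80 keeps answering with default content while Keycloak is reachable only on 443; a redirect to `https://{{ inventory_hostname }}/` is the usual fix. acme.sh is invoked with `--apache` for the challenge, and as I understand that mode it injects an `Alias` for the challenge path, which a blanket `Redirect` would shadow since mod_alias gives `Redirect` precedence over `Alias` — so exclude `/.well-known/acme-challenge/` from the redirect and verify a renewal still succeeds before merging.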
diff --git a/templates/keycloak.service.j2 b/templates/keycloak.service.j2
new file mode 100644
index 0000000..b958045
--- /dev/null
+++ b/templates/keycloak.service.j2
@@ -0,0 +1,14 @@
+[Unit]
+Description=Keycloak
+After=network.target
+
+[Service]
+Type=idle
+User=keycloak
+Group=keycloak
+ExecStart=/opt/keycloak/current/bin/standalone.sh
+TimeoutStartSec=600
+TimeoutStopSec=600
+
+[Install]
+WantedBy=multi-user.target
\ No newline at end of file
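Review bot: The unit runs Keycloak as the unprivileged `keycloak` user but sets no restart policy and no sandboxing, so a JVM crash leaves SSO down until someone notices; `Restart=on-failure`, `NoNewPrivileges=true` and `PrivateTmp=true` under `[Service]` are low-risk additions that also narrow what a compromised process can reach. `Type=idle` only delays dispatch until other jobs are queued and never signals readiness, so the `restart keycloak` handler returns before Keycloak listens on 8080 — acceptable as long as nothing in the role depends on the service being up immediately. `After=network.target` does not wait for an address to be configured; `After=network-online.target` with a matching `Wants=` is what systemd documents for services that bind at start.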
diff --git a/templates/standalone.xml.j2 b/templates/standalone.xml.j2
new file mode 100644
index 0000000..c50fd33
--- /dev/null
+++ b/templates/standalone.xml.j2
@@ -0,0 +1,613 @@
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ false
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ auth
+
+ classpath:${jboss.home.dir}/providers/*
+
+ master
+ 900
+
+ 2592000
+ true
+ true
+ ${jboss.home.dir}/themes
+
+
+
+
+
+
+
+
+
+
+
+
+ jpa
+
+
+ basic
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ default
+
+
+
+
+
+
+
+ ${keycloak.jta.lookup.provider:jboss}
+
+
+
+
+
+
+
+
+
+
+ ${keycloak.x509cert.lookup.provider:default}
+
+
+
+ default
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ jdbc:h2:mem:test;DB_CLOSE_DELAY=-1;DB_CLOSE_ON_EXIT=FALSE
+ h2
+
+ sa
+ sa
+
+
+
+ jdbc:h2:${jboss.server.data.dir}/keycloak;AUTO_SERVER=TRUE
+ h2
+
+ sa
+ sa
+
+
+
+
+ org.h2.jdbcx.JdbcDataSource
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
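Review bot: The template appears to be the stock Keycloak standalone.xml with nothing actually templated: the visible datasource settings point at the embedded H2 file database (`jdbc:h2:${jboss.server.data.dir}/keycloak;AUTO_SERVER=TRUE`) with the built-in `sa`/`sa` credentials, plus a second `jdbc:h2:mem:test` in-memory datasource, which Keycloak documents as development-only. If the role is meant for anything beyond a lab, the datasource should be variable-driven toward an external database and the unused in-memory one removed. The XML markup was stripped in this rendering so only text nodes are visible; I could not verify whether the HTTP listener enables proxy address forwarding, which the `X-Forwarded-*` headers set in apache-ssl.conf.j2 rely on — worth confirming. For a 613-line vendored file, a one-line header comment naming the Keycloak version it was copied from (13.0.1 per tasks/main.yml) would make the next upgrade diff far easier.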