diff --git a/defaults/main.yml b/defaults/main.yml
index 3c50535..8044b35 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -5,3 +5,4 @@ keycloak_postgresql_password: keycloak
 keycloak_initial_admin_name: keycloak
 keycloak_initial_admin_password: keycloak
 keycloak_http_host: 127.0.0.1
+keycloak_version: 26.1.0
\ No newline at end of file
diff --git a/tasks/main.yml b/tasks/main.yml
index ed2a6fd..200504c 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
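Review bot: `keycloak_version: 26.1.0` is read as a string only because it contains two dots; a later value such as `26.10` would be parsed as the float 26.1 and rendered as `26.1` in every path and URL the tasks and the unit template build from it, so quote it: `keycloak_version: "26.1.0"`. The `\ No newline at end of file` marker shows the added line also leaves defaults/main.yml without a trailing newline.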
@@ -43,51 +43,28 @@
 - name: check if keycloak-dir exists
 stat:
- path: /opt/keycloak/keycloak-21.0.1
+ path: /opt/keycloak/keycloak-{{ keycloak_version }}
 register: keycloak_exists
 - name: Download keycloak-zip
 ansible.builtin.get_url:
- url: https://github.com/keycloak/keycloak/releases/download/21.1.1/keycloak-21.1.1.zip
- dest: /opt/ansiblepackages/keycloak-21.1.1.zip
+ url: https://github.com/keycloak/keycloak/releases/download/{{ keycloak_version }}/keycloak-{{ keycloak_version }}.zip
+ dest: /opt/ansiblepackages/keycloak-{{ keycloak_version }}.zip
 mode: '0400'
-- name: Extract keycloak-211.1.zip to /opt/keycloak
+- name: Extract keycloak-{{ keycloak_version }}.zip to /opt/keycloak
 unarchive:
- src: /opt/ansiblepackages/keycloak-21.1.1.zip
+ src: /opt/ansiblepackages/keycloak-{{ keycloak_version }}.zip
 dest: /opt/keycloak
 owner: keycloak
 group: keycloak
 remote_src: yes
 when: not keycloak_exists.stat.exists or redeploy is defined
-- name: link /opt/keycloak/keycloak-21.1.1 to /opt/keycloak/current
- file:
- state: link
- owner: keycloak
- group: keycloak
- mode: '0770'
- src: /opt/keycloak/keycloak-21.1.1
- dest: /opt/keycloak/current
-
-##build once
- name: check if /opt/keycloak/current/builtonce.txt exists
- stat:
- path: /opt/keycloak/current/builtonce.txt
- register: builtonce_exists
-
- name: build keycloak
- command: sudo -u keycloak /opt/keycloak/current/bin/kc.sh build --db=postgres
- when: not builtonce_exists.stat.exists
-
- name: create file to track build
+ name: Create a directory if it does not exist
 ansible.builtin.file:
- path: /opt/keycloak/current/builtonce.txt
- owner: keycloak
- group: keycloak
- mode: '0770'
- state: touch
- when: not builtonce_exists.stat.exists
+ path: /opt/keycloak/data
+ state: directory
 - name: set permissions correct
 file:
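Review bot: The `Download keycloak-zip` task now builds its `url` from `keycloak_version` but still passes no `checksum:`, so the archive that is unpacked and later run as the service is accepted on the strength of the TLS connection to github.com alone; with the version parameterised, the expected digest can be pinned next to it, e.g. a per-version map in defaults and `checksum: "sha256:{{ keycloak_checksums[keycloak_version] }}"` (a new variable, values taken from the release's published checksums). The new `Create a directory if it does not exist` task creates `/opt/keycloak/data` with no `owner`, `group` or `mode`, so it is root-owned at that point; the later `set permissions correct` task with `recurse: yes` presumably repairs that, but declaring `owner: keycloak` and `group: keycloak` on the task itself makes the intent explicit and survives reordering. `remote_src: yes` on the unarchive task is a YAML 1.1 truthy value; `true` is the portable spelling.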
@@ -97,6 +74,15 @@
 # mode: "0770"
 recurse: yes
+- name: link /opt/keycloak/data to /opt/keycloak/keycloak-version/data
+ file:
+ state: link
+ owner: keycloak
+ group: keycloak
+ mode: '0770'
+ src: /opt/keycloak/data
+ dest: /opt/keycloak/keycloak-{{ keycloak_version }}/data
+
 - name: generate /etc/systemd/system/keycloak.service
 template:
 src: keycloak.service.j2
@@ -106,6 +92,7 @@
 mode: "0644"
 notify:
 - reload systemd
+ - restart keycloak
 - name: Flush handlers
 meta: flush_handlers
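Review bot: The new link task's `dest: /opt/keycloak/keycloak-{{ keycloak_version }}/data` may already exist as a real directory if the unpacked distribution ships a `data/` folder, and the `file` module with `state: link` refuses to convert a directory into a symlink unless `force: true` is set (and refuses outright when it is non-empty), so the task's outcome depends on the archive layout; verify against the zip and, if the directory is shipped, add `force: true` with a comment explaining why. `mode: '0770'` on a `state: link` task does not describe the symlink itself (symlink modes are not settable on Linux) and, with the module's default `follow: true`, appears to be applied to the target `/opt/keycloak/data` instead — dropping it avoids a silent chmod of the data directory. The task name still says `keycloak-version/data` while the path is templated; `link /opt/keycloak/data into the keycloak-{{ keycloak_version }} tree` would keep the log output accurate.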
@@ -118,82 +105,6 @@
 notify: restart keycloak
-- name: Flush handlers
- meta: flush_handlers
-
-##add admin user once
-- name: check if /opt/keycloak/current/adminuseradded.txt exists
- stat:
- path: /opt/keycloak/current/adminuseradded.txt
- register: adminuseradded_exists
-
-- name: stop keycloak
- ansible.builtin.service:
- name: keycloak
- state: stopped
- when: not adminuseradded_exists.stat.exists
-
-- name: generate /etc/systemd/system/keycloak.service
- template:
- src: keycloak.service_init.j2
- dest: /etc/systemd/system/keycloak.service
- owner: root
- group: root
- mode: "0644"
- when: not adminuseradded_exists.stat.exists
- notify:
- - reload systemd
-
-- name: Flush handlers
- meta: flush_handlers
-
-- name: start keycloak
- ansible.builtin.service:
- name: keycloak
- state: started
- when: not adminuseradded_exists.stat.exists
-
-- name: Sleep 120 seconds
- ansible.builtin.wait_for:
- timeout: 120
- delegate_to: localhost
- when: not adminuseradded_exists.stat.exists
-
-- name: stop keycloak
- ansible.builtin.service:
- name: keycloak
- state: stopped
- when: not adminuseradded_exists.stat.exists
-
-- name: generate /etc/systemd/system/keycloak.service
- template:
- src: keycloak.service.j2
- dest: /etc/systemd/system/keycloak.service
- owner: root
- group: root
- mode: "0644"
- when: not adminuseradded_exists.stat.exists
- notify:
- - reload systemd
-
-- name: Flush handlers
- meta: flush_handlers
-
-- name: start keycloak
- ansible.builtin.service:
- name: keycloak
- state: started
- when: not adminuseradded_exists.stat.exists
-
-- name: create file to track user creation
- ansible.builtin.file:
- path: /opt/keycloak/current/adminuseradded.txt
- owner: keycloak
- group: keycloak
- mode: '0770'
- state: touch
- when: not adminuseradded_exists.stat.exists
-
 - name: start keycloak
 ansible.builtin.service:
 name: keycloak
diff --git a/templates/keycloak.service.j2 b/templates/keycloak.service.j2
index d5c4381..b506e64 100644
--- a/templates/keycloak.service.j2
+++ b/templates/keycloak.service.j2
@@ -6,22 +6,28 @@ Wants=network-online.target systemd-networkd-wait-online.service
 [Service]
 User=keycloak
 Group=keycloak
-ExecStart=/opt/keycloak/current/bin/kc.sh start
-WorkingDirectory=/opt/keycloak/current
-ReadWritePaths=/opt/keycloak/current/conf /opt/keycloak/current/data /opt/keycloak/current/lib/quarkus
+ExecStart=/opt/keycloak/keycloak-{{ keycloak_version }}/bin/kc.sh start
+WorkingDirectory=/opt/keycloak/keycloak-{{ keycloak_version }}
+ReadWritePaths=/opt/keycloak/keycloak-{{ keycloak_version }}/conf
+ReadWritePaths=/opt/keycloak/keycloak-{{ keycloak_version }}/data
+ReadWritePaths=/opt/keycloak/keycloak-{{ keycloak_version }}/lib/quarkus
 SuccessExitStatus=0 143
 TimeoutStartSec=600
 TimeoutStopSec=600
-Environment="KC_HTTP_HOST={{ keycloak_http_host}}"
-Environment="KC_HOSTNAME={{ inventory_hostname }}"
+Environment="KC_HTTP_HOST={{ keycloak_http_host }}"
+Environment="KC_HOSTNAME=https://{{ inventory_hostname }}"
 Environment="KC_DB=postgres"
 Environment="KC_DB_USERNAME={{ keycloak_postgresql_username }}"
 Environment="KC_DB_PASSWORD={{ keycloak_postgresql_password }}"
 Environment="KC_DB_URL_DATABASE={{ keycloak_postgresql_database }}"
 Environment="KC_DB_URL_HOST=localhost"
-Environment="KC_PROXY=edge"
-Environment="KC_HTTP_RELATIVE_PATH=auth"
+#Environment="KC_HTTP_RELATIVE_PATH=auth"
+Environment="KC_HTTP_ENABLED=true"
+Environment="KC_PROXY_HEADERS=forwarded"
+Environment="KEYCLOAK_ADMIN={{ keycloak_initial_admin_name }}"
+Environment="KEYCLOAK_ADMIN_PASSWORD={{ keycloak_initial_admin_password }}"
+Environment="KC_PROXY_TRUSTED_ADDRESSES=127.0.0.0/8"
 # Hardening options
 CapabilityBoundingSet=
diff --git a/templates/keycloak.service_init.j2 b/templates/keycloak.service_init.j2
deleted file mode 100644
index 7fc0336..0000000
--- a/templates/keycloak.service_init.j2
+++ /dev/null
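Review bot: `KEYCLOAK_ADMIN` and `KEYCLOAK_ADMIN_PASSWORD` are now placed permanently in keycloak.service, whereas the deleted one-shot init unit only carried them until the admin account existed, and the tasks file writes this unit with `mode: "0644"`, so the initial admin password (and the database password already present) is readable by every local account from /etc/systemd/system and typically also through `systemctl show keycloak`. Move the credential-bearing `Environment=` lines into a root:keycloak 0640 file referenced by `EnvironmentFile=` (path for the role to choose, written by its own template task) and keep the unit itself free of secrets. On Keycloak 26 `KEYCLOAK_ADMIN`/`KEYCLOAK_ADMIN_PASSWORD` are deprecated in favour of `KC_BOOTSTRAP_ADMIN_USERNAME`/`KC_BOOTSTRAP_ADMIN_PASSWORD`, which create a temporary bootstrap account; whichever name is kept, a comment above those lines should say that the account is meant to be replaced by a real administrator after first login. `KC_HTTP_ENABLED=true` with `KC_PROXY_HEADERS=forwarded`, `KC_PROXY_TRUSTED_ADDRESSES=127.0.0.0/8` and `KC_HTTP_HOST=127.0.0.1` is a coherent loopback-proxy setup, but it is only safe while the listener stays bound to loopback with TLS terminated at the proxy; a comment recording that dependency, e.g. `# plain HTTP is acceptable only because KC_HTTP_HOST binds loopback and the reverse proxy terminates TLS`, protects it from a later change to `keycloak_http_host`.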
@@ -1,40 +0,0 @@
-[Unit]
-Description=Keycloak server
-After=network-online.target
-Wants=network-online.target systemd-networkd-wait-online.service
-
-[Service]
-User=keycloak
-Group=keycloak
-ExecStart=/opt/keycloak/current/bin/kc.sh start
-WorkingDirectory=/opt/keycloak/current
-ReadWritePaths=/opt/keycloak/current/conf /opt/keycloak/current/data /opt/keycloak/current/lib/quarkus
-SuccessExitStatus=0 143
-TimeoutStartSec=600
-TimeoutStopSec=600
-Environment="KC_HTTP_HOST={{ keycloak_http_host}}"
-Environment="KC_HOSTNAME={{ inventory_hostname }}"
-Environment="KC_DB=postgres"
-Environment="KC_DB_USERNAME={{ keycloak_postgresql_username }}"
-Environment="KC_DB_PASSWORD={{ keycloak_postgresql_password }}"
-Environment="KC_DB_URL_DATABASE={{ keycloak_postgresql_database }}"
-Environment="KC_DB_URL_HOST=localhost"
-Environment="KC_PROXY=edge"
-Environment="KEYCLOAK_ADMIN={{ keycloak_initial_admin_name }}"
-Environment="KEYCLOAK_ADMIN_PASSWORD={{ keycloak_initial_admin_password }}"
-
-# Hardening options
-CapabilityBoundingSet=
-AmbientCapabilities=
-NoNewPrivileges=true
-ProtectHome=true
-ProtectSystem=strict
-ProtectKernelTunables=true
-ProtectKernelModules=true
-ProtectControlGroups=true
-PrivateTmp=true
-PrivateDevices=true
-LockPersonality=true
-
-[Install]
-WantedBy=multi-user.target