DigitalInfinity/ansible-role-keycloak
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

updated keycloak

Browse Source
This commit is contained in:
Alexander Gabriel 2025-01-24 19:11:15 +01:00
parent 973b52c98f
commit 56e1187614
4 changed files with 32 additions and 154 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
defaults/main.yml
View File

@ -5,3 +5,4 @@ keycloak_postgresql_password: keycloak
keycloak_initial_admin_name: keycloak keycloak_initial_admin_name: keycloak
keycloak_initial_admin_password: keycloak keycloak_initial_admin_password: keycloak
keycloak_http_host: 127.0.0.1 keycloak_http_host: 127.0.0.1
keycloak_version: 26.1.0

125
tasks/main.yml
View File

@ -43,51 +43,28 @@
- name: check if keycloak-dir exists - name: check if keycloak-dir exists
stat: stat:
path: /opt/keycloak/keycloak-21.0.1 path: /opt/keycloak/keycloak-{{ keycloak_version }}
register: keycloak_exists register: keycloak_exists
- name: Download keycloak-zip - name: Download keycloak-zip
ansible.builtin.get_url: ansible.builtin.get_url:
url: https://github.com/keycloak/keycloak/releases/download/21.1.1/keycloak-21.1.1.zip url: https://github.com/keycloak/keycloak/releases/download/{{ keycloak_version }}/keycloak-{{ keycloak_version }}.zip
dest: /opt/ansiblepackages/keycloak-21.1.1.zip dest: /opt/ansiblepackages/keycloak-{{ keycloak_version }}.zip
mode: '0400' mode: '0400'
- name: Extract keycloak-211.1.zip to /opt/keycloak - name: Extract keycloak-{{ keycloak_version }}.zip to /opt/keycloak
unarchive: unarchive:
src: /opt/ansiblepackages/keycloak-21.1.1.zip src: /opt/ansiblepackages/keycloak-{{ keycloak_version }}.zip
dest: /opt/keycloak dest: /opt/keycloak
owner: keycloak owner: keycloak
group: keycloak group: keycloak
remote_src: yes remote_src: yes
when: not keycloak_exists.stat.exists or redeploy is defined when: not keycloak_exists.stat.exists or redeploy is defined
- name: link /opt/keycloak/keycloak-21.1.1 to /opt/keycloak/current - name: Create a directory if it does not exist
file:
state: link
owner: keycloak
group: keycloak
mode: '0770'
src: /opt/keycloak/keycloak-21.1.1
dest: /opt/keycloak/current
##build once
- name: check if /opt/keycloak/current/builtonce.txt exists
stat:
path: /opt/keycloak/current/builtonce.txt
register: builtonce_exists
- name: build keycloak
command: sudo -u keycloak /opt/keycloak/current/bin/kc.sh build --db=postgres
when: not builtonce_exists.stat.exists
- name: create file to track build
ansible.builtin.file: ansible.builtin.file:
path: /opt/keycloak/current/builtonce.txt path: /opt/keycloak/data
owner: keycloak state: directory
group: keycloak
mode: '0770'
state: touch
when: not builtonce_exists.stat.exists
- name: set permissions correct - name: set permissions correct
file: file:
@ -97,6 +74,15 @@
# mode: "0770" # mode: "0770"
recurse: yes recurse: yes
- name: link /opt/keycloak/data to /opt/keycloak/keycloak-version/data
file:
state: link
owner: keycloak
group: keycloak
mode: '0770'
src: /opt/keycloak/data
dest: /opt/keycloak/keycloak-{{ keycloak_version }}/data
- name: generate /etc/systemd/system/keycloak.service - name: generate /etc/systemd/system/keycloak.service
template: template:
src: keycloak.service.j2 src: keycloak.service.j2
@ -106,6 +92,7 @@
mode: "0644" mode: "0644"
notify: notify:
- reload systemd - reload systemd
- restart keycloak
- name: Flush handlers - name: Flush handlers
meta: flush_handlers meta: flush_handlers
@ -118,82 +105,6 @@
notify: notify:
restart keycloak restart keycloak
- name: Flush handlers
meta: flush_handlers
##add admin user once
- name: check if /opt/keycloak/current/adminuseradded.txt exists
stat:
path: /opt/keycloak/current/adminuseradded.txt
register: adminuseradded_exists
- name: stop keycloak
ansible.builtin.service:
name: keycloak
state: stopped
when: not adminuseradded_exists.stat.exists
- name: generate /etc/systemd/system/keycloak.service
template:
src: keycloak.service_init.j2
dest: /etc/systemd/system/keycloak.service
owner: root
group: root
mode: "0644"
when: not adminuseradded_exists.stat.exists
notify:
- reload systemd
- name: Flush handlers
meta: flush_handlers
- name: start keycloak
ansible.builtin.service:
name: keycloak
state: started
when: not adminuseradded_exists.stat.exists
- name: Sleep 120 seconds
ansible.builtin.wait_for:
timeout: 120
delegate_to: localhost
when: not adminuseradded_exists.stat.exists
- name: stop keycloak
ansible.builtin.service:
name: keycloak
state: stopped
when: not adminuseradded_exists.stat.exists
- name: generate /etc/systemd/system/keycloak.service
template:
src: keycloak.service.j2
dest: /etc/systemd/system/keycloak.service
owner: root
group: root
mode: "0644"
when: not adminuseradded_exists.stat.exists
notify:
- reload systemd
- name: Flush handlers
meta: flush_handlers
- name: start keycloak
ansible.builtin.service:
name: keycloak
state: started
when: not adminuseradded_exists.stat.exists
- name: create file to track user creation
ansible.builtin.file:
path: /opt/keycloak/current/adminuseradded.txt
owner: keycloak
group: keycloak
mode: '0770'
state: touch
when: not adminuseradded_exists.stat.exists
- name: start keycloak - name: start keycloak
ansible.builtin.service: ansible.builtin.service:
name: keycloak name: keycloak

20
templates/keycloak.service.j2
View File

@ -6,22 +6,28 @@ Wants=network-online.target systemd-networkd-wait-online.service
[Service] [Service]
User=keycloak User=keycloak
Group=keycloak Group=keycloak
ExecStart=/opt/keycloak/current/bin/kc.sh start ExecStart=/opt/keycloak/keycloak-{{ keycloak_version }}/bin/kc.sh start
WorkingDirectory=/opt/keycloak/current WorkingDirectory=/opt/keycloak/keycloak-{{ keycloak_version }}
ReadWritePaths=/opt/keycloak/current/conf /opt/keycloak/current/data /opt/keycloak/current/lib/quarkus ReadWritePaths=/opt/keycloak/keycloak-{{ keycloak_version }}/conf
ReadWritePaths=/opt/keycloak/keycloak-{{ keycloak_version }}/data
ReadWritePaths=/opt/keycloak/keycloak-{{ keycloak_version }}/lib/quarkus
SuccessExitStatus=0 143 SuccessExitStatus=0 143
TimeoutStartSec=600 TimeoutStartSec=600
TimeoutStopSec=600 TimeoutStopSec=600
Environment="KC_HTTP_HOST={{ keycloak_http_host}}" Environment="KC_HTTP_HOST={{ keycloak_http_host }}"
Environment="KC_HOSTNAME={{ inventory_hostname }}" Environment="KC_HOSTNAME=https://{{ inventory_hostname }}"
Environment="KC_DB=postgres" Environment="KC_DB=postgres"
Environment="KC_DB_USERNAME={{ keycloak_postgresql_username }}" Environment="KC_DB_USERNAME={{ keycloak_postgresql_username }}"
Environment="KC_DB_PASSWORD={{ keycloak_postgresql_password }}" Environment="KC_DB_PASSWORD={{ keycloak_postgresql_password }}"
Environment="KC_DB_URL_DATABASE={{ keycloak_postgresql_database }}" Environment="KC_DB_URL_DATABASE={{ keycloak_postgresql_database }}"
Environment="KC_DB_URL_HOST=localhost" Environment="KC_DB_URL_HOST=localhost"
Environment="KC_PROXY=edge" #Environment="KC_HTTP_RELATIVE_PATH=auth"
Environment="KC_HTTP_RELATIVE_PATH=auth" Environment="KC_HTTP_ENABLED=true"
Environment="KC_PROXY_HEADERS=forwarded"
Environment="KEYCLOAK_ADMIN={{ keycloak_initial_admin_name }}"
Environment="KEYCLOAK_ADMIN_PASSWORD={{ keycloak_initial_admin_password }}"
Environment="KC_PROXY_TRUSTED_ADDRESSES=127.0.0.0/8"
# Hardening options # Hardening options
CapabilityBoundingSet= CapabilityBoundingSet=

40
templates/keycloak.service_init.j2
View File

@ -1,40 +0,0 @@
[Unit]
Description=Keycloak server
After=network-online.target
Wants=network-online.target systemd-networkd-wait-online.service
[Service]
User=keycloak
Group=keycloak
ExecStart=/opt/keycloak/current/bin/kc.sh start
WorkingDirectory=/opt/keycloak/current
ReadWritePaths=/opt/keycloak/current/conf /opt/keycloak/current/data /opt/keycloak/current/lib/quarkus
SuccessExitStatus=0 143
TimeoutStartSec=600
TimeoutStopSec=600
Environment="KC_HTTP_HOST={{ keycloak_http_host}}"
Environment="KC_HOSTNAME={{ inventory_hostname }}"
Environment="KC_DB=postgres"
Environment="KC_DB_USERNAME={{ keycloak_postgresql_username }}"
Environment="KC_DB_PASSWORD={{ keycloak_postgresql_password }}"
Environment="KC_DB_URL_DATABASE={{ keycloak_postgresql_database }}"
Environment="KC_DB_URL_HOST=localhost"
Environment="KC_PROXY=edge"
Environment="KEYCLOAK_ADMIN={{ keycloak_initial_admin_name }}"
Environment="KEYCLOAK_ADMIN_PASSWORD={{ keycloak_initial_admin_password }}"
# Hardening options
CapabilityBoundingSet=
AmbientCapabilities=
NoNewPrivileges=true
ProtectHome=true
ProtectSystem=strict
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
PrivateTmp=true
PrivateDevices=true
LockPersonality=true
[Install]
WantedBy=multi-user.target