updated keycloak

defaults/main.yml

@@ -5,3 +5,4 @@ keycloak_postgresql_password: keycloak
 keycloak_initial_admin_name: keycloak
 keycloak_initial_admin_password: keycloak
 keycloak_http_host: 127.0.0.1
+keycloak_version: 26.1.0

tasks/main.yml

@@ -43,51 +43,28 @@
 
 - name: check if keycloak-dir exists
   stat:
-    path: /opt/keycloak/keycloak-21.0.1
+    path: /opt/keycloak/keycloak-{{ keycloak_version }}
   register: keycloak_exists
 
 - name: Download keycloak-zip
   ansible.builtin.get_url:
-    url: https://github.com/keycloak/keycloak/releases/download/21.1.1/keycloak-21.1.1.zip
-    dest: /opt/ansiblepackages/keycloak-21.1.1.zip
+    url: https://github.com/keycloak/keycloak/releases/download/{{ keycloak_version }}/keycloak-{{ keycloak_version }}.zip
+    dest: /opt/ansiblepackages/keycloak-{{ keycloak_version }}.zip
     mode: '0400'
 
-- name: Extract keycloak-211.1.zip to /opt/keycloak
+- name: Extract keycloak-{{ keycloak_version }}.zip to /opt/keycloak
   unarchive:
-    src: /opt/ansiblepackages/keycloak-21.1.1.zip
+    src: /opt/ansiblepackages/keycloak-{{ keycloak_version }}.zip
     dest: /opt/keycloak
     owner: keycloak
     group: keycloak
     remote_src: yes
   when: not keycloak_exists.stat.exists or redeploy is defined
 
-- name: link /opt/keycloak/keycloak-21.1.1 to /opt/keycloak/current
-  file:
-    state: link
-    owner: keycloak
-    group: keycloak
-    mode: '0770'
-    src: /opt/keycloak/keycloak-21.1.1
-    dest: /opt/keycloak/current
-
-##build once
-- name: check if /opt/keycloak/current/builtonce.txt exists
-  stat:
-    path: /opt/keycloak/current/builtonce.txt
-  register: builtonce_exists
-
-- name: build keycloak
-  command: sudo -u keycloak /opt/keycloak/current/bin/kc.sh build --db=postgres
-  when: not builtonce_exists.stat.exists
-
-- name: create file to track build
+- name: Create a directory if it does not exist
   ansible.builtin.file:
-    path: /opt/keycloak/current/builtonce.txt
-    owner: keycloak
-    group: keycloak
-    mode: '0770'
-    state: touch
-  when: not builtonce_exists.stat.exists
+    path: /opt/keycloak/data
+    state: directory
 
 - name: set permissions correct
   file:
@@ -97,6 +74,15 @@
 #    mode: "0770"
     recurse: yes
 
+- name: link /opt/keycloak/data to /opt/keycloak/keycloak-version/data
+  file:
+    state: link
+    owner: keycloak
+    group: keycloak
+    mode: '0770'
+    src: /opt/keycloak/data
+    dest: /opt/keycloak/keycloak-{{ keycloak_version }}/data
+
 - name: generate /etc/systemd/system/keycloak.service
   template:
     src: keycloak.service.j2
@@ -106,6 +92,7 @@
     mode: "0644"
   notify:
     - reload systemd
+    - restart keycloak
 
 - name: Flush handlers
   meta: flush_handlers
@@ -118,82 +105,6 @@
   notify:
     restart keycloak
 
-- name: Flush handlers
-  meta: flush_handlers
-
-##add admin user once
-- name: check if /opt/keycloak/current/adminuseradded.txt exists
-  stat:
-    path: /opt/keycloak/current/adminuseradded.txt
-  register: adminuseradded_exists
-
-- name: stop keycloak
-  ansible.builtin.service:
-    name: keycloak
-    state: stopped
-  when: not adminuseradded_exists.stat.exists
-
-- name: generate /etc/systemd/system/keycloak.service
-  template:
-    src: keycloak.service_init.j2
-    dest: /etc/systemd/system/keycloak.service
-    owner: root
-    group: root
-    mode: "0644"
-  when: not adminuseradded_exists.stat.exists
-  notify:
-    - reload systemd
-
-- name: Flush handlers
-  meta: flush_handlers
-
-- name: start keycloak
-  ansible.builtin.service:
-    name: keycloak
-    state: started
-  when: not adminuseradded_exists.stat.exists
-
-- name: Sleep 120 seconds
-  ansible.builtin.wait_for:
-    timeout: 120
-  delegate_to: localhost
-  when: not adminuseradded_exists.stat.exists
-
-- name: stop keycloak
-  ansible.builtin.service:
-    name: keycloak
-    state: stopped
-  when: not adminuseradded_exists.stat.exists
-
-- name: generate /etc/systemd/system/keycloak.service
-  template:
-    src: keycloak.service.j2
-    dest: /etc/systemd/system/keycloak.service
-    owner: root
-    group: root
-    mode: "0644"
-  when: not adminuseradded_exists.stat.exists
-  notify:
-    - reload systemd
-
-- name: Flush handlers
-  meta: flush_handlers
-
-- name: start keycloak
-  ansible.builtin.service:
-    name: keycloak
-    state: started
-  when: not adminuseradded_exists.stat.exists
-
-- name: create file to track user creation
-  ansible.builtin.file:
-    path: /opt/keycloak/current/adminuseradded.txt
-    owner: keycloak
-    group: keycloak
-    mode: '0770'
-    state: touch
-  when: not adminuseradded_exists.stat.exists
-
 - name: start keycloak
   ansible.builtin.service:
     name: keycloak

templates/keycloak.service.j2

@@ -6,22 +6,28 @@ Wants=network-online.target systemd-networkd-wait-online.service
 [Service]
 User=keycloak
 Group=keycloak
-ExecStart=/opt/keycloak/current/bin/kc.sh start
-WorkingDirectory=/opt/keycloak/current
-ReadWritePaths=/opt/keycloak/current/conf /opt/keycloak/current/data /opt/keycloak/current/lib/quarkus
+ExecStart=/opt/keycloak/keycloak-{{ keycloak_version }}/bin/kc.sh start
+WorkingDirectory=/opt/keycloak/keycloak-{{ keycloak_version }}
+ReadWritePaths=/opt/keycloak/keycloak-{{ keycloak_version }}/conf
+ReadWritePaths=/opt/keycloak/keycloak-{{ keycloak_version }}/data
+ReadWritePaths=/opt/keycloak/keycloak-{{ keycloak_version }}/lib/quarkus
 SuccessExitStatus=0 143
 
 TimeoutStartSec=600
 TimeoutStopSec=600
-Environment="KC_HTTP_HOST={{ keycloak_http_host}}"
-Environment="KC_HOSTNAME={{ inventory_hostname }}"
+Environment="KC_HTTP_HOST={{ keycloak_http_host }}"
+Environment="KC_HOSTNAME=https://{{ inventory_hostname }}"
 Environment="KC_DB=postgres"
 Environment="KC_DB_USERNAME={{ keycloak_postgresql_username }}"
 Environment="KC_DB_PASSWORD={{ keycloak_postgresql_password }}"
 Environment="KC_DB_URL_DATABASE={{ keycloak_postgresql_database }}"
 Environment="KC_DB_URL_HOST=localhost"
-Environment="KC_PROXY=edge"
-Environment="KC_HTTP_RELATIVE_PATH=auth"
+#Environment="KC_HTTP_RELATIVE_PATH=auth"
+Environment="KC_HTTP_ENABLED=true"
+Environment="KC_PROXY_HEADERS=forwarded"
+Environment="KEYCLOAK_ADMIN={{ keycloak_initial_admin_name }}"
+Environment="KEYCLOAK_ADMIN_PASSWORD={{ keycloak_initial_admin_password }}"
+Environment="KC_PROXY_TRUSTED_ADDRESSES=127.0.0.0/8"
 
 # Hardening options
 CapabilityBoundingSet=

templates/keycloak.service_init.j2

@@ -1,40 +0,0 @@
-[Unit]
-Description=Keycloak server
-After=network-online.target
-Wants=network-online.target systemd-networkd-wait-online.service
-
-[Service]
-User=keycloak
-Group=keycloak
-ExecStart=/opt/keycloak/current/bin/kc.sh start
-WorkingDirectory=/opt/keycloak/current
-ReadWritePaths=/opt/keycloak/current/conf /opt/keycloak/current/data /opt/keycloak/current/lib/quarkus
-SuccessExitStatus=0 143
-TimeoutStartSec=600
-TimeoutStopSec=600
-Environment="KC_HTTP_HOST={{ keycloak_http_host}}"
-Environment="KC_HOSTNAME={{ inventory_hostname }}"
-Environment="KC_DB=postgres"
-Environment="KC_DB_USERNAME={{ keycloak_postgresql_username }}"
-Environment="KC_DB_PASSWORD={{ keycloak_postgresql_password }}"
-Environment="KC_DB_URL_DATABASE={{ keycloak_postgresql_database }}"
-Environment="KC_DB_URL_HOST=localhost"
-Environment="KC_PROXY=edge"
-Environment="KEYCLOAK_ADMIN={{ keycloak_initial_admin_name }}"
-Environment="KEYCLOAK_ADMIN_PASSWORD={{ keycloak_initial_admin_password }}"
-
-# Hardening options
-CapabilityBoundingSet=
-AmbientCapabilities=
-NoNewPrivileges=true
-ProtectHome=true
-ProtectSystem=strict
-ProtectKernelTunables=true
-ProtectKernelModules=true
-ProtectControlGroups=true
-PrivateTmp=true
-PrivateDevices=true
-LockPersonality=true
-
-[Install]
-WantedBy=multi-user.target