DigitalInfinity
/
ansible-role-keycloak
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

updated to v10, add admin + build once

This commit is contained in:
Alexander Gabriel 2023-03-18 18:08:07 +01:00
parent e0d2780857
commit bead811a41
8 changed files with 166 additions and 818 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
README.md
View File

@ -7,8 +7,9 @@ Needs: https://github.com/AlexanderGabriel/ansible-role-acme.sh to get certs fro
Hint: Use variables use_local_ca: yes and acme_sh_server: https://host:port/acme/acme/directory to use your own intranet step-ca or acme-compatible CA for local certs
All vars:
* keycloak_initial_admin_password initial admin user password
* use_local_ca: yes or no
* acme_sh_server: url to acme-compatible ca, if not provided, use letsencrypt
* acme_sh_email: your email-address
* keycloak_postgresql_database: keycloak
* keycloak_postgresql_username: keycloak
* keycloak_postgresql_password: keycloak
* keycloak_initial_admin_name: keycloak
* keycloak_initial_admin_password: keycloak
* keycloak_http_host: 127.0.0.1

7
defaults/main.yml Normal file
View File

@ -0,0 +1,7 @@
---
keycloak_postgresql_database: keycloak
keycloak_postgresql_username: keycloak
keycloak_postgresql_password: keycloak
keycloak_initial_admin_name: keycloak
keycloak_initial_admin_password: keycloak
keycloak_http_host: 127.0.0.1

274
tasks/main.yml
View File

@ -7,6 +7,31 @@
- apache2
update_cache: yes
##install database
- name: include role for postgresql
include_role:
name: postgresql
vars:
postgresql_database: "{{ keycloak_postgresql_database }}"
postgresql_username: "{{ keycloak_postgresql_username }}"
postgresql_password: "{{ keycloak_postgresql_password }}"
- name: include role for website
include_role:
name: website
vars:
domainname: "{{ inventory_hostname }}"
docroot: "/var/www/html"
optionalDirectives: |
ProxyPreserveHost On
SSLProxyEngine On
SSLProxyCheckPeerCN on
SSLProxyCheckPeerExpire on
RequestHeader set X-Forwarded-Proto "https"
RequestHeader set X-Forwarded-Port "443"
ProxyPass / http://127.0.0.1:8080/
ProxyPassReverse / http://127.0.0.1:8080/
- name: create user for keycloak
user:
name: keycloak
@ -18,23 +43,50 @@
- name: check if keycloak-dir exists
stat:
path: /opt/keycloak/keycloak-13.0.1
path: /opt/keycloak/keycloak-21.0.1
register: keycloak_exists
- name: Extract keycloak-13.0.1.tar.gz to /opt/keycloak
- name: Extract keycloak-21.0.1.zip to /opt/keycloak
unarchive:
src: keycloak-13.0.1.tar.gz
src: keycloak-21.0.1.zip
dest: /opt/keycloak
owner: keycloak
group: keycloak
when: not keycloak_exists.stat.exists or redeploy is defined
- name: link /opt/keycloak/keycloak-13.0.1 to /opt/keycloak/current
- name: link /opt/keycloak/keycloak-21.0.1 to /opt/keycloak/current
file:
state: link
src: /opt/keycloak/keycloak-13.0.1
src: /opt/keycloak/keycloak-21.0.1
dest: /opt/keycloak/current
##build once
- name: check if /opt/keycloak/current/builtonce.txt exists
stat:
path: /opt/keycloak/current/builtonce.txt
register: builtonce_exists
- name: build keycloak
command: sudo -u keycloak /opt/keycloak/current/bin/kc.sh build --db=postgres
when: not builtonce_exists.stat.exists
- name: create file to track build
ansible.builtin.file:
path: /opt/keycloak/current/builtonce.txt
owner: keycloak
group: keycloak
mode: '0770'
state: touch
when: not builtonce_exists.stat.exists
- name: set permissions correct
file:
dest: /opt/keycloak
owner: keycloak
group: keycloak
mode: "0770"
recurse: yes
- name: generate /etc/systemd/system/keycloak.service
template:
src: keycloak.service.j2
@ -45,27 +97,6 @@
notify:
- reload systemd
- name: generate /opt/keycloak/current/standalone/configuration/standalone.xml
template:
src: standalone.xml.j2
dest: /opt/keycloak/current/standalone/configuration/standalone.xml
notify:
- restart keycloak
- name: enable keycloak
systemd:
name: keycloak
enabled: yes
masked: no
- name: set permissions correct
file:
dest: /opt/keycloak
owner: keycloak
group: keycloak
mode: "0770"
recurse: yes
- name: Flush handlers
meta: flush_handlers
@ -80,143 +111,80 @@
- name: Flush handlers
meta: flush_handlers
##add admin user once
- name: check if /opt/keycloak/current/adminuseradded.txt exists
stat:
path: /opt/keycloak/current/standalone/configuration/keycloak-add-user.json
path: /opt/keycloak/current/adminuseradded.txt
register: adminuseradded_exists
- name: check if /opt/keycloak/current/standalone/configuration/keycloak-add-user.json exists
stat:
path: /opt/keycloak/current/standalone/configuration/keycloak-add-user.json
- name: stop keycloak
ansible.builtin.service:
name: keycloak
state: stopped
when: not adminuseradded_exists.stat.exists
register: keycloak_add_user_exists
- name: check if user exists
shell: "grep username /opt/keycloak/current/standalone/configuration/keycloak-add-user.json | grep admin"
register: userexists
when: not adminuseradded_exists.stat.exists and keycloak_add_user_exists.stat.exists
- name: create initial admin user
command: sudo -u keycloak /opt/keycloak/current/bin/add-user-keycloak.sh -u admin -p {{ keycloak_initial_admin_password }} -r master
when: not keycloak_add_user_exists.stat.exists or userexists.stdout == ""
- name: generate /etc/systemd/system/keycloak.service
template:
src: keycloak.service_init.j2
dest: /etc/systemd/system/keycloak.service
owner: root
group: root
mode: "0644"
when: not adminuseradded_exists.stat.exists
notify:
restart keycloak
- reload systemd
- name: create initial admin user
command: sudo -u keycloak touch /opt/keycloak/current/adminuseradded.txt
when: not keycloak_add_user_exists.stat.exists or userexists.stdout == ""
- name: Flush handlers
meta: flush_handlers
- name: start keycloak
ansible.builtin.service:
name: keycloak
state: started
when: not adminuseradded_exists.stat.exists
- name: Sleep 60 seconds
ansible.builtin.wait_for:
timeout: 60
delegate_to: localhost
when: not adminuseradded_exists.stat.exists
- name: stop keycloak
ansible.builtin.service:
name: keycloak
state: stopped
when: not adminuseradded_exists.stat.exists
- name: generate /etc/systemd/system/keycloak.service
template:
src: keycloak.service.j2
dest: /etc/systemd/system/keycloak.service
owner: root
group: root
mode: "0644"
when: not adminuseradded_exists.stat.exists
notify:
restart keycloak
- reload systemd
- name: set permissions correct again
file:
dest: /opt/keycloak
- name: Flush handlers
meta: flush_handlers
- name: start keycloak
ansible.builtin.service:
name: keycloak
state: started
when: not adminuseradded_exists.stat.exists
- name: create file to track user creation
ansible.builtin.file:
path: /opt/keycloak/current/adminuseradded.txt
owner: keycloak
group: keycloak
mode: "0770"
recurse: yes
- name: enable apache module proxy
command: a2enmod proxy
args:
creates: /etc/apache2/mods-enabled/proxy.load
notify:
restart apache2
- name: enable apache module proxy_html
command: a2enmod proxy_html
args:
creates: /etc/apache2/mods-enabled/proxy_html.load
notify:
restart apache2
- name: enable apache module proxy_http
command: a2enmod proxy_http
args:
creates: /etc/apache2/mods-enabled/proxy_http.load
notify:
restart apache2
- name: enable apache module proxy_http2
command: a2enmod proxy_http2
args:
creates: /etc/apache2/mods-enabled/proxy_http2.load
notify:
restart apache2
- name: enable apache module ssl
command: a2enmod ssl
args:
creates: /etc/apache2/mods-enabled/ssl.load
notify:
restart apache2
- name: enable apache module headers
command: a2enmod headers
args:
creates: /etc/apache2/mods-enabled/headers.load
notify:
restart apache2
- name: enable apache module rewrite
command: a2enmod rewrite
args:
creates: /etc/apache2/mods-enabled/rewrite.load
notify:
restart apache2
- name: install acme.sh
include_role:
name: acmesh
- name: set amce server url
set_fact:
acmeshserver: "--server {{ acme_sh_server }} --insecure --force --days 1"
when: acme_sh_server is defined
- name: set amce server url
set_fact:
acmeshserver: ""
when: not acme_sh_server is defined
- name: get certificates
command: /root/.acme.sh/acme.sh --issue --apache {{ acmeshserver }} -d {{ inventory_hostname }} --email {{ acme_sh_email }} --key-file /etc/ssl/private/{{ inventory_hostname }}.key --fullchain-file /etc/ssl/certs/{{ inventory_hostname }}.pem --reloadcmd "service apache2 reload"
args:
creates: /etc/ssl/private/{{ inventory_hostname }}.key
- name: generate /etc/apache2/sites-available/{{ inventory_hostname }}.conf
template:
src: apache.conf.j2
dest: /etc/apache2/sites-available/{{ inventory_hostname }}.conf
owner: root
group: root
mode: "0644"
notify:
- reload apache2
- name: generate /etc/apache2/sites-available/{{ inventory_hostname }}-ssl.conf
template:
src: apache-ssl.conf.j2
dest: /etc/apache2/sites-available/{{ inventory_hostname }}-ssl.conf
owner: root
group: root
mode: "0644"
notify:
- reload apache2
- name: activate /etc/apache2/sites-available/{{ inventory_hostname }}.conf
file:
state: link
src: /etc/apache2/sites-available/{{ inventory_hostname }}.conf
dest: /etc/apache2/sites-enabled/{{ inventory_hostname }}.conf
notify:
- reload apache2
- name: activate /etc/apache2/sites-available/{{ inventory_hostname }}-ssl.conf
file:
state: link
src: /etc/apache2/sites-available/{{ inventory_hostname }}-ssl.conf
dest: /etc/apache2/sites-enabled/{{ inventory_hostname }}-ssl.conf
notify:
- reload apache2
mode: '0770'
state: touch
when: not adminuseradded_exists.stat.exists
- name: start keycloak
ansible.builtin.service:
name: keycloak
state: started

31
templates/apache-ssl.conf.j2
View File

@ -1,31 +0,0 @@
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
ServerName {{ inventory_hostname }}
ServerAdmin webmaster@{{ inventory_hostname }}
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/{{ inventory_hostname }}.error.log
CustomLog ${APACHE_LOG_DIR}/{{ inventory_hostname }}.access.log combined
SSLEngine on
SSLCertificateFile /etc/ssl/certs/{{ inventory_hostname }}.pem
SSLCertificateKeyFile /etc/ssl/private/{{ inventory_hostname }}.key
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
ProxyPreserveHost On
SSLProxyEngine On
SSLProxyCheckPeerCN on
SSLProxyCheckPeerExpire on
RequestHeader set X-Forwarded-Proto "https"
RequestHeader set X-Forwarded-Port "443"
ProxyPass / http://127.0.0.1:8080/
ProxyPassReverse / http://127.0.0.1:8080/
</VirtualHost>
</IfModule>

14
templates/apache.conf.j2
View File

@ -1,14 +0,0 @@
<VirtualHost *:80>
ServerName {{ inventory_hostname }}
ServerAdmin webmaster@{{ inventory_hostname }}
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/{{ inventory_hostname }}.error.log
CustomLog ${APACHE_LOG_DIR}/{{ inventory_hostname }}.access.log combined
#rewrite transparent to https, keep uri
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R,L]
</VirtualHost>

11
templates/keycloak.service.j2
View File

@ -6,9 +6,16 @@ After=network.target
Type=idle
User=keycloak
Group=keycloak
ExecStart=/opt/keycloak/current/bin/standalone.sh
ExecStart=/opt/keycloak/current/bin/kc.sh start
TimeoutStartSec=600
TimeoutStopSec=600
Environment="KC_HTTP_HOST={{ keycloak_http_host}}"
Environment="KC_HOSTNAME={{ inventory_hostname }}"
Environment="KC_DB_USERNAME={{ keycloak_postgresql_username }}"
Environment="KC_DB_PASSWORD={{ keycloak_postgresql_password }}"
Environment="KC_DB_URL_DATABASE={{ keycloak_postgresql_database }}"
Environment="KC_DB_URL_HOST={{ inventory_hostname }}"
Environment="KC_PROXY=edge"
[Install]
WantedBy=multi-user.target
WantedBy=multi-user.target

23
templates/keycloak.service_init.j2 Normal file
View File

@ -0,0 +1,23 @@
[Unit]
Description=Keycloak
After=network.target
[Service]
Type=idle
User=keycloak
Group=keycloak
ExecStart=/opt/keycloak/current/bin/kc.sh start
TimeoutStartSec=600
TimeoutStopSec=600
Environment="KC_HTTP_HOST={{ keycloak_http_host}}"
Environment="KC_HOSTNAME={{ inventory_hostname }}"
Environment="KC_DB_USERNAME={{ keycloak_postgresql_username }}"
Environment="KC_DB_PASSWORD={{ keycloak_postgresql_password }}"
Environment="KC_DB_URL_DATABASE={{ keycloak_postgresql_database }}"
Environment="KC_DB_URL_HOST={{ inventory_hostname }}"
Environment="KC_PROXY=edge"
Environment="KEYCLOAK_ADMIN={{ keycloak_initial_admin_name }}"
Environment="KEYCLOAK_ADMIN_PASSWORD={{ keycloak_initial_admin_password }}"
[Install]
WantedBy=multi-user.target

613
templates/standalone.xml.j2
View File

@ -1,613 +0,0 @@
<?xml version='1.0' encoding='UTF-8'?>
<server xmlns="urn:jboss:domain:16.0">
<extensions>
<extension module="org.jboss.as.clustering.infinispan"/>
<extension module="org.jboss.as.connector"/>
<extension module="org.jboss.as.deployment-scanner"/>
<extension module="org.jboss.as.ee"/>
<extension module="org.jboss.as.ejb3"/>
<extension module="org.jboss.as.jaxrs"/>
<extension module="org.jboss.as.jmx"/>
<extension module="org.jboss.as.jpa"/>
<extension module="org.jboss.as.logging"/>
<extension module="org.jboss.as.mail"/>
<extension module="org.jboss.as.naming"/>
<extension module="org.jboss.as.remoting"/>
<extension module="org.jboss.as.security"/>
<extension module="org.jboss.as.transactions"/>
<extension module="org.jboss.as.weld"/>
<extension module="org.keycloak.keycloak-server-subsystem"/>
<extension module="org.wildfly.extension.bean-validation"/>
<extension module="org.wildfly.extension.core-management"/>
<extension module="org.wildfly.extension.elytron"/>
<extension module="org.wildfly.extension.health"/>
<extension module="org.wildfly.extension.io"/>
<extension module="org.wildfly.extension.metrics"/>
<extension module="org.wildfly.extension.request-controller"/>
<extension module="org.wildfly.extension.security.manager"/>
<extension module="org.wildfly.extension.undertow"/>
</extensions>
<management>
<security-realms>
<security-realm name="ManagementRealm">
<authentication>
<local default-user="$local" skip-group-loading="true"/>
<properties path="mgmt-users.properties" relative-to="jboss.server.config.dir"/>
</authentication>
<authorization map-groups-to-roles="false">
<properties path="mgmt-groups.properties" relative-to="jboss.server.config.dir"/>
</authorization>
</security-realm>
<security-realm name="ApplicationRealm">
<server-identities>
<ssl>
<keystore path="application.keystore" relative-to="jboss.server.config.dir" keystore-password="password" alias="server" key-password="password" generate-self-signed-certificate-host="localhost"/>
</ssl>
</server-identities>
<authentication>
<local default-user="$local" allowed-users="*" skip-group-loading="true"/>
<properties path="application-users.properties" relative-to="jboss.server.config.dir"/>
</authentication>
<authorization>
<properties path="application-roles.properties" relative-to="jboss.server.config.dir"/>
</authorization>
</security-realm>
</security-realms>
<audit-log>
<formatters>
<json-formatter name="json-formatter"/>
</formatters>
<handlers>
<file-handler name="file" formatter="json-formatter" path="audit-log.log" relative-to="jboss.server.data.dir"/>
</handlers>
<logger log-boot="true" log-read-only="false" enabled="false">
<handlers>
<handler name="file"/>
</handlers>
</logger>
</audit-log>
<management-interfaces>
<http-interface security-realm="ManagementRealm">
<http-upgrade enabled="true"/>
<socket-binding http="management-http"/>
</http-interface>
</management-interfaces>
<access-control provider="simple">
<role-mapping>
<role name="SuperUser">
<include>
<user name="$local"/>
</include>
</role>
</role-mapping>
</access-control>
</management>
<profile>
<subsystem xmlns="urn:jboss:domain:bean-validation:1.0"/>
<subsystem xmlns="urn:jboss:domain:core-management:1.0"/>
<subsystem xmlns="urn:jboss:domain:deployment-scanner:2.0">
<deployment-scanner path="deployments" relative-to="jboss.server.base.dir" scan-interval="5000" runtime-failure-causes-rollback="${jboss.deployment.scanner.rollback.on.failure:false}"/>
</subsystem>
<subsystem xmlns="urn:jboss:domain:ee:6.0">
<spec-descriptor-property-replacement>false</spec-descriptor-property-replacement>
<concurrent>
<context-services>
<context-service name="default" jndi-name="java:jboss/ee/concurrency/context/default" use-transaction-setup-provider="true"/>
</context-services>
<managed-thread-factories>
<managed-thread-factory name="default" jndi-name="java:jboss/ee/concurrency/factory/default" context-service="default"/>
</managed-thread-factories>
<managed-executor-services>
<managed-executor-service name="default" jndi-name="java:jboss/ee/concurrency/executor/default" context-service="default" hung-task-termination-period="0" hung-task-threshold="60000" keepalive-time="5000"/>
</managed-executor-services>
<managed-scheduled-executor-services>
<managed-scheduled-executor-service name="default" jndi-name="java:jboss/ee/concurrency/scheduler/default" context-service="default" hung-task-termination-period="0" hung-task-threshold="60000" keepalive-time="3000"/>
</managed-scheduled-executor-services>
</concurrent>
<default-bindings context-service="java:jboss/ee/concurrency/context/default" datasource="java:jboss/datasources/ExampleDS" managed-executor-service="java:jboss/ee/concurrency/executor/default" managed-scheduled-executor-service="java:jboss/ee/concurrency/scheduler/default" managed-thread-factory="java:jboss/ee/concurrency/factory/default"/>
</subsystem>
<subsystem xmlns="urn:jboss:domain:ejb3:9.0">
<session-bean>
<stateless>
<bean-instance-pool-ref pool-name="slsb-strict-max-pool"/>
</stateless>
<stateful default-access-timeout="5000" cache-ref="simple" passivation-disabled-cache-ref="simple"/>
<singleton default-access-timeout="5000"/>
</session-bean>
<pools>
<bean-instance-pools>
<strict-max-pool name="mdb-strict-max-pool" derive-size="from-cpu-count" instance-acquisition-timeout="5" instance-acquisition-timeout-unit="MINUTES"/>
<strict-max-pool name="slsb-strict-max-pool" derive-size="from-worker-pools" instance-acquisition-timeout="5" instance-acquisition-timeout-unit="MINUTES"/>
</bean-instance-pools>
</pools>
<caches>
<cache name="simple"/>
<cache name="distributable" passivation-store-ref="infinispan" aliases="passivating clustered"/>
</caches>
<passivation-stores>
<passivation-store name="infinispan" cache-container="ejb" max-size="10000"/>
</passivation-stores>
<async thread-pool-name="default"/>
<timer-service thread-pool-name="default" default-data-store="default-file-store">
<data-stores>
<file-data-store name="default-file-store" path="timer-service-data" relative-to="jboss.server.data.dir"/>
</data-stores>
</timer-service>
<remote cluster="ejb" connectors="http-remoting-connector" thread-pool-name="default">
<channel-creation-options>
<option name="MAX_OUTBOUND_MESSAGES" value="1234" type="remoting"/>
</channel-creation-options>
</remote>
<thread-pools>
<thread-pool name="default">
<max-threads count="10"/>
<keepalive-time time="60" unit="seconds"/>
</thread-pool>
</thread-pools>
<default-security-domain value="other"/>
<default-missing-method-permissions-deny-access value="true"/>
<statistics enabled="${wildfly.ejb3.statistics-enabled:${wildfly.statistics-enabled:false}}"/>
<log-system-exceptions value="true"/>
</subsystem>
<subsystem xmlns="urn:wildfly:health:1.0" security-enabled="false"/>
<subsystem xmlns="urn:jboss:domain:io:3.0">
<worker name="default"/>
<buffer-pool name="default"/>
</subsystem>
<subsystem xmlns="urn:jboss:domain:jaxrs:2.0"/>
<subsystem xmlns="urn:jboss:domain:jca:5.0">
<archive-validation enabled="true" fail-on-error="true" fail-on-warn="false"/>
<bean-validation enabled="true"/>
<default-workmanager>
<short-running-threads>
<core-threads count="50"/>
<queue-length count="50"/>
<max-threads count="50"/>
<keepalive-time time="10" unit="seconds"/>
</short-running-threads>
<long-running-threads>
<core-threads count="50"/>
<queue-length count="50"/>
<max-threads count="50"/>
<keepalive-time time="10" unit="seconds"/>
</long-running-threads>
</default-workmanager>
<cached-connection-manager/>
</subsystem>
<subsystem xmlns="urn:jboss:domain:jmx:1.3">
<expose-resolved-model/>
<expose-expression-model/>
<remoting-connector/>
</subsystem>
<subsystem xmlns="urn:jboss:domain:jpa:1.1">
<jpa default-extended-persistence-inheritance="DEEP"/>
</subsystem>
<subsystem xmlns="urn:jboss:domain:infinispan:12.0">
<cache-container name="keycloak" modules="org.keycloak.keycloak-model-infinispan">
<local-cache name="realms">
<heap-memory size="10000"/>
</local-cache>
<local-cache name="users">
<heap-memory size="10000"/>
</local-cache>
<local-cache name="sessions"/>
<local-cache name="authenticationSessions"/>
<local-cache name="offlineSessions"/>
<local-cache name="clientSessions"/>
<local-cache name="offlineClientSessions"/>
<local-cache name="loginFailures"/>
<local-cache name="work"/>
<local-cache name="authorization">
<heap-memory size="10000"/>
</local-cache>
<local-cache name="keys">
<heap-memory size="1000"/>
<expiration max-idle="3600000"/>
</local-cache>
<local-cache name="actionTokens">
<heap-memory size="-1"/>
<expiration max-idle="-1" interval="300000"/>
</local-cache>
</cache-container>
<cache-container name="server" default-cache="default" modules="org.wildfly.clustering.server">
<local-cache name="default">
<transaction mode="BATCH"/>
</local-cache>
</cache-container>
<cache-container name="web" default-cache="passivation" modules="org.wildfly.clustering.web.infinispan">
<local-cache name="passivation">
<locking isolation="REPEATABLE_READ"/>
<transaction mode="BATCH"/>
<file-store passivation="true" purge="false"/>
</local-cache>
<local-cache name="sso">
<locking isolation="REPEATABLE_READ"/>
<transaction mode="BATCH"/>
</local-cache>
<local-cache name="routing"/>
</cache-container>
<cache-container name="ejb" aliases="sfsb" default-cache="passivation" modules="org.wildfly.clustering.ejb.infinispan">
<local-cache name="passivation">
<locking isolation="REPEATABLE_READ"/>
<transaction mode="BATCH"/>
<file-store passivation="true" purge="false"/>
</local-cache>
</cache-container>
<cache-container name="hibernate" modules="org.infinispan.hibernate-cache">
<local-cache name="entity">
<heap-memory size="10000"/>
<expiration max-idle="100000"/>
</local-cache>
<local-cache name="local-query">
<heap-memory size="10000"/>
<expiration max-idle="100000"/>
</local-cache>
<local-cache name="timestamps"/>
</cache-container>
</subsystem>
<subsystem xmlns="urn:jboss:domain:keycloak-server:1.1">
<web-context>auth</web-context>
<providers>
<provider>classpath:${jboss.home.dir}/providers/*</provider>
</providers>
<master-realm-name>master</master-realm-name>
<scheduled-task-interval>900</scheduled-task-interval>
<theme>
<staticMaxAge>2592000</staticMaxAge>
<cacheThemes>true</cacheThemes>
<cacheTemplates>true</cacheTemplates>
<dir>${jboss.home.dir}/themes</dir>
</theme>
<spi name="eventsStore">
<provider name="jpa" enabled="true">
<properties>
<property name="exclude-events" value="[&quot;REFRESH_TOKEN&quot;]"/>
</properties>
</provider>
</spi>
<spi name="userCache">
<provider name="default" enabled="true"/>
</spi>
<spi name="userSessionPersister">
<default-provider>jpa</default-provider>
</spi>
<spi name="timer">
<default-provider>basic</default-provider>
</spi>
<spi name="connectionsHttpClient">
<provider name="default" enabled="true"/>
</spi>
<spi name="connectionsJpa">
<provider name="default" enabled="true">
<properties>
<property name="dataSource" value="java:jboss/datasources/KeycloakDS"/>
<property name="initializeEmpty" value="true"/>
<property name="migrationStrategy" value="update"/>
<property name="migrationExport" value="${jboss.home.dir}/keycloak-database-update.sql"/>
</properties>
</provider>
</spi>
<spi name="realmCache">
<provider name="default" enabled="true"/>
</spi>
<spi name="connectionsInfinispan">
<default-provider>default</default-provider>
<provider name="default" enabled="true">
<properties>
<property name="cacheContainer" value="java:jboss/infinispan/container/keycloak"/>
</properties>
</provider>
</spi>
<spi name="jta-lookup">
<default-provider>${keycloak.jta.lookup.provider:jboss}</default-provider>
<provider name="jboss" enabled="true"/>
</spi>
<spi name="publicKeyStorage">
<provider name="infinispan" enabled="true">
<properties>
<property name="minTimeBetweenRequests" value="10"/>
</properties>
</provider>
</spi>
<spi name="x509cert-lookup">
<default-provider>${keycloak.x509cert.lookup.provider:default}</default-provider>
<provider name="default" enabled="true"/>
</spi>
<spi name="hostname">
<default-provider>default</default-provider>
<provider name="default" enabled="true">
<properties>
<property name="frontendUrl" value="${keycloak.frontendUrl:}"/>
<property name="forceBackendUrlToFrontendUrl" value="false"/>
</properties>
</provider>
</spi>
</subsystem>
<subsystem xmlns="urn:jboss:domain:undertow:12.0" default-server="default-server" default-virtual-host="default-host" default-servlet-container="default" default-security-domain="other" statistics-enabled="${wildfly.undertow.statistics-enabled:${wildfly.statistics-enabled:false}}">
<buffer-cache name="default"/>
<server name="default-server">
<http-listener name="default" socket-binding="http" enable-http2="true" proxy-address-forwarding="true" redirect-socket="proxy-https"/>
<https-listener name="https" socket-binding="https" security-realm="ApplicationRealm" enable-http2="true"/>
<host name="default-host" alias="localhost">
<location name="/" handler="welcome-content"/>
<http-invoker security-realm="ApplicationRealm"/>
</host>
</server>
<servlet-container name="default">
<jsp-config/>
<websockets/>
</servlet-container>
<handlers>
<file name="welcome-content" path="${jboss.home.dir}/welcome-content"/>
</handlers>
</subsystem>
<subsystem xmlns="urn:jboss:domain:logging:8.0">
<console-handler name="CONSOLE">
<level name="INFO"/>
<formatter>
<named-formatter name="COLOR-PATTERN"/>
</formatter>
</console-handler>
<periodic-rotating-file-handler name="FILE" autoflush="true">
<formatter>
<named-formatter name="PATTERN"/>
</formatter>
<file relative-to="jboss.server.log.dir" path="server.log"/>
<suffix value=".yyyy-MM-dd"/>
<append value="true"/>
</periodic-rotating-file-handler>
<logger category="com.arjuna">
<level name="WARN"/>
</logger>
<logger category="io.jaegertracing.Configuration">
<level name="WARN"/>
</logger>
<logger category="org.jboss.as.config">
<level name="DEBUG"/>
</logger>
<logger category="sun.rmi">
<level name="WARN"/>
</logger>
<root-logger>
<level name="INFO"/>
<handlers>
<handler name="CONSOLE"/>
<handler name="FILE"/>
</handlers>
</root-logger>
<formatter name="PATTERN">
<pattern-formatter pattern="%d{yyyy-MM-dd HH:mm:ss,SSS} %-5p [%c] (%t) %s%e%n"/>
</formatter>
<formatter name="COLOR-PATTERN">
<pattern-formatter pattern="%K{level}%d{HH:mm:ss,SSS} %-5p [%c] (%t) %s%e%n"/>
</formatter>
</subsystem>
<subsystem xmlns="urn:jboss:domain:mail:4.0">
<mail-session name="default" jndi-name="java:jboss/mail/Default">
<smtp-server outbound-socket-binding-ref="mail-smtp"/>
</mail-session>
</subsystem>
<subsystem xmlns="urn:wildfly:metrics:1.0" security-enabled="false" exposed-subsystems="*" prefix="${wildfly.metrics.prefix:wildfly}"/>
<subsystem xmlns="urn:jboss:domain:naming:2.0">
<remote-naming/>
</subsystem>
<subsystem xmlns="urn:jboss:domain:remoting:4.0">
<http-connector name="http-remoting-connector" connector-ref="default" security-realm="ApplicationRealm"/>
</subsystem>
<subsystem xmlns="urn:jboss:domain:request-controller:1.0"/>
<subsystem xmlns="urn:jboss:domain:security-manager:1.0">
<deployment-permissions>
<maximum-set>
<permission class="java.security.AllPermission"/>
</maximum-set>
</deployment-permissions>
</subsystem>
<subsystem xmlns="urn:jboss:domain:security:2.0">
<security-domains>
<security-domain name="other" cache-type="default">
<authentication>
<login-module code="Remoting" flag="optional">
<module-option name="password-stacking" value="useFirstPass"/>
</login-module>
<login-module code="RealmDirect" flag="required">
<module-option name="password-stacking" value="useFirstPass"/>
</login-module>
</authentication>
</security-domain>
<security-domain name="jboss-web-policy" cache-type="default">
<authorization>
<policy-module code="Delegating" flag="required"/>
</authorization>
</security-domain>
<security-domain name="jaspitest" cache-type="default">
<authentication-jaspi>
<login-module-stack name="dummy">
<login-module code="Dummy" flag="optional"/>
</login-module-stack>
<auth-module code="Dummy"/>
</authentication-jaspi>
</security-domain>
<security-domain name="jboss-ejb-policy" cache-type="default">
<authorization>
<policy-module code="Delegating" flag="required"/>
</authorization>
</security-domain>
</security-domains>
</subsystem>
<subsystem xmlns="urn:jboss:domain:datasources:6.0">
<datasources>
<datasource jndi-name="java:jboss/datasources/ExampleDS" pool-name="ExampleDS" enabled="true" use-java-context="true" statistics-enabled="${wildfly.datasources.statistics-enabled:${wildfly.statistics-enabled:false}}">
<connection-url>jdbc:h2:mem:test;DB_CLOSE_DELAY=-1;DB_CLOSE_ON_EXIT=FALSE</connection-url>
<driver>h2</driver>
<security>
<user-name>sa</user-name>
<password>sa</password>
</security>
</datasource>
<datasource jndi-name="java:jboss/datasources/KeycloakDS" pool-name="KeycloakDS" enabled="true" use-java-context="true" statistics-enabled="${wildfly.datasources.statistics-enabled:${wildfly.statistics-enabled:false}}">
<connection-url>jdbc:h2:${jboss.server.data.dir}/keycloak;AUTO_SERVER=TRUE</connection-url>
<driver>h2</driver>
<security>
<user-name>sa</user-name>
<password>sa</password>
</security>
</datasource>
<drivers>
<driver name="h2" module="com.h2database.h2">
<xa-datasource-class>org.h2.jdbcx.JdbcDataSource</xa-datasource-class>
</driver>
</drivers>
</datasources>
</subsystem>
<subsystem xmlns="urn:wildfly:elytron:13.0" final-providers="combined-providers" disallowed-providers="OracleUcrypto">
<providers>
<aggregate-providers name="combined-providers">
<providers name="elytron"/>
<providers name="openssl"/>
</aggregate-providers>
<provider-loader name="elytron" module="org.wildfly.security.elytron"/>
<provider-loader name="openssl" module="org.wildfly.openssl"/>
</providers>
<audit-logging>
<file-audit-log name="local-audit" path="audit.log" relative-to="jboss.server.log.dir" format="JSON"/>
</audit-logging>
<security-domains>
<security-domain name="ApplicationDomain" default-realm="ApplicationRealm" permission-mapper="default-permission-mapper">
<realm name="ApplicationRealm" role-decoder="groups-to-roles"/>
<realm name="local"/>
</security-domain>
<security-domain name="ManagementDomain" default-realm="ManagementRealm" permission-mapper="default-permission-mapper">
<realm name="ManagementRealm" role-decoder="groups-to-roles"/>
<realm name="local" role-mapper="super-user-mapper"/>
</security-domain>
</security-domains>
<security-realms>
<identity-realm name="local" identity="$local"/>
<properties-realm name="ApplicationRealm">
<users-properties path="application-users.properties" relative-to="jboss.server.config.dir" digest-realm-name="ApplicationRealm"/>
<groups-properties path="application-roles.properties" relative-to="jboss.server.config.dir"/>
</properties-realm>
<properties-realm name="ManagementRealm">
<users-properties path="mgmt-users.properties" relative-to="jboss.server.config.dir" digest-realm-name="ManagementRealm"/>
<groups-properties path="mgmt-groups.properties" relative-to="jboss.server.config.dir"/>
</properties-realm>
</security-realms>
<mappers>
<simple-permission-mapper name="default-permission-mapper" mapping-mode="first">
<permission-mapping>
<principal name="anonymous"/>
<permission-set name="default-permissions"/>
</permission-mapping>
<permission-mapping match-all="true">
<permission-set name="login-permission"/>
<permission-set name="default-permissions"/>
</permission-mapping>
</simple-permission-mapper>
<constant-realm-mapper name="local" realm-name="local"/>
<simple-role-decoder name="groups-to-roles" attribute="groups"/>
<constant-role-mapper name="super-user-mapper">
<role name="SuperUser"/>
</constant-role-mapper>
</mappers>
<permission-sets>
<permission-set name="login-permission">
<permission class-name="org.wildfly.security.auth.permission.LoginPermission"/>
</permission-set>
<permission-set name="default-permissions">
<permission class-name="org.wildfly.extension.batch.jberet.deployment.BatchPermission" module="org.wildfly.extension.batch.jberet" target-name="*"/>
<permission class-name="org.wildfly.transaction.client.RemoteTransactionPermission" module="org.wildfly.transaction.client"/>
<permission class-name="org.jboss.ejb.client.RemoteEJBPermission" module="org.jboss.ejb-client"/>
</permission-set>
</permission-sets>
<http>
<http-authentication-factory name="management-http-authentication" security-domain="ManagementDomain" http-server-mechanism-factory="global">
<mechanism-configuration>
<mechanism mechanism-name="DIGEST">
<mechanism-realm realm-name="ManagementRealm"/>
</mechanism>
</mechanism-configuration>
</http-authentication-factory>
<provider-http-server-mechanism-factory name="global"/>
</http>
<sasl>
<sasl-authentication-factory name="application-sasl-authentication" sasl-server-factory="configured" security-domain="ApplicationDomain">
<mechanism-configuration>
<mechanism mechanism-name="JBOSS-LOCAL-USER" realm-mapper="local"/>
<mechanism mechanism-name="DIGEST-MD5">
<mechanism-realm realm-name="ApplicationRealm"/>
</mechanism>
</mechanism-configuration>
</sasl-authentication-factory>
<sasl-authentication-factory name="management-sasl-authentication" sasl-server-factory="configured" security-domain="ManagementDomain">
<mechanism-configuration>
<mechanism mechanism-name="JBOSS-LOCAL-USER" realm-mapper="local"/>
<mechanism mechanism-name="DIGEST-MD5">
<mechanism-realm realm-name="ManagementRealm"/>
</mechanism>
</mechanism-configuration>
</sasl-authentication-factory>
<configurable-sasl-server-factory name="configured" sasl-server-factory="elytron">
<properties>
<property name="wildfly.sasl.local-user.default-user" value="$local"/>
</properties>
</configurable-sasl-server-factory>
<mechanism-provider-filtering-sasl-server-factory name="elytron" sasl-server-factory="global">
<filters>
<filter provider-name="WildFlyElytron"/>
</filters>
</mechanism-provider-filtering-sasl-server-factory>
<provider-sasl-server-factory name="global"/>
</sasl>
<tls>
<key-stores>
<key-store name="applicationKS">
<credential-reference clear-text="password"/>
<implementation type="JKS"/>
<file path="application.keystore" relative-to="jboss.server.config.dir"/>
</key-store>
</key-stores>
<key-managers>
<key-manager name="applicationKM" key-store="applicationKS" generate-self-signed-certificate-host="localhost">
<credential-reference clear-text="password"/>
</key-manager>
</key-managers>
<server-ssl-contexts>
<server-ssl-context name="applicationSSC" key-manager="applicationKM"/>
</server-ssl-contexts>
</tls>
</subsystem>
<subsystem xmlns="urn:jboss:domain:transactions:6.0">
<core-environment node-identifier="${jboss.tx.node.id:1}">
<process-id>
<uuid/>
</process-id>
</core-environment>
<recovery-environment socket-binding="txn-recovery-environment" status-socket-binding="txn-status-manager"/>
<coordinator-environment statistics-enabled="${wildfly.transactions.statistics-enabled:${wildfly.statistics-enabled:false}}"/>
<object-store path="tx-object-store" relative-to="jboss.server.data.dir"/>
</subsystem>
<subsystem xmlns="urn:jboss:domain:weld:4.0"/>
</profile>
<interfaces>
<interface name="management">
<inet-address value="${jboss.bind.address.management:127.0.0.1}"/>
</interface>
<interface name="public">
<inet-address value="${jboss.bind.address:127.0.0.1}"/>
</interface>
</interfaces>
<socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">
<socket-binding name="proxy-https" port="443"/>
<socket-binding name="ajp" port="${jboss.ajp.port:8009}"/>
<socket-binding name="http" port="${jboss.http.port:8080}"/>
<socket-binding name="https" port="${jboss.https.port:8443}"/>
<socket-binding name="management-http" interface="management" port="${jboss.management.http.port:9990}"/>
<socket-binding name="management-https" interface="management" port="${jboss.management.https.port:9993}"/>
<socket-binding name="txn-recovery-environment" port="4712"/>
<socket-binding name="txn-status-manager" port="4713"/>
<outbound-socket-binding name="mail-smtp">
<remote-destination host="${jboss.mail.server.host:localhost}" port="${jboss.mail.server.port:25}"/>
</outbound-socket-binding>
</socket-binding-group>
</server>