diff --git a/README.md b/README.md
index 6821ea1..f762307 100644
--- a/README.md
+++ b/README.md
@@ -7,8 +7,9 @@ Needs: https://github.com/AlexanderGabriel/ansible-role-acme.sh to get certs fro
Hint: Use variables use_local_ca: yes and acme_sh_server: https://host:port/acme/acme/directory to use your own intranet step-ca or acme-compatible CA for local certs
All vars:
-* keycloak_initial_admin_password initial admin user password
-* use_local_ca: yes or no
-* acme_sh_server: url to acme-compatible ca, if not provided, use letsencrypt
-* acme_sh_email: your email-address
-
+* keycloak_postgresql_database: keycloak
+* keycloak_postgresql_username: keycloak
+* keycloak_postgresql_password: keycloak
+* keycloak_initial_admin_name: keycloak
+* keycloak_initial_admin_password: keycloak
+* keycloak_http_host: 127.0.0.1
diff --git a/defaults/main.yml b/defaults/main.yml
new file mode 100644
index 0000000..3c50535
--- /dev/null
+++ b/defaults/main.yml
@@ -0,0 +1,7 @@
+---
+keycloak_postgresql_database: keycloak
+keycloak_postgresql_username: keycloak
+keycloak_postgresql_password: keycloak
+keycloak_initial_admin_name: keycloak
+keycloak_initial_admin_password: keycloak
+keycloak_http_host: 127.0.0.1
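Review bot: `keycloak_postgresql_password: keycloak` and `keycloak_initial_admin_password: keycloak` ship a working credential as a role default, so a playbook that forgets to override them deploys a reachable Keycloak whose DB and master-realm admin both use a value that is also written in the README. Role defaults are the weakest precedence level and are easy to miss, and nothing in tasks/main.yml checks that they were replaced. Either leave the two password keys out of defaults/main.yml so an undefined variable fails the template tasks, or keep the defaults and add an `ansible.builtin.assert` at the top of tasks/main.yml that fails when either password still equals `keycloak`. The remaining keys (database, username, admin name, http host) are fine as defaults.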
diff --git a/tasks/main.yml b/tasks/main.yml
index c5397c5..1a88710 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -7,6 +7,31 @@
- apache2
update_cache: yes
+##install database
+- name: include role for postgresql
+ include_role:
+ name: postgresql
+ vars:
+ postgresql_database: "{{ keycloak_postgresql_database }}"
+ postgresql_username: "{{ keycloak_postgresql_username }}"
+ postgresql_password: "{{ keycloak_postgresql_password }}"
+
+- name: include role for website
+ include_role:
+ name: website
+ vars:
+ domainname: "{{ inventory_hostname }}"
+ docroot: "/var/www/html"
+ optionalDirectives: |
+ ProxyPreserveHost On
+ SSLProxyEngine On
+ SSLProxyCheckPeerCN on
+ SSLProxyCheckPeerExpire on
+ RequestHeader set X-Forwarded-Proto "https"
+ RequestHeader set X-Forwarded-Port "443"
+ ProxyPass / http://127.0.0.1:8080/
+ ProxyPassReverse / http://127.0.0.1:8080/
+
- name: create user for keycloak
user:
name: keycloak
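Review bot: `ProxyPass / http://127.0.0.1:8080/` and `ProxyPassReverse / http://127.0.0.1:8080/` hard-code the backend address, while the unit templates bind Keycloak to `KC_HTTP_HOST={{ keycloak_http_host }}`; if a user overrides the new `keycloak_http_host` default the reverse proxy and the listener diverge silently. Use the same variable in both directives, `ProxyPass / http://{{ keycloak_http_host }}:8080/` and `ProxyPassReverse / http://{{ keycloak_http_host }}:8080/`. The `SSLProxyEngine`/`SSLProxyCheckPeer*` lines appear to be no-ops for an `http://` backend, though I cannot see what the website role does with `optionalDirectives`. The apt task whose `- apache2` line opens this hunk starts outside it.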
@@ -18,23 +43,50 @@
- name: check if keycloak-dir exists
stat:
- path: /opt/keycloak/keycloak-13.0.1
+ path: /opt/keycloak/keycloak-21.0.1
register: keycloak_exists
-- name: Extract keycloak-13.0.1.tar.gz to /opt/keycloak
+- name: Extract keycloak-21.0.1.zip to /opt/keycloak
unarchive:
- src: keycloak-13.0.1.tar.gz
+ src: keycloak-21.0.1.zip
dest: /opt/keycloak
owner: keycloak
group: keycloak
when: not keycloak_exists.stat.exists or redeploy is defined
-- name: link /opt/keycloak/keycloak-13.0.1 to /opt/keycloak/current
+- name: link /opt/keycloak/keycloak-21.0.1 to /opt/keycloak/current
file:
state: link
- src: /opt/keycloak/keycloak-13.0.1
+ src: /opt/keycloak/keycloak-21.0.1
dest: /opt/keycloak/current
+##build once
+- name: check if /opt/keycloak/current/builtonce.txt exists
+ stat:
+ path: /opt/keycloak/current/builtonce.txt
+ register: builtonce_exists
+
+- name: build keycloak
+ command: sudo -u keycloak /opt/keycloak/current/bin/kc.sh build --db=postgres
+ when: not builtonce_exists.stat.exists
+
+- name: create file to track build
+ ansible.builtin.file:
+ path: /opt/keycloak/current/builtonce.txt
+ owner: keycloak
+ group: keycloak
+ mode: '0770'
+ state: touch
+ when: not builtonce_exists.stat.exists
+
+- name: set permissions correct
+ file:
+ dest: /opt/keycloak
+ owner: keycloak
+ group: keycloak
+ mode: "0770"
+ recurse: yes
+
- name: generate /etc/systemd/system/keycloak.service
template:
src: keycloak.service.j2
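Review bot: `command: sudo -u keycloak /opt/keycloak/current/bin/kc.sh build --db=postgres` shells out to sudo instead of using Ansible's privilege escalation, which bypasses `become` logging/configuration and breaks on hosts where the connecting user has no sudo rule for `-u keycloak`; write it as `command: /opt/keycloak/current/bin/kc.sh build --db=postgres` with `become: true` and `become_user: keycloak` on the task. The "set permissions correct" task applies `mode: "0770"` with `recurse: yes` to every file under /opt/keycloak, so all regular files become group-executable and the task reports changed on every run after the build or a touch; `mode: "u=rwX,g=rwX,o="` sets the execute bit only on directories and is idempotent. The two touch tasks use `mode: '0770'` while the rest of the file uses double quotes, and the `##build once` comment should be `# build once` per the file's `# ` style.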
@@ -45,27 +97,6 @@
notify:
- reload systemd
-- name: generate /opt/keycloak/current/standalone/configuration/standalone.xml
- template:
- src: standalone.xml.j2
- dest: /opt/keycloak/current/standalone/configuration/standalone.xml
- notify:
- - restart keycloak
-
-- name: enable keycloak
- systemd:
- name: keycloak
- enabled: yes
- masked: no
-
-- name: set permissions correct
- file:
- dest: /opt/keycloak
- owner: keycloak
- group: keycloak
- mode: "0770"
- recurse: yes
-
- name: Flush handlers
meta: flush_handlers
@@ -80,143 +111,80 @@
- name: Flush handlers
meta: flush_handlers
+##add admin user once
- name: check if /opt/keycloak/current/adminuseradded.txt exists
stat:
- path: /opt/keycloak/current/standalone/configuration/keycloak-add-user.json
+ path: /opt/keycloak/current/adminuseradded.txt
register: adminuseradded_exists
-- name: check if /opt/keycloak/current/standalone/configuration/keycloak-add-user.json exists
- stat:
- path: /opt/keycloak/current/standalone/configuration/keycloak-add-user.json
+- name: stop keycloak
+ ansible.builtin.service:
+ name: keycloak
+ state: stopped
when: not adminuseradded_exists.stat.exists
- register: keycloak_add_user_exists
-- name: check if user exists
- shell: "grep username /opt/keycloak/current/standalone/configuration/keycloak-add-user.json | grep admin"
- register: userexists
- when: not adminuseradded_exists.stat.exists and keycloak_add_user_exists.stat.exists
-
-- name: create initial admin user
- command: sudo -u keycloak /opt/keycloak/current/bin/add-user-keycloak.sh -u admin -p {{ keycloak_initial_admin_password }} -r master
- when: not keycloak_add_user_exists.stat.exists or userexists.stdout == ""
+- name: generate /etc/systemd/system/keycloak.service
+ template:
+ src: keycloak.service_init.j2
+ dest: /etc/systemd/system/keycloak.service
+ owner: root
+ group: root
+ mode: "0644"
+ when: not adminuseradded_exists.stat.exists
notify:
- restart keycloak
+ - reload systemd
-- name: create initial admin user
- command: sudo -u keycloak touch /opt/keycloak/current/adminuseradded.txt
- when: not keycloak_add_user_exists.stat.exists or userexists.stdout == ""
+- name: Flush handlers
+ meta: flush_handlers
+
+- name: start keycloak
+ ansible.builtin.service:
+ name: keycloak
+ state: started
+ when: not adminuseradded_exists.stat.exists
+
+- name: Sleep 60 seconds
+ ansible.builtin.wait_for:
+ timeout: 60
+ delegate_to: localhost
+ when: not adminuseradded_exists.stat.exists
+
+- name: stop keycloak
+ ansible.builtin.service:
+ name: keycloak
+ state: stopped
+ when: not adminuseradded_exists.stat.exists
+
+- name: generate /etc/systemd/system/keycloak.service
+ template:
+ src: keycloak.service.j2
+ dest: /etc/systemd/system/keycloak.service
+ owner: root
+ group: root
+ mode: "0644"
+ when: not adminuseradded_exists.stat.exists
notify:
- restart keycloak
+ - reload systemd
-- name: set permissions correct again
- file:
- dest: /opt/keycloak
+- name: Flush handlers
+ meta: flush_handlers
+
+- name: start keycloak
+ ansible.builtin.service:
+ name: keycloak
+ state: started
+ when: not adminuseradded_exists.stat.exists
+
+- name: create file to track user creation
+ ansible.builtin.file:
+ path: /opt/keycloak/current/adminuseradded.txt
owner: keycloak
group: keycloak
- mode: "0770"
- recurse: yes
-
-- name: enable apache module proxy
- command: a2enmod proxy
- args:
- creates: /etc/apache2/mods-enabled/proxy.load
- notify:
- restart apache2
-
-- name: enable apache module proxy_html
- command: a2enmod proxy_html
- args:
- creates: /etc/apache2/mods-enabled/proxy_html.load
- notify:
- restart apache2
-
-- name: enable apache module proxy_http
- command: a2enmod proxy_http
- args:
- creates: /etc/apache2/mods-enabled/proxy_http.load
- notify:
- restart apache2
-
-- name: enable apache module proxy_http2
- command: a2enmod proxy_http2
- args:
- creates: /etc/apache2/mods-enabled/proxy_http2.load
- notify:
- restart apache2
-
-- name: enable apache module ssl
- command: a2enmod ssl
- args:
- creates: /etc/apache2/mods-enabled/ssl.load
- notify:
- restart apache2
-
-- name: enable apache module headers
- command: a2enmod headers
- args:
- creates: /etc/apache2/mods-enabled/headers.load
- notify:
- restart apache2
-
-- name: enable apache module rewrite
- command: a2enmod rewrite
- args:
- creates: /etc/apache2/mods-enabled/rewrite.load
- notify:
- restart apache2
-
-- name: install acme.sh
- include_role:
- name: acmesh
-
-- name: set amce server url
- set_fact:
- acmeshserver: "--server {{ acme_sh_server }} --insecure --force --days 1"
- when: acme_sh_server is defined
-
-- name: set amce server url
- set_fact:
- acmeshserver: ""
- when: not acme_sh_server is defined
-
-- name: get certificates
- command: /root/.acme.sh/acme.sh --issue --apache {{ acmeshserver }} -d {{ inventory_hostname }} --email {{ acme_sh_email }} --key-file /etc/ssl/private/{{ inventory_hostname }}.key --fullchain-file /etc/ssl/certs/{{ inventory_hostname }}.pem --reloadcmd "service apache2 reload"
- args:
- creates: /etc/ssl/private/{{ inventory_hostname }}.key
-
-- name: generate /etc/apache2/sites-available/{{ inventory_hostname }}.conf
- template:
- src: apache.conf.j2
- dest: /etc/apache2/sites-available/{{ inventory_hostname }}.conf
- owner: root
- group: root
- mode: "0644"
- notify:
- - reload apache2
-
-- name: generate /etc/apache2/sites-available/{{ inventory_hostname }}-ssl.conf
- template:
- src: apache-ssl.conf.j2
- dest: /etc/apache2/sites-available/{{ inventory_hostname }}-ssl.conf
- owner: root
- group: root
- mode: "0644"
- notify:
- - reload apache2
-
-- name: activate /etc/apache2/sites-available/{{ inventory_hostname }}.conf
- file:
- state: link
- src: /etc/apache2/sites-available/{{ inventory_hostname }}.conf
- dest: /etc/apache2/sites-enabled/{{ inventory_hostname }}.conf
- notify:
- - reload apache2
-
-- name: activate /etc/apache2/sites-available/{{ inventory_hostname }}-ssl.conf
- file:
- state: link
- src: /etc/apache2/sites-available/{{ inventory_hostname }}-ssl.conf
- dest: /etc/apache2/sites-enabled/{{ inventory_hostname }}-ssl.conf
- notify:
- - reload apache2
+ mode: '0770'
+ state: touch
+ when: not adminuseradded_exists.stat.exists
+- name: start keycloak
+ ansible.builtin.service:
+ name: keycloak
+ state: started
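Review bot: The "create file to track user creation" task touches /opt/keycloak/current/adminuseradded.txt whenever the marker was absent, regardless of whether the admin bootstrap actually happened, and the only thing between starting the init unit and stopping it again is a fixed `wait_for: timeout: 60` delegated to localhost that does not observe Keycloak at all; the unit's `TimeoutStartSec=600` suggests startup can take longer than 60 s, in which case the admin user is never created and the marker prevents any retry. Replace the sleep with a readiness wait on the target host, `host: "{{ keycloak_http_host }}"`, `port: 8080`, `timeout: 600`, and drop `delegate_to: localhost`, so the stop only happens after the HTTP listener is up. The previous "enable keycloak" task (removed in the hunk above) has no replacement here, so the service is started but never enabled; add `enabled: true` to the final "start keycloak" task. Also consider `ignore_errors`-free handling for the first "stop keycloak": on a brand-new host it runs before the service has ever been started, which works only because the unit was already rendered and systemd reloaded earlier in this file.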
diff --git a/templates/apache-ssl.conf.j2 b/templates/apache-ssl.conf.j2
deleted file mode 100644
index 05382d3..0000000
--- a/templates/apache-ssl.conf.j2
+++ /dev/null
@@ -1,31 +0,0 @@
-
-
- ServerName {{ inventory_hostname }}
- ServerAdmin webmaster@{{ inventory_hostname }}
-
- DocumentRoot /var/www/html
-
- ErrorLog ${APACHE_LOG_DIR}/{{ inventory_hostname }}.error.log
- CustomLog ${APACHE_LOG_DIR}/{{ inventory_hostname }}.access.log combined
-
- SSLEngine on
- SSLCertificateFile /etc/ssl/certs/{{ inventory_hostname }}.pem
- SSLCertificateKeyFile /etc/ssl/private/{{ inventory_hostname }}.key
-
-
- SSLOptions +StdEnvVars
-
-
- SSLOptions +StdEnvVars
-
- ProxyPreserveHost On
- SSLProxyEngine On
- SSLProxyCheckPeerCN on
- SSLProxyCheckPeerExpire on
- RequestHeader set X-Forwarded-Proto "https"
- RequestHeader set X-Forwarded-Port "443"
- ProxyPass / http://127.0.0.1:8080/
- ProxyPassReverse / http://127.0.0.1:8080/
-
-
-
diff --git a/templates/apache.conf.j2 b/templates/apache.conf.j2
deleted file mode 100644
index c93f206..0000000
--- a/templates/apache.conf.j2
+++ /dev/null
@@ -1,14 +0,0 @@
-
- ServerName {{ inventory_hostname }}
-
- ServerAdmin webmaster@{{ inventory_hostname }}
- DocumentRoot /var/www/html
-
- ErrorLog ${APACHE_LOG_DIR}/{{ inventory_hostname }}.error.log
- CustomLog ${APACHE_LOG_DIR}/{{ inventory_hostname }}.access.log combined
-
- #rewrite transparent to https, keep uri
- RewriteEngine On
- RewriteCond %{HTTPS} off
- RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R,L]
-
diff --git a/templates/keycloak.service.j2 b/templates/keycloak.service.j2
index b958045..8a12893 100644
--- a/templates/keycloak.service.j2
+++ b/templates/keycloak.service.j2
@@ -6,9 +6,16 @@ After=network.target
Type=idle
User=keycloak
Group=keycloak
-ExecStart=/opt/keycloak/current/bin/standalone.sh
+ExecStart=/opt/keycloak/current/bin/kc.sh start
TimeoutStartSec=600
TimeoutStopSec=600
+Environment="KC_HTTP_HOST={{ keycloak_http_host}}"
+Environment="KC_HOSTNAME={{ inventory_hostname }}"
+Environment="KC_DB_USERNAME={{ keycloak_postgresql_username }}"
+Environment="KC_DB_PASSWORD={{ keycloak_postgresql_password }}"
+Environment="KC_DB_URL_DATABASE={{ keycloak_postgresql_database }}"
+Environment="KC_DB_URL_HOST={{ inventory_hostname }}"
+Environment="KC_PROXY=edge"
[Install]
-WantedBy=multi-user.target
\ No newline at end of file
+WantedBy=multi-user.target
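Review bot: `Environment="KC_DB_PASSWORD={{ keycloak_postgresql_password }}"` writes the database password into /etc/systemd/system/keycloak.service, which tasks/main.yml installs with `mode: "0644"`, so any local account can read it, and `systemctl show keycloak` prints `Environment=` values as well. Move the secret-bearing variables into an `EnvironmentFile=` (for example `EnvironmentFile=/etc/keycloak/keycloak.env` — path to be chosen) rendered root:keycloak `0640`, keeping only non-secret settings in the unit. The same applies to `KC_DB_PASSWORD` and especially `KEYCLOAK_ADMIN_PASSWORD` in the new templates/keycloak.service_init.j2. Minor: `{{ keycloak_http_host}}` is missing the space before `}}` that every other expression in the file has (also in the init template).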
diff --git a/templates/keycloak.service_init.j2 b/templates/keycloak.service_init.j2
new file mode 100644
index 0000000..e64c3d1
--- /dev/null
+++ b/templates/keycloak.service_init.j2
@@ -0,0 +1,23 @@
+[Unit]
+Description=Keycloak
+After=network.target
+
+[Service]
+Type=idle
+User=keycloak
+Group=keycloak
+ExecStart=/opt/keycloak/current/bin/kc.sh start
+TimeoutStartSec=600
+TimeoutStopSec=600
+Environment="KC_HTTP_HOST={{ keycloak_http_host}}"
+Environment="KC_HOSTNAME={{ inventory_hostname }}"
+Environment="KC_DB_USERNAME={{ keycloak_postgresql_username }}"
+Environment="KC_DB_PASSWORD={{ keycloak_postgresql_password }}"
+Environment="KC_DB_URL_DATABASE={{ keycloak_postgresql_database }}"
+Environment="KC_DB_URL_HOST={{ inventory_hostname }}"
+Environment="KC_PROXY=edge"
+Environment="KEYCLOAK_ADMIN={{ keycloak_initial_admin_name }}"
+Environment="KEYCLOAK_ADMIN_PASSWORD={{ keycloak_initial_admin_password }}"
+
+[Install]
+WantedBy=multi-user.target
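Review bot: This file duplicates templates/keycloak.service.j2 line for line except for the two `KEYCLOAK_ADMIN*` entries, so every future change to the unit (the `KC_*` variables, timeouts, ExecStart) has to be made twice and the two copies will drift. A single template with the admin lines wrapped in `{% if not adminuseradded_exists.stat.exists %}` … `{% endif %}` serves both the bootstrap and the steady-state renders in tasks/main.yml, since that registered fact is already what gates those tasks. If the two files are kept, `KEYCLOAK_ADMIN_PASSWORD` should not be placed in a `0644` unit file for the 60-second bootstrap window; an `EnvironmentFile=` with restricted mode is the safer carrier.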
diff --git a/templates/standalone.xml.j2 b/templates/standalone.xml.j2
deleted file mode 100644
index c50fd33..0000000
--- a/templates/standalone.xml.j2
+++ /dev/null
@@ -1,613 +0,0 @@
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- false
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- auth
-
- classpath:${jboss.home.dir}/providers/*
-
- master
- 900
-
- 2592000
- true
- true
- ${jboss.home.dir}/themes
-
-
-
-
-
-
-
-
-
-
-
-
- jpa
-
-
- basic
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- default
-
-
-
-
-
-
-
- ${keycloak.jta.lookup.provider:jboss}
-
-
-
-
-
-
-
-
-
-
- ${keycloak.x509cert.lookup.provider:default}
-
-
-
- default
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- jdbc:h2:mem:test;DB_CLOSE_DELAY=-1;DB_CLOSE_ON_EXIT=FALSE
- h2
-
- sa
- sa
-
-
-
- jdbc:h2:${jboss.server.data.dir}/keycloak;AUTO_SERVER=TRUE
- h2
-
- sa
- sa
-
-
-
-
- org.h2.jdbcx.JdbcDataSource
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-