194 lines
4.8 KiB
YAML
194 lines
4.8 KiB
YAML
---
|
|
- name: install stuff
|
|
apt:
|
|
name:
|
|
- default-jre
|
|
- unzip
|
|
- apache2
|
|
update_cache: yes
|
|
|
|
- name: create user for keycloak
|
|
user:
|
|
name: keycloak
|
|
state: present
|
|
shell: /bin/false
|
|
system: yes
|
|
createhome: yes
|
|
home: /opt/keycloak
|
|
|
|
- name: Extract keycloak-13.0.1.tar.gz to /opt/keycloak
|
|
unarchive:
|
|
src: keycloak-13.0.1.tar.gz
|
|
dest: /opt/keycloak
|
|
owner: keycloak
|
|
group: keycloak
|
|
|
|
- name: link /opt/keycloak/keycloak-13.0.1 to /opt/keycloak/current
|
|
file:
|
|
state: link
|
|
src: /opt/keycloak/keycloak-13.0.1
|
|
dest: /opt/keycloak/current
|
|
|
|
- name: set permissions correct
|
|
file:
|
|
dest: /opt/keycloak
|
|
owner: keycloak
|
|
group: keycloak
|
|
recurse: yes
|
|
|
|
- name: set permissions correct 2
|
|
file:
|
|
dest: /opt/keycloak/current/standalone/deployments
|
|
owner: keycloak
|
|
group: keycloak
|
|
mode: "0644"
|
|
recurse: yes
|
|
|
|
- name: generate /etc/systemd/system/keycloak.service
|
|
template:
|
|
src: keycloak.service.j2
|
|
dest: /etc/systemd/system/keycloak.service
|
|
owner: root
|
|
group: root
|
|
mode: "0644"
|
|
notify:
|
|
- reload systemd
|
|
|
|
- name: generate /opt/keycloak/current/standalone/configuration/standalone.xml
|
|
template:
|
|
src: standalone.xml.j2
|
|
dest: /opt/keycloak/current/standalone/configuration/standalone.xml
|
|
owner: keycloak
|
|
group: keycloak
|
|
mode: "0644"
|
|
notify:
|
|
- restart keycloak
|
|
|
|
- name: enable keycloak
|
|
systemd:
|
|
name: keycloak
|
|
enabled: yes
|
|
masked: no
|
|
|
|
- name: Flush handlers
|
|
meta: flush_handlers
|
|
|
|
- name: enable keycloak
|
|
systemd:
|
|
name: keycloak
|
|
enabled: yes
|
|
masked: no
|
|
notify:
|
|
restart keycloak
|
|
|
|
- name: Flush handlers
|
|
meta: flush_handlers
|
|
|
|
- name: check if /opt/keycloak/current/standalone/configuration/keycloak-add-user.json exists
|
|
stat:
|
|
path: /opt/keycloak/current/standalone/configuration/keycloak-add-user.json
|
|
register: file_exists
|
|
|
|
- name: check if user exists
|
|
shell: "grep username /opt/keycloak/current/standalone/configuration/keycloak-add-user.json | grep admin"
|
|
register: userexists
|
|
when: file_exists.stat.exists
|
|
|
|
- name: create initial admin user
|
|
command: /opt/keycloak/current/bin/add-user-keycloak.sh -u admin -p {{ keycloak_initial_admin_password }} -r master
|
|
when: file_exists.stat.exists and userexists.stdout == ""
|
|
|
|
- name: enable apache module proxy
|
|
command: a2enmod proxy
|
|
args:
|
|
creates: /etc/apache2/mods-enabled/proxy.load
|
|
notify:
|
|
restart apache2
|
|
|
|
- name: enable apache module proxy_html
|
|
command: a2enmod proxy_html
|
|
args:
|
|
creates: /etc/apache2/mods-enabled/proxy_html.load
|
|
notify:
|
|
restart apache2
|
|
|
|
- name: enable apache module proxy_http
|
|
command: a2enmod proxy_http
|
|
args:
|
|
creates: /etc/apache2/mods-enabled/proxy_http.load
|
|
notify:
|
|
restart apache2
|
|
|
|
- name: enable apache module proxy_http2
|
|
command: a2enmod proxy_http2
|
|
args:
|
|
creates: /etc/apache2/mods-enabled/proxy_http2.load
|
|
notify:
|
|
restart apache2
|
|
|
|
- name: enable apache module ssl
|
|
command: a2enmod ssl
|
|
args:
|
|
creates: /etc/apache2/mods-enabled/ssl.load
|
|
notify:
|
|
restart apache2
|
|
|
|
- name: enable apache module headers
|
|
command: a2enmod headers
|
|
args:
|
|
creates: /etc/apache2/mods-enabled/headers.load
|
|
notify:
|
|
restart apache2
|
|
|
|
- name: install acme.sh
|
|
include_role:
|
|
name: acme.sh
|
|
|
|
- name: set amce server url
|
|
set_fact:
|
|
acmeshserver: "--server {{ acme_sh_server }} --insecure --force"
|
|
when: acme_sh_server is defined
|
|
|
|
- name: set amce server url
|
|
set_fact:
|
|
acmeshserver: ""
|
|
when: not acme_sh_server is defined
|
|
|
|
- name: get certificates
|
|
command: /root/.acme.sh/acme.sh --issue --apache {{ acmeshserver }} -d {{ inventory_hostname }} --email {{ acme_sh_email }} --key-file /etc/ssl/private/{{ inventory_hostname }}.key --fullchain-file /etc/ssl/certs/{{ inventory_hostname }}.pem --reloadcmd "service apache2 reload"
|
|
args:
|
|
creates: /etc/ssl/private/sso.speedport.ip.key
|
|
|
|
- name: generate /etc/apache2/sites-available/{{ inventory_hostname }}.conf
|
|
template:
|
|
src: apache.conf.j2
|
|
dest: /etc/apache2/sites-available/{{ inventory_hostname }}.conf
|
|
owner: root
|
|
group: root
|
|
mode: "0644"
|
|
|
|
- name: generate /etc/apache2/sites-available/{{ inventory_hostname }}-ssl.conf
|
|
template:
|
|
src: apache-ssl.conf.j2
|
|
dest: /etc/apache2/sites-available/{{ inventory_hostname }}-ssl.conf
|
|
owner: root
|
|
group: root
|
|
mode: "0644"
|
|
|
|
- name: activate /etc/apache2/sites-available/{{ inventory_hostname }}.conf
|
|
file:
|
|
state: link
|
|
src: /etc/apache2/sites-available/{{ inventory_hostname }}.conf
|
|
dest: /etc/apache2/sites-enabled/{{ inventory_hostname }}.conf
|
|
notify:
|
|
- reload apache2
|
|
|
|
- name: activate /etc/apache2/sites-available/{{ inventory_hostname }}-ssl.conf
|
|
file:
|
|
state: link
|
|
src: /etc/apache2/sites-available/{{ inventory_hostname }}-ssl.conf
|
|
dest: /etc/apache2/sites-enabled/{{ inventory_hostname }}-ssl.conf
|
|
notify:
|
|
- reload apache2
|
|
|