Commit e93f2354 authored by Thomas Schneider's avatar Thomas Schneider
Browse files

Add keycloak role

parent b493af54
Pipeline #3442 passed with stage
in 2 minutes and 33 seconds
---
keycloak_version: "15.0.2"
keycloak_db:
type: h2
# keycloak_db:
# type: postgres
# user: keycloak
# password: hunter2
# host: db.example.org
# name: keycloak
keycloak_manage_local_postgres: true
[Unit]
Description=Keycloak Identity and Access Management
After=network-online.target postgresql.service
Wants=network-online.target
[Service]
ExecStart=/opt/keycloak/bin/standalone.sh
User=keycloak
Environment=JBOSS_BASE_DIR=/var/lib/keycloak/standalone
Environment=JBOSS_LOG_DIR=/var/log/keycloak
LimitNOFILE=102642
[Install]
WantedBy=multi-user.target
<?xml version="1.0"?>
<module xmlns="urn:jboss:module:1.3" name="org.postgresql">
<resources>
<resource-root path="postgresql.jar"/>
</resources>
<dependencies>
<module name="javax.api"/>
<module name="javax.transaction.api"/>
</dependencies>
</module>
---
- name: Reload systemd
systemd:
daemon_reload: true
- name: Restart keycloak
systemd:
name: keycloak.service
state: restarted
---
- name: Install JRE and other required packages
apt:
name:
- default-jre-headless
- python3-lxml
state: present
- name: Create keycloak group
group:
name: keycloak
system: true
- name: Create keycloak user
user:
name: keycloak
system: true
home: /var/lib/keycloak
group: keycloak
- name: Configure keycloak home directory
file:
path: /var/lib/keycloak
state: directory
owner: keycloak
group: keycloak
mode: '0700'
- name: Configure log directory
file:
path: /var/log/keycloak
state: directory
owner: keycloak
group: keycloak
mode: '0750'
- name: Get installed version
slurp:
src: /opt/keycloak/version.txt
register: keycloak_version_txt
ignore_errors: true
- name: Extract version from string
set_fact:
keycloak_installed_version: >-
{{ keycloak_version_txt.content | b64decode
| regex_search('Version ([\d.]+)', '\1') | first }}
when:
not keycloak_version_txt.failed
- when: >-
keycloak_version_txt.failed or
keycloak_installed_version != keycloak_version
notify:
- Restart keycloak
block:
- name: Create temporary directory
tempfile:
state: directory
register: tempdir
- name: Fetch and extract keycloak
unarchive:
# yamllint disable-line rule:line-length
src: "https://github.com/keycloak/keycloak/releases/download/{{ keycloak_version }}/keycloak-{{ keycloak_version }}.tar.gz"
dest: "{{ tempdir.path }}"
remote_src: true
- name: Ensure the target directory is absent
file:
path: /opt/keycloak-{{ keycloak_version }}
state: absent
- name: Move keycloak to target directory
copy:
src: "{{ tempdir.path }}/keycloak-{{ keycloak_version }}"
dest: /opt/
remote_src: true
owner: root
group: root
mode: preserve
- name: Fix file owner
file:
path: /opt/keycloak-{{ keycloak_version }}
owner: root
group: root
recurse: true
- name: Get old installation path
stat:
path: /opt/keycloak
register: installation_path
- name: Set installation symlink
file:
src: /opt/keycloak-{{ keycloak_version }}
dest: /opt/keycloak
state: link
follow: false
force: true
- name: Remove old version
file:
path: "{{ installation_path.stat.lnk_source }}"
state: absent
when: >-
installation_path.stat.islnk is defined and installation_path.stat.islnk
- name: Remove temporary directory
file:
path: "{{ tempdir.path }}"
state: absent
- name: Check whether configuration/data directory already exists
stat:
path: /var/lib/keycloak/standalone
register: config_directory
- name: Initialise configuration/data directory
when: not config_directory.stat.exists
copy:
src: /opt/keycloak/standalone
dest: /var/lib/keycloak/
remote_src: true
owner: keycloak
group: keycloak
mode: preserve
- name: Ensure log directory points to correct path
file:
path: /var/lib/keycloak/standalone/log
src: /var/log/keycloak
state: link
force: true
- name: Ensure correct configuration/data directory permissions
file:
path: /var/lib/keycloak/standalone
owner: keycloak
group: keycloak
recurse: true
- import_tasks: postgres.yml
when: keycloak_db.type == "postgres"
- name: Configure H2 datasource
when: keycloak_db.type == "h2"
xml:
path: /var/lib/keycloak/standalone/configuration/standalone.xml
namespaces:
ds: urn:jboss:domain:datasources:6.0
xpath: >-
//ds:subsystem/ds:datasources/ds:datasource[@jndi-name="java:jboss/datasources/KeycloakDS"]
input_type: xml
set_children:
- <connection-url>jdbc:h2:${jboss.server.data.dir}/keycloak;AUTO_SERVER=TRUE</connection-url>
- <driver>h2</driver>
- >-
<security>
<user-name>sa</user-name>
<password>sa</password>
</security>
notify:
- Restart keycloak
- name: Configure keycloak for reverse proxy usage
xml:
path: /var/lib/keycloak/standalone/configuration/standalone.xml
namespaces:
ut: urn:jboss:domain:undertow:12.0
xpath: >-
//ut:subsystem/ut:server[@name="default-server"]/ut:http-listener[@name="default"]
attribute: proxy-address-forwarding
value: "true"
- name: Install systemd service
copy:
src: keycloak.service
dest: /etc/systemd/system/keycloak.service
owner: root
group: root
mode: '0644'
notify:
- Reload systemd
- Restart keycloak
- name: Enable and start keycloak
systemd:
name: keycloak.service
state: started
enabled: true
---
- when: keycloak_manage_local_postgres
become: true
become_user: postgres
block:
- name: Create postgres user
postgresql_user:
name: "{{ keycloak_db.user }}"
password: "{{ keycloak_db.password }}"
state: present
- name: Create postgres database
postgresql_db:
name: "{{ keycloak_db.name }}"
owner: "{{ keycloak_db.user }}"
state: present
- name: Install JDBC postgres driver
apt:
name: libpostgresql-jdbc-java
state: present
- name: Create postgres driver module directory
file:
path: /opt/keycloak/modules/system/layers/keycloak/org/postgresql/main
state: directory
owner: root
group: root
mode: '0755'
- name: Link postgres driver
file:
src: /usr/share/java/postgresql.jar
dest: >-
/opt/keycloak/modules/system/layers/keycloak/org/postgresql/main/postgresql.jar
state: link
notify:
- Restart keycloak
- name: Register postgres driver module
copy:
src: postgres-module.xml
dest: >-
/opt/keycloak/modules/system/layers/keycloak/org/postgresql/main/module.xml
owner: root
group: root
mode: '0644'
notify:
- Restart keycloak
- name: Check whether postgres datasource driver is registered
xml:
path: /var/lib/keycloak/standalone/configuration/standalone.xml
namespaces:
ds: urn:jboss:domain:datasources:6.0
xpath: >-
//ds:subsystem/ds:datasources/ds:drivers/ds:driver[@name="postgresql"]
count: true
register: postgres_datasource
- name: Register postgres datasource driver
xml:
path: /var/lib/keycloak/standalone/configuration/standalone.xml
namespaces:
ds: urn:jboss:domain:datasources:6.0
xpath: //ds:subsystem/ds:datasources/ds:drivers
input_type: xml
add_children:
- >-
<driver name="postgresql" module="org.postgresql">
<xa-datasource-class>org.postgresql.xa.PGXADataSource</xa-datasource-class>
</driver>
when: postgres_datasource.count == 0
notify:
- Restart keycloak
- name: Configure postgres datasource
xml:
path: /var/lib/keycloak/standalone/configuration/standalone.xml
namespaces:
ds: urn:jboss:domain:datasources:6.0
xpath: >-
//ds:subsystem/ds:datasources/ds:datasource[@jndi-name="java:jboss/datasources/KeycloakDS"]
input_type: xml
set_children:
# yamllint disable-line rule:line-length
- <connection-url>jdbc:postgresql://{{ keycloak_db.host }}/{{ keycloak_db.name }}</connection-url>
- <driver>postgresql</driver>
- >-
<pool>
<max-pool-size>20</max-pool-size>
</pool>
- >-
<security>
<user-name>{{ keycloak_db.user }}</user-name>
<password>{{ keycloak_db.password }}</password>
</security>
notify:
- Restart keycloak
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment