Manage certificates that are not issued by letsencrypt.

2024-03-22 18:45:21 +01:00 · 2024-03-22 18:45:21 +01:00 · 5c33e46a71
parent 46161a5fe0
commit 5c33e46a71
5 changed files with 106 additions and 74 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -1,8 +1,8 @@
 ---
-keycloak_major_version: '19'
+keycloak_major_version: '24'
 keycloak_minor_version: '0'
-keycloak_point_version: '2'
-keycloak_openjdk_runtime_version: 11
+keycloak_point_version: '1'
+keycloak_openjdk_runtime_version: 17
 keycloak_openjdk_version:
  - '{{ keycloak_openjdk_runtime_version }}'
 keycloak_openjdk_bin: '/usr/lib/jvm/java-{{ keycloak_openjdk_runtime_version}}-openjdk-amd64/bin/java'
@ -44,7 +44,9 @@ keycloak_external_avatar_dir: '{{ keycloak_data_directory }}/avatar'
 keycloak_https_enabled: true
 keycloak_https_protocols: 'TLSv1.3'
 keycloak_letsencrypt_certs: '{{ keycloak_https_enabled }}'
-keycloak_http_enabled: "{% if keycloak_https_enabled %}'false'{% else %}'true'{% endif %}"
+keycloak_source_cert_file: "{{ pki_dir }}/certs/{{ ansible_fqdn }}.pem"
+keycloak_source_cert_key: "{{ pki_dir }}/keys/{{ ansible_fqdn }}-key.pem"
+keycloak_http_enabled: "{% if keycloak_https_enabled %}false{% else %}true{% endif %}"
 # Set to /auth to be backward compatible with the old admin console
 keycloak_http_relative_path: /
 keycloak_listen: '127.0.0.1'
--- a/handlers/main.yml
+++ b/handlers/main.yml
@ -3,3 +3,7 @@
  ansible.builtin.service:
    name: '{{ keycloak_service_name }}'
    state: restarted
+
+- name: Reload the systemd service
+  ansible.builtin.systemd:
+    daemon_reload: true
--- a/tasks/keycloak-certificates.yml
+++ b/tasks/keycloak-certificates.yml
@ -0,0 +1,66 @@
+---
+- name: keycloak-certificates | TLS certificates management with Letsencrypt
+  when:
+    - keycloak_letsencrypt_certs
+    - letsencrypt_acme_install
+  tags: ['keycloak', 'keycloak_baremetal', 'keycloak_letsencrypt']
+  block:
+    - name: keycloak-certificates | Create the acme hooks directory if it does not yet exist
+      ansible.builtin.file:
+        dest: '{{ letsencrypt_acme_services_scripts_dir }}'
+        state: directory
+        owner: root
+        group: root
+        mode: "0755"
+
+    - name: keycloak-certificates | Copy the key file where keycloak expects it
+      ansible.builtin.copy:
+        src: '{{ letsencrypt_acme_sh_certificates_install_path }}/privkey'
+        dest: '{{ keycloak_conf_directory }}/server.key.pem'
+        owner: root
+        group: '{{ keycloak_user }}'
+        mode: "0640"
+        remote_src: true
+      notify: Restart Keycloak
+
+    - name: keycloak-certificates | Copy the certificate file where keycloak expects it
+      ansible.builtin.copy:
+        src: '{{ letsencrypt_acme_sh_certificates_install_path }}/fullchain'
+        dest: '{{ keycloak_conf_directory }}/server.crt.pem'
+        owner: root
+        group: '{{ keycloak_user }}'
+        mode: "0640"
+        remote_src: true
+      notify: Restart Keycloak
+
+    - name: keycloak-certificates | Install a script that updates the certificates upon renewal
+      ansible.builtin.template:
+        src: keycloak-letsencrypt-hook.j2
+        dest: '{{ letsencrypt_acme_services_scripts_dir }}/keycloak'
+        owner: root
+        group: root
+        mode: "4555"
+
+- name: keycloak-certificates | TLS certificates management without Letsencrypt
+  when: not keycloak_letsencrypt_certs
+  tags: ['keycloak', 'keycloak_baremetal', 'keycloak_letsencrypt']
+  block:
+    - name: keycloak-certificates | Copy the key file where keycloak expects it
+      ansible.builtin.copy:
+        src: '{{ keycloak_certificate_key }}'
+        dest: '{{ keycloak_conf_directory }}/server.key.pem'
+        owner: root
+        group: '{{ keycloak_user }}'
+        mode: "0640"
+        remote_src: true
+      notify: Restart Keycloak
+
+    - name: keycloak-certificates | Copy the certificate file where keycloak expects it
+      ansible.builtin.copy:
+        src: '{{ keycloak_certificate_file }}'
+        dest: '{{ keycloak_conf_directory }}/server.crt.pem'
+        owner: root
+        group: '{{ keycloak_user }}'
+        mode: "0640"
+        remote_src: true
+      notify: Restart Keycloak
--- a/tasks/keycloak-letsencrypt.yml
+++ b/tasks/keycloak-letsencrypt.yml
@ -1,42 +0,0 @@
---
- name: TLS certificates management with Letsencrypt
-  block:
-    - name: Create the acme hooks directory if it does not yet exist
-      file:
-        dest: '{{ letsencrypt_acme_services_scripts_dir }}'
-        state: directory
-        owner: root
-        group: root
-
-    - name: Copy the key file where keycloak expects it
-      copy:
-        src: '{{ letsencrypt_acme_sh_certificates_install_path }}/privkey'
-        dest: '{{ keycloak_conf_directory }}/server.key.pem'
-        owner: root
-        group: '{{ keycloak_user }}'
-        mode: 0640
-        remote_src: true
-      notify: Restart Keycloak
-
-    - name: Copy the certificate file where keycloak expects it
-      copy:
-        src: '{{ letsencrypt_acme_sh_certificates_install_path }}/fullchain'
-        dest: '{{ keycloak_conf_directory }}/server.crt.pem'
-        owner: root
-        group: '{{ keycloak_user }}'
-        mode: 0640
-        remote_src: true
-      notify: Restart Keycloak
-
-    - name: Install a script that updates the certificates upon renewal
-      template:
-        src: keycloak-letsencrypt-hook.j2
-        dest: '{{ letsencrypt_acme_services_scripts_dir }}/keycloak'
-        owner: root
-        group: root
-        mode: 4555
-
-  when:
-    - keycloak_letsencrypt_certs
-    - letsencrypt_acme_install
-  tags: ['keycloak', 'keycloak_baremetal', 'keycloak_letsencrypt']
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -1,8 +1,12 @@
 ---
- import_tasks: keycloak-install.yml
- import_tasks: keycloak-letsencrypt.yml
- import_tasks: keycloak-providers.yml
- import_tasks: keycloak-configuration.yml
+- name: Keycloak install
+  ansible.builtin.import_tasks: keycloak-install.yml
+- name: TLS certificates
+  ansible.builtin.import_tasks: keycloak-certificates.yml
+- name: Keycloak providers
+  ansible.builtin.import_tasks: keycloak-providers.yml
+- name: Keycloak configuration
+  ansible.builtin.import_tasks: keycloak-configuration.yml

 - name: Manage the keycloak service
  tags:
@ -12,30 +16,28 @@
    - keycloak_providers
    - keycloak_providers_jar
  block:
-  - name: Install the keycloak systemd unit
-    ansible.builtin.template:
-      src: keycloak.service.j2
-      dest: '/etc/systemd/system/{{ keycloak_service_name }}.service'
-      owner: root
-      group: root
-      mode: 0644
-    notify: Restart Keycloak
-    register: keycloak_unit
+    - name: Install the keycloak systemd unit
+      ansible.builtin.template:
+        src: keycloak.service.j2
+        dest: '/etc/systemd/system/{{ keycloak_service_name }}.service'
+        owner: root
+        group: root
+        mode: "0644"
+      notify:
+        - Restart Keycloak
+        - Reload the systemd service

-  - name: Reload systemd
-    ansible.builtin.systemd:
-        daemon_reload: yes
-    when: keycloak_unit is changed
+    - name: Reload the systemd service
+      ansible.builtin.meta: flush_handlers

-  - name: ensure that the {{ keycloak_service_name }} service is running and enabled
-    ansible.builtin.service:
-      name: '{{ keycloak_service_name }}'
-      state: started
-      enabled: true
-
-  - name: Wait for the service to be up before proceeding
-    ansible.builtin.wait_for:
-      port: "{% if keycloak_https_enabled %}{{ keycloak_https_port }}{% else %}{{ keycloak_http_port }}{% endif %}"
-      delay: 10
-      timeout: 90
+    - name: Ensure that the Keycload service is running and enabled
+      ansible.builtin.service:
+        name: '{{ keycloak_service_name }}'
+        state: started
+        enabled: true

+    - name: Wait for the service to be up before proceeding
+      ansible.builtin.wait_for:
+        port: "{% if keycloak_https_enabled %}{{ keycloak_https_port }}{% else %}{{ keycloak_http_port }}{% endif %}"
+        delay: 10
+        timeout: 90