Manage certificates that are not issued by letsencrypt.

defaults/main.yml

@@ -1,8 +1,8 @@
 ---
-keycloak_major_version: '19'
+keycloak_major_version: '24'
 keycloak_minor_version: '0'
-keycloak_point_version: '2'
+keycloak_point_version: '1'
-keycloak_openjdk_runtime_version: 11
+keycloak_openjdk_runtime_version: 17
 keycloak_openjdk_version:
   - '{{ keycloak_openjdk_runtime_version }}'
 keycloak_openjdk_bin: '/usr/lib/jvm/java-{{ keycloak_openjdk_runtime_version}}-openjdk-amd64/bin/java'
@@ -44,7 +44,9 @@ keycloak_external_avatar_dir: '{{ keycloak_data_directory }}/avatar'
 keycloak_https_enabled: true
 keycloak_https_protocols: 'TLSv1.3'
 keycloak_letsencrypt_certs: '{{ keycloak_https_enabled }}'
-keycloak_http_enabled: "{% if keycloak_https_enabled %}'false'{% else %}'true'{% endif %}"
+keycloak_source_cert_file: "{{ pki_dir }}/certs/{{ ansible_fqdn }}.pem"
+keycloak_source_cert_key: "{{ pki_dir }}/keys/{{ ansible_fqdn }}-key.pem"
+keycloak_http_enabled: "{% if keycloak_https_enabled %}false{% else %}true{% endif %}"
 # Set to /auth to be backward compatible with the old admin console
 keycloak_http_relative_path: /
 keycloak_listen: '127.0.0.1'

handlers/main.yml

@@ -3,3 +3,7 @@
   ansible.builtin.service:
     name: '{{ keycloak_service_name }}'
     state: restarted
+
+- name: Reload the systemd service
+  ansible.builtin.systemd:
+    daemon_reload: true

tasks/keycloak-certificates.yml

@@ -0,0 +1,66 @@
+---
+- name: keycloak-certificates | TLS certificates management with Letsencrypt
+  when:
+    - keycloak_letsencrypt_certs
+    - letsencrypt_acme_install
+  tags: ['keycloak', 'keycloak_baremetal', 'keycloak_letsencrypt']
+  block:
+    - name: keycloak-certificates | Create the acme hooks directory if it does not yet exist
+      ansible.builtin.file:
+        dest: '{{ letsencrypt_acme_services_scripts_dir }}'
+        state: directory
+        owner: root
+        group: root
+        mode: "0755"
+
+    - name: keycloak-certificates | Copy the key file where keycloak expects it
+      ansible.builtin.copy:
+        src: '{{ letsencrypt_acme_sh_certificates_install_path }}/privkey'
+        dest: '{{ keycloak_conf_directory }}/server.key.pem'
+        owner: root
+        group: '{{ keycloak_user }}'
+        mode: "0640"
+        remote_src: true
+      notify: Restart Keycloak
+
+    - name: keycloak-certificates | Copy the certificate file where keycloak expects it
+      ansible.builtin.copy:
+        src: '{{ letsencrypt_acme_sh_certificates_install_path }}/fullchain'
+        dest: '{{ keycloak_conf_directory }}/server.crt.pem'
+        owner: root
+        group: '{{ keycloak_user }}'
+        mode: "0640"
+        remote_src: true
+      notify: Restart Keycloak
+
+    - name: keycloak-certificates | Install a script that updates the certificates upon renewal
+      ansible.builtin.template:
+        src: keycloak-letsencrypt-hook.j2
+        dest: '{{ letsencrypt_acme_services_scripts_dir }}/keycloak'
+        owner: root
+        group: root
+        mode: "4555"
+
+- name: keycloak-certificates | TLS certificates management without Letsencrypt
+  when: not keycloak_letsencrypt_certs
+  tags: ['keycloak', 'keycloak_baremetal', 'keycloak_letsencrypt']
+  block:
+    - name: keycloak-certificates | Copy the key file where keycloak expects it
+      ansible.builtin.copy:
+        src: '{{ keycloak_certificate_key }}'
+        dest: '{{ keycloak_conf_directory }}/server.key.pem'
+        owner: root
+        group: '{{ keycloak_user }}'
+        mode: "0640"
+        remote_src: true
+      notify: Restart Keycloak
+
+    - name: keycloak-certificates | Copy the certificate file where keycloak expects it
+      ansible.builtin.copy:
+        src: '{{ keycloak_certificate_file }}'
+        dest: '{{ keycloak_conf_directory }}/server.crt.pem'
+        owner: root
+        group: '{{ keycloak_user }}'
+        mode: "0640"
+        remote_src: true
+      notify: Restart Keycloak

tasks/keycloak-letsencrypt.yml

@@ -1,42 +0,0 @@
----
-- name: TLS certificates management with Letsencrypt
-  block:
-    - name: Create the acme hooks directory if it does not yet exist
-      file:
-        dest: '{{ letsencrypt_acme_services_scripts_dir }}'
-        state: directory
-        owner: root
-        group: root
-
-    - name: Copy the key file where keycloak expects it
-      copy:
-        src: '{{ letsencrypt_acme_sh_certificates_install_path }}/privkey'
-        dest: '{{ keycloak_conf_directory }}/server.key.pem'
-        owner: root
-        group: '{{ keycloak_user }}'
-        mode: 0640
-        remote_src: true
-      notify: Restart Keycloak
-
-    - name: Copy the certificate file where keycloak expects it
-      copy:
-        src: '{{ letsencrypt_acme_sh_certificates_install_path }}/fullchain'
-        dest: '{{ keycloak_conf_directory }}/server.crt.pem'
-        owner: root
-        group: '{{ keycloak_user }}'
-        mode: 0640
-        remote_src: true
-      notify: Restart Keycloak
-
-    - name: Install a script that updates the certificates upon renewal
-      template:
-        src: keycloak-letsencrypt-hook.j2
-        dest: '{{ letsencrypt_acme_services_scripts_dir }}/keycloak'
-        owner: root
-        group: root
-        mode: 4555
-
-  when:
-    - keycloak_letsencrypt_certs
-    - letsencrypt_acme_install
-  tags: ['keycloak', 'keycloak_baremetal', 'keycloak_letsencrypt']

tasks/main.yml

@@ -1,8 +1,12 @@
 ---
-- import_tasks: keycloak-install.yml
+- name: Keycloak install
-- import_tasks: keycloak-letsencrypt.yml
+  ansible.builtin.import_tasks: keycloak-install.yml
-- import_tasks: keycloak-providers.yml
+- name: TLS certificates
-- import_tasks: keycloak-configuration.yml
+  ansible.builtin.import_tasks: keycloak-certificates.yml
+- name: Keycloak providers
+  ansible.builtin.import_tasks: keycloak-providers.yml
+- name: Keycloak configuration
+  ansible.builtin.import_tasks: keycloak-configuration.yml
 
 - name: Manage the keycloak service
   tags:
@@ -18,16 +22,15 @@
         dest: '/etc/systemd/system/{{ keycloak_service_name }}.service'
         owner: root
         group: root
-      mode: 0644
+        mode: "0644"
-    notify: Restart Keycloak
+      notify:
-    register: keycloak_unit
+        - Restart Keycloak
+        - Reload the systemd service
 
-  - name: Reload systemd
+    - name: Reload the systemd service
-    ansible.builtin.systemd:
+      ansible.builtin.meta: flush_handlers
-        daemon_reload: yes
-    when: keycloak_unit is changed
 
-  - name: ensure that the {{ keycloak_service_name }} service is running and enabled
+    - name: Ensure that the Keycload service is running and enabled
       ansible.builtin.service:
         name: '{{ keycloak_service_name }}'
         state: started
@@ -38,4 +41,3 @@
         port: "{% if keycloak_https_enabled %}{{ keycloak_https_port }}{% else %}{{ keycloak_http_port }}{% endif %}"
         delay: 10
         timeout: 90
-