proxy -> proxy-headers. Also fix the systemd unit reload.

Merge pull request 'Removed useless `log-level` commented line from template' (!2 ) from mauro.mugnaini/ansible-role-keycloak:kc24 into master
Reviewed-on: ISTI-ansible-roles/ansible-role-keycloak#2
2024-03-29 18:20:31 +01:00 · 2024-03-29 11:36:41 +01:00 · 2024-03-28 17:03:22 +01:00 · 2024-03-25 14:00:57 +01:00 · 2024-03-25 12:52:16 +01:00 · 2024-03-22 19:05:01 +01:00
10 changed files with 181 additions and 138 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -1,8 +1,8 @@
 ---
-keycloak_major_version: '19'
+keycloak_major_version: '24'
 keycloak_minor_version: '0'
 keycloak_point_version: '2'
-keycloak_openjdk_runtime_version: 11
+keycloak_openjdk_runtime_version: 17
 keycloak_openjdk_version:
  - '{{ keycloak_openjdk_runtime_version }}'
 keycloak_openjdk_bin: '/usr/lib/jvm/java-{{ keycloak_openjdk_runtime_version}}-openjdk-amd64/bin/java'
@ -16,6 +16,7 @@ keycloak_distribution_data_directory: '{{ keycloak_install_dir }}/{{ keycloak_di
 keycloak_conf_directory: '{{ keycloak_runtime_home }}/conf'
 keycloak_providers_directory: '{{ keycloak_runtime_home }}/providers'
 keycloak_data_directory: '{{ keycloak_runtime_home }}/data'
+keycloak_quarkus_directory: "{{ keycloak_runtime_home }}/lib/quarkus"
 keycloak_log_directory: '/var/log/keycloak'
 keycloak_service_name: keycloak
 keycloak_optimize_build_at_startup: true
@ -44,7 +45,9 @@ keycloak_external_avatar_dir: '{{ keycloak_data_directory }}/avatar'
 keycloak_https_enabled: true
 keycloak_https_protocols: 'TLSv1.3'
 keycloak_letsencrypt_certs: '{{ keycloak_https_enabled }}'
-keycloak_http_enabled: "{% if keycloak_https_enabled %}'false'{% else %}'true'{% endif %}"
+keycloak_source_cert_file: "{{ pki_dir }}/certs/{{ ansible_fqdn }}.pem"
+keycloak_source_cert_key: "{{ pki_dir }}/keys/{{ ansible_fqdn }}-key.pem"
+keycloak_http_enabled: "{% if keycloak_https_enabled %}false{% else %}true{% endif %}"
 # Set to /auth to be backward compatible with the old admin console
 keycloak_http_relative_path: /
 keycloak_listen: '127.0.0.1'
@ -79,7 +82,7 @@ keycloak_admin_user: kadmin
 keycloak_before_nginx: false
 keycloak_before_apache_httpd: false
 keycloak_behind_reverse_proxy: true
-keycloak_reverse_proxy_type: '{% if keycloak_https_enabled %}reencrypt{% else %}edge{% endif %}'
+keycloak_reverse_proxy_type: "xforwarded"
 keycloak_reverse_proxy_infinispan_attach_route: 'true'

 keycloak_cluster: false
--- a/handlers/main.yml
+++ b/handlers/main.yml
@ -3,3 +3,7 @@
  ansible.builtin.service:
    name: '{{ keycloak_service_name }}'
    state: restarted
+
+- name: Reload the systemd service
+  ansible.builtin.systemd:
+    daemon_reload: true
--- a/tasks/keycloak-certificates.yml
+++ b/tasks/keycloak-certificates.yml
@ -0,0 +1,66 @@
+---
+- name: keycloak-certificates | TLS certificates management with Letsencrypt
+  when:
+    - keycloak_letsencrypt_certs
+    - letsencrypt_acme_install
+  tags: ['keycloak', 'keycloak_baremetal', 'keycloak_letsencrypt']
+  block:
+    - name: keycloak-certificates | Create the acme hooks directory if it does not yet exist
+      ansible.builtin.file:
+        dest: '{{ letsencrypt_acme_services_scripts_dir }}'
+        state: directory
+        owner: root
+        group: root
+        mode: "0755"
+
+    - name: keycloak-certificates | Copy the key file where keycloak expects it
+      ansible.builtin.copy:
+        src: '{{ letsencrypt_acme_sh_certificates_install_path }}/privkey'
+        dest: '{{ keycloak_conf_directory }}/server.key.pem'
+        owner: root
+        group: '{{ keycloak_user }}'
+        mode: "0640"
+        remote_src: true
+      notify: Restart Keycloak
+
+    - name: keycloak-certificates | Copy the certificate file where keycloak expects it
+      ansible.builtin.copy:
+        src: '{{ letsencrypt_acme_sh_certificates_install_path }}/fullchain'
+        dest: '{{ keycloak_conf_directory }}/server.crt.pem'
+        owner: root
+        group: '{{ keycloak_user }}'
+        mode: "0640"
+        remote_src: true
+      notify: Restart Keycloak
+
+    - name: keycloak-certificates | Install a script that updates the certificates upon renewal
+      ansible.builtin.template:
+        src: keycloak-letsencrypt-hook.j2
+        dest: '{{ letsencrypt_acme_services_scripts_dir }}/keycloak'
+        owner: root
+        group: root
+        mode: "4555"
+
+- name: keycloak-certificates | TLS certificates management without Letsencrypt
+  when: not keycloak_letsencrypt_certs
+  tags: ['keycloak', 'keycloak_baremetal', 'keycloak_letsencrypt']
+  block:
+    - name: keycloak-certificates | Copy the key file where keycloak expects it
+      ansible.builtin.copy:
+        src: '{{ keycloak_source_cert_key }}'
+        dest: '{{ keycloak_conf_directory }}/server.key.pem'
+        owner: root
+        group: '{{ keycloak_user }}'
+        mode: "0640"
+        remote_src: true
+      notify: Restart Keycloak
+
+    - name: keycloak-certificates | Copy the certificate file where keycloak expects it
+      ansible.builtin.copy:
+        src: '{{ keycloak_source_cert_file }}'
+        dest: '{{ keycloak_conf_directory }}/server.crt.pem'
+        owner: root
+        group: '{{ keycloak_user }}'
+        mode: "0640"
+        remote_src: true
+      notify: Restart Keycloak
--- a/tasks/keycloak-configuration.yml
+++ b/tasks/keycloak-configuration.yml
@ -1,13 +1,13 @@
 ---
- name: Manage the keycloak configuration
+- name: keycloak-configuration | Manage the keycloak configuration
+  tags: ['keycloak', 'keycloak_db', 'keycloak_conf']
  block:
-  - name: Install the Keycloak and infinispan configuration files
-    ansible.builtin.template:
-      src: '{{ item }}.j2'
-      dest: '{{ keycloak_conf_directory }}/{{ item }}'
-      owner: root
-      group: root
-    loop: '{{ keycloak_configuration_files }}'
-    notify: Restart Keycloak
-
-  tags: [ 'keycloak', 'keycloak_db', 'keycloak_conf' ]
+    - name: keycloak-configuration | Install the Keycloak and infinispan configuration files
+      ansible.builtin.template:
+        src: '{{ item }}.j2'
+        dest: '{{ keycloak_conf_directory }}/{{ item }}'
+        owner: root
+        group: root
+        mode: "0644"
+      loop: '{{ keycloak_configuration_files }}'
+      notify: Restart Keycloak
--- a/tasks/keycloak-install.yml
+++ b/tasks/keycloak-install.yml
@ -1,58 +1,67 @@
 ---
- name: Install the keycloak distribution
+- name: keycloak-install | Install the keycloak distribution
  tags: keycloak
  block:
-  - name: Create the keycloak user
-    ansible.builtin.user:
-      name: '{{ keycloak_user }}'
-      home: '{{ keycloak_install_dir }}'
-      createhome: false
-      shell: /usr/sbin/nologin
-      system: true
+    - name: keycloak-install | Create the keycloak user
+      ansible.builtin.user:
+        name: '{{ keycloak_user }}'
+        home: '{{ keycloak_install_dir }}'
+        createhome: false
+        shell: /usr/sbin/nologin
+        system: true

-  - name: Create the keycloak installation directory, if it does not already exist.
-    ansible.builtin.file:
-      dest: '{{ keycloak_install_dir }}'
-      owner: root
-      group: root
-      state: directory
-      recurse: true
+    - name: keycloak-install | Create the keycloak installation directory, if it does not already exist.
+      ansible.builtin.file:
+        dest: '{{ keycloak_install_dir }}'
+        owner: root
+        group: root
+        state: directory
+        recurse: true

-  - name: Create the keycloak log directory
-    file: dest={{ keycloak_log_directory }} state=directory owner={{ keycloak_user }} group={{ keycloak_user }} mode='0755'
+    - name: keycloak-install | Create the keycloak log directory
+      ansible.builtin.file:
+        dest: "{{ keycloak_log_directory }}"
+        state: directory
+        owner: "{{ keycloak_user }}"
+        group: "{{ keycloak_user }}"
+        mode: '0755'

-  - name: Download the keycloak distribution
-    unarchive: remote_src=yes src={{ keycloak_download_url }} dest={{ keycloak_install_dir }} owner=root group=root
-    args:
-      creates: '{{ keycloak_install_dir }}/{{ keycloak_distribution }}'
+    - name: keycloak-install | Download the keycloak distribution
+      ansible.builtin.unarchive:
+        remote_src: true
+        src: "{{ keycloak_download_url }}"
+        dest: "{{ keycloak_install_dir }}"
+        owner: root
+        group: root
+      args:
+        creates: '{{ keycloak_install_dir }}/{{ keycloak_distribution }}'

-  - name: Set the permissions of the {{ keycloak_data_directory }} directory 
-    ansible.builtin.file:
-      dest: '{{ keycloak_data_directory }}'
-      state: directory
-      owner: '{{ keycloak_user }}'
-      group: '{{ keycloak_user }}'
-      mode: 0750
-      recurse: true
-    tags: [ keycloak, keycloak_data_dir ]
+    - name: keycloak-install | Set the permissions of {{ keycloak_data_directory }}
+      ansible.builtin.file:
+        dest: '{{ keycloak_data_directory }}'
+        state: directory
+        owner: '{{ keycloak_user }}'
+        group: '{{ keycloak_user }}'
+        mode: "0750"
+        recurse: true
+      tags: [keycloak, keycloak_data_dir]


-  - name: Set the permissions of the {{ keycloak_runtime_home }}/lib/quarkus directory 
-    ansible.builtin.file:
-      dest: '{{ keycloak_runtime_home }}/lib/quarkus'
-      state: directory
-      owner: '{{ keycloak_user }}'
-      group: '{{ keycloak_user }}'
-      mode: 0750
-      recurse: true
-    tags: [ keycloak, keycloak_data_dir ]
-
-  - name: Avatar directory
-    ansible.builtin.file:
-      dest: '{{ keycloak_external_avatar_dir }}'
-      state: directory
-      owner: '{{ keycloak_user }}'
-      group: '{{ keycloak_user }}'
-      mode: 0750
-    when: not keycloak_external_avatar_dir_enabled
+    - name: keycloak-install | Set the permissions of {{ keycloak_quarkus_directory }}
+      ansible.builtin.file:
+        dest: "{{ keycloak_quarkus_directory }}"
+        state: directory
+        owner: '{{ keycloak_user }}'
+        group: '{{ keycloak_user }}'
+        mode: "0750"
+        recurse: true
+      tags: [keycloak, keycloak_data_dir]

+    - name: keycloak-install | Avatar directory
+      ansible.builtin.file:
+        dest: '{{ keycloak_external_avatar_dir }}'
+        state: directory
+        owner: '{{ keycloak_user }}'
+        group: '{{ keycloak_user }}'
+        mode: "0750"
+      when: not keycloak_external_avatar_dir_enabled
--- a/tasks/keycloak-letsencrypt.yml
+++ b/tasks/keycloak-letsencrypt.yml
@ -1,42 +0,0 @@
---
- name: TLS certificates management with Letsencrypt
-  block:
-    - name: Create the acme hooks directory if it does not yet exist
-      file:
-        dest: '{{ letsencrypt_acme_services_scripts_dir }}'
-        state: directory
-        owner: root
-        group: root
-
-    - name: Copy the key file where keycloak expects it
-      copy:
-        src: '{{ letsencrypt_acme_sh_certificates_install_path }}/privkey'
-        dest: '{{ keycloak_conf_directory }}/server.key.pem'
-        owner: root
-        group: '{{ keycloak_user }}'
-        mode: 0640
-        remote_src: true
-      notify: Restart Keycloak
-
-    - name: Copy the certificate file where keycloak expects it
-      copy:
-        src: '{{ letsencrypt_acme_sh_certificates_install_path }}/fullchain'
-        dest: '{{ keycloak_conf_directory }}/server.crt.pem'
-        owner: root
-        group: '{{ keycloak_user }}'
-        mode: 0640
-        remote_src: true
-      notify: Restart Keycloak
-
-    - name: Install a script that updates the certificates upon renewal
-      template:
-        src: keycloak-letsencrypt-hook.j2
-        dest: '{{ letsencrypt_acme_services_scripts_dir }}/keycloak'
-        owner: root
-        group: root
-        mode: 4555
-
-  when:
-    - keycloak_letsencrypt_certs
-    - letsencrypt_acme_install
-  tags: ['keycloak', 'keycloak_baremetal', 'keycloak_letsencrypt']
--- a/tasks/keycloak-providers.yml
+++ b/tasks/keycloak-providers.yml
@ -1,6 +1,6 @@
 ---
- name: Get the keycloak providers
-  maven_artifact:
+- name: keycloak-providers | Get the keycloak providers
+  community.general.maven_artifactmaven_artifact:
    artifact_id: "{{ item.maven_id }}"
    version: "{{ item.maven_version | default('latest') }}"
    group_id: "{{ item.maven_group_id }}"
@ -8,7 +8,7 @@
    repository_url: "{{ item.maven_repo_url }}"
    dest: "{{ keycloak_providers_directory }}/{{ item.name }}.{{ item.maven_extension | default('jar') }}"
    verify_checksum: always
-    mode: 0644
+    mode: "0644"
  loop: '{{ keycloak_remote_providers }}'
  when: item.maven_extension is not defined or item.maven_extension != "ear"
  notify: Restart Keycloak
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -1,8 +1,12 @@
 ---
- import_tasks: keycloak-install.yml
- import_tasks: keycloak-letsencrypt.yml
- import_tasks: keycloak-providers.yml
- import_tasks: keycloak-configuration.yml
+- name: Keycloak install
+  ansible.builtin.import_tasks: keycloak-install.yml
+- name: TLS certificates
+  ansible.builtin.import_tasks: keycloak-certificates.yml
+- name: Keycloak providers
+  ansible.builtin.import_tasks: keycloak-providers.yml
+- name: Keycloak configuration
+  ansible.builtin.import_tasks: keycloak-configuration.yml

 - name: Manage the keycloak service
  tags:
@ -12,30 +16,28 @@
    - keycloak_providers
    - keycloak_providers_jar
  block:
-  - name: Install the keycloak systemd unit
-    ansible.builtin.template:
-      src: keycloak.service.j2
-      dest: '/etc/systemd/system/{{ keycloak_service_name }}.service'
-      owner: root
-      group: root
-      mode: 0644
-    notify: Restart Keycloak
-    register: keycloak_unit
+    - name: Install the keycloak systemd unit
+      ansible.builtin.template:
+        src: keycloak.service.j2
+        dest: '/etc/systemd/system/{{ keycloak_service_name }}.service'
+        owner: root
+        group: root
+        mode: "0644"
+      notify:
+        - Reload the systemd service
+        - Restart Keycloak

-  - name: Reload systemd
-    ansible.builtin.systemd:
-        daemon_reload: yes
-    when: keycloak_unit is changed
+    - name: Reload the systemd service
+      ansible.builtin.meta: flush_handlers

-  - name: ensure that the {{ keycloak_service_name }} service is running and enabled
-    ansible.builtin.service:
-      name: '{{ keycloak_service_name }}'
-      state: started
-      enabled: true
-
-  - name: Wait for the service to be up before proceeding
-    ansible.builtin.wait_for:
-      port: "{% if keycloak_https_enabled %}{{ keycloak_https_port }}{% else %}{{ keycloak_http_port }}{% endif %}"
-      delay: 10
-      timeout: 90
+    - name: Ensure that the Keycload service is running and enabled
+      ansible.builtin.service:
+        name: '{{ keycloak_service_name }}'
+        state: started
+        enabled: true

+    - name: Wait for the service to be up before proceeding
+      ansible.builtin.wait_for:
+        port: "{% if keycloak_https_enabled %}{{ keycloak_https_port }}{% else %}{{ keycloak_http_port }}{% endif %}"
+        delay: 10
+        timeout: 90
--- a/templates/keycloak.conf.j2
+++ b/templates/keycloak.conf.j2
@ -3,7 +3,6 @@ http-relative-path={{ keycloak_http_relative_path }}
 http-enabled={{ keycloak_http_enabled }}
 http-host={{ keycloak_listen }}
 http-port={{ keycloak_http_port }}
-#log-level=DEBUG

 # Database
 # The database vendor.
@ -32,7 +31,7 @@ https-port={{ keycloak_https_port }}

 {% if keycloak_behind_reverse_proxy %}
 # The proxy address forwarding mode if the server is behind a reverse proxy.
-proxy={{ keycloak_reverse_proxy_type }}
+proxy-headers={{ keycloak_reverse_proxy_type }}
 {% endif %}

 {% if keycloak_set_hostname %}
--- a/templates/quarkus.properties.j2
+++ b/templates/quarkus.properties.j2
@ -12,7 +12,9 @@ quarkus.http.access-log.rotate=true
 quarkus.http.access-log.rotation.max-file-size={{ keycloak_log_max_size }}
 quarkus.http.access-log.rotation.max-backup-index={{ keycloak_log_backup_index }}
 quarkus.http.access-log.pattern=%t [%{i,X-Forwarded-For}, %h] %l (user:%u) - '%r' => %s (%b bytes) '%{i,User-Agent}' (Referer: '%{i,Referer}') - [%I, %Dms]
+#
 quarkus.http.record-request-start-time=true
+quarkus.transaction-manager.enable-recovery=true
 {% for prop in keycloak_quarkus_additional_properties %}
 {{ prop }}
 {% endfor %}
Author	SHA1	Message	Date
Andrea Dell'Amico	d9f914aff7	proxy -> proxy-headers. Also fix the systemd unit reload.	2024-03-29 18:20:31 +01:00
Andrea Dell'Amico	c90ec14535	Merge pull request 'Removed useless `log-level` commented line from template' (!2 ) from mauro.mugnaini/ansible-role-keycloak:kc24 into master Reviewed-on: ISTI-ansible-roles/ansible-role-keycloak#2	2024-03-29 11:36:41 +01:00
Mauro Mugnaini	f1e4f03e90	Removed useless `log-level` commented line from template	2024-03-28 17:03:22 +01:00
Andrea Dell'Amico	e4468ab062	Add quarkus.transaction-manager.enable-recovery=true.	2024-03-25 14:00:57 +01:00
Andrea Dell'Amico	cfd46a0a36	New default version.	2024-03-25 12:52:16 +01:00
Andrea Dell'Amico	1ada201b12	Fix a variable name.	2024-03-22 19:05:01 +01:00
Andrea Dell'Amico	97ec4389be	Fix a variable name.	2024-03-22 18:55:55 +01:00
Andrea Dell'Amico	5c33e46a71	Manage certificates that are not issued by letsencrypt.	2024-03-22 18:45:21 +01:00
Andrea Dell'Amico	46161a5fe0	Merge pull request 'Added support for S3 avatar enabling and configuration' (!1 ) from mauro.mugnaini/ansible-role-keycloak:master into master Reviewed-on: ISTI-ansible-roles/ansible-role-keycloak#1	2024-02-22 11:23:43 +01:00