Compare commits
8 Commits
d423d87cd2
...
f1e4f03e90
| Author | SHA1 | Date |
|---|---|---|
 Mauro Mugnaini
|
f1e4f03e90
|
|
 Andrea Dell'Amico
|
e4468ab062
|
|
|
Andrea Dell'Amico
|
cfd46a0a36
|
|
|
Andrea Dell'Amico
|
1ada201b12
|
|
|
Andrea Dell'Amico
|
97ec4389be
|
|
|
Andrea Dell'Amico
|
5c33e46a71
|
|
|
Andrea Dell'Amico
|
46161a5fe0 | |
|
Mauro Mugnaini
|
150fbef519
|
|
|
@ -1,8 +1,8 @@
|
|||
---
|
||||
keycloak_major_version: '19'
|
||||
keycloak_major_version: '24'
|
||||
keycloak_minor_version: '0'
|
||||
keycloak_point_version: '2'
|
||||
keycloak_openjdk_runtime_version: 11
|
||||
keycloak_openjdk_runtime_version: 17
|
||||
keycloak_openjdk_version:
|
||||
- '{{ keycloak_openjdk_runtime_version }}'
|
||||
keycloak_openjdk_bin: '/usr/lib/jvm/java-{{ keycloak_openjdk_runtime_version}}-openjdk-amd64/bin/java'
|
||||
|
|
@ -44,7 +44,9 @@ keycloak_external_avatar_dir: '{{ keycloak_data_directory }}/avatar'
|
|||
keycloak_https_enabled: true
|
||||
keycloak_https_protocols: 'TLSv1.3'
|
||||
keycloak_letsencrypt_certs: '{{ keycloak_https_enabled }}'
|
||||
keycloak_http_enabled: "{% if keycloak_https_enabled %}'false'{% else %}'true'{% endif %}"
|
||||
keycloak_source_cert_file: "{{ pki_dir }}/certs/{{ ansible_fqdn }}.pem"
|
||||
keycloak_source_cert_key: "{{ pki_dir }}/keys/{{ ansible_fqdn }}-key.pem"
|
||||
keycloak_http_enabled: "{% if keycloak_https_enabled %}false{% else %}true{% endif %}"
|
||||
# Set to /auth to be backward compatible with the old admin console
|
||||
keycloak_http_relative_path: /
|
||||
keycloak_listen: '127.0.0.1'
|
||||
|
|
|
|||
|
|
@ -3,3 +3,7 @@
|
|||
ansible.builtin.service:
|
||||
name: '{{ keycloak_service_name }}'
|
||||
state: restarted
|
||||
|
||||
- name: Reload the systemd service
|
||||
ansible.builtin.systemd:
|
||||
daemon_reload: true
|
||||
|
|
|
|||
|
|
@ -0,0 +1,66 @@
|
|||
---
|
||||
- name: keycloak-certificates | TLS certificates management with Letsencrypt
|
||||
when:
|
||||
- keycloak_letsencrypt_certs
|
||||
- letsencrypt_acme_install
|
||||
tags: ['keycloak', 'keycloak_baremetal', 'keycloak_letsencrypt']
|
||||
block:
|
||||
- name: keycloak-certificates | Create the acme hooks directory if it does not yet exist
|
||||
ansible.builtin.file:
|
||||
dest: '{{ letsencrypt_acme_services_scripts_dir }}'
|
||||
state: directory
|
||||
owner: root
|
||||
group: root
|
||||
mode: "0755"
|
||||
|
||||
- name: keycloak-certificates | Copy the key file where keycloak expects it
|
||||
ansible.builtin.copy:
|
||||
src: '{{ letsencrypt_acme_sh_certificates_install_path }}/privkey'
|
||||
dest: '{{ keycloak_conf_directory }}/server.key.pem'
|
||||
owner: root
|
||||
group: '{{ keycloak_user }}'
|
||||
mode: "0640"
|
||||
remote_src: true
|
||||
notify: Restart Keycloak
|
||||
|
||||
- name: keycloak-certificates | Copy the certificate file where keycloak expects it
|
||||
ansible.builtin.copy:
|
||||
src: '{{ letsencrypt_acme_sh_certificates_install_path }}/fullchain'
|
||||
dest: '{{ keycloak_conf_directory }}/server.crt.pem'
|
||||
owner: root
|
||||
group: '{{ keycloak_user }}'
|
||||
mode: "0640"
|
||||
remote_src: true
|
||||
notify: Restart Keycloak
|
||||
|
||||
- name: keycloak-certificates | Install a script that updates the certificates upon renewal
|
||||
ansible.builtin.template:
|
||||
src: keycloak-letsencrypt-hook.j2
|
||||
dest: '{{ letsencrypt_acme_services_scripts_dir }}/keycloak'
|
||||
owner: root
|
||||
group: root
|
||||
mode: "4555"
|
||||
|
||||
- name: keycloak-certificates | TLS certificates management without Letsencrypt
|
||||
when: not keycloak_letsencrypt_certs
|
||||
tags: ['keycloak', 'keycloak_baremetal', 'keycloak_letsencrypt']
|
||||
block:
|
||||
- name: keycloak-certificates | Copy the key file where keycloak expects it
|
||||
ansible.builtin.copy:
|
||||
src: '{{ keycloak_source_cert_key }}'
|
||||
dest: '{{ keycloak_conf_directory }}/server.key.pem'
|
||||
owner: root
|
||||
group: '{{ keycloak_user }}'
|
||||
mode: "0640"
|
||||
remote_src: true
|
||||
notify: Restart Keycloak
|
||||
|
||||
- name: keycloak-certificates | Copy the certificate file where keycloak expects it
|
||||
ansible.builtin.copy:
|
||||
src: '{{ keycloak_source_cert_file }}'
|
||||
dest: '{{ keycloak_conf_directory }}/server.crt.pem'
|
||||
owner: root
|
||||
group: '{{ keycloak_user }}'
|
||||
mode: "0640"
|
||||
remote_src: true
|
||||
notify: Restart Keycloak
|
||||
|
|
@ -1,42 +0,0 @@
|
|||
---
|
||||
- name: TLS certificates management with Letsencrypt
|
||||
block:
|
||||
- name: Create the acme hooks directory if it does not yet exist
|
||||
file:
|
||||
dest: '{{ letsencrypt_acme_services_scripts_dir }}'
|
||||
state: directory
|
||||
owner: root
|
||||
group: root
|
||||
|
||||
- name: Copy the key file where keycloak expects it
|
||||
copy:
|
||||
src: '{{ letsencrypt_acme_sh_certificates_install_path }}/privkey'
|
||||
dest: '{{ keycloak_conf_directory }}/server.key.pem'
|
||||
owner: root
|
||||
group: '{{ keycloak_user }}'
|
||||
mode: 0640
|
||||
remote_src: true
|
||||
notify: Restart Keycloak
|
||||
|
||||
- name: Copy the certificate file where keycloak expects it
|
||||
copy:
|
||||
src: '{{ letsencrypt_acme_sh_certificates_install_path }}/fullchain'
|
||||
dest: '{{ keycloak_conf_directory }}/server.crt.pem'
|
||||
owner: root
|
||||
group: '{{ keycloak_user }}'
|
||||
mode: 0640
|
||||
remote_src: true
|
||||
notify: Restart Keycloak
|
||||
|
||||
- name: Install a script that updates the certificates upon renewal
|
||||
template:
|
||||
src: keycloak-letsencrypt-hook.j2
|
||||
dest: '{{ letsencrypt_acme_services_scripts_dir }}/keycloak'
|
||||
owner: root
|
||||
group: root
|
||||
mode: 4555
|
||||
|
||||
when:
|
||||
- keycloak_letsencrypt_certs
|
||||
- letsencrypt_acme_install
|
||||
tags: ['keycloak', 'keycloak_baremetal', 'keycloak_letsencrypt']
|
||||
|
|
@ -1,8 +1,12 @@
|
|||
---
|
||||
- import_tasks: keycloak-install.yml
|
||||
- import_tasks: keycloak-letsencrypt.yml
|
||||
- import_tasks: keycloak-providers.yml
|
||||
- import_tasks: keycloak-configuration.yml
|
||||
- name: Keycloak install
|
||||
ansible.builtin.import_tasks: keycloak-install.yml
|
||||
- name: TLS certificates
|
||||
ansible.builtin.import_tasks: keycloak-certificates.yml
|
||||
- name: Keycloak providers
|
||||
ansible.builtin.import_tasks: keycloak-providers.yml
|
||||
- name: Keycloak configuration
|
||||
ansible.builtin.import_tasks: keycloak-configuration.yml
|
||||
|
||||
- name: Manage the keycloak service
|
||||
tags:
|
||||
|
|
@ -12,30 +16,28 @@
|
|||
- keycloak_providers
|
||||
- keycloak_providers_jar
|
||||
block:
|
||||
- name: Install the keycloak systemd unit
|
||||
ansible.builtin.template:
|
||||
src: keycloak.service.j2
|
||||
dest: '/etc/systemd/system/{{ keycloak_service_name }}.service'
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0644
|
||||
notify: Restart Keycloak
|
||||
register: keycloak_unit
|
||||
- name: Install the keycloak systemd unit
|
||||
ansible.builtin.template:
|
||||
src: keycloak.service.j2
|
||||
dest: '/etc/systemd/system/{{ keycloak_service_name }}.service'
|
||||
owner: root
|
||||
group: root
|
||||
mode: "0644"
|
||||
notify:
|
||||
- Restart Keycloak
|
||||
- Reload the systemd service
|
||||
|
||||
- name: Reload systemd
|
||||
ansible.builtin.systemd:
|
||||
daemon_reload: yes
|
||||
when: keycloak_unit is changed
|
||||
- name: Reload the systemd service
|
||||
ansible.builtin.meta: flush_handlers
|
||||
|
||||
- name: ensure that the {{ keycloak_service_name }} service is running and enabled
|
||||
ansible.builtin.service:
|
||||
name: '{{ keycloak_service_name }}'
|
||||
state: started
|
||||
enabled: true
|
||||
|
||||
- name: Wait for the service to be up before proceeding
|
||||
ansible.builtin.wait_for:
|
||||
port: "{% if keycloak_https_enabled %}{{ keycloak_https_port }}{% else %}{{ keycloak_http_port }}{% endif %}"
|
||||
delay: 10
|
||||
timeout: 90
|
||||
- name: Ensure that the Keycload service is running and enabled
|
||||
ansible.builtin.service:
|
||||
name: '{{ keycloak_service_name }}'
|
||||
state: started
|
||||
enabled: true
|
||||
|
||||
- name: Wait for the service to be up before proceeding
|
||||
ansible.builtin.wait_for:
|
||||
port: "{% if keycloak_https_enabled %}{{ keycloak_https_port }}{% else %}{{ keycloak_http_port }}{% endif %}"
|
||||
delay: 10
|
||||
timeout: 90
|
||||
|
|
|
|||
|
|
@ -3,7 +3,6 @@ http-relative-path={{ keycloak_http_relative_path }}
|
|||
http-enabled={{ keycloak_http_enabled }}
|
||||
http-host={{ keycloak_listen }}
|
||||
http-port={{ keycloak_http_port }}
|
||||
#log-level=DEBUG
|
||||
|
||||
# Database
|
||||
# The database vendor.
|
||||
|
|
@ -44,6 +43,13 @@ hostname={{ keycloak_hostname }}
|
|||
spi-avatar-storage-avatar-storage-file-avatar-folder={{ keycloak_external_avatar_dir}}
|
||||
{% endif %}
|
||||
|
||||
{% if keycloak_s3_avatar_enabled %}
|
||||
spi-avatar-storage-avatar-storage-s3-server-url={{ keycloak_s3_avatar_url }}
|
||||
spi-avatar-storage-avatar-storage-s3-access-key={{ keycloak_s3_avatar_key }}
|
||||
spi-avatar-storage-avatar-storage-s3-secret-key={{ keycloak_s3_avatar_secret }}
|
||||
spi-avatar-storage-avatar-storage-s3-root-bucket={{ keycloak_s3_avatar_bucket }}
|
||||
{% endif %}
|
||||
|
||||
{% if keycloak_cluster %}
|
||||
# Do not attach route to cookies and rely on the session affinity capabilities from reverse proxy
|
||||
spi-sticky-session-encoder-infinispan-should-attach-route={{ keycloak_reverse_proxy_infinispan_attach_route }}
|
||||
|
|
|
|||
|
|
@ -12,7 +12,9 @@ quarkus.http.access-log.rotate=true
|
|||
quarkus.http.access-log.rotation.max-file-size={{ keycloak_log_max_size }}
|
||||
quarkus.http.access-log.rotation.max-backup-index={{ keycloak_log_backup_index }}
|
||||
quarkus.http.access-log.pattern=%t [%{i,X-Forwarded-For}, %h] %l (user:%u) - '%r' => %s (%b bytes) '%{i,User-Agent}' (Referer: '%{i,Referer}') - [%I, %Dms]
|
||||
#
|
||||
quarkus.http.record-request-start-time=true
|
||||
quarkus.transaction-manager.enable-recovery=true
|
||||
{% for prop in keycloak_quarkus_additional_properties %}
|
||||
{{ prop }}
|
||||
{% endfor %}
|
||||
|
|
|
|||
Loading…
Reference in New Issue