diff --git a/defaults/main.yml b/defaults/main.yml
index 7989aa8..33e52e9 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -1,8 +1,8 @@
 ---
-keycloak_major_version: '19'
+keycloak_major_version: '24'
 keycloak_minor_version: '0'
-keycloak_point_version: '2'
-keycloak_openjdk_runtime_version: 11
+keycloak_point_version: '1'
+keycloak_openjdk_runtime_version: 17
 keycloak_openjdk_version:
   - '{{ keycloak_openjdk_runtime_version }}'
 keycloak_openjdk_bin: '/usr/lib/jvm/java-{{ keycloak_openjdk_runtime_version}}-openjdk-amd64/bin/java'
@@ -44,7 +44,9 @@ keycloak_external_avatar_dir: '{{ keycloak_data_directory }}/avatar'
 keycloak_https_enabled: true
 keycloak_https_protocols: 'TLSv1.3'
 keycloak_letsencrypt_certs: '{{ keycloak_https_enabled }}'
-keycloak_http_enabled: "{% if keycloak_https_enabled %}'false'{% else %}'true'{% endif %}"
+keycloak_source_cert_file: "{{ pki_dir }}/certs/{{ ansible_fqdn }}.pem"
+keycloak_source_cert_key: "{{ pki_dir }}/keys/{{ ansible_fqdn }}-key.pem"
+keycloak_http_enabled: "{% if keycloak_https_enabled %}false{% else %}true{% endif %}"
 # Set to /auth to be backward compatible with the old admin console
 keycloak_http_relative_path: /
 keycloak_listen: '127.0.0.1'
diff --git a/handlers/main.yml b/handlers/main.yml
index 871bd28..99da614 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -3,3 +3,7 @@
   ansible.builtin.service:
     name: '{{ keycloak_service_name }}'
     state: restarted
+
+- name: Reload the systemd service
+  ansible.builtin.systemd:
+    daemon_reload: true
diff --git a/tasks/keycloak-certificates.yml b/tasks/keycloak-certificates.yml
new file mode 100644
index 0000000..569330f
--- /dev/null
+++ b/tasks/keycloak-certificates.yml
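Review bot: The new `keycloak_source_cert_file` and `keycloak_source_cert_key` defaults are built from `pki_dir`, which this hunk does not define and which appears nowhere else in the diff, so any task that renders them on a host where the playbook has not set it fails on an undefined variable. If it is intentionally external to the role, say so above the two lines with `# pki_dir is not defined by this role; the calling playbook must set it`. It is also worth noting next to `keycloak_letsencrypt_certs` that it follows `keycloak_https_enabled`, so turning HTTPS off selects the local-certificate path rather than skipping certificate handling altogether.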
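Review bot: `Reload the systemd service` is appended below `Restart Keycloak`, and Ansible runs notified handlers in the order they are defined in the handlers file rather than in notify order, so when tasks/main.yml flushes handlers after a changed unit file the restart happens first and the daemon reload second, leaving the old unit definition in effect until the next restart. Define the reload handler above `Restart Keycloak` so a flush reloads units before it restarts anything. A one-line comment such as `# Keep above Restart Keycloak: handlers run in definition order` would stop the next edit from reintroducing the problem.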
@@ -0,0 +1,66 @@
+---
+- name: keycloak-certificates | TLS certificates management with Letsencrypt
+  when:
+    - keycloak_letsencrypt_certs
+    - letsencrypt_acme_install
+  tags: ['keycloak', 'keycloak_baremetal', 'keycloak_letsencrypt']
+  block:
+    - name: keycloak-certificates | Create the acme hooks directory if it does not yet exist
+      ansible.builtin.file:
+        dest: '{{ letsencrypt_acme_services_scripts_dir }}'
+        state: directory
+        owner: root
+        group: root
+        mode: "0755"
+
+    - name: keycloak-certificates | Copy the key file where keycloak expects it
+      ansible.builtin.copy:
+        src: '{{ letsencrypt_acme_sh_certificates_install_path }}/privkey'
+        dest: '{{ keycloak_conf_directory }}/server.key.pem'
+        owner: root
+        group: '{{ keycloak_user }}'
+        mode: "0640"
+        remote_src: true
+      notify: Restart Keycloak
+
+    - name: keycloak-certificates | Copy the certificate file where keycloak expects it
+      ansible.builtin.copy:
+        src: '{{ letsencrypt_acme_sh_certificates_install_path }}/fullchain'
+        dest: '{{ keycloak_conf_directory }}/server.crt.pem'
+        owner: root
+        group: '{{ keycloak_user }}'
+        mode: "0640"
+        remote_src: true
+      notify: Restart Keycloak
+
+    - name: keycloak-certificates | Install a script that updates the certificates upon renewal
+      ansible.builtin.template:
+        src: keycloak-letsencrypt-hook.j2
+        dest: '{{ letsencrypt_acme_services_scripts_dir }}/keycloak'
+        owner: root
+        group: root
+        mode: "4555"
+
+- name: keycloak-certificates | TLS certificates management without Letsencrypt
+  when: not keycloak_letsencrypt_certs
+  tags: ['keycloak', 'keycloak_baremetal', 'keycloak_letsencrypt']
+  block:
+    - name: keycloak-certificates | Copy the key file where keycloak expects it
+      ansible.builtin.copy:
+        src: '{{ keycloak_certificate_key }}'
+        dest: '{{ keycloak_conf_directory }}/server.key.pem'
+        owner: root
+        group: '{{ keycloak_user }}'
+        mode: "0640"
+        remote_src: true
+      notify: Restart Keycloak
+
+    - name: keycloak-certificates | Copy the certificate file where keycloak expects it
+      ansible.builtin.copy:
+        src: '{{ keycloak_certificate_file }}'
+        dest: '{{ keycloak_conf_directory }}/server.crt.pem'
+        owner: root
+        group: '{{ keycloak_user }}'
+        mode: "0640"
+        remote_src: true
+      notify: Restart Keycloak
diff --git a/tasks/keycloak-letsencrypt.yml b/tasks/keycloak-letsencrypt.yml
deleted file mode 100644
index 9ce4f45..0000000
--- a/tasks/keycloak-letsencrypt.yml
+++ /dev/null
@@ -1,42 +0,0 @@
----
-- name: TLS certificates management with Letsencrypt
-  block:
-    - name: Create the acme hooks directory if it does not yet exist
-      file:
-        dest: '{{ letsencrypt_acme_services_scripts_dir }}'
-        state: directory
-        owner: root
-        group: root
-
-    - name: Copy the key file where keycloak expects it
-      copy:
-        src: '{{ letsencrypt_acme_sh_certificates_install_path }}/privkey'
-        dest: '{{ keycloak_conf_directory }}/server.key.pem'
-        owner: root
-        group: '{{ keycloak_user }}'
-        mode: 0640
-        remote_src: true
-      notify: Restart Keycloak
-
-    - name: Copy the certificate file where keycloak expects it
-      copy:
-        src: '{{ letsencrypt_acme_sh_certificates_install_path }}/fullchain'
-        dest: '{{ keycloak_conf_directory }}/server.crt.pem'
-        owner: root
-        group: '{{ keycloak_user }}'
-        mode: 0640
-        remote_src: true
-      notify: Restart Keycloak
-
-    - name: Install a script that updates the certificates upon renewal
-      template:
-        src: keycloak-letsencrypt-hook.j2
-        dest: '{{ letsencrypt_acme_services_scripts_dir }}/keycloak'
-        owner: root
-        group: root
-        mode: 4555
-
-  when:
-    - keycloak_letsencrypt_certs
-    - letsencrypt_acme_install
-  tags: ['keycloak', 'keycloak_baremetal', 'keycloak_letsencrypt']
diff --git a/tasks/main.yml b/tasks/main.yml
index 6306042..cc27149 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
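Review bot: The non-Let's Encrypt block reads `keycloak_certificate_key` and `keycloak_certificate_file`, but the defaults hunk in this same commit defines `keycloak_source_cert_key` and `keycloak_source_cert_file`; unless the former pair is set somewhere outside this diff, both copy tasks fail on an undefined variable as soon as `keycloak_letsencrypt_certs` is false. That block is also gated only on `not keycloak_letsencrypt_certs`, and because the default ties that flag to `keycloak_https_enabled`, a host with HTTPS switched off still tries to copy a key it may not have; `when: keycloak_https_enabled and not keycloak_letsencrypt_certs` together with `src: '{{ keycloak_source_cert_key }}'` and `src: '{{ keycloak_source_cert_file }}'` closes both gaps. Separately, the renewal hook is installed with `mode: "4555"`: the setuid bit is ignored for interpreted scripts on Linux and is flagged by any permission audit, so `mode: "0755"` is the intended value for a root-owned hook.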
@@ -1,8 +1,12 @@
 ---
-- import_tasks: keycloak-install.yml
-- import_tasks: keycloak-letsencrypt.yml
-- import_tasks: keycloak-providers.yml
-- import_tasks: keycloak-configuration.yml
+- name: Keycloak install
+  ansible.builtin.import_tasks: keycloak-install.yml
+- name: TLS certificates
+  ansible.builtin.import_tasks: keycloak-certificates.yml
+- name: Keycloak providers
+  ansible.builtin.import_tasks: keycloak-providers.yml
+- name: Keycloak configuration
+  ansible.builtin.import_tasks: keycloak-configuration.yml
 
 - name: Manage the keycloak service
   tags:
@@ -12,30 +16,28 @@
     - keycloak_providers
     - keycloak_providers_jar
   block:
-  - name: Install the keycloak systemd unit
-    ansible.builtin.template:
-      src: keycloak.service.j2
-      dest: '/etc/systemd/system/{{ keycloak_service_name }}.service'
-      owner: root
-      group: root
-      mode: 0644
-    notify: Restart Keycloak
-    register: keycloak_unit
+    - name: Install the keycloak systemd unit
+      ansible.builtin.template:
+        src: keycloak.service.j2
+        dest: '/etc/systemd/system/{{ keycloak_service_name }}.service'
+        owner: root
+        group: root
+        mode: "0644"
+      notify:
+        - Restart Keycloak
+        - Reload the systemd service
 
-  - name: Reload systemd
-    ansible.builtin.systemd:
-      daemon_reload: yes
-    when: keycloak_unit is changed
+    - name: Reload the systemd service
+      ansible.builtin.meta: flush_handlers
 
-  - name: ensure that the {{ keycloak_service_name }} service is running and enabled
-    ansible.builtin.service:
-      name: '{{ keycloak_service_name }}'
-      state: started
-      enabled: true
-
-  - name: Wait for the service to be up before proceeding
-    ansible.builtin.wait_for:
-      port: "{% if keycloak_https_enabled %}{{ keycloak_https_port }}{% else %}{{ keycloak_http_port }}{% endif %}"
-      delay: 10
-      timeout: 90
+    - name: Ensure that the Keycload service is running and enabled
+      ansible.builtin.service:
+        name: '{{ keycloak_service_name }}'
+        state: started
+        enabled: true
+    - name: Wait for the service to be up before proceeding
+      ansible.builtin.wait_for:
+        port: "{% if keycloak_https_enabled %}{{ keycloak_https_port }}{% else %}{{ keycloak_http_port }}{% endif %}"
+        delay: 10
+        timeout: 90