diff --git a/defaults/main.yml b/defaults/main.yml index 8bf5001..4c048ae 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -2,10 +2,16 @@ keycloak_major_version: '10' keycloak_minor_version: '0' keycloak_point_version: '2' -keycloak_install_dir: '/opt/keycloak' -keycloak_log_directory: '/var/log/keycloak' -# domain clustered mode is not supported at this time keycloak_wildfly_mode: 'standalone' +keycloak_install_dir: '/opt/keycloak' +keycloak_properties_directory: '/opt/keycloak/properties' +keycloak_distribution_data_directory: '{{ keycloak_install_dir }}/{{ keycloak_distribution }}/{{ keycloak_wildfly_mode }}' +keycloak_data_directory: '/opt/keycloak_data' +keycloak_log_directory: '/var/log/keycloak' +keycloak_startup_properties: + - { name: 'jboss.server.data.dir', value: '{{ keycloak_data_directory }}' } + - { name: 'jboss.server.log.dir', value: '{{ keycloak_log_directory }}' } +# domain clustered mode is not supported at this time keycloak_wildfly_clustered: False keycloak_wildfly_cluster_node_name: '{{ ansible_hostname }}' keycloak_wildfly_cluster_private_bind_address: '{{ ansible_default_ipv4.address }}' @@ -37,3 +43,5 @@ keycloak_admin_user: kadmin #keycloak_admin_password: 'define it into a vault file' keycloak_behind_reverse_proxy: True + +keycloak_jcliff_version: '2.12.7' diff --git a/handlers/main.yml b/handlers/main.yml index 80714ed..e534e7e 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -1,3 +1,4 @@ --- - name: Restart Keycloak - service: name=keycloak state=restarted + #service: name=keycloak state=restarted + shell: exit 0 diff --git a/meta/main.yml b/meta/main.yml index 61c703f..b8d6bce 100644 --- a/meta/main.yml +++ b/meta/main.yml @@ -23,6 +23,7 @@ galaxy_info: galaxy_tags: - users + - oidc dependencies: - src: git+https://gitea-s2i2s.isti.cnr.it/ISTI-ansible-roles/ansible-role-openjdk.git @@ -30,3 +31,5 @@ dependencies: name: openjdk state: latest +collections: + - wildfly.jcliff 
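Review bot: `keycloak_properties_directory` is hard-coded to `/opt/keycloak/properties` while the neighbouring `keycloak_distribution_data_directory` is derived from `keycloak_install_dir`, so a playbook that overrides the install dir ends up with `wildfly.properties` (and the `-P` path baked into the systemd unit) outside the install tree; `keycloak_properties_directory: '{{ keycloak_install_dir }}/properties'` keeps them together. The two `keycloak_startup_properties` entries are inline flow mappings where the rest of the file uses block style; a block `- name: 'jboss.server.data.dir'` / `value: ...` pair per entry diffs more cleanly when a third property is added.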
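Review bot: The `Restart Keycloak` handler now runs `shell: exit 0`, so every `notify: Restart Keycloak` in the role (standalone.xml, JDBC driver and module, properties file, systemd unit) becomes a no-op and a changed configuration is not applied until someone restarts the service by hand; the same commit also comments out the "ensure that the keycloak service is running and enabled" task in the second tasks/main.yml hunk, so the role no longer starts or enables the service at all. `shell: exit 0` additionally reports `changed` on every run. If this is a deliberate pause while the JCliff integration lands, a comment on the handler saying so would make the intent visible; otherwise restore `service: name=keycloak state=restarted`.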
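Review bot: `collections:` in meta/main.yml only adds `wildfly.jcliff` to the module search path; it does not install or pin the collection, so unless the repository also ships a `requirements.yml` entry (not visible in this diff) the role will fail with an unresolved module on a host without it once a jcliff module is actually called. Nothing in this diff calls one yet, so a comment noting the expected collection version next to `keycloak_jcliff_version` in defaults would keep the two in step.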
diff --git a/tasks/keycloak-configuration.yml b/tasks/keycloak-configuration.yml
new file mode 100644
index 0000000..b419e0c
--- /dev/null
+++ b/tasks/keycloak-configuration.yml
@@ -0,0 +1,18 @@
+---
+- name: Manage the keycloak configuration
+ block:
+ - name: Install the standalone configuration files
+ template: src={{ item }}.j2 dest={{ keycloak_install_dir }}/{{ keycloak_distribution }}/standalone/configuration/{{ item }} owner=root group={{ keycloak_user }} mode='0440'
+ with_items:
+ - standalone.xml
+ - standalone-ha.xml
+ notify: Restart Keycloak
+
+ - name: Create the admin user
+ shell: '{{ keycloak_install_dir }}/{{ keycloak_distribution }}/bin/add-user-keycloak.sh -u {{ keycloak_admin_user }} -p {{ keycloak_admin_password }} && chown {{ keycloak_user }} {{ keycloak_install_dir }}/{{ keycloak_distribution }}/{{ keycloak_wildfly_mode }}/configuration/keycloak-add-user.json && chmod 600 {{ keycloak_install_dir }}/{{ keycloak_distribution }}/{{ keycloak_wildfly_mode }}/configuration/keycloak-add-user.json'
+ args:
+ creates: '{{ keycloak_install_dir }}/{{ keycloak_distribution }}/{{ keycloak_wildfly_mode }}/configuration/keycloak-add-user.json'
+ notify: Restart Keycloak
+ tags: [ 'keycloak', 'keycloak_user', 'keycloak_conf' ]
+
+ tags: [ 'keycloak', 'keycloak_db', 'keycloak_conf' ]
diff --git a/tasks/keycloak-install.yml b/tasks/keycloak-install.yml
new file mode 100644
index 0000000..491cc29
--- /dev/null
+++ b/tasks/keycloak-install.yml
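Review bot: The `Create the admin user` task passes `{{ keycloak_admin_password }}` on the `add-user-keycloak.sh` command line with no `no_log: true`, so the rendered command, including the password, lands in verbose output, callback/log plugins and any failure message; adding `no_log: true` to that task keeps it out of the controller-side logs. The `template` dest in the first task hard-codes `standalone/configuration` where every other path in the role is built from `{{ keycloak_wildfly_mode }}`, and the block's `tags` list carries `keycloak_db`, which looks copied from the JDBC block and makes `--tags keycloak_db` rewrite standalone.xml and create the admin user.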
@@ -0,0 +1,48 @@
+---
+- name: Install the keycloak distribution
+ block:
+ - name: Create the keycloak user
+ user: name={{ keycloak_user }} home={{ keycloak_install_dir }} createhome=no shell=/usr/sbin/nologin system=yes
+
+ - name: Create the keycloak installation directory, if it does not already exist.
+ file: dest={{ keycloak_install_dir }} owner=root group=root state=directory recurse=yes
+
+ - name: Create the {{ keycloak_properties_directory }}
+ file: dest={{ keycloak_properties_directory }} owner=root group=root state=directory
+ tags: [ keycloak, keycloak_data_dir ]
+
+ - name: Create the {{ keycloak_data_directory }}
+ file: dest={{ keycloak_data_directory }}/{{ item }} state=directory owner={{ keycloak_user }} group={{ keycloak_user }} mode='0755'
+ loop: '{{ keycloak_data_subdirs }}'
+ when: keycloak_data_directory != keycloak_distribution_data_directory
+ tags: [ keycloak, keycloak_data_dir ]
+
+ - name: Download the keycloak distribution
+ unarchive: remote_src=yes src={{ keycloak_download_url }} dest={{ keycloak_install_dir }} owner=root group=root
+ args:
+ creates: '{{ keycloak_install_dir }}/{{ keycloak_distribution }}'
+
+ - name: Create the keycloak log directory
+ file: dest={{ keycloak_log_directory }} state=directory owner={{ keycloak_user }} group={{ keycloak_user }} mode='0755'
+
+ - name: Create some log files with the correct permissions
+ file: dest={{ keycloak_log_directory }}/{{ item }} owner={{ keycloak_user }} group={{ keycloak_user }} mode='0644' state=touch
+ with_items:
+ - 'server.log'
+ - 'audit.log'
+
+ - name: Fix the permissions of some keycloak directories
+ file: dest={{ keycloak_install_dir }}/{{ keycloak_distribution }}/{{ keycloak_wildfly_mode }}/{{ item }} state=directory owner={{ keycloak_user }} group={{ keycloak_user }} mode='0750' recurse=yes
+ with_items: '{{ keycloak_owned_directories }}'
+ when: keycloak_data_directory == keycloak_distribution_data_directory
+
+ - name: Remove the log directory inside the 
keycloak distribution
+ file: dest={{ keycloak_install_dir }}/{{ keycloak_distribution }}/{{ keycloak_wildfly_mode }}/log state=absent
+
+ - name: Remove the log directory inside the keycloak distribution
+ file: dest={{ keycloak_install_dir }}/{{ keycloak_distribution }}/{{ keycloak_wildfly_mode }}/log state=absent
+
+ - name: Link to the external log directory
+ file: src={{ keycloak_log_directory }} dest={{ keycloak_install_dir }}/{{ keycloak_distribution }}/{{ keycloak_wildfly_mode }}/log state=link
+
+ tags: keycloak
diff --git a/tasks/keycloak-jdbc.yml b/tasks/keycloak-jdbc.yml
new file mode 100644
index 0000000..65004d1
--- /dev/null
+++ b/tasks/keycloak-jdbc.yml
@@ -0,0 +1,16 @@
+---
+- name: Manage the keycloak external DB driver
+ block:
+ - name: Create the path to the DB driver
+ file: dest={{ keycloak_install_dir }}/{{ keycloak_distribution }}/modules/system/layers/base/{{ keycloak_db_module_path }}/main state=directory
+
+ - name: Get the JDBC driver {{ keycloack_jdbc_driver }}
+ get_url: url={{ keycloak_jdbc_driver_url }} dest={{ keycloak_install_dir }}/{{ keycloak_distribution }}/modules/system/layers/base/{{ keycloak_db_module_path }}/main/{{ keycloak_jdbc_driver }} owner=root group=root mode=0444
+ notify: Restart Keycloak
+
+ - name: Install the JDBC module configuration
+ template: src=jdbc-module.xml.j2 dest={{ keycloak_install_dir }}/{{ keycloak_distribution }}/modules/system/layers/base/{{ keycloak_db_module_path }}/main/module.xml owner=root group=root mode=0444
+ notify: Restart Keycloak
+
+ when: keycloak_use_external_db
+ tags: [ 'keycloak', 'keycloak_db', 'keycloak_conf' ]
diff --git a/tasks/main.yml b/tasks/main.yml
index 3e640f5..ecdfd90 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
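Review bot: The new `when: keycloak_data_directory == keycloak_distribution_data_directory` on `Fix the permissions of some keycloak directories` skips the ownership fix for every entry of `keycloak_owned_directories` whenever the data directory is external, but the startup properties in defaults only redirect `jboss.server.data.dir` and `jboss.server.log.dir`; `tmp`, `configuration` and `deployments` under the distribution then stay root-owned, and as far as I know WildFly still writes its temp files and `standalone_xml_history` there while running as the keycloak user, so I would expect startup to fail in that layout. Restricting the exception to the `data` entry, `when: keycloak_data_directory == keycloak_distribution_data_directory or item != 'data'`, keeps the other directories writable. The file also inherits from the old tasks/main.yml the `Remove the log directory inside the keycloak distribution` task twice in a row, and `Create the keycloak installation directory` runs `recurse=yes` with `owner=root group=root` over the whole install tree on every run, which is what the later permission fix then has to undo.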
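Review bot: The task name `Get the JDBC driver {{ keycloack_jdbc_driver }}` references a misspelt, undefined variable (`keycloack_` against the `keycloak_jdbc_driver` used on the `dest` line), which Ansible reports as a warning and leaves unrendered; `- name: Get the JDBC driver {{ keycloak_jdbc_driver }}`. The `get_url` also drops a jar into the server's module path with no `checksum:`, so a truncated or substituted download is installed and loaded silently; a `checksum: '{{ keycloak_jdbc_driver_checksum }}'` argument (new default, `sha256:<digest>` form) makes the driver verifiable, and the same gap exists for the `unarchive` of the keycloak distribution in keycloak-install.yml and of the jcliff tarball in the first tasks/main.yml hunk — `unarchive` has no checksum parameter, so the pattern there is a `get_url` with `checksum:` to a local archive followed by `unarchive` with `remote_src` on that file.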
@@ -1,77 +1,57 @@
 ---
-- name: Install the keycloak distribution
+- name: Manage the JCliff installation on Ubuntu/Debian
 block:
- - name: Create the keycloak user
- user: name={{ keycloak_user }} home={{ keycloak_install_dir }} createhome=no shell=/usr/sbin/nologin system=yes
+ - name: Download the jcliff distribution
+ unarchive:
+ remote_src: yes
+ src: 'https://github.com/bserdar/jcliff/releases/download/v{{ keycloak_jcliff_version }}/jcliff-{{ keycloak_jcliff_version }}-dist.tar.gz'
+ dest: '/opt'
+ owner: root
+ group: root
- - name: Create the keycloak installation directory, if it does not already exist.
- file: dest={{ keycloak_install_dir }} owner=root group=root state=directory recurse=yes
+ - name: Fix the jcliff executable permissions
+ file:
+ dest: '/opt/jcliff-{{ keycloak_jcliff_version }}/jcliff'
+ mode: '0755'
- - name: Download the keycloak distribution
- unarchive: remote_src=yes src={{ keycloak_download_url }} dest={{ keycloak_install_dir }} owner=root group=root
- args:
- creates: '{{ keycloak_install_dir }}/{{ keycloak_distribution }}'
+ - name: Link to the executable
+ file:
+ src: '/opt/jcliff-{{ keycloak_jcliff_version }}/jcliff'
+ dest: /usr/bin/jcliff
+ state: link
- - name: Create the keycloak log directory
- file: dest={{ keycloak_log_directory }} state=directory owner={{ keycloak_user }} group={{ keycloak_user }} mode='0755'
+ - name: Link to the shared resources
+ file:
+ src: '/opt/jcliff-{{ keycloak_jcliff_version }}'
+ dest: /usr/share/jcliff
+ state: link
- - name: Create some log files with the correct permissions
- file: dest={{ keycloak_log_directory }}/{{ item }} owner={{ keycloak_user }} group={{ keycloak_user }} mode='0644' state=touch
- with_items:
- - 'server.log'
- - 'audit.log'
+ - name: Set the JBOSS_HOME as {{ jboss_home }} in the global environment profile
+ template:
+ src: jboss-env.sh.j2
+ dest: /etc/profile.d/jboss-env.sh
+ owner: root
+ group: root
+ mode: '0444'
- - name: Fix the permissions of some keycloak 
directories
- file: dest={{ keycloak_install_dir }}/{{ keycloak_distribution }}/{{ keycloak_wildfly_mode }}/{{ item }} state=directory owner={{ keycloak_user }} group={{ keycloak_user }} mode='0750' recurse=yes
- with_items: '{{ keycloak_owned_directories }}'
+ when: ansible_distribution_file_variety == "Debian"
+ tags: [ keycloak, jcliff ]
- - name: Remove the log directory inside the keycloak distribution
- file: dest={{ keycloak_install_dir }}/{{ keycloak_distribution }}/{{ keycloak_wildfly_mode }}/log state=absent
-
- - name: Remove the log directory inside the keycloak distribution
- file: dest={{ keycloak_install_dir }}/{{ keycloak_distribution }}/{{ keycloak_wildfly_mode }}/log state=absent
-
- - name: Link to the external log directory
- file: src={{ keycloak_log_directory }} dest={{ keycloak_install_dir }}/{{ keycloak_distribution }}/{{ keycloak_wildfly_mode }}/log state=link
-
- tags: keycloak
-
-- name: Manage the keycloak external DB driver
- block:
- - name: Create the path to the DB driver
- file: dest={{ keycloak_install_dir }}/{{ keycloak_distribution }}/modules/system/layers/base/{{ keycloak_db_module_path }}/main state=directory
-
- - name: Get the JDBC driver
- get_url: url={{ keycloak_jdbc_driver_url }} dest={{ keycloak_install_dir }}/{{ keycloak_distribution }}/modules/system/layers/base/{{ keycloak_db_module_path }}/main/{{ keycloak_jdbc_driver }} owner=root group=root mode=0444
- notify: Restart Keycloak
-
- - name: Install the JDBC module configuration
- template: src=jdbc-module.xml.j2 dest={{ keycloak_install_dir }}/{{ keycloak_distribution }}/modules/system/layers/base/{{ keycloak_db_module_path }}/main/module.xml owner=root group=root mode=0444
- notify: Restart Keycloak
-
- when: keycloak_use_external_db
- tags: [ 'keycloak', 'keycloak_db', 'keycloak_conf' ]
-
-- name: Manage the keycloak configuration
- block:
- - name: Install the standalone configuration files
- template: src={{ item }}.j2 dest={{ keycloak_install_dir }}/{{ 
keycloak_distribution }}/standalone/configuration/{{ item }} owner=root group={{ keycloak_user }} mode='0440'
- with_items:
- - standalone.xml
- - standalone-ha.xml
- notify: Restart Keycloak
-
- - name: Create the admin user
- shell: '{{ keycloak_install_dir }}/{{ keycloak_distribution }}/bin/add-user-keycloak.sh -u {{ keycloak_admin_user }} -p {{ keycloak_admin_password }} && chown {{ keycloak_user }} {{ keycloak_install_dir }}/{{ keycloak_distribution }}/{{ keycloak_wildfly_mode }}/configuration/keycloak-add-user.json && chmod 600 {{ keycloak_install_dir }}/{{ keycloak_distribution }}/{{ keycloak_wildfly_mode }}/configuration/keycloak-add-user.json'
- args:
- creates: '{{ keycloak_install_dir }}/{{ keycloak_distribution }}/{{ keycloak_wildfly_mode }}/configuration/keycloak-add-user.json'
- notify: Restart Keycloak
- tags: [ 'keycloak', 'keycloak_user', 'keycloak_conf' ]
-
- tags: [ 'keycloak', 'keycloak_db', 'keycloak_conf' ]
+- import_tasks: keycloak-install.yml
+- import_tasks: keycloak-jdbc.yml
+- import_tasks: keycloak-configuration.yml
 - name: Manage the keycloak service
 block:
+ - name: Install the keycloak properties file
+ template:
+ src: wildfly.properties.j2
+ dest: '{{ keycloak_properties_directory }}/wildfly.properties'
+ owner: root
+ group: root
+ mode: '0444'
+ notify: Restart Keycloak
+
 - name: Install the keycloak systemd unit
 template: src=keycloak.service.j2 dest=/etc/systemd/system/keycloak.service owner=root group=root mode=0644
 notify: Restart Keycloak
@@ -82,8 +62,8 @@
 daemon_reload: yes
 when: keycloak_unit is changed
- - name: ensure that the keycloak service is running and enabled
- service: name=keycloak state=started enabled=yes
+# - name: ensure that the keycloak service is running and enabled
+# service: name=keycloak state=started enabled=yes
 tags: [ 'keycloak', 'keycloak_service', 'keycloak_conf' ]
diff --git a/templates/jboss-env.sh.j2 b/templates/jboss-env.sh.j2
new file mode 100644
index 0000000..e1a81e0
--- /dev/null
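Review bot: The whole JCliff block is gated on `when: ansible_distribution_file_variety == "Debian"`, yet nothing inside it is distribution-specific (a GitHub tarball unpacked under `/opt`, two symlinks and a profile.d script), so on any other family `jcliff` and the `JBOSS_HOME` profile are never installed while the three `import_tasks` that follow run regardless; either drop the condition or record in a comment why other families are excluded. `remote_src: yes` is the YAML 1.1 boolean spelling that yamllint's truthy rule flags — `remote_src: true` — and `/opt` appears three times as a literal where the rest of the role derives paths from a default (a `keycloak_jcliff_install_dir`-style variable would match that convention). The `Set the JBOSS_HOME` task name embeds `{{ jboss_home }}`, which is only defined in vars/main.yml of this role, so the block cannot be reused standalone.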
+++ b/templates/jboss-env.sh.j2
@@ -0,0 +1 @@
+export JBOSS_HOME={{ jboss_home }}
diff --git a/templates/keycloak.service.j2 b/templates/keycloak.service.j2
index 2099300..f0fe928 100644
--- a/templates/keycloak.service.j2
+++ b/templates/keycloak.service.j2
@@ -9,7 +9,7 @@ Environment=JBOSS_LOG_DIR={{ keycloak_log_directory }}
 Environment="JAVA_OPTS=-Xms{{ keycloak_java_min_heap }} -Xmx{{ keycloak_java_max_heap }}"
 User={{ keycloak_user }}
 Group={{ keycloak_user }}
-ExecStart={{ keycloak_runtime_home }}/bin/standalone.sh -b {{ keycloak_listen }} {% if keycloak_wildfly_clustered %} --server-config=standalone-ha.xml -Djboss.node.name={{ keycloak_wildfly_cluster_node_name }}{% endif %}
+ExecStart={{ keycloak_runtime_home }}/bin/standalone.sh -P {{ keycloak_properties_directory }}/wildfly.properties -b {{ keycloak_listen }} {% if keycloak_wildfly_clustered %}--server-config=standalone-ha.xml -Djboss.node.name={{ keycloak_wildfly_cluster_node_name }}{% endif %}
 TimeoutStartSec=600
 TimeoutStopSec=600
diff --git a/templates/wildfly.properties.j2 b/templates/wildfly.properties.j2
new file mode 100644
index 0000000..602ac7f
--- /dev/null
+++ b/templates/wildfly.properties.j2
@@ -0,0 +1,3 @@
+{% for prop in keycloak_startup_properties %}
+{{ prop.name }}={{ prop.value }}
+{% endfor %}
diff --git a/vars/main.yml b/vars/main.yml
index 46bb22b..0fbad09 100644
--- a/vars/main.yml
+++ b/vars/main.yml
@@ -9,9 +9,15 @@ keycloak_distribution: 'keycloak-{{ keycloak_version }}'
 keycloak_distribution_archive: '{{ keycloak_distribution }}.tar.gz'
 keycloak_download_url: 'https://downloads.jboss.org/keycloak/{{ keycloak_version }}/{{ keycloak_distribution_archive }}'
 keycloak_runtime_home: '{{ keycloak_install_dir }}/{{ keycloak_distribution }}'
+jboss_home: '{{ keycloak_runtime_home }}'
 keycloak_owned_directories:
 - data
 - tmp
 - configuration
 - deployments
-
+keycloak_data_subdirs:
+ - avatar
+ - content
+ - kernel
+ - timer-service-data
+ - tx-object-store
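Review bot: `jboss_home` is the only variable in vars/main.yml without the `keycloak_` prefix, and role vars sit above inventory and group_vars in precedence, so it silently overrides a `jboss_home` that another WildFly-based role or the inventory sets on the same host, while this role only reads it for the profile.d script; `keycloak_jboss_home: '{{ keycloak_runtime_home }}'` (with the template and the task name in tasks/main.yml updated) keeps the role's namespace clean. `keycloak_data_subdirs` presumably mirrors the subdirectories Keycloak creates under `standalone/data`; a comment recording which Keycloak version the list was taken from would help whoever bumps `keycloak_major_version` next.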