From e55c07179a2c6c730dbf3242964aabaa931ad26a Mon Sep 17 00:00:00 2001
From: Albert Stefanov
Date: Fri, 16 Feb 2024 21:04:01 +0200
Subject: [PATCH] Prepare Keycloak setup
---
ansible/main.yml | 11 ++++
ansible/roles/auth-server/tasks/keycloak.yml | 52 +++++++++++++++++++
.../main.yml => auth-server/tasks/ldap.yml} | 0
ansible/roles/auth-server/tasks/main.yml | 11 ++++
.../templates/units/sso-keycloak.container.j2 | 26 ++++++++++
ansible/roles/container-user/tasks/main.yml | 27 +++++++---
.../handlers/main.yml | 1 -
.../tasks/main.yml | 0
ansible/tasks/create_postgres_db.yml | 37 +++++++++++++
9 files changed, 156 insertions(+), 9 deletions(-)
create mode 100644 ansible/main.yml
create mode 100644 ansible/roles/auth-server/tasks/keycloak.yml
rename ansible/roles/{ldap-server/tasks/main.yml => auth-server/tasks/ldap.yml} (100%)
create mode 100644 ansible/roles/auth-server/tasks/main.yml
create mode 100644 ansible/roles/auth-server/templates/units/sso-keycloak.container.j2
rename ansible/roles/{postgres-server => postgresql-server}/handlers/main.yml (74%)
rename ansible/roles/{postgres-server => postgresql-server}/tasks/main.yml (100%)
create mode 100644 ansible/tasks/create_postgres_db.yml
diff --git a/ansible/main.yml b/ansible/main.yml
new file mode 100644
index 0000000..2943d10
--- /dev/null
+++ b/ansible/main.yml
@@ -0,0 +1,11 @@
+---
+
+- name: Run common tasks
+ hosts: all
+ roles:
+ - common
+
+- name: Auth Server setup
+ hosts: authservers
+ roles:
+ - auth-server
diff --git a/ansible/roles/auth-server/tasks/keycloak.yml b/ansible/roles/auth-server/tasks/keycloak.yml
new file mode 100644
index 0000000..8f4a23f
--- /dev/null
+++ b/ansible/roles/auth-server/tasks/keycloak.yml
@@ -0,0 +1,52 @@
+---
+
+- name: Check parameters
+ ansible.builtin.assert:
+ that:
+ - keycloak_podman_user_name is defined
+ - keycloak_db_password is defined
+
+- name: Create PostgreSQL database
+ include_tasks: create_postgres_db.yml
+ vars:
+ postgres_username: keycloak
+ postgres_database: keycloak
+ postgres_password: "{{ keycloak_db_password }}" #TODO: change for a password manager
+
+- name: Set up container user
+ include_role:
+ name: container-user
+ vars:
+ podman_user: "{{ keycloak_podman_user_name }}"
+ podman_home: "{{ keycloak_podman_user_home | default(omit) }}"
+ podman_uid: "{{ keycloak_podman_user_uid | default(omit) }}"
+
+ #- name: Create secrets
+ # containers.podman.podman_secret:
+ # become: true
+ # become_user: "{{ keycloak_podman_user_name }}"
+
+- name: Create data directories
+ ansible.builtin.file:
+ state: directory
+ path: "{{ item }}"
+ with_items:
+ - "{{ keycloak_data_dir }}/keystore/"
+
+- name: Upload unit files
+ ansible.builtin.template:
+ src: units/sso-keycloak.container.j2
+ dest: ~/.config/containers/systemd/sso-keycloak.container
+ become: true
+ become_user: "{{ keycloak_podman_user_name }}"
+
+
+# Note: enabled in the unit file
+- name: Start Keycloak
+ ansible.builtin.systemd_service:
+ scope: user
+ service: sso-keycloak.service
+ daemon_reload: true
+ state: started
+ become: true
+ become_user: "{{ keycloak_podman_user_name }}"
diff --git a/ansible/roles/ldap-server/tasks/main.yml b/ansible/roles/auth-server/tasks/ldap.yml
similarity index 100%
rename from ansible/roles/ldap-server/tasks/main.yml
rename to ansible/roles/auth-server/tasks/ldap.yml
diff --git a/ansible/roles/auth-server/tasks/main.yml b/ansible/roles/auth-server/tasks/main.yml
new file mode 100644
index 0000000..611df3b
--- /dev/null
+++ b/ansible/roles/auth-server/tasks/main.yml
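Review bot: `Create data directories` runs as root with no `owner`, `group` or `mode`, so `{{ keycloak_data_dir }}/keystore/` is created root-owned with the default mode: any local account can read whatever keystore material lands there and the rootless podman user the container runs under cannot manage it. Add `owner: "{{ keycloak_podman_user_name }}"` and `mode: "0700"` to that task (the matching group name is an assumption, confirm it against how the user is created; with rootless podman the in-container uid mapping for the mounted volume also needs checking). The unit file references six podman secrets (`keycloak-admin-user` through `keycloak-db-password`) while the task that would create them is left commented out, so `Start Keycloak` can only succeed if the secrets were provisioned out-of-band, and the `keycloak-db-password` secret must hold the same value as `keycloak_db_password` or the DB login fails; that precondition deserves a comment above `Start Keycloak`. The `include_role: container-user` vars are named `podman_user`/`podman_home`/`podman_uid`, but the role asserts and reads `podman_user_name`/`podman_user_home`/`podman_user_uid`; it works only because `auth-server/tasks/main.yml` (the next hunk) passes the correctly named vars to `include_tasks`, so either rename these or drop them.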
@@ -0,0 +1,11 @@
+---
+
+- name: Set up OpenLDAP
+ include_tasks: ldap.yml
+
+- name: Set up Keycloak
+ include_tasks: keycloak.yml
+ vars:
+ podman_user_name: "{{ keycloak_podman_user_name }}"
+ podman_user_home: "{{ keycloak_podman_user_home | default(omit) }}"
+ podman_user_uid: "{{ keycloak_podman_user_uid | default(omit) }}"
diff --git a/ansible/roles/auth-server/templates/units/sso-keycloak.container.j2 b/ansible/roles/auth-server/templates/units/sso-keycloak.container.j2
new file mode 100644
index 0000000..f2f7bd2
--- /dev/null
+++ b/ansible/roles/auth-server/templates/units/sso-keycloak.container.j2
@@ -0,0 +1,26 @@
+[Unit]
+Description=SSO Provider for OpenFest
+
+[Container]
+ContainerName=sso-keycloak
+Image=quay.io/keycloak/keycloak:latest
+
+Environment=JAVA_OPTS="-Xms64m -Xmx512m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Dfile.encoding=UTF-8 -Dsun.stdout.encoding=UTF-8 -Dsun.err.encoding=UTF-8 -Dstdout.encoding=UTF-8 -Dstderr.encoding=UTF-8 -XX:+ExitOnOutOfMemoryError -Djava.security.egd=file:/dev/urandom -XX:+UseG1GC -XX:MinHeapFreeRatio=10 -XX:MaxHeapFreeRatio=80 -XX:GCTimeRatio=4 -XX:AdaptiveSizePolicyWeight=90 -XX:FlightRecorderOptions=stackdepth=512"
+Volume={{ keycloak_data_dir }}/keystore/:/keystore/
+
+Secret=keycloak-admin-user,type=env,target=KEYCLOAK_ADMIN
+Secret=keycloak-admin-password,type=env,target=KEYCLOAK_ADMIN_PASSWORD
+
+Secret=keycloak-db-host,type=env,target=KC_DB_URL_HOST
+Secret=keycloak-db-name,type=env,target=KC_DB_URL_DATABASE
+Secret=keycloak-db-user,type=env,target=KC_DB_USERNAME
+Secret=keycloak-db-password,type=env,target=KC_DB_PASSWORD
+Environment=KC_DB=postgres
+Environment=KC_HEALTH_ENABLED=true
+
+Exec=start --features=preview --hostname {{ keycloak_hostname }} --proxy edge
+
+PublishPort={{ keycloak_listen_address }}:8080
+AutoUpdate=registry
+[Install]
+WantedBy=default.target
diff --git a/ansible/roles/container-user/tasks/main.yml b/ansible/roles/container-user/tasks/main.yml
index 625c230..2f1368c 100644
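Review bot: `Image=quay.io/keycloak/keycloak:latest` together with `AutoUpdate=registry` means the identity provider is upgraded unattended to whatever the registry publishes next, including major releases with breaking changes (later Keycloak releases deprecate the `--proxy edge` option used on the `Exec=` line in favour of `--proxy-headers`), so pin an explicit version, e.g. `Image=quay.io/keycloak/keycloak:<PINNED_VERSION>` (placeholder), and let `AutoUpdate` track that tag. `--features=preview` switches on every preview feature of a production SSO instance; enable only the named features that are actually needed. Because `--proxy edge` makes Keycloak trust forwarded headers, `PublishPort={{ keycloak_listen_address }}:8080` must bind to an address reachable only by the reverse proxy, otherwise port 8080 and the `/health` endpoints enabled by `KC_HEALTH_ENABLED=true` are directly exposed; a comment above `PublishPort=` stating that assumption would help the next maintainer. The unit has no `[Service]` section, so nothing restarts the container if Keycloak exits; `Restart=always` under `[Service]` is the usual Quadlet choice.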
--- a/ansible/roles/container-user/tasks/main.yml +++ b/ansible/roles/container-user/tasks/main.yml @@ -3,22 +3,33 @@ - name: Check if required parameters are set ansible.builtin.assert: that: - - username is defined + - podman_user_name is defined + +- name: Set up as container host + ansible.builtin.include_role: + name: container-host - name: Create user ansible.builtin.user: - name: "{{ username }}" - home: "{{ homedir | default(omit) }}" - uid: "{{ uid | default(omit) }}" + name: "{{ podman_user_name }}" + home: "{{ podman_user_home | default(omit) }}" + uid: "{{ podman_user_uid | default(omit) }}" state: present +- name: Create unit files dir + ansible.builtin.file: + path: ~/.config/containers/systemd + state: directory + become: true + become_user: "{{ podman_user_name }}" + # Note: We check whether lingering is already enabled so we show as OK/skipped instead of changed - name: Check if user is lingering - stat: - path: "/var/lib/systemd/linger/{{ username }}" + ansible.builtin.stat: + path: "/var/lib/systemd/linger/{{ podman_user_name }}" register: user_lingering - name: Enable session lingering - ansible.builtin.command: "loginctl enable-linger {{ username }}" + ansible.builtin.command: "loginctl enable-linger {{ podman_user_name }}" when: - - not user_lingering.stat.exists \ No newline at end of file + - not user_lingering.stat.exists diff --git a/ansible/roles/postgres-server/handlers/main.yml b/ansible/roles/postgresql-server/handlers/main.yml similarity index 74% rename from ansible/roles/postgres-server/handlers/main.yml rename to ansible/roles/postgresql-server/handlers/main.yml index af3f58f..ef04727 100644 --- a/ansible/roles/postgres-server/handlers/main.yml +++ b/ansible/roles/postgresql-server/handlers/main.yml @@ -2,4 +2,3 @@ service: name: postgresql state: restarted - listen: "restart postgres" \ No newline at end of file 
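Review bot: `ansible.builtin.command: "loginctl enable-linger {{ podman_user_name }}"` interpolates the user name into a string that the module then word-splits, so a value containing whitespace would turn into extra arguments; the `argv` form passes it as a single argument: `ansible.builtin.command:` followed by `argv: ["loginctl", "enable-linger", "{{ podman_user_name }}"]`. `Create user` provisions a service identity as an ordinary interactive account; if nothing needs to log in as it, `password_lock: true` on that task keeps password login closed while `become_user` keeps working — confirm the rootless systemd user session is unaffected before adopting it. The hunk starts at line 3 of the file, so the document start and anything before the first assert are outside this view.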
diff --git a/ansible/roles/postgres-server/tasks/main.yml b/ansible/roles/postgresql-server/tasks/main.yml
similarity index 100%
rename from ansible/roles/postgres-server/tasks/main.yml
rename to ansible/roles/postgresql-server/tasks/main.yml
diff --git a/ansible/tasks/create_postgres_db.yml b/ansible/tasks/create_postgres_db.yml
new file mode 100644
index 0000000..6e6b23c
--- /dev/null
+++ b/ansible/tasks/create_postgres_db.yml
@@ -0,0 +1,37 @@
+---
+
+- name: Check params
+ ansible.builtin.assert:
+ that:
+ - postgres_username is defined
+ - postgres_database is defined
+ - not(postgres_access_host is defined and postgres_password is defined)
+
+- name: Set up PostgreSQL
+ ansible.builtin.include_role:
+ name: postgresql-server
+
+- name: Create user
+ community.postgresql.postgresql_user:
+ name: "{{ postgres_username }}"
+ password: "{{ postgres_password | default(omit) }}"
+ become: true
+ become_user: postgres
+
+- name: Create postgres_database
+ community.postgresql.postgresql_db:
+ name: "{{ postgres_database }}"
+ owner: "{{ postgres_username }}"
+ become: true
+ become_user: postgres
+
+
+- name: Update pg_hba scram
+ community.postgresql.postgresql_pg_hba:
+ contype: host
+ users: "{{ postgres_username }}"
+ source: "{{ postgres_access_host }}"
+ databases: "{{ postgres_database }}"
+ method: "scram-sha-256"
+ when: postgres_access_host is defined
+ notify: Restart PostgreSQL
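Review bot: The assertion `not(postgres_access_host is defined and postgres_password is defined)` rejects exactly the combination a remote client needs — a `scram-sha-256` host entry in pg_hba is only usable by a role that has a password — and accepts a host entry for a password-less role, so the condition looks inverted and should probably read `- postgres_access_host is not defined or postgres_password is defined`. Note that `keycloak.yml` in this same patch passes a password but no `postgres_access_host`, so no pg_hba entry is written for the containerised Keycloak that connects over `KC_DB_URL_HOST`; confirm how that connection is meant to be authorised. `Create user` handles `postgres_password` and should carry `no_log: true` so the value never reaches task output or callback logs. `Update pg_hba scram` notifies `Restart PostgreSQL`, but a pg_hba change only needs a reload, and the handler file touched by this patch (`postgresql-server/handlers/main.yml`) shows `state: restarted` with its `name:` line outside the hunk, so confirm the handler name matches now that the `listen:` alias is gone.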