Prepare Keycloak setup

ansible/main.yml

@@ -0,0 +1,11 @@
+---
+
+- name: Run common tasks
+  hosts: all
+  roles:
+    - common
+
+- name: Auth Server setup
+  hosts: authservers
+  roles:
+    - auth-server

ansible/roles/auth-server/tasks/keycloak.yml

@@ -0,0 +1,52 @@
+---
+
+- name: Check parameters
+  ansible.builtin.assert:
+    that:
+      - keycloak_podman_user_name is defined
+      - keycloak_db_password is defined
+
+- name: Create PostgreSQL database
+  include_tasks: create_postgres_db.yml
+  vars:
+    postgres_username: keycloak
+    postgres_database: keycloak
+    postgres_password: "{{ keycloak_db_password }}" #TODO: change for a password manager
+
+- name: Set up container user
+  include_role:
+    name: container-user
+  vars:
+    podman_user: "{{ keycloak_podman_user_name }}"
+    podman_home: "{{ keycloak_podman_user_home | default(omit) }}"
+    podman_uid: "{{ keycloak_podman_user_uid | default(omit) }}"
+
+      #- name: Create secrets
+      #  containers.podman.podman_secret:
+      #  become: true
+      #  become_user: "{{ keycloak_podman_user_name }}"
+
+- name: Create data directories
+  ansible.builtin.file:
+    state: directory
+    path: "{{ item }}"
+  with_items:
+    - "{{ keycloak_data_dir }}/keystore/"
+
+- name: Upload unit files
+  ansible.builtin.template:
+    src: units/sso-keycloak.container.j2
+    dest: ~/.config/containers/systemd/sso-keycloak.container
+  become: true
+  become_user: "{{ keycloak_podman_user_name }}"
+
+
+# Note: enabled in the unit file
+- name: Start Keycloak
+  ansible.builtin.systemd_service:
+    scope: user
+    service: sso-keycloak.service
+    daemon_reload: true
+    state: started
+  become: true
+  become_user: "{{ keycloak_podman_user_name }}"

ansible/roles/auth-server/tasks/main.yml

@@ -0,0 +1,11 @@
+---
+
+- name: Set up OpenLDAP
+  include_tasks: ldap.yml
+
+- name: Set up Keycloak
+  include_tasks: keycloak.yml
+  vars:
+    podman_user_name: "{{ keycloak_podman_user_name }}"
+    podman_user_home: "{{ keycloak_podman_user_home | default(omit) }}"
+    podman_user_uid: "{{ keycloak_podman_user_uid | default(omit) }}"

ansible/roles/auth-server/templates/units/sso-keycloak.container.j2

@@ -0,0 +1,26 @@
+[Unit]
+Description=SSO Provider for OpenFest
+
+[Container]
+ContainerName=sso-keycloak
+Image=quay.io/keycloak/keycloak:latest
+
+Environment=JAVA_OPTS="-Xms64m -Xmx512m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Dfile.encoding=UTF-8 -Dsun.stdout.encoding=UTF-8 -Dsun.err.encoding=UTF-8 -Dstdout.encoding=UTF-8 -Dstderr.encoding=UTF-8 -XX:+ExitOnOutOfMemoryError -Djava.security.egd=file:/dev/urandom -XX:+UseG1GC -XX:MinHeapFreeRatio=10 -XX:MaxHeapFreeRatio=80 -XX:GCTimeRatio=4 -XX:AdaptiveSizePolicyWeight=90 -XX:FlightRecorderOptions=stackdepth=512"
+Volume={{ keycloak_data_dir }}/keystore/:/keystore/
+
+Secret=keycloak-admin-user,type=env,target=KEYCLOAK_ADMIN
+Secret=keycloak-admin-password,type=env,target=KEYCLOAK_ADMIN_PASSWORD
+
+Secret=keycloak-db-host,type=env,target=KC_DB_URL_HOST
+Secret=keycloak-db-name,type=env,target=KC_DB_URL_DATABASE
+Secret=keycloak-db-user,type=env,target=KC_DB_USERNAME
+Secret=keycloak-db-password,type=env,target=KC_DB_PASSWORD
+Environment=KC_DB=postgres
+Environment=KC_HEALTH_ENABLED=true
+
+Exec=start --features=preview --hostname {{ keycloak_hostname }} --proxy edge
+
+PublishPort={{ keycloak_listen_address }}:8080
+AutoUpdate=registry
+[Install]
+WantedBy=default.target

ansible/roles/container-user/tasks/main.yml

@@ -3,22 +3,33 @@
 - name: Check if required parameters are set
   ansible.builtin.assert:
     that:
-      - username is defined
+      - podman_user_name is defined
+
+- name: Set up as container host
+  ansible.builtin.include_role:
+    name: container-host
 
 - name: Create user
   ansible.builtin.user:
-    name: "{{ username }}"
+    name: "{{ podman_user_name }}"
-    home: "{{ homedir | default(omit) }}"
+    home: "{{ podman_user_home | default(omit) }}"
-    uid: "{{ uid | default(omit) }}"
+    uid: "{{ podman_user_uid | default(omit) }}"
     state: present
 
+- name: Create unit files dir
+  ansible.builtin.file:
+    path: ~/.config/containers/systemd
+    state: directory
+  become: true
+  become_user: "{{ podman_user_name }}"
+
 # Note: We check whether lingering is already enabled so we show as OK/skipped instead of changed
 - name: Check if user is lingering
-  stat:
+  ansible.builtin.stat:
-    path: "/var/lib/systemd/linger/{{ username }}"
+    path: "/var/lib/systemd/linger/{{ podman_user_name }}"
   register: user_lingering
 
 - name: Enable session lingering
-  ansible.builtin.command: "loginctl enable-linger {{ username }}"
+  ansible.builtin.command: "loginctl enable-linger {{ podman_user_name }}"
   when:
-    - not user_lingering.stat.exists
+    - not user_lingering.stat.exists

ansible/roles/postgresql-server/handlers/main.yml

@@ -2,4 +2,3 @@
   service:
     name: postgresql
     state: restarted
-  listen: "restart postgres"

ansible/tasks/create_postgres_db.yml

@@ -0,0 +1,37 @@
+---
+
+- name: Check params
+  ansible.builtin.assert:
+    that:
+      - postgres_username is defined
+      - postgres_database is defined
+      - not(postgres_access_host is defined and postgres_password is defined)
+
+- name: Set up PostgreSQL
+  ansible.builtin.include_role:
+    name: postgresql-server
+
+- name: Create user
+  community.postgresql.postgresql_user:
+    name: "{{ postgres_username }}"
+    password: "{{ postgres_password | default(omit) }}"
+  become: true
+  become_user: postgres
+
+- name: Create postgres_database
+  community.postgresql.postgresql_db:
+    name: "{{ postgres_database }}"
+    owner: "{{ postgres_username }}"
+  become: true
+  become_user: postgres
+    
+
+- name: Update pg_hba scram
+  community.postgresql.postgresql_pg_hba:
+    contype: host
+    users: "{{ postgres_username }}"
+    source: "{{ postgres_access_host }}"
+    databases: "{{ postgres_database }}"
+    method: "scram-sha-256"
+  when: postgres_access_host is defined
+  notify: Restart PostgreSQL