Prepare Keycloak setup

This commit is contained in:
Albert Stefanov 2024-02-16 21:04:01 +02:00
parent 1316ee640c
commit e55c07179a
9 changed files with 156 additions and 9 deletions

11
ansible/main.yml Normal file

@ -0,0 +1,11 @@
---
- name: Run common tasks
hosts: all
roles:
- common
- name: Auth Server setup
hosts: authservers
roles:
- auth-server


@ -0,0 +1,52 @@
---
- name: Check parameters
ansible.builtin.assert:
that:
- keycloak_podman_user_name is defined
- keycloak_db_password is defined
- name: Create PostgreSQL database
include_tasks: create_postgres_db.yml
vars:
postgres_username: keycloak
postgres_database: keycloak
postgres_password: "{{ keycloak_db_password }}" #TODO: change for a password manager
- name: Set up container user
include_role:
name: container-user
vars:
podman_user: "{{ keycloak_podman_user_name }}"
podman_home: "{{ keycloak_podman_user_home | default(omit) }}"
podman_uid: "{{ keycloak_podman_user_uid | default(omit) }}"
#- name: Create secrets
# containers.podman.podman_secret:
# become: true
# become_user: "{{ keycloak_podman_user_name }}"
- name: Create data directories
ansible.builtin.file:
state: directory
path: "{{ item }}"
with_items:
- "{{ keycloak_data_dir }}/keystore/"
- name: Upload unit files
ansible.builtin.template:
src: units/sso-keycloak.container.j2
dest: ~/.config/containers/systemd/sso-keycloak.container
become: true
become_user: "{{ keycloak_podman_user_name }}"
# Note: enabled in the unit file
- name: Start Keycloak
ansible.builtin.systemd_service:
scope: user
service: sso-keycloak.service
daemon_reload: true
state: started
become: true
become_user: "{{ keycloak_podman_user_name }}"
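Review bot: `Start Keycloak` will fail as committed, because the sso-keycloak.container template in a later section pulls six podman secrets (`keycloak-admin-user`, `keycloak-admin-password`, `keycloak-db-host`, `keycloak-db-name`, `keycloak-db-user`, `keycloak-db-password`) via `Secret=` lines, while the only task that would create them, `Create secrets`, is commented out here. Either restore that task (with `no_log: true`, since it carries credentials) or drop the `Secret=` lines until it exists. Separately, the vars handed to `container-user` are named `podman_user`, `podman_home` and `podman_uid`, but that role asserts and reads `podman_user_name`, `podman_user_home` and `podman_user_uid`; the include only works because the role's main.yml already sets those exact names around `include_tasks: keycloak.yml`, so rename them, e.g. `podman_user_name: "{{ keycloak_podman_user_name }}"`, or remove the block. The `#TODO` on `postgres_password` is the same class of issue: `keycloak_db_password` should be sourced from vault or a secret store rather than a plain inventory variable.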


@ -0,0 +1,11 @@
---
- name: Set up OpenLDAP
include_tasks: ldap.yml
- name: Set up Keycloak
include_tasks: keycloak.yml
vars:
podman_user_name: "{{ keycloak_podman_user_name }}"
podman_user_home: "{{ keycloak_podman_user_home | default(omit) }}"
podman_user_uid: "{{ keycloak_podman_user_uid | default(omit) }}"


@ -0,0 +1,26 @@
[Unit]
Description=SSO Provider for OpenFest
[Container]
ContainerName=sso-keycloak
Image=quay.io/keycloak/keycloak:latest
Environment=JAVA_OPTS="-Xms64m -Xmx512m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Dfile.encoding=UTF-8 -Dsun.stdout.encoding=UTF-8 -Dsun.err.encoding=UTF-8 -Dstdout.encoding=UTF-8 -Dstderr.encoding=UTF-8 -XX:+ExitOnOutOfMemoryError -Djava.security.egd=file:/dev/urandom -XX:+UseG1GC -XX:MinHeapFreeRatio=10 -XX:MaxHeapFreeRatio=80 -XX:GCTimeRatio=4 -XX:AdaptiveSizePolicyWeight=90 -XX:FlightRecorderOptions=stackdepth=512"
Volume={{ keycloak_data_dir }}/keystore/:/keystore/
Secret=keycloak-admin-user,type=env,target=KEYCLOAK_ADMIN
Secret=keycloak-admin-password,type=env,target=KEYCLOAK_ADMIN_PASSWORD
Secret=keycloak-db-host,type=env,target=KC_DB_URL_HOST
Secret=keycloak-db-name,type=env,target=KC_DB_URL_DATABASE
Secret=keycloak-db-user,type=env,target=KC_DB_USERNAME
Secret=keycloak-db-password,type=env,target=KC_DB_PASSWORD
Environment=KC_DB=postgres
Environment=KC_HEALTH_ENABLED=true
Exec=start --features=preview --hostname {{ keycloak_hostname }} --proxy edge
PublishPort={{ keycloak_listen_address }}:8080
AutoUpdate=registry
[Install]
WantedBy=default.target
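Review bot: `Image=quay.io/keycloak/keycloak:latest` together with `AutoUpdate=registry` means every push to `latest` is pulled and the SSO provider restarted unattended, including major releases that change the CLI and migrate the database schema; pin a version tag, e.g. `Image=quay.io/keycloak/keycloak:<PINNED_VERSION>`, and let AutoUpdate follow that tag instead. `--features=preview` switches on every preview feature rather than the ones this deployment needs, which widens the attack surface; list the required features by name. `--proxy edge` is deprecated in newer Keycloak releases in favour of `--proxy-headers`, so an unpinned image is likely to stop starting with this `Exec=` line at some point — worth checking against the release actually being deployed.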


@ -3,22 +3,33 @@
- name: Check if required parameters are set
ansible.builtin.assert:
that:
- username is defined
- podman_user_name is defined
- name: Set up as container host
ansible.builtin.include_role:
name: container-host
- name: Create user
ansible.builtin.user:
name: "{{ username }}"
home: "{{ homedir | default(omit) }}"
uid: "{{ uid | default(omit) }}"
name: "{{ podman_user_name }}"
home: "{{ podman_user_home | default(omit) }}"
uid: "{{ podman_user_uid | default(omit) }}"
state: present
- name: Create unit files dir
ansible.builtin.file:
path: ~/.config/containers/systemd
state: directory
become: true
become_user: "{{ podman_user_name }}"
# Note: We check whether lingering is already enabled so we show as OK/skipped instead of changed
- name: Check if user is lingering
stat:
path: "/var/lib/systemd/linger/{{ username }}"
ansible.builtin.stat:
path: "/var/lib/systemd/linger/{{ podman_user_name }}"
register: user_lingering
- name: Enable session lingering
ansible.builtin.command: "loginctl enable-linger {{ username }}"
ansible.builtin.command: "loginctl enable-linger {{ podman_user_name }}"
when:
- not user_lingering.stat.exists
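Review bot: `Create unit files dir` (and the template task in the auth-server role that writes into the same `~/.config/containers/systemd`) relies on `~` expanding to the become user's home, but under `become_user` that depends on whether the become method resets HOME, which varies with sudo configuration and distribution; the directory can silently land under the connecting user's home instead. Registering `Create user` and using the module's returned home, e.g. `path: "{{ created_user.home }}/.config/containers/systemd"`, removes the ambiguity. `ansible.builtin.command: "loginctl enable-linger {{ podman_user_name }}"` also word-splits the user name; `argv: [loginctl, enable-linger, "{{ podman_user_name }}"]` keeps it a single argument regardless of content.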


@ -2,4 +2,3 @@
service:
name: postgresql
state: restarted
listen: "restart postgres"


@ -0,0 +1,37 @@
---
- name: Check params
ansible.builtin.assert:
that:
- postgres_username is defined
- postgres_database is defined
- not(postgres_access_host is defined and postgres_password is defined)
- name: Set up PostgreSQL
ansible.builtin.include_role:
name: postgresql-server
- name: Create user
community.postgresql.postgresql_user:
name: "{{ postgres_username }}"
password: "{{ postgres_password | default(omit) }}"
become: true
become_user: postgres
- name: Create postgres_database
community.postgresql.postgresql_db:
name: "{{ postgres_database }}"
owner: "{{ postgres_username }}"
become: true
become_user: postgres
- name: Update pg_hba scram
community.postgresql.postgresql_pg_hba:
contype: host
users: "{{ postgres_username }}"
source: "{{ postgres_access_host }}"
databases: "{{ postgres_database }}"
method: "scram-sha-256"
when: postgres_access_host is defined
notify: Restart PostgreSQL
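Review bot: `Create user` passes `password` but has no `no_log: true`, so the database password is printed in verbose output and by logging callbacks; add `no_log: true` to that task. The assert `not(postgres_access_host is defined and postgres_password is defined)` rejects precisely the combination `Update pg_hba scram` needs — a `scram-sha-256` entry for a remote host is only usable by a user that has a password — which looks inverted; if the intent is "both or neither", `(postgres_access_host is defined) == (postgres_password is defined)` expresses it. A pg_hba change only needs a configuration reload, so notifying a full restart drops open connections unnecessarily; a reload handler would be the gentler choice.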