ansible-collection-core/roles/podman_keycloak/tasks/main.yml

---
- name: Podman Keycloak | PATCH | Install podman and create rootless podman user
  ansible.builtin.include_role:
    role: sr2c.core.podman_host
  vars:
    podman_host_minimum_unpriv_port: 80
    podman_host_rootless_users: ["keycloak"]

- name: Podman Keycloak | PATCH | Enable http service with firewalld
  ansible.posix.firewalld:
    service: http
    state: enabled
    immediate: true
    permanent: true
    zone: public

- name: Podman Keycloak | PATCH | Enable https service with firewalld
  ansible.posix.firewalld:
    service: https
    state: enabled
    immediate: true
    permanent: true
    zone: public

# TODO: These will be relabelled by podman but in the future we should label them from the start
- name: Podman Keycloak | PATCH | Create service configuration directories
  ansible.builtin.file:
    path: "/home/{{ podman_keycloak_podman_rootless_user }}/{{ item }}"
    state: directory
    owner: "{{ podman_keycloak_podman_rootless_user }}"
    group: "{{ podman_keycloak_podman_rootless_user }}"
    mode: "0755"
  become: true
  with_items:
    - keycloak
    - ldap
    - postgres
  when: (item != 'ldap') or podman_keycloak_enable_ldap

- name: Podman Keycloak | PATCH | Download keycloak providers
  ansible.builtin.get_url:
    url: "{{ item.url }}"
    dest: "/home/{{ podman_keycloak_podman_rootless_user }}/keycloak/{{ item.url | basename }}"
    checksum: "sha256:{{ item.sha256 }}"
  with_items: "{{ podman_keycloak_keycloak_providers }}"
  become: true
  become_user: "{{ podman_keycloak_podman_rootless_user }}"
  notify: restart keycloak

- name: Podman Keycloak | PATCH | Install systemd target
  ansible.builtin.template:
    src: "keycloak.target"
    dest: "/home/{{ podman_keycloak_podman_rootless_user }}/.config/systemd/user/keycloak.target"
    owner: "{{ podman_keycloak_podman_rootless_user }}"
    mode: "0400"

- name: Podman Keycloak | PATCH | Install systemd slice
  ansible.builtin.template:
    src: "keycloak.slice"
    dest: "/home/{{ podman_keycloak_podman_rootless_user }}/.config/systemd/user/keycloak.slice"
    owner: "{{ podman_keycloak_podman_rootless_user }}"
    mode: "0400"

- name: Podman Keycloak | PATCH | Install container quadlets
  ansible.builtin.template:
    src: "{{ item }}"
    dest: "/home/{{ podman_keycloak_podman_rootless_user }}/.config/containers/systemd/{{ item }}"
    owner: "{{ podman_keycloak_podman_rootless_user }}"
    mode: "0400"
  with_items:
    - ldap.container
    - keycloak.container
    - postgres.container
  when: (item != 'ldap.container') or podman_keycloak_enable_ldap
  notify:
    - "Restart {{ item | split('.') | first }}"
  become: true

- name: Podman Keycloak | PATCH | Install network quadlets
  ansible.builtin.template:
    src: "{{ item }}"
    dest: "/home/{{ podman_keycloak_podman_rootless_user }}/.config/containers/systemd/{{ item }}"
    owner: "{{ podman_keycloak_podman_rootless_user }}"
    mode: "0400"
  with_items:
    - frontend.network
    - ldap.network
    - keycloak.network
  when: (item != 'ldap.network') or podman_keycloak_enable_ldap
  become: true

- name: Podman Keycloak | AUDIT | Verify quadlets are correctly defined
  ansible.builtin.command: /usr/libexec/podman/quadlet -dryrun -user
  register: podman_keycloak_quadlet_result
  ignore_errors: true
  changed_when: false
  become: true
  become_user: "{{ podman_keycloak_podman_rootless_user }}"

- name: Podman Keycloak | AUDIT | Assert that the quadlet verification succeeded
  ansible.builtin.assert:
    that:
      - podman_keycloak_quadlet_result.rc == 0
    fail_msg: "'/usr/libexec/podman/quadlet -dryrun -user' failed! Output withheld to prevent leaking secrets."

- name: Podman Keycloak | PATCH | Start PostgreSQL and keycloak containers
  ansible.builtin.systemd_service:
    name: "{{ item }}"
    state: started
    scope: user
    daemon_reload: true
  become: true
  become_user: "{{ podman_keycloak_podman_rootless_user }}"
  with_items:
    - postgres
    - keycloak

- name: Podman Keycloak | PATCH | Configure nginx container
  ansible.builtin.include_role:
    name: sr2c.core.podman_nginx
  vars:
    podman_nginx_podman_rootless_user: "{{ podman_keycloak_podman_rootless_user }}"
    podman_nginx_primary_hostname: "{{ podman_keycloak_keycloak_hostname }}"
    podman_nginx_frontend_network: frontend
    podman_nginx_systemd_service_slice: keycloak.slice
    podman_nginx_systemd_service_target: keycloak.target

- name: Podman Keycloak | PATCH | Start LDAP container
  ansible.builtin.systemd_service:
    name: ldap
    state: started
    scope: user
  when: podman_keycloak_enable_ldap
  become: true
  become_user: "{{ podman_keycloak_podman_rootless_user }}"

- name: Podman Keycloak | PATCH | Create nginx configuration file
  ansible.builtin.template:
    src: nginx.conf
    dest: "/home/{{ podman_keycloak_podman_rootless_user }}/nginx/nginx.conf"
    owner: "{{ podman_keycloak_podman_rootless_user }}"
    group: "{{ podman_keycloak_podman_rootless_user }}"
    mode: "0644"
  become: true
  notify: restart nginx

- name: Podman Keycloak | PATCH | Configure the LDAP directory
  ansible.builtin.include_tasks:
    file: ldap.yml
  when: podman_keycloak_enable_ldap

- name: Podman Keycloak | PATCH | Enable keycloak.target
  ansible.builtin.systemd_service:
    name: keycloak.target
    state: started
    enabled: true
    scope: user
    daemon_reload: true
  become: true
  become_user: "{{ podman_keycloak_podman_rootless_user }}"
Initial import; migrate some roles from irl.wip 2025-10-31 22:36:32 +00:00			`---`
			`- name: Podman Keycloak \| PATCH \| Install podman and create rootless podman user`
			`ansible.builtin.include_role:`
			`role: sr2c.core.podman_host`
			`vars:`
			`podman_host_minimum_unpriv_port: 80`
			`podman_host_rootless_users: ["keycloak"]`

			`- name: Podman Keycloak \| PATCH \| Enable http service with firewalld`
			`ansible.posix.firewalld:`
			`service: http`
			`state: enabled`
			`immediate: true`
			`permanent: true`
			`zone: public`

			`- name: Podman Keycloak \| PATCH \| Enable https service with firewalld`
			`ansible.posix.firewalld:`
			`service: https`
			`state: enabled`
			`immediate: true`
			`permanent: true`
			`zone: public`

			`# TODO: These will be relabelled by podman but in the future we should label them from the start`
			`- name: Podman Keycloak \| PATCH \| Create service configuration directories`
			`ansible.builtin.file:`
			`path: "/home/{{ podman_keycloak_podman_rootless_user }}/{{ item }}"`
			`state: directory`
			`owner: "{{ podman_keycloak_podman_rootless_user }}"`
			`group: "{{ podman_keycloak_podman_rootless_user }}"`
			`mode: "0755"`
			`become: true`
			`with_items:`
			`- keycloak`
			`- ldap`
			`- postgres`
			`when: (item != 'ldap') or podman_keycloak_enable_ldap`

			`- name: Podman Keycloak \| PATCH \| Download keycloak providers`
			`ansible.builtin.get_url:`
			`url: "{{ item.url }}"`
			`dest: "/home/{{ podman_keycloak_podman_rootless_user }}/keycloak/{{ item.url \| basename }}"`
			`checksum: "sha256:{{ item.sha256 }}"`
			`with_items: "{{ podman_keycloak_keycloak_providers }}"`
			`become: true`
			`become_user: "{{ podman_keycloak_podman_rootless_user }}"`
			`notify: restart keycloak`

			`- name: Podman Keycloak \| PATCH \| Install systemd target`
			`ansible.builtin.template:`
			`src: "keycloak.target"`
			`dest: "/home/{{ podman_keycloak_podman_rootless_user }}/.config/systemd/user/keycloak.target"`
			`owner: "{{ podman_keycloak_podman_rootless_user }}"`
			`mode: "0400"`

			`- name: Podman Keycloak \| PATCH \| Install systemd slice`
			`ansible.builtin.template:`
			`src: "keycloak.slice"`
			`dest: "/home/{{ podman_keycloak_podman_rootless_user }}/.config/systemd/user/keycloak.slice"`
			`owner: "{{ podman_keycloak_podman_rootless_user }}"`
			`mode: "0400"`

			`- name: Podman Keycloak \| PATCH \| Install container quadlets`
			`ansible.builtin.template:`
			`src: "{{ item }}"`
			`dest: "/home/{{ podman_keycloak_podman_rootless_user }}/.config/containers/systemd/{{ item }}"`
			`owner: "{{ podman_keycloak_podman_rootless_user }}"`
			`mode: "0400"`
			`with_items:`
			`- ldap.container`
			`- keycloak.container`
			`- postgres.container`
			`when: (item != 'ldap.container') or podman_keycloak_enable_ldap`
			`notify:`
			`- "Restart {{ item \| split('.') \| first }}"`
			`become: true`

			`- name: Podman Keycloak \| PATCH \| Install network quadlets`
			`ansible.builtin.template:`
			`src: "{{ item }}"`
			`dest: "/home/{{ podman_keycloak_podman_rootless_user }}/.config/containers/systemd/{{ item }}"`
			`owner: "{{ podman_keycloak_podman_rootless_user }}"`
			`mode: "0400"`
			`with_items:`
			`- frontend.network`
			`- ldap.network`
			`- keycloak.network`
			`when: (item != 'ldap.network') or podman_keycloak_enable_ldap`
			`become: true`

			`- name: Podman Keycloak \| AUDIT \| Verify quadlets are correctly defined`
			`ansible.builtin.command: /usr/libexec/podman/quadlet -dryrun -user`
			`register: podman_keycloak_quadlet_result`
			`ignore_errors: true`
			`changed_when: false`
			`become: true`
			`become_user: "{{ podman_keycloak_podman_rootless_user }}"`

			`- name: Podman Keycloak \| AUDIT \| Assert that the quadlet verification succeeded`
			`ansible.builtin.assert:`
			`that:`
			`- podman_keycloak_quadlet_result.rc == 0`
			`fail_msg: "'/usr/libexec/podman/quadlet -dryrun -user' failed! Output withheld to prevent leaking secrets."`

			`- name: Podman Keycloak \| PATCH \| Start PostgreSQL and keycloak containers`
			`ansible.builtin.systemd_service:`
			`name: "{{ item }}"`
			`state: started`
			`scope: user`
			`daemon_reload: true`
			`become: true`
			`become_user: "{{ podman_keycloak_podman_rootless_user }}"`
			`with_items:`
			`- postgres`
			`- keycloak`

			`- name: Podman Keycloak \| PATCH \| Configure nginx container`
			`ansible.builtin.include_role:`
			`name: sr2c.core.podman_nginx`
			`vars:`
			`podman_nginx_podman_rootless_user: "{{ podman_keycloak_podman_rootless_user }}"`
			`podman_nginx_primary_hostname: "{{ podman_keycloak_keycloak_hostname }}"`
			`podman_nginx_frontend_network: frontend`
			`podman_nginx_systemd_service_slice: keycloak.slice`
			`podman_nginx_systemd_service_target: keycloak.target`

			`- name: Podman Keycloak \| PATCH \| Start LDAP container`
			`ansible.builtin.systemd_service:`
			`name: ldap`
			`state: started`
			`scope: user`
			`when: podman_keycloak_enable_ldap`
			`become: true`
			`become_user: "{{ podman_keycloak_podman_rootless_user }}"`

			`- name: Podman Keycloak \| PATCH \| Create nginx configuration file`
			`ansible.builtin.template:`
			`src: nginx.conf`
			`dest: "/home/{{ podman_keycloak_podman_rootless_user }}/nginx/nginx.conf"`
			`owner: "{{ podman_keycloak_podman_rootless_user }}"`
			`group: "{{ podman_keycloak_podman_rootless_user }}"`
			`mode: "0644"`
			`become: true`
			`notify: restart nginx`

			`- name: Podman Keycloak \| PATCH \| Configure the LDAP directory`
			`ansible.builtin.include_tasks:`
			`file: ldap.yml`
			`when: podman_keycloak_enable_ldap`

			`- name: Podman Keycloak \| PATCH \| Enable keycloak.target`
			`ansible.builtin.systemd_service:`
			`name: keycloak.target`
			`state: started`
			`enabled: true`
			`scope: user`
			`daemon_reload: true`
			`become: true`
lint: ansible-lint suggested updates 2025-11-01 15:07:36 +00:00			`become_user: "{{ podman_keycloak_podman_rootless_user }}"`