Initial import; migrate some roles from irl.wip

2025-10-31 22:36:32 +00:00 · 2025-10-31 22:36:32 +00:00 · 2ba6c6691b
commit 2ba6c6691b
44 changed files with 1573 additions and 0 deletions
--- a/roles/podman_keycloak/tasks/ldap.yml
+++ b/roles/podman_keycloak/tasks/ldap.yml
@ -0,0 +1,115 @@
+---
+- name: wait 30 seconds for ldap server to start
+  ansible.builtin.pause:
+    seconds: 30
+
+- name: create ldap suffix
+  containers.podman.podman_container_exec:
+    name: ldap
+    argv:
+      - dsconf
+      - -v
+      - localhost
+      - backend
+      - create
+      - --suffix
+      - "{{ podman_keycloak_ldap_database_suffix_dn }}"
+      - --be-name
+      - "{{ podman_keycloak_ldap_database_backend_name }}"
+      - --create-suffix
+  become: true
+  become_user: "{{ podman_keycloak_podman_rootless_user }}"
+  register: podman_keycloak_create_suffix
+  ignore_errors: true
+  changed_when: false
+  tags:
+    - ldap
+
+- name: create suffix result (only when changed)
+  debug:
+    msg: "Suffix was created"
+  when: not podman_keycloak_create_suffix.failed
+  changed_when: not podman_keycloak_create_suffix.failed
+
+- name: ldap organisational units
+  community.general.ldap_entry:
+    dn: "ou={{ item }},{{ podman_keycloak_ldap_database_suffix_dn }}"
+    objectClass:
+      - top
+      - organizationalUnit
+    server_uri: ldaps://{{ inventory_hostname }}/
+    bind_dn: "cn=Directory Manager"
+    bind_pw: "{{ podman_keycloak_ldap_directory_manager_password }}"
+  delegate_to: localhost
+  with_items:
+    - Administrators
+    - People
+    - Groups
+  environment:
+    - LDAPTLS_REQCERT: "{% if podman_keycloak_certbot_testing %}never{% else %}always{% endif %}"
+  tags: ldap
+
+- name: enable memberOf plugin
+  containers.podman.podman_container_exec:
+    name: ldap
+    argv:
+      - dsconf
+      - -v
+      - localhost
+      - -D "cn=Directory Manager"
+      - plugin
+      - memberof
+      - enable
+  become: true
+  become_user: "{{ podman_keycloak_podman_rootless_user }}"
+  tags:
+    - ldap
+
+- name: disable anonymous bind
+  containers.podman.podman_container_exec:
+    name: ldap
+    argv:
+      - dsconf
+      - -v
+      - localhost
+      - -D "cn=Directory Manager"
+      - config
+      - replace
+      - nsslapd-allow-anonymous-access=off
+  become: true
+  become_user: "{{ podman_keycloak_podman_rootless_user }}"
+  tags:
+    - ldap
+
+- name: ldap read-only administrator
+  community.general.ldap_entry:
+    dn: "uid=admin,ou=Administrators,{{ podman_keycloak_ldap_database_suffix_dn }}"
+    objectClass:
+      - top
+      - person
+      - organizationalPerson
+      - inetOrgPerson
+    attributes:
+      cn: admin
+      sn: admin
+      userPassword: "{{ podman_keycloak_ldap_administrator_password }}"
+    server_uri: ldaps://{{ inventory_hostname }}/
+    bind_dn: "cn=Directory Manager"
+    bind_pw: "{{ podman_keycloak_ldap_directory_manager_password }}"
+  delegate_to: localhost
+  environment:
+    - LDAPTLS_REQCERT: "{% if podman_keycloak_certbot_testing %}never{% else %}always{% endif %}"
+  tags: ldap
+
+- name: ldap access control information
+  community.general.ldap_attrs:
+    dn: "{{ podman_keycloak_ldap_database_suffix_dn }}"
+    attributes:
+      aci: '(target="ldap:///{{ podman_keycloak_ldap_database_suffix_dn }}")(targetattr="*") (version 3.0; acl "readonly"; allow (search,read,compare) userdn="ldap:///uid=admin,ou=Administrators,{{ podman_keycloak_ldap_database_suffix_dn }}";)'
+    server_uri: ldaps://{{ inventory_hostname }}/
+    bind_dn: "cn=Directory Manager"
+    bind_pw: "{{ podman_keycloak_ldap_directory_manager_password }}"
+  delegate_to: localhost
+  environment:
+    - LDAPTLS_REQCERT: "{% if podman_keycloak_certbot_testing %}never{% else %}always{% endif %}"
+  tags: ldap
--- a/roles/podman_keycloak/tasks/main.yml
+++ b/roles/podman_keycloak/tasks/main.yml
@ -0,0 +1,160 @@
+---
+- name: Podman Keycloak | PATCH | Install podman and create rootless podman user
+  ansible.builtin.include_role:
+    role: sr2c.core.podman_host
+  vars:
+    podman_host_minimum_unpriv_port: 80
+    podman_host_rootless_users: ["keycloak"]
+
+- name: Podman Keycloak | PATCH | Enable http service with firewalld
+  ansible.posix.firewalld:
+    service: http
+    state: enabled
+    immediate: true
+    permanent: true
+    zone: public
+
+- name: Podman Keycloak | PATCH | Enable https service with firewalld
+  ansible.posix.firewalld:
+    service: https
+    state: enabled
+    immediate: true
+    permanent: true
+    zone: public
+
+# TODO: These will be relabelled by podman but in the future we should label them from the start
+- name: Podman Keycloak | PATCH | Create service configuration directories
+  ansible.builtin.file:
+    path: "/home/{{ podman_keycloak_podman_rootless_user }}/{{ item }}"
+    state: directory
+    owner: "{{ podman_keycloak_podman_rootless_user }}"
+    group: "{{ podman_keycloak_podman_rootless_user }}"
+    mode: "0755"
+  become: true
+  with_items:
+    - keycloak
+    - ldap
+    - postgres
+  when: (item != 'ldap') or podman_keycloak_enable_ldap
+
+- name: Podman Keycloak | PATCH | Download keycloak providers
+  ansible.builtin.get_url:
+    url: "{{ item.url }}"
+    dest: "/home/{{ podman_keycloak_podman_rootless_user }}/keycloak/{{ item.url | basename }}"
+    checksum: "sha256:{{ item.sha256 }}"
+  with_items: "{{ podman_keycloak_keycloak_providers }}"
+  become: true
+  become_user: "{{ podman_keycloak_podman_rootless_user }}"
+  notify: restart keycloak
+
+- name: Podman Keycloak | PATCH | Install systemd target
+  ansible.builtin.template:
+    src: "keycloak.target"
+    dest: "/home/{{ podman_keycloak_podman_rootless_user }}/.config/systemd/user/keycloak.target"
+    owner: "{{ podman_keycloak_podman_rootless_user }}"
+    mode: "0400"
+
+- name: Podman Keycloak | PATCH | Install systemd slice
+  ansible.builtin.template:
+    src: "keycloak.slice"
+    dest: "/home/{{ podman_keycloak_podman_rootless_user }}/.config/systemd/user/keycloak.slice"
+    owner: "{{ podman_keycloak_podman_rootless_user }}"
+    mode: "0400"
+
+- name: Podman Keycloak | PATCH | Install container quadlets
+  ansible.builtin.template:
+    src: "{{ item }}"
+    dest: "/home/{{ podman_keycloak_podman_rootless_user }}/.config/containers/systemd/{{ item }}"
+    owner: "{{ podman_keycloak_podman_rootless_user }}"
+    mode: "0400"
+  with_items:
+    - ldap.container
+    - keycloak.container
+    - postgres.container
+  when: (item != 'ldap.container') or podman_keycloak_enable_ldap
+  notify:
+    - "Restart {{ item | split('.') | first }}"
+  become: true
+
+- name: Podman Keycloak | PATCH | Install network quadlets
+  ansible.builtin.template:
+    src: "{{ item }}"
+    dest: "/home/{{ podman_keycloak_podman_rootless_user }}/.config/containers/systemd/{{ item }}"
+    owner: "{{ podman_keycloak_podman_rootless_user }}"
+    mode: "0400"
+  with_items:
+    - frontend.network
+    - ldap.network
+    - keycloak.network
+  when: (item != 'ldap.network') or podman_keycloak_enable_ldap
+  become: true
+
+- name: Podman Keycloak | AUDIT | Verify quadlets are correctly defined
+  ansible.builtin.command: /usr/libexec/podman/quadlet -dryrun -user
+  register: podman_keycloak_quadlet_result
+  ignore_errors: true
+  changed_when: false
+  become: true
+  become_user: "{{ podman_keycloak_podman_rootless_user }}"
+
+- name: Podman Keycloak | AUDIT | Assert that the quadlet verification succeeded
+  ansible.builtin.assert:
+    that:
+      - podman_keycloak_quadlet_result.rc == 0
+    fail_msg: "'/usr/libexec/podman/quadlet -dryrun -user' failed! Output withheld to prevent leaking secrets."
+
+- name: Podman Keycloak | PATCH | Start PostgreSQL and keycloak containers
+  ansible.builtin.systemd_service:
+    name: "{{ item }}"
+    state: started
+    scope: user
+    daemon_reload: true
+  become: true
+  become_user: "{{ podman_keycloak_podman_rootless_user }}"
+  with_items:
+    - postgres
+    - keycloak
+
+- name: Podman Keycloak | PATCH | Configure nginx container
+  ansible.builtin.include_role:
+    name: sr2c.core.podman_nginx
+  vars:
+    podman_nginx_podman_rootless_user: "{{ podman_keycloak_podman_rootless_user }}"
+    podman_nginx_primary_hostname: "{{ podman_keycloak_keycloak_hostname }}"
+    podman_nginx_frontend_network: frontend
+    podman_nginx_systemd_service_slice: keycloak.slice
+    podman_nginx_systemd_service_target: keycloak.target
+
+- name: Podman Keycloak | PATCH | Start LDAP container
+  ansible.builtin.systemd_service:
+    name: ldap
+    state: started
+    scope: user
+  when: podman_keycloak_enable_ldap
+  become: true
+  become_user: "{{ podman_keycloak_podman_rootless_user }}"
+
+- name: Podman Keycloak | PATCH | Create nginx configuration file
+  ansible.builtin.template:
+    src: nginx.conf
+    dest: "/home/{{ podman_keycloak_podman_rootless_user }}/nginx/nginx.conf"
+    owner: "{{ podman_keycloak_podman_rootless_user }}"
+    group: "{{ podman_keycloak_podman_rootless_user }}"
+    mode: "0644"
+  become: true
+  notify: restart nginx
+
+- name: Podman Keycloak | PATCH | Configure the LDAP directory
+  ansible.builtin.include_tasks:
+    file: ldap.yml
+  when: podman_keycloak_enable_ldap
+
+- name: Podman Keycloak | PATCH | Enable keycloak.target
+  ansible.builtin.systemd_service:
+    name: keycloak.target
+    state: started
+    enabled: true
+    scope: user
+    daemon_reload: true
+  become: true
+  become_user: "{{ podman_keycloak_podman_rootless_user }}"