Initial import; migrate some roles from irl.wip

roles/podman_keycloak/templates/frontend.network

@@ -0,0 +1,5 @@
+[Network]
+Driver=bridge
+
+[Install]
+WantedBy=keycloak.target

roles/podman_keycloak/templates/keycloak.container

@@ -0,0 +1,40 @@
+[Unit]
+Requires=postgres.service
+After=postgres.service
+PartOf=keycloak.target
+
+[Container]
+AutoUpdate=registry
+ContainerName=keycloak
+Environment=KC_LOG_LEVEL=info
+Environment=KC_DB=postgres
+Environment=KC_DB_PASSWORD={{ podman_keycloak_postgres_keycloak_password }}
+Environment=KC_DB_URL=jdbc:postgresql://postgres/{{ podman_keycloak_postgres_keycloak_database }}
+Environment=KC_DB_USERNAME={{ podman_keycloak_postgres_keycloak_username }}
+Environment=KC_HOSTNAME={{ podman_keycloak_keycloak_hostname }}
+Environment=KC_HTTP_ENABLED=true
+Environment=KC_HTTP_PORT=8080
+Environment=KC_PROXY_HEADERS=xforwarded
+Environment=KC_BOOTSTRAP_ADMIN_USERNAME={{ podman_keycloak_keycloak_admin_username }}
+Environment=KC_BOOTSTRAP_ADMIN_PASSWORD={{ podman_keycloak_keycloak_admin_password }}
+Environment=PROXY_ADDRESS_FORWARDING=true
+Exec=start --features=quick-theme
+Image=quay.io/keycloak/keycloak:26.4
+Network=keycloak.network
+{% if podman_keycloak_enable_ldap %}
+Network=ldap.network
+{% endif %}
+Network=frontend.network
+{% for provider in podman_keycloak_keycloak_providers %}
+Volume=/home/{{ podman_keycloak_podman_rootless_user }}/keycloak/{{ provider.url | basename }}:/opt/keycloak/providers/{{ provider.url | basename }}:ro,z
+{% endfor %}
+{% for item in podman_keycloak_keycloak_additional_volumes %}
+Volume={{ item.src }}:{{ item.dest }}:{{ item.options }}
+{% endfor %}
+
+[Service]
+Slice=keycloak.slice
+Restart=always
+
+[Install]
+WantedBy=keycloak.target

roles/podman_keycloak/templates/keycloak.network

@@ -0,0 +1,5 @@
+[Network]
+Driver=bridge
+
+[Install]
+WantedBy=keycloak.target

roles/podman_keycloak/templates/keycloak.slice

@@ -0,0 +1,2 @@
+[Unit]
+Description=Podman Keycloak Stack by SR2 Communications

roles/podman_keycloak/templates/keycloak.target

@@ -0,0 +1,10 @@
+[Unit]
+Description=Podman Keycloak Stack by SR2 Communications
+Requires=keycloak.service
+{% if podman_keycloak_enable_ldap %}
+Requires=ldap.service
+{% endif %}
+Requires=nginx.service
+
+[Install]
+WantedBy=default.target

roles/podman_keycloak/templates/ldap.container

@@ -0,0 +1,22 @@
+[Unit]
+PartOf=keycloak.target
+
+[Container]
+ContainerName=ldap
+Environment=DS_DM_PASSWORD={{ podman_keycloak_ldap_directory_manager_password }}
+Image=quay.io/389ds/dirsrv:latest
+Network=ldap.network
+PublishPort=636:3636/tcp
+Volume=/home/{{ podman_keycloak_podman_rootless_user }}/ldap:/data:rw,Z
+Volume=/home/{{ podman_keycloak_podman_rootless_user }}/certbot/conf/live/{{ podman_keycloak_keycloak_hostname }}/privkey.pem:/data/tls/server.key:ro,z
+Volume=/home/{{ podman_keycloak_podman_rootless_user }}/certbot/conf/live/{{ podman_keycloak_keycloak_hostname }}/cert.pem:/data/tls/server.crt:ro,z
+Volume=/home/{{ podman_keycloak_podman_rootless_user }}/certbot/conf/live/{{ podman_keycloak_keycloak_hostname }}/chain.pem:/data/tls/ca/chain.crt:ro,z
+
+[Service]
+Slice=keycloak.slice
+Restart=always
+# RuntimeMaxSec is used to restart the service periodically to pick up new Let's Encrypt certificates
+RuntimeMaxSec=604800
+
+[Install]
+WantedBy=keycloak.target

roles/podman_keycloak/templates/ldap.network

@@ -0,0 +1,5 @@
+[Network]
+Driver=bridge
+
+[Install]
+WantedBy=keycloak.target

roles/podman_keycloak/templates/nginx.conf

@@ -0,0 +1,39 @@
+# {{ ansible_managed }}
+
+server {
+    listen 80;
+    listen [::]:80;
+
+    server_name {{ podman_keycloak_keycloak_hostname }};
+    server_tokens off;
+
+    location /.well-known/acme-challenge/ {
+        root /var/www/certbot;
+    }
+
+    location / {
+        return 301 https://{{ podman_keycloak_keycloak_hostname }}$request_uri;
+    }
+}
+
+server {
+    listen 443 default_server ssl;
+    listen [::]:443 ssl;
+    http2 on;
+
+    server_name {{ podman_keycloak_keycloak_hostname }};
+    server_tokens off;
+
+    ssl_certificate /etc/letsencrypt/live/{{ podman_keycloak_keycloak_hostname }}/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/{{ podman_keycloak_keycloak_hostname }}/privkey.pem;
+
+    location / {
+        proxy_pass http://keycloak:8080/;
+        proxy_redirect off;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $remote_addr;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header X-Forwarded-Port 443;
+    }
+}

roles/podman_keycloak/templates/postgres.container

@@ -0,0 +1,21 @@
+[Unit]
+PartOf=keycloak.target
+
+[Container]
+AutoUpdate=registry
+ContainerName=postgres
+Environment=POSTGRES_DB={{ podman_keycloak_postgres_keycloak_database }}
+Environment=POSTGRES_PASSWORD={{ podman_keycloak_postgres_keycloak_password }}
+Environment=POSTGRES_USER={{ podman_keycloak_postgres_keycloak_username }}
+Environment=POSTGRES_HOST_AUTH_METHOD=scram-sha-256
+Environment=POSTGRES_INITDB_ARGS=--auth-host=scram-sha-256
+Image=docker.io/postgres:17.3
+Network=keycloak.network
+Volume=/home/{{ podman_keycloak_podman_rootless_user }}/postgres:/var/lib/postgresql/data:rw,Z
+
+[Service]
+Slice=keycloak.slice
+Restart=always
+
+[Install]
+WantedBy=keycloak.target