From f65ad3fce22b66a9ca099e0cdc799706c95a525c Mon Sep 17 00:00:00 2001
From: irl
Date: Sun, 30 Nov 2025 15:00:12 +0000
Subject: [PATCH 1/3] fix(podman_nginx): modifying firewall requires become
---
roles/podman_nginx/tasks/main.yml | 1 +
1 file changed, 1 insertion(+)
diff --git a/roles/podman_nginx/tasks/main.yml b/roles/podman_nginx/tasks/main.yml
index 7308833..271c70e 100644
--- a/roles/podman_nginx/tasks/main.yml
+++ b/roles/podman_nginx/tasks/main.yml
@@ -6,6 +6,7 @@ permanent: true immediate: true state: enabled + become: true with_items: - http - https
From 57c58eb26aaa2b4163984d67cc8909f0e5842609 Mon Sep 17 00:00:00 2001
From: irl
Date: Sun, 30 Nov 2025 15:02:16 +0000
Subject: [PATCH 2/3] fix(podman_keycloak): allow override of podman username
---
roles/podman_keycloak/tasks/main.yml | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/roles/podman_keycloak/tasks/main.yml b/roles/podman_keycloak/tasks/main.yml
index 9068847..0626281 100644
--- a/roles/podman_keycloak/tasks/main.yml
+++ b/roles/podman_keycloak/tasks/main.yml
@@ -4,7 +4,7 @@ role: sr2c.core.podman_host vars: podman_host_minimum_unpriv_port: 80 - podman_host_rootless_users: ["keycloak"] + podman_host_rootless_users: ["{{ podman_keycloak_podman_rootless_user }}"] - name: Podman Keycloak | PATCH | Enable http service with firewalld ansible.posix.firewalld:
@@ -22,7 +22,6 @@ permanent: true zone: public -# TODO: These will be relabelled by podman but in the future we should label them from the start - name: Podman Keycloak | PATCH | Create service configuration directories ansible.builtin.file: path: "/home/{{ podman_keycloak_podman_rootless_user }}/{{ item }}"
@@ -45,7 +44,7 @@ with_items: "{{ podman_keycloak_keycloak_providers }}" become: true become_user: "{{ podman_keycloak_podman_rootless_user }}" - notify: restart keycloak + notify: Restart keycloak - name: Podman Keycloak | PATCH | Install systemd target ansible.builtin.template:
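Review bot: In the `podman_host_rootless_users: ["{{ podman_keycloak_podman_rootless_user }}"]` hunk the username becomes inventory-overridable, but the same variable is then used unvalidated as `become_user` and inside the `/home/{{ podman_keycloak_podman_rootless_user }}/{{ item }}` path in the following hunks, so a value like `root`, or one that is not a plain username, would silently change which account runs podman and where the configuration files land. A guard task before the `sr2c.core.podman_host` include would pin it to a local unprivileged account: `- name: Podman Keycloak | PATCH | Validate rootless user` / `ansible.builtin.assert:` / `that: podman_keycloak_podman_rootless_user is match('^[a-z_][a-z0-9_-]{0,31}$') and podman_keycloak_podman_rootless_user != 'root'`. The hunk does not show where the variable's default is defined; since the role already renders it in later tasks it is presumably set in the role defaults or argument spec, but that is worth confirming because an undefined value now fails at the very first task. The enclosing task list continues beyond the hunk.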
@@ -142,7 +141,7 @@ group: "{{ podman_keycloak_podman_rootless_user }}" mode: "0644" become: true - notify: restart nginx + notify: Restart nginx - name: Podman Keycloak | PATCH | Configure the LDAP directory ansible.builtin.include_tasks:
From e098840fabb81c276f10f5520ff06b9cd6f8bf2a Mon Sep 17 00:00:00 2001
From: irl
Date: Sun, 30 Nov 2025 15:02:51 +0000
Subject: [PATCH 3/3] feat(podman_keycloak): nginx enhancements (buffering + DNS)

* lookup of the keycloak container is at runtime to allow for the keycloak container being restarted while nginx is running
* increased buffer sizes to permit for larger signed SAML exchanges (was required for Google Workspace)
---
roles/podman_keycloak/templates/nginx.conf | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/roles/podman_keycloak/templates/nginx.conf b/roles/podman_keycloak/templates/nginx.conf
index c98d07c..d63f7de 100644
--- a/roles/podman_keycloak/templates/nginx.conf
+++ b/roles/podman_keycloak/templates/nginx.conf
@@ -1,5 +1,12 @@ # {{ ansible_managed }} +resolver 10.89.0.1 ipv6=off valid=10s; + +upstream keycloak { + zone keycloak_upstream 64k; + server keycloak:8080 resolve; +} + server { listen 80; listen [::]:80;
@@ -28,12 +35,15 @@ server { ssl_certificate_key /etc/letsencrypt/live/{{ podman_keycloak_keycloak_hostname }}/privkey.pem; location / { - proxy_pass http://keycloak:8080/; + proxy_pass http://keycloak; proxy_redirect off; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $remote_addr; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Port 443; + proxy_buffer_size 128k; + proxy_buffers 4 256k; + proxy_busy_buffers_size 256k; } }
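Review bot: The address in `resolver 10.89.0.1 ipv6=off valid=10s;` is hard-coded while the rest of this template is parameterised (`{{ ansible_managed }}`, `{{ podman_keycloak_keycloak_hostname }}`), and podman assigns subnets per network, so the podman-network DNS is not guaranteed to sit at this address on every host. Turning it into a role variable with the current value as its default, e.g. `resolver {{ podman_keycloak_nginx_resolver }} ipv6=off valid=10s;` (variable name is a suggestion), keeps the DNS server that nginx trusts for upstream lookups under inventory control. Separately, the `resolve` parameter on `server keycloak:8080 resolve;` inside an `upstream` block is only available in open-source nginx from 1.27.3 (earlier it was NGINX Plus-only), so the configuration test fails with an invalid-parameter error on an older image — worth checking the nginx image version this role deploys. A comment above the block, `# re-resolve the keycloak container at runtime so it can restart without an nginx reload`, would carry the intent from the commit message into the config.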
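Review bot: The new `proxy_buffer_size 128k;`, `proxy_buffers 4 256k;` and `proxy_busy_buffers_size 256k;` lines carry no explanation in the config itself and the SAML rationale lives only in the commit message; add `# Signed SAML exchanges (e.g. Google Workspace) exceed nginx's default proxy buffers` above them. The values are internally consistent (busy size must be at least the larger of `proxy_buffer_size` and one buffer, and below the total minus one buffer), but they allow each in-flight proxied response to hold roughly 1.1 MB in worker memory, so the sizing should be checked against expected concurrency and the container's memory limit. If the observed failures were on the client-to-nginx side (a long SAML redirect URI or large request headers) rather than on Keycloak's response, these directives do not help and `large_client_header_buffers` in the `server` block is the relevant setting — the commit does not say which side hit the limit, so confirm. The `server` block that contains this `location` starts above the hunk.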