---
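# Prepare the host for rootless podman.  The rootless account is taken from
# podman_keycloak_podman_rootless_user so that it stays consistent with every
# path used later in this file (/home/<user>/...); hard-coding "keycloak" here
# would create the wrong account if that variable is overridden.  `name` is the
# documented include_role key and matches the nginx include further down.
- name: Podman Keycloak | PATCH | Install podman and create rootless podman user
  ansible.builtin.include_role:
    name: sr2c.core.podman_host
  vars:
    # Lets the rootless user bind 80/443 directly.  NOTE(review): this is
    # presumably a host-wide setting (net.ipv4.ip_unprivileged_port_start or
    # equivalent), i.e. every unprivileged local process gains the same
    # ability - confirm in the podman_host role before relying on it.
    podman_host_minimum_unpriv_port: 80
    podman_host_rootless_users:
      - "{{ podman_keycloak_podman_rootless_user }}"
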
# Open plain HTTP on the public zone, both in the running config and
# persistently.  NOTE(review): whether port 80 serves anything beyond a
# redirect/ACME challenge depends on the nginx template, which is not part of
# this file.  firewalld needs root; this task relies on the play's privilege
# level rather than setting become itself.
- name: Podman Keycloak | PATCH | Enable http service with firewalld
  ansible.posix.firewalld:
    zone: public
    service: http
    permanent: true
    immediate: true
    state: enabled

# Open HTTPS on the public zone, both in the running config and persistently.
# Same privilege caveat as the http task above: firewalld needs root.
- name: Podman Keycloak | PATCH | Enable https service with firewalld
  ansible.posix.firewalld:
    zone: public
    service: https
    permanent: true
    immediate: true
    state: enabled

# TODO: These will be relabelled by podman but in the future we should label them from the start
# Per-service directories under the rootless user's home.  0755 means other
# local accounts can list and traverse them; whatever is written inside keeps
# only its own creator's mode, so sensitive content must be protected at file
# level (the quadlets and unit files below are installed 0400 for that reason).
- name: Podman Keycloak | PATCH | Create service configuration directories
  become: true
  ansible.builtin.file:
    path: "/home/{{ podman_keycloak_podman_rootless_user }}/{{ item }}"
    state: directory
    owner: "{{ podman_keycloak_podman_rootless_user }}"
    group: "{{ podman_keycloak_podman_rootless_user }}"
    mode: "0755"
  loop:
    - keycloak
    - ldap
    - postgres
  # The ldap directory is only created when the optional LDAP container is on.
  when: item != 'ldap' or podman_keycloak_enable_ldap

# Fetch Keycloak provider artifacts into the keycloak directory as the
# rootless user.  The sha256 pin is the supply-chain integrity control here:
# a changed or tampered download fails the task instead of being installed.
# The destination name is the URL's basename, so two providers whose URLs
# share a basename would overwrite each other.
- name: Podman Keycloak | PATCH | Download keycloak providers
  become: true
  become_user: "{{ podman_keycloak_podman_rootless_user }}"
  ansible.builtin.get_url:
    url: "{{ item.url }}"
    dest: "/home/{{ podman_keycloak_podman_rootless_user }}/keycloak/{{ item.url | basename }}"
    checksum: "sha256:{{ item.sha256 }}"
  with_items: "{{ podman_keycloak_keycloak_providers }}"
  # NOTE(review): this notifies 'restart keycloak' while the quadlet task
  # notifies 'Restart keycloak'; handler names are matched exactly, so confirm
  # both handlers exist (or unify the casing).
  notify:
    - restart keycloak

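# keycloak.target is the unit the final task enables and the nginx role is
# pointed at, so the whole stack can be started as one.  Installed as root
# (become), mirroring the quadlet tasks below: the file is chowned to the
# rootless user, which an unprivileged connection user could not do.
# NOTE(review): ansible.builtin.template does not create the parent directory;
# .config/systemd/user is presumably created by the podman_host role - confirm.
- name: Podman Keycloak | PATCH | Install systemd target
  ansible.builtin.template:
    src: "keycloak.target"
    dest: "/home/{{ podman_keycloak_podman_rootless_user }}/.config/systemd/user/keycloak.target"
    owner: "{{ podman_keycloak_podman_rootless_user }}"
    mode: "0400"
  become: true
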
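# keycloak.slice is the cgroup slice the nginx role is told to run under
# (podman_nginx_systemd_service_slice below).  Installed as root (become),
# mirroring the quadlet tasks: the file is chowned to the rootless user, which
# an unprivileged connection user could not do.
# NOTE(review): the parent directory .config/systemd/user must already exist;
# presumably created by the podman_host role - confirm.
- name: Podman Keycloak | PATCH | Install systemd slice
  ansible.builtin.template:
    src: "keycloak.slice"
    dest: "/home/{{ podman_keycloak_podman_rootless_user }}/.config/systemd/user/keycloak.slice"
    owner: "{{ podman_keycloak_podman_rootless_user }}"
    mode: "0400"
  become: true
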
# The .container quadlets are the definitions podman turns into <stem>.service
# units.  They are installed owner-read-only (0400) because the rendered
# templates may carry credentials - the dry-run audit below treats their
# output as secret for the same reason.  ldap.container is skipped unless the
# optional LDAP container is enabled.
- name: Podman Keycloak | PATCH | Install container quadlets
  become: true
  ansible.builtin.template:
    src: "{{ item }}"
    dest: "/home/{{ podman_keycloak_podman_rootless_user }}/.config/containers/systemd/{{ item }}"
    owner: "{{ podman_keycloak_podman_rootless_user }}"
    mode: "0400"
  loop:
    - ldap.container
    - keycloak.container
    - postgres.container
  when: item != 'ldap.container' or podman_keycloak_enable_ldap
  # Handler name is derived from the file stem: "Restart ldap", "Restart
  # keycloak", "Restart postgres".
  notify:
    - "Restart {{ item | split('.') | first }}"

# Three separate podman networks (frontend, keycloak, ldap).  The frontend
# network is the one handed to the nginx role below; the split presumably
# keeps the reverse proxy off the networks carrying database/directory
# traffic - confirm against the quadlet templates.  Installed 0400 like the
# container quadlets; ldap.network only when LDAP is enabled.
- name: Podman Keycloak | PATCH | Install network quadlets
  become: true
  ansible.builtin.template:
    src: "{{ item }}"
    dest: "/home/{{ podman_keycloak_podman_rootless_user }}/.config/containers/systemd/{{ item }}"
    owner: "{{ podman_keycloak_podman_rootless_user }}"
    mode: "0400"
  loop:
    - frontend.network
    - ldap.network
    - keycloak.network
  when: item != 'ldap.network' or podman_keycloak_enable_ldap

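# Dry-run the quadlet generator as the rootless user to catch malformed
# .container/.network files before anything is started.  The generated units
# echo the quadlet contents, which the assert's fail_msg already treats as
# secret - so the command itself must run with no_log; otherwise a failing
# run (previously reported via ignore_errors) would print stdout/stderr in
# full before the assert ever had a chance to withhold it.  failed_when: false
# keeps the result registered without a red "ignoring" entry; the assert
# below is what actually fails the play.
- name: Podman Keycloak | AUDIT | Verify quadlets are correctly defined
  ansible.builtin.command: /usr/libexec/podman/quadlet -dryrun -user
  register: podman_keycloak_quadlet_result
  failed_when: false
  changed_when: false
  no_log: true
  become: true
  become_user: "{{ podman_keycloak_podman_rootless_user }}"

# Only the return code is checked; output is never surfaced.
- name: Podman Keycloak | AUDIT | Assert that the quadlet verification succeeded
  ansible.builtin.assert:
    that:
      - podman_keycloak_quadlet_result.rc == 0
    fail_msg: "'/usr/libexec/podman/quadlet -dryrun -user' failed! Output withheld to prevent leaking secrets."
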
# Bring up the database first, then Keycloak.  These are the services podman
# generated from the quadlets, managed by the rootless user's own systemd
# instance (scope: user); daemon_reload picks up freshly installed units.
# NOTE(review): driving a user-scope manager through become_user needs a
# reachable user session (linger / XDG_RUNTIME_DIR) - presumably arranged by
# the podman_host role; confirm.
- name: Podman Keycloak | PATCH | Start PostgreSQL and keycloak containers
  become: true
  become_user: "{{ podman_keycloak_podman_rootless_user }}"
  ansible.builtin.systemd_service:
    name: "{{ item }}"
    scope: user
    daemon_reload: true
    state: started
  loop:
    - postgres
    - keycloak

# Reverse proxy in front of Keycloak, run by the same rootless user, attached
# to the frontend network and placed in the keycloak slice/target so it is
# managed together with the rest of the stack.  The nginx.conf written below
# goes into the directory this role is expected to create.
- name: Podman Keycloak | PATCH | Configure nginx container
  ansible.builtin.include_role:
    name: sr2c.core.podman_nginx
  vars:
    podman_nginx_podman_rootless_user: "{{ podman_keycloak_podman_rootless_user }}"
    podman_nginx_primary_hostname: "{{ podman_keycloak_keycloak_hostname }}"
    podman_nginx_frontend_network: frontend
    podman_nginx_systemd_service_slice: keycloak.slice
    podman_nginx_systemd_service_target: keycloak.target

# Optional directory service; only started when LDAP support is enabled.
# Managed by the rootless user's systemd instance like the other containers.
- name: Podman Keycloak | PATCH | Start LDAP container
  become: true
  become_user: "{{ podman_keycloak_podman_rootless_user }}"
  when: podman_keycloak_enable_ldap
  ansible.builtin.systemd_service:
    name: ldap
    scope: user
    state: started

# Render the reverse-proxy configuration into the nginx directory (expected
# to exist after the podman_nginx role ran above).  0644 is wider than the
# 0400 used for the quadlets; fine as long as the template holds no secrets.
# The 'restart nginx' handler is presumably provided by the podman_nginx role.
- name: Podman Keycloak | PATCH | Create nginx configuration file
  become: true
  ansible.builtin.template:
    src: nginx.conf
    dest: "/home/{{ podman_keycloak_podman_rootless_user }}/nginx/nginx.conf"
    owner: "{{ podman_keycloak_podman_rootless_user }}"
    group: "{{ podman_keycloak_podman_rootless_user }}"
    mode: "0644"
  notify:
    - restart nginx

# Directory population/configuration lives in ldap.yml and is pulled in only
# when LDAP support is enabled (the container itself was started above).
- name: Podman Keycloak | PATCH | Configure the LDAP directory
  when: podman_keycloak_enable_ldap
  ansible.builtin.include_tasks:
    file: ldap.yml

# Enable and start the umbrella target installed earlier so the stack comes
# back on its own after a reboot of the rootless user's systemd instance.
- name: Podman Keycloak | PATCH | Enable keycloak.target
  become: true
  become_user: "{{ podman_keycloak_podman_rootless_user }}"
  ansible.builtin.systemd_service:
    name: keycloak.target
    scope: user
    daemon_reload: true
    enabled: true
    state: started