| # |
| # |
| # Licensed to the Apache Software Foundation (ASF) under one |
| # or more contributor license agreements. See the NOTICE file |
| # distributed with this work for additional information |
| # regarding copyright ownership. The ASF licenses this file |
| # to you under the Apache License, Version 2.0 (the |
| # "License"); you may not use this file except in compliance |
| # with the License. You may obtain a copy of the License at |
| # |
| # http://www.apache.org/licenses/LICENSE-2.0 |
| # |
| # Unless required by applicable law or agreed to in writing, |
| # software distributed under the License is distributed on an |
| # "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY |
| # KIND, either express or implied. See the License for the |
| # specific language governing permissions and limitations |
| # under the License. |
| # |
| |
| --- |
| - name: Install httpd |
| yum: name="httpd" state=latest update_cache=yes |
| become: yes |
| |
| - name: allow httpd to proxy to Keycloak process |
| seboolean: |
| name: httpd_can_network_connect |
| state: yes |
| persistent: yes |
| become: yes |
| |
| - name: Enable http/s service on public zone (for certbot verification) |
| firewalld: service={{ item }} permanent=true state=enabled zone=public immediate=True |
| with_items: |
| - http |
| - https |
| become: yes |
| |
| # TODO: it seems like a virtual host config of some type is needed for the following to work |
| - name: copy basic virtual host file so certbot can verify domain |
| template: src="basic-vhost.conf.j2" dest=/etc/httpd/conf.d/basic-vhost.conf backup=yes |
| become: yes |
| |
| - name: start httpd |
| service: name=httpd state=started enabled=yes |
| become: yes |
| |
| - name: check if SSL certificate exists |
| stat: |
| path: "{{ keycloak_ssl_certificate_file }}" |
| register: stat_ssl_cert_result |
| become: yes |
| |
| - name: generate certificate if it doesn't exist |
| command: certbot --apache -d {{ keycloak_vhost_servername }} certonly |
| become: yes |
| when: not stat_ssl_cert_result.stat.exists |
| |
| - name: Add keycloak virtual host config that proxies to the keycloak server |
| template: src="vhost.conf.j2" dest=/etc/httpd/conf.d/keycloak.conf backup=yes |
| become: yes |
| notify: |
| - restart httpd |
| |
| # Download keycloak distribution |
| - name: Download and unarchive keycloak |
| unarchive: src="{{ keycloak_downlaod_url }}" |
| dest="{{ user_home }}" |
| copy=no |
| owner="{{ user }}" |
| group="{{ group }}" |
| creates="{{user_home}}/{{ keycloak_install_dir }}/bin/standalone.sh" |
| become: true |
| become_user: "{{ user }}" |
| tags: |
| - always |
| |
| # <---------------------------- Setup Mysql database for keycloak -------------------> |
| |
| # create folder structure |
| - file: |
| path: "{{user_home}}/{{ keycloak_install_dir }}/modules/system/layers/keycloak/org/mysql/main" |
| state: directory |
| mode: 0755 |
| become: true |
| become_user: "{{ user }}" |
| tags: |
| - always |
| |
| - name: Download and unarchive mysql jdbc driver |
| unarchive: src="{{ mysql_db_connector_download_url }}" |
| dest="{{ user_home }}" |
| copy=no |
| owner="{{ user }}" |
| group="{{ group }}" |
| creates="{{user_home}}/{{keycloak_db_connector_name}}/{{keycloak_db_connector_name}}-bin.jar" |
| become: true |
| become_user: "{{ user }}" |
| tags: |
| - always |
| |
| - name: move jdbc connector to keycloak module |
| command: mv {{user_home}}/{{keycloak_db_connector_name}}/{{keycloak_db_connector_name}}-bin.jar {{user_home}}/{{ keycloak_install_dir }}/modules/system/layers/keycloak/org/mysql/main/ |
| become: true |
| become_user: "{{ user }}" |
| tags: |
| - always |
| |
| - name: copy jdbc module configuration file |
| template: > |
| src=module.j2 |
| dest="{{user_home}}/{{ keycloak_install_dir }}/modules/system/layers/keycloak/org/mysql/main/module.xml" |
| owner="{{ user }}" |
| group="{{ group }}" |
| mode="u=rw,g=r,o=r" |
| become: true |
| become_user: "{{ user }}" |
| tags: |
| - always |
| |
| # </---------------------------- Setup Mysql database for keycloak - END -------------------> |
| |
| # <---------------------------- Server Configuration --------------------------------> |
| |
| # Only Executed for standalone mode (SSL Configuration & MySql) |
| - name: copy keycloak configuration file (Standalone) |
| template: > |
| src=standalone.xml.j2 |
| dest="{{ user_home }}/{{ keycloak_install_dir }}/standalone/configuration/standalone.xml" |
| owner="{{ user }}" |
| group="{{ group }}" |
| mode="u=rw,g=r,o=r" |
| become: true |
| become_user: "{{ user }}" |
| tags: |
| - standalone |
| |
| # </------------------------------ Server Configuration ends ----------------------------> |
| |
| # <---------- setup init script for keycloak, starts the server after reboot -----------> |
| |
| # Init script to start keycloak in Standalone mode |
| - name: copy init script file (Standalone) |
| template: > |
| src=keycloak-standalone-init.j2 |
| dest="/etc/init.d/keycloak" |
| owner="{{ user }}" |
| group="{{ group }}" |
| mode="u=rwx,g=rx,o=rx" |
| become: yes |
| become_user: root |
| tags: |
| - standalone |
| |
| # System command to add the init script to enable on startup |
| - name: add init script to chkconfig and startup on boot |
| command: chkconfig --level 345 keycloak on |
| become: yes |
| become_user: root |
| tags: |
| - always |
| |
| # </---------- setup init script for keycloak, starts the server after reboot -----------> |
| |
| # <-------------------------Initialize a new admin for keycloak--------------------------> |
| |
| - name: Add master realm admin account |
| command: "{{user_home}}/{{ keycloak_install_dir }}/bin/add-user-keycloak.sh -r master -u {{ keycloak_master_account_username }} -p {{ keycloak_master_account_password }}" |
| args: |
| creates: "{{user_home}}/{{ keycloak_install_dir }}/standalone/configuration/keycloak-add-user.json" |
| become: yes |
| become_user: root |
| tags: |
| - always |
| |
| |
| # <--------------------------start keycloak Identity server------------------------------> |
| - name: reload Keycloak init script |
| command: systemctl daemon-reload |
| become: yes |
| become_user: root |
| tags: |
| - always |
| |
| # FIXME: restarting Keycloak server doesn't work |
| - name: stop Keycloak server |
| service: name=keycloak state=stopped |
| ignore_errors: yes |
| become: yes |
| become_user: root |
| tags: |
| - always |
| |
| - name: start Keycloak server |
| service: name=keycloak state=started |
| become: yes |
| become_user: root |
| tags: |
| - always |
| ... |