added keycloak

2025-10-28 11:51:47 +01:00 · 2025-10-28 11:51:47 +01:00 · 8d8292647a
commit 8d8292647a
parent b535d45e97
4 changed files with 126 additions and 0 deletions
--- a/inventory/hosts.yml
+++ b/inventory/hosts.yml
@ -28,6 +28,8 @@ all:
          ansible_host: 192.168.150.177
        git:
          ansible_host: 192.168.180.20
+        keycloak:
+          ansible_host: 192.168.180.100
        photoprism:
          ansible_host: 192.168.180.180
        vaultwarden:
--- a/playbooks/lehmann-keycloak.yml
+++ b/playbooks/lehmann-keycloak.yml
@ -0,0 +1,62 @@
+#
+# 
+# Automated installation for keycloak
+# 
+# Project: playbooks
+# Author: Tobias Lehmann <tobias.lehmann@captica.de>
+# License: MIT License (see LICENSE.md)
+# 
+# Copyright (c) captica GmbH est. 2021
+#
+- hosts: "leh01"
+  name: Create container
+  vars:
+    lxc_id: 103
+    lxc_name: keycloak
+    lxc_domain: leh01.local
+    lxc_template: "local:vztmpl/debian-12-standard_12.12-1_amd64.tar.zst"
+    lxc_mac: CC:CC:CC:18:01:00
+    lxc_bridge: vmbr180
+    lxc_vlan: ""
+    lxc_disk: datapool:20
+    lxc_cpu: 2
+    lxc_memory: 4096
+    lxc_swap: 4192
+    lxc_ssh_pub_key: ~/.ssh/id_ed25519_ansible.pub
+  roles:
+    - lxc-container
+
+- hosts: "keycloak" 
+  vars:    
+    hostname: keycloak
+    tools_install_users:
+      - root     
+      - ansible
+    ssh_pubkeys_root:
+      - "../files/ssh/root.pub"
+    ssh_pubkeys_ansible:
+      - "../files/ssh/ansible.pub"
+  roles: 
+    - linux-base-install
+    - zsh
+    - vim    
+    - fzf    
+    - linux-docker
+
+- hosts: "keycloak"
+  tags: 
+    - keycloak
+    - install
+  vars:
+    service_name: keycloak
+    service_directory: /opt/keycloak
+    service_volume_dirs:
+      - appdata
+    service_user_name: keycloak
+    service_user_id: 1090
+    service_group_name: keycloak
+    service_group_id: 1090    
+    bankmanager_version: latest
+  tasks:
+    - name: "Install keycloak application"
+      include_tasks: setup-docker-application.yml
--- a/templates/keycloak/.env.j2
+++ b/templates/keycloak/.env.j2
@ -0,0 +1,3 @@
+DB_USER=keycloak
+DB_PASSWORD={{keycloak_db_password}}
+KEYCLOAK_ADMIN_PASSWORD={{keycloak_admin_password}}
--- a/templates/keycloak/docker-compose.yml.j2
+++ b/templates/keycloak/docker-compose.yml.j2
@ -0,0 +1,59 @@
+services:
+  db:
+    image: postgres:16    
+    restart: always
+    environment:
+      - POSTGRES_USER=${DB_USER}
+      - POSTGRES_PASSWORD=${DB_PASSWORD}
+      - POSTGRES_DB=keycloak
+    networks:
+      - default 
+    volumes:
+      - {{ service_directory }}/data/db:/var/lib/postgresql/data
+
+  keycloak:
+    image: quay.io/keycloak/keycloak:26.4.0
+    environment:
+      - USER_UID={{ service_user_id }}
+      - USER_GID={{ service_group_id }}
+      
+      # Admin-Bootstrap
+      - KC_BOOTSTRAP_ADMIN_USERNAME=admin
+      - KC_BOOTSTRAP_ADMIN_PASSWORD=${KEYCLOAK_ADMIN_PASSWORD}
+
+      # DB
+      - KC_DB=postgres
+      - KC_DB_URL=jdbc:postgresql://db:5432/keycloak
+      - KC_DB_USERNAME=${DB_USER}
+      - KC_DB_PASSWORD=${DB_PASSWORD}
+
+      # Reverse-Proxy / Hostname
+      - KC_HOSTNAME=auth.lehmannhaus.de           # <- deine Domain
+      - KC_PROXY=edge                          # erwartet TLS am Proxy
+      - KC_HTTP_ENABLED=true              # intern Klartext (NPM macht TLS)
+      - KC_HOSTNAME_STRICT_HTTPS=true
+
+      # optional: Health/Metrics
+      - KC_HEALTH_ENABLED=true
+      - KC_METRICS_ENABLED=true
+    
+    restart: always
+    volumes:
+      - {{ service_directory }}/data/keycloak:/opt/keycloak/data
+      - /etc/timezone:/etc/timezone:ro
+      - /etc/localtime:/etc/localtime:ro
+    ports:
+      - "8080:8080"
+    depends_on:
+      db:
+    command: ["start"]
+    networks:
+      - default
+
+networks:
+  default:
+    ipam:
+      driver: default
+      config:
+        - subnet: 172.10.0.0/16
+          gateway: 172.10.0.1