diff --git a/inventory/hosts.yml b/inventory/hosts.yml
index 8e7b120..d647de9 100644
--- a/inventory/hosts.yml
+++ b/inventory/hosts.yml
@@ -28,6 +28,8 @@ all:
ansible_host: 192.168.150.177
git:
ansible_host: 192.168.180.20
+ keycloak:
+ ansible_host: 192.168.180.100
photoprism:
ansible_host: 192.168.180.180
vaultwarden:
diff --git a/playbooks/lehmann-keycloak.yml b/playbooks/lehmann-keycloak.yml
new file mode 100644
index 0000000..a3e90fc
--- /dev/null
+++ b/playbooks/lehmann-keycloak.yml
@@ -0,0 +1,62 @@
+#
+#
+# Automated installation for keycloak
+#
+# Project: playbooks
+# Author: Tobias Lehmann
+# License: MIT License (see LICENSE.md)
+#
+# Copyright (c) captica GmbH est. 2021
+#
+- hosts: "leh01"
+ name: Create container
+ vars:
+ lxc_id: 103
+ lxc_name: keycloak
+ lxc_domain: leh01.local
+ lxc_template: "local:vztmpl/debian-12-standard_12.12-1_amd64.tar.zst"
+ lxc_mac: CC:CC:CC:18:01:00
+ lxc_bridge: vmbr180
+ lxc_vlan: ""
+ lxc_disk: datapool:20
+ lxc_cpu: 2
+ lxc_memory: 4096
+ lxc_swap: 4192
+ lxc_ssh_pub_key: ~/.ssh/id_ed25519_ansible.pub
+ roles:
+ - lxc-container
+
+- hosts: "keycloak"
+ vars:
+ hostname: keycloak
+ tools_install_users:
+ - root
+ - ansible
+ ssh_pubkeys_root:
+ - "../files/ssh/root.pub"
+ ssh_pubkeys_ansible:
+ - "../files/ssh/ansible.pub"
+ roles:
+ - linux-base-install
+ - zsh
+ - vim
+ - fzf
+ - linux-docker
+
+- hosts: "keycloak"
+ tags:
+ - keycloak
+ - install
+ vars:
+ service_name: keycloak
+ service_directory: /opt/keycloak
+ service_volume_dirs:
+ - appdata
+ service_user_name: keycloak
+ service_user_id: 1090
+ service_group_name: keycloak
+ service_group_id: 1090
+ bankmanager_version: latest
+ tasks:
+ - name: "Install keycloak application"
+ include_tasks: setup-docker-application.yml
\ No newline at end of file
diff --git a/templates/keycloak/.env.j2 b/templates/keycloak/.env.j2
new file mode 100644
index 0000000..abc298d
--- /dev/null
+++ b/templates/keycloak/.env.j2
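Review bot: `service_volume_dirs: - appdata` in the third play does not match the directories the compose template actually bind-mounts, `{{ service_directory }}/data/db` and `{{ service_directory }}/data/keycloak`; if `setup-docker-application.yml` (not in this diff) uses that list to create and chown the volume directories, the real data paths will instead be created by the Docker daemon as root-owned, so list `data/db` and `data/keycloak` there (or change the mounts to `appdata`). `bankmanager_version: latest` looks carried over from another service's playbook — neither keycloak template reads it and the compose file pins `keycloak:26.4.0` directly — so drop it, or rename it `keycloak_version` and use it in the image tag. The `.env` template needs `keycloak_db_password` and `keycloak_admin_password`, which are defined nowhere in this diff and presumably live in vault-encrypted group_vars; a one-line comment on the third play saying where they come from, e.g. `# keycloak_db_password / keycloak_admin_password: vault-encrypted group_vars`, would save the next reader a search.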
@@ -0,0 +1,3 @@
+DB_USER=keycloak
+DB_PASSWORD={{keycloak_db_password}}
+KEYCLOAK_ADMIN_PASSWORD={{keycloak_admin_password}}
\ No newline at end of file
diff --git a/templates/keycloak/docker-compose.yml.j2 b/templates/keycloak/docker-compose.yml.j2
new file mode 100644
index 0000000..53a749e
--- /dev/null
+++ b/templates/keycloak/docker-compose.yml.j2
@@ -0,0 +1,59 @@
+services:
+ db:
+ image: postgres:16
+ restart: always
+ environment:
+ - POSTGRES_USER=${DB_USER}
+ - POSTGRES_PASSWORD=${DB_PASSWORD}
+ - POSTGRES_DB=keycloak
+ networks:
+ - default
+ volumes:
+ - {{ service_directory }}/data/db:/var/lib/postgresql/data
+
+ keycloak:
+ image: quay.io/keycloak/keycloak:26.4.0
+ environment:
+ - USER_UID={{ service_user_id }}
+ - USER_GID={{ service_group_id }}
+
+ # Admin-Bootstrap
+ - KC_BOOTSTRAP_ADMIN_USERNAME=admin
+ - KC_BOOTSTRAP_ADMIN_PASSWORD=${KEYCLOAK_ADMIN_PASSWORD}
+
+ # DB
+ - KC_DB=postgres
+ - KC_DB_URL=jdbc:postgresql://db:5432/keycloak
+ - KC_DB_USERNAME=${DB_USER}
+ - KC_DB_PASSWORD=${DB_PASSWORD}
+
+ # Reverse-Proxy / Hostname
+ - KC_HOSTNAME=auth.lehmannhaus.de # <- deine Domain
+ - KC_PROXY=edge # erwartet TLS am Proxy
+ - KC_HTTP_ENABLED=true # intern Klartext (NPM macht TLS)
+ - KC_HOSTNAME_STRICT_HTTPS=true
+
+ # optional: Health/Metrics
+ - KC_HEALTH_ENABLED=true
+ - KC_METRICS_ENABLED=true
+
+ restart: always
+ volumes:
+ - {{ service_directory }}/data/keycloak:/opt/keycloak/data
+ - /etc/timezone:/etc/timezone:ro
+ - /etc/localtime:/etc/localtime:ro
+ ports:
+ - "8080:8080"
+ depends_on:
+ db:
+ command: ["start"]
+ networks:
+ - default
+
+networks:
+ default:
+ ipam:
+ driver: default
+ config:
+ - subnet: 172.10.0.0/16
+ gateway: 172.10.0.1
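Review bot: `DB_PASSWORD={{keycloak_db_password}}` and `KEYCLOAK_ADMIN_PASSWORD={{keycloak_admin_password}}` are rendered unquoted, so a password containing `$`, ` #` or whitespace is mangled by Compose's `.env` parsing (`$` triggers variable interpolation, ` #` starts a comment) and a different secret reaches Postgres and Keycloak than the one in the vault; rendering them single-quoted, `DB_PASSWORD='{{ keycloak_db_password }}'`, makes Compose take the value literally (the Jinja `quote` filter is shell quoting and is not the right tool here). This file holds both secrets in cleartext on the host and the task that writes it is not in this diff — confirm it sets `mode: "0600"` and owner `{{ service_user_name }}`. The bootstrap admin password only seeds the first permanent admin account; once that account exists the line should be removed from `.env` so the initial credential is not kept on disk indefinitely.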
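Review bot: `ports: - "8080:8080"` publishes Keycloak's plaintext HTTP listener (`KC_HTTP_ENABLED=true`) on every host interface, so the bootstrap admin console and all logins are reachable over cleartext from the whole 192.168.180.0 segment rather than only from the NPM proxy the comments describe; bind it to the loopback or the proxy's address, e.g. `- "127.0.0.1:8080:8080"`, so the TLS-terminating proxy is the only path in. `KC_PROXY=edge` and `KC_HOSTNAME_STRICT_HTTPS=true` are the pre-v2 proxy/hostname options — as far as I recall they were deprecated in Keycloak 24/25 and dropped by 26, so the pinned 26.4.0 image may ignore or reject them; the current form is `KC_PROXY_HEADERS=xforwarded` together with `KC_HOSTNAME=https://auth.lehmannhaus.de`, which should be verified against the 26.x docs before relying on the proxy setup. `subnet: 172.10.0.0/16` is not RFC 1918 space (that is 172.16.0.0/12), so this compose network shadows publicly routable addresses on the host; pick something like `172.20.0.0/16`, or drop the `ipam` block and let Docker allocate. `depends_on: db:` with an empty value is not a valid long-form entry (the spec expects an object with `condition`) and `docker compose` will most likely refuse the file; use `db: { condition: service_started }`, or better add a `pg_isready` healthcheck to `db` and `condition: service_healthy` so Keycloak does not start before Postgres accepts connections.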