diff --git a/files/module-mariadb.xml b/files/module-mariadb.xml
new file mode 100644
index 0000000000000000000000000000000000000000..eb195122a207c9985f4283f210a87794bdd2c6c9
--- /dev/null
+++ b/files/module-mariadb.xml
@@ -0,0 +1,12 @@
+<?xml version="1.0" ?>
+<module xmlns="urn:jboss:module:1.3" name="org.mariadb.jdbc">
+
+ <resources>
+ <resource-root path="/usr/share/java/mariadb-java-client.jar"/>
+ </resources>
+
+ <dependencies>
+ <module name="javax.api"/>
+ <module name="javax.transaction.api"/>
+ </dependencies>
+</module>
diff --git a/handlers/main.yml b/handlers/main.yml
index 087862c63c13bca7d943eaa25e07eddefc382521..df2b09e658dbfe34f69eadd5d4482a242a531ddb 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -1,2 +1,14 @@
 ---
 # handlers file for sso-lqdn
+
+- name: reload systemd
+ systemd:
+ daemon_reload: yes
+ become: yes
+
+- name: restart keycloak
+ systemd:
+ name: keycloak
+ enabled: yes
+ state: restarted
+ become: yes
diff --git a/tasks/install-configuration.yml b/tasks/install-configuration.yml
index 101d7799efe0ee645f9fb46fea20b893cc88de16..320764ea54e9ef1a354c596090e0d8242706442b 100644
--- a/tasks/install-configuration.yml
+++ b/tasks/install-configuration.yml
@@ -1,3 +1,26 @@
 ---
 - name : Configuring Keycloak
+ template:
+ src: standalone-ha.xml.j2
+ dest: {{ keycloak_config_dir }}/standalone-ha.xml
+ owner: root
+ group: root
+ mode: 0644
+ become: yes
+ notify:
+ - reload systemd
+ - restart keycloak
+
+- name: create Keycloak admin user
+ command:
+ args:
+ argv:
+ - "{{ keycloak_jboss_home }}/bin/add-user-keycloak.sh"
+ - -rmaster
+ - -u{{ keycloak_admin_user }}
+ - -p{{ keycloak_admin_password }}
+ creates: "{{ keycloak_config_dir }}/keycloak-add-user.json"
+ become: yes
+ tags:
+ - skip_ansible_lint
diff --git a/tasks/install-database.yml b/tasks/install-database.yml
index ed97d539c095cf1413af30cc23dea272095b97dd..d8bc08cf56686de0b0be2523b4f7994edfec8eb1 100644
--- a/tasks/install-database.yml
+++ b/tasks/install-database.yml
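Review bot: `dest: {{ keycloak_config_dir }}/standalone-ha.xml` in the Configuring Keycloak task is unquoted, so YAML reads the leading `{{` as a flow mapping and the play fails to parse before Jinja ever runs; it needs `dest: "{{ keycloak_config_dir }}/standalone-ha.xml"`. The rendered file carries the database password (`keycloak_db_pwd` is substituted into the KeycloakDS datasource in the template) yet is written root-owned with `mode: 0644`, i.e. world-readable; `owner: "{{ keycloak_service_user }}"` with `mode: "0640"` (quoted, so Ansible receives a string rather than the integer 420) keeps it readable by the service only. In the admin-user task the password is passed as the argv item `-p{{ keycloak_admin_password }}`, which is visible in `ps` on the host and in Ansible's task output; add `no_log: true` to that task. Whether add-user-keycloak.sh accepts the joined `-rmaster`/`-u…`/`-p…` forms rather than `-r master` is not shown here — verify on a target. The `creates:` guard also deserves a comment such as `# keycloak-add-user.json is consumed on the next server start; once removed this task re-runs`, if that is indeed the server's behaviour.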
@@ -1 +1,51 @@
 ---
+# Adding the database to be used by Keycloak
+
+# Adding the Java Database Driver
+- name : Installation of the latest Java OpenJDK Driver
+ package :
+ name :
+ - libmariadb-java
+ state : latest
+
+# Creating the database user and password for keycloak
+- name: "Update root password"
+ mysql_user:
+ name: root
+ password: "{{ keycloack_mysql_root_password }}"
+ check_implicit_admin: yes
+ priv: "*.*:ALL,GRANT"
+ # Assuming the root user has only localhost access
+ host_all: yes
+
+- name: "Delete the anonymous user."
+ mysql_user:
+ user: ""
+ state: "absent"
+ login_user: root
+ login_password: "{{ keycloack_mysql_root_password }}"
+ ignore_errors: yes
+
+- name: "Removes the MySQL test database"
+ mysql_db:
+ name: test
+ state: absent
+ login_user: root
+ login_password: "{{ keycloack_mysql_root_password }}"
+ ignore_errors: yes
+
+- name: "Add Database {{ keycloak_db_name }}."
+ mysql_db:
+ name: "{{ keycloak_db_name }}"
+ login_user: root
+ login_password: "{{ keycloack_mysql_root_password }}"
+ state: present
+
+- name: "Configure the database user."
+ mysql_user:
+ name: "{{ keycloak_db_admin }}"
+ password: "{{ keycloak_db_pwd }}"
+ priv: "{{ keycloak_db_name }}.*:ALL"
+ login_user: root
+ login_password: "{{ keycloak_mysql_root_pwd }}"
+ state: present
diff --git a/tasks/install-dependencies.yml b/tasks/install-dependencies.yml
index 287415b547f002a7ebb1b8e49f147eb1d6a216e6..7e5c1d421be390c03a2d33000ed09f6619f684a1 100644
--- a/tasks/install-dependencies.yml
+++ b/tasks/install-dependencies.yml
@@ -13,8 +13,8 @@
 - tar
 state : present
-- name : Installation of pSQL
+- name : Installation of MariaDB
 package :
 name :
- - postgresql
+ - mariadb
 state : present
diff --git a/tasks/install-reverse-proxy.yml b/tasks/install-reverse-proxy.yml
index 09531451b0961c7331bb8cabe08b5b9b4b68c440..3f591a30e802b6c4ecc53d86f416228663d07aa8 100644
--- a/tasks/install-reverse-proxy.yml
+++ b/tasks/install-reverse-proxy.yml
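Review bot: The final task, Configure the database user, logs in with `{{ keycloak_mysql_root_pwd }}` while the four tasks above it use `{{ keycloack_mysql_root_password }}` (note the `keycloack` spelling), so unless both variables happen to be defined the play aborts on an undefined variable after the root password has already been rotated; settle on one name, e.g. `keycloak_mysql_root_password`, in all five places. The two hardening tasks (dropping the anonymous user and the `test` database) carry `ignore_errors: yes`, which turns a failed cleanup into a silent pass on exactly the steps that matter; remove it, or narrow it with `failed_when` to the specific already-absent case. `libmariadb-java` is installed with `state: latest`, so the JDBC driver the role wires into Keycloak changes silently between runs — pin a version if reproducible deployments matter. None of these tasks use `become`, and the initial root-password update passes no `login_unix_socket`; whether that works depends on how the distribution authenticates the MariaDB root account, which this file does not show.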
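Review bot: The replacement package name `mariadb` is the client-only package on Fedora/RHEL and does not exist on Debian/Ubuntu (the `libmariadb-java` name used elsewhere in this change suggests a Debian target), yet install-database.yml immediately connects as root to change the password, so a running server is required. `- mariadb-server` is the server package on both families; the `mysql_*` modules additionally need a MySQL Python driver on the target (e.g. `python3-pymysql`), which nothing in this diff installs.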
@@ -1,7 +1,7 @@
 ---
-
-- name : Installing Nginx
-
-- name : Configuring Nginx to reverse proxy Keycloak
-
-- name : Configuring Nginx to process the SSL certificates
+#
+# - name : Installing Nginx
+#
+# - name : Configuring Nginx to reverse proxy Keycloak
+#
+# - name : Configuring Nginx to process the SSL certificates
diff --git a/tasks/install-run-service.yml b/tasks/install-run-service.yml
index 7fabfdb28cbec0fafc9601e550d447e6b5af4932..436008adf0faa6c332c567ab630b1297f2545d2f 100644
--- a/tasks/install-run-service.yml
+++ b/tasks/install-run-service.yml
@@ -1,5 +1,13 @@
 ---
-- name : Installing the SystemD service script
-
-- name : Launching the service
+- name: Installing the SystemD service script
+ template:
+ src: keycloak.service.j2
+ dest: /etc/systemd/system/keycloak.service
+ owner: root
+ group: root
+ mode: 0644
+ become: yes
+ notify:
+ - reload systemd
+ - restart keycloak
diff --git a/tasks/install-service.yml b/tasks/install-service.yml
index 77cf8924a98205261a0979fb86157bee8450ab3c..6245868ec874f24132f65a7f024c5d7f52041a78 100644
--- a/tasks/install-service.yml
+++ b/tasks/install-service.yml
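Review bot: This task writes `/etc/systemd/system/keycloak.service` from `keycloak.service.j2`, and the same diff adds a task in install-service.yml that renders the same template to `/etc/systemd/system/{{ keycloak_service_name }}.service`; the two overwrite one file when `keycloak_service_name` is `keycloak` and produce two units otherwise, while the `restart keycloak` handler always restarts the hard-coded name `keycloak`. Keep one of the two tasks and have the handler use the same variable, `name: "{{ keycloak_service_name }}"`. Quote the mode as `mode: "0644"`: the unquoted form is parsed as the integer 420 and Ansible's interpretation of that is not consistent across contexts.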
@@ -18,16 +18,72 @@
 state: absent
 when: existing_deploy.stat.exists and keycloak_force_install | bool
-
 - name: Checking for an existing deployment after possible forced removal
 stat:
 path: "{{ keycloak_jboss_home }}"
 register: existing_deploy
-- name: Downloading Keycloak
+- name: create Keycloak install location
+ file:
+ dest: "{{ keycloak_base_path }}"
+ state: directory
+ owner: "{{ keycloak_service_user }}"
+ group: "{{ keycloak_service_group }}"
+ become: yes
+
+- block:
+ - name: download Keycloak archive to target
+ get_url:
+ url: "{{ keycloak_url }}"
+ dest: "{{ keycloak_dest }}"
+ owner: "{{ keycloak_service_user }}"
+ group: "{{ keycloak_service_group }}"
+ - name: extract Keycloak archive on target
+ unarchive:
+ remote_src: yes
+ src: "{{ keycloak_dest }}/{{ keycloak_archive }}"
+ dest: "{{ keycloak_dest }}"
+ creates: "{{ keycloak_jboss_home }}"
+ owner: "{{ keycloak_service_user }}"
+ group: "{{ keycloak_service_group }}"
+ notify:
+ - restart keycloak
+ become: yes
+ when: keycloak_archive_on_target
-- name: Extracting Keycloak
+- block:
+ - name: download Keycloak archive to local
+ delegate_to: localhost
+ get_url:
+ url: "{{ keycloak_url }}"
+ dest: "{{ keycloak_local_download_dest }}/{{ keycloak_archive }}"
+ - name: extract Keycloak archive on local
+ unarchive:
+ remote_src: no
+ src: "{{ keycloak_local_download_dest }}/{{ keycloak_archive }}"
+ dest: "{{ keycloak_dest }}"
+ creates: "{{ keycloak_jboss_home }}"
+ owner: "{{ keycloak_service_user }}"
+ group: "{{ keycloak_service_group }}"
+ become: yes
+ notify:
+ - restart keycloak
+ when: not keycloak_archive_on_target
-- name: Downloading postgresql jdbc driver
+- name: Create module.xml for mariadb jdbc driver
+ copy:
+ src: "module-mariadb.xml"
+ dest: "{{ keycloak_jboss_home }}/modules/system/layers/keycloak/org/mariadb/main/module.xml"
+ owner: "{{ keycloak_service_user }}"
+ group: "{{ keycloak_service_group }}"
-- name: Create module.xml for postgresql jdbc driver
+- name: Add systemd unit file for keycloak service
+ template:
+ src: "keycloak.service.j2"
+ dest: "/etc/systemd/system/{{ keycloak_service_name }}.service"
+ owner: root
+ group: root
+ mode: 0644
+ notify:
+ - reload systemd
+ - restart keycloak
diff --git a/tasks/install-ssl.yml b/tasks/install-ssl.yml
index 32251461b4f91b8eb4f00bde7d1dbadf597d956e..e9869c51053ac17488a07669de1ce06849347d38 100644
--- a/tasks/install-ssl.yml
+++ b/tasks/install-ssl.yml
@@ -1,9 +1,9 @@
 ---
-- name : Installing Let's Encrypt
-
-- name : Configuring the certificates for Keycloak
-
-- name : Verifing the SSL certificates
-
-- name : Setting up automatic renewal of the certificates
+# - name : Installing Let's Encrypt
+#
+# - name : Configuring the certificates for Keycloak
+#
+# - name : Verifing the SSL certificates
+#
+# - name : Setting up automatic renewal of the certificates
diff --git a/tasks/install-update.yml b/tasks/install-update.yml
index d126430f43101fbaff0978df72d2b2ab41675735..044c1307bf16e980c3e4d42469c31eca9f8a3825 100644
--- a/tasks/install-update.yml
+++ b/tasks/install-update.yml
@@ -1,5 +1,5 @@
 ---
-- name : Verifying that we are running the last version of Keycloak
-
-- name : Updating the variables to install the last version of keycloak
+# - name : Verifying that we are running the last version of Keycloak
+#
+# - name : Updating the variables to install the last version of keycloak
diff --git a/tasks/main.yml b/tasks/main.yml
index 93e2875a8e11c79b3d05a8431a08da9c4e926833..cb793c2237c753d76360d39f04a67765e01965b3 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -23,10 +23,10 @@
 - include: install-configuration.yml
 # Install NGINX as a reverse proxy
-- include: install-reverse-proxy.yml
+# - include: install-reverse-proxy.yml
 # Configuration of the SSL certificates
-- include: install-ssl.yml
+# - include: install-ssl.yml
 # Launch the service
 - include: install-run-service.yml
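Review bot: The module descriptor is copied to `.../org/mariadb/main/module.xml`, but files/module-mariadb.xml declares `name="org.mariadb.jdbc"` and the datasource driver in standalone-ha.xml.j2 references `module="org.mariadb.jdbc"`; JBoss Modules resolves that name at `org/mariadb/jdbc/main/module.xml`, so the driver is never found and the KeycloakDS datasource cannot deploy. Change the dest to `"{{ keycloak_jboss_home }}/modules/system/layers/keycloak/org/mariadb/jdbc/main/module.xml"`. Both `get_url` tasks fetch `{{ keycloak_url }}` with no `checksum:`, so whatever the download source returns is unpacked and run as the service user; add `checksum: "{{ keycloak_archive_checksum }}"` (a new variable holding e.g. `sha256:<digest>` for the pinned release) so a tampered or truncated archive is rejected. In the second block `become: yes` sits at block level and therefore also applies to the `delegate_to: localhost` download, which may prompt for sudo on the controller — move `become` onto the unarchive task only. The hunk starts mid-file, so the force-removal task it opens with is only partially visible.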
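Review bot: Commenting out the reverse-proxy and SSL includes leaves nothing in the role terminating TLS, while install-run-service.yml still starts Keycloak bound to `{{ keycloak_bind_address }}` on its plain HTTP port; unless that address defaults to loopback or another private interface, the admin console login and the credentials seeded by add-user-keycloak.sh travel in cleartext. Record that here rather than leaving the reader to infer it, e.g. `# NOTE: no TLS / reverse proxy is configured by this role yet; keep keycloak_bind_address on a private interface`, and consider a `127.0.0.1` default for that variable (its definition is not in this diff).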
diff --git a/templates/keycloak.service.j2 b/templates/keycloak.service.j2
new file mode 100644
index 0000000000000000000000000000000000000000..bd33e2f56d4c0028b168fe5235e531e7a706dcaa
--- /dev/null
+++ b/templates/keycloak.service.j2
@@ -0,0 +1,18 @@
+[Unit]
+Description=Keycloak Server
+After=network.target
+Wants.mariadb.service
+
+[Service]
+Type=simple
+Environment="JAVA_OPTS={{ keycloak_java_opts }}"
+Environment="JBOSS_HOME={{ keycloak_jboss_home }}"
+Restart=always
+User={{ keycloak_service_user }}
+Group={{ keycloak_service_group }}
+ExecStart={{ keycloak_jboss_home }}/bin/standalone.sh --server-config=standalone-ha.xml -b={{ keycloak_bind_address }} -Djboss.http.port={{ keycloak_http_port }} -Djboss.https.port={{ keycloak_https_port }} -Djboss.management.http.port={{ keycloak_management_http_port }} -Djboss.management.https.port={{ keycloak_management_https_port }}
+TimeoutStartSec=600
+TimeoutStopSec=600
+
+[Install]
+WantedBy=multi-user.target
diff --git a/templates/standalone-ha.xml.j2 b/templates/standalone-ha.xml.j2
new file mode 100644
index 0000000000000000000000000000000000000000..284b28b5e93838177d6d94150d1e66351ac06f87
--- /dev/null
+++ b/templates/standalone-ha.xml.j2
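Review bot: `Wants.mariadb.service` in the [Unit] section has no `=`, so systemd reports a missing `=` and ignores the line; with `After=network.target` alone Keycloak can start before the database is accepting connections and then cycle through `Restart=always` until it is. The intended lines are `Wants=mariadb.service` and `After=network.target mariadb.service`. The unit also runs a JVM unpacked under `{{ keycloak_jboss_home }}` with no sandboxing; `NoNewPrivileges=true` and `PrivateTmp=true` are safe additions for a network-facing service, and `ProtectSystem=full` as well provided `keycloak_base_path` does not live under /usr or /etc, which this template does not show.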
@@ -0,0 +1,665 @@ +<?xml version='1.0' encoding='UTF-8'?> + +<server xmlns="urn:jboss:domain:14.0"> + <extensions> + <extension module="org.jboss.as.clustering.infinispan"/> + <extension module="org.jboss.as.clustering.jgroups"/> + <extension module="org.jboss.as.connector"/> + <extension module="org.jboss.as.deployment-scanner"/> + <extension module="org.jboss.as.ee"/> + <extension module="org.jboss.as.ejb3"/> + <extension module="org.jboss.as.jaxrs"/> + <extension module="org.jboss.as.jmx"/> + <extension module="org.jboss.as.jpa"/> + <extension module="org.jboss.as.logging"/> + <extension module="org.jboss.as.mail"/> + <extension module="org.jboss.as.modcluster"/> + <extension module="org.jboss.as.naming"/> + <extension module="org.jboss.as.remoting"/> + <extension module="org.jboss.as.security"/> + <extension module="org.jboss.as.transactions"/> + <extension module="org.jboss.as.weld"/> + <extension module="org.keycloak.keycloak-server-subsystem"/> + <extension module="org.wildfly.extension.bean-validation"/> + <extension module="org.wildfly.extension.core-management"/> + <extension module="org.wildfly.extension.elytron"/> + <extension module="org.wildfly.extension.io"/> + <extension module="org.wildfly.extension.microprofile.config-smallrye"/> + <extension module="org.wildfly.extension.microprofile.health-smallrye"/> + <extension module="org.wildfly.extension.microprofile.metrics-smallrye"/> + <extension module="org.wildfly.extension.request-controller"/> + <extension module="org.wildfly.extension.security.manager"/> + <extension module="org.wildfly.extension.undertow"/> + </extensions> + <management> + <security-realms> + <security-realm name="ManagementRealm"> + <authentication> + <local default-user="$local" skip-group-loading="true"/> + <properties path="mgmt-users.properties" relative-to="jboss.server.config.dir"/> + </authentication> + <authorization map-groups-to-roles="false"> + <properties path="mgmt-groups.properties" 
relative-to="jboss.server.config.dir"/> + </authorization> + </security-realm> + <security-realm name="ApplicationRealm"> + <server-identities> + <ssl> + <keystore path="application.keystore" relative-to="jboss.server.config.dir" keystore-password="password" alias="server" key-password="password" generate-self-signed-certificate-host="localhost"/> + </ssl> + </server-identities> + <authentication> + <local default-user="$local" allowed-users="*" skip-group-loading="true"/> + <properties path="application-users.properties" relative-to="jboss.server.config.dir"/> + </authentication> + <authorization> + <properties path="application-roles.properties" relative-to="jboss.server.config.dir"/> + </authorization> + </security-realm> + </security-realms> + <audit-log> + <formatters> + <json-formatter name="json-formatter"/> + </formatters> + <handlers> + <file-handler name="file" formatter="json-formatter" path="audit-log.log" relative-to="jboss.server.data.dir"/> + </handlers> + <logger log-boot="true" log-read-only="false" enabled="false"> + <handlers> + <handler name="file"/> + </handlers> + </logger> + </audit-log> + <management-interfaces> + <http-interface security-realm="ManagementRealm"> + <http-upgrade enabled="true"/> + <socket-binding http="management-http"/> + </http-interface> + </management-interfaces> + <access-control provider="simple"> + <role-mapping> + <role name="SuperUser"> + <include> + <user name="$local"/> + </include> + </role> + </role-mapping> + </access-control> + </management> + <profile> + <subsystem xmlns="urn:jboss:domain:logging:8.0"> + <console-handler name="CONSOLE"> + <level name="INFO"/> + <formatter> + <named-formatter name="COLOR-PATTERN"/> + </formatter> + </console-handler> + <periodic-rotating-file-handler name="FILE" autoflush="true"> + <formatter> + <named-formatter name="PATTERN"/> + </formatter> + <file relative-to="jboss.server.log.dir" path="server.log"/> + <suffix value=".yyyy-MM-dd"/> + <append value="true"/> + 
</periodic-rotating-file-handler> + <logger category="com.arjuna"> + <level name="WARN"/> + </logger> + <logger category="io.jaegertracing.Configuration"> + <level name="WARN"/> + </logger> + <logger category="org.jboss.as.config"> + <level name="DEBUG"/> + </logger> + <logger category="sun.rmi"> + <level name="WARN"/> + </logger> + <root-logger> + <level name="INFO"/> + <handlers> + <handler name="CONSOLE"/> + <handler name="FILE"/> + </handlers> + </root-logger> + <formatter name="PATTERN"> + <pattern-formatter pattern="%d{yyyy-MM-dd HH:mm:ss,SSS} %-5p [%c] (%t) %s%e%n"/> + </formatter> + <formatter name="COLOR-PATTERN"> + <pattern-formatter pattern="%K{level}%d{HH:mm:ss,SSS} %-5p [%c] (%t) %s%e%n"/> + </formatter> + </subsystem> + <subsystem xmlns="urn:jboss:domain:bean-validation:1.0"/> + <subsystem xmlns="urn:jboss:domain:core-management:1.0"/> + <subsystem xmlns="urn:jboss:domain:datasources:6.0"> + <datasources> + <datasource jndi-name="java:jboss/datasources/ExampleDS" pool-name="ExampleDS" enabled="true" use-java-context="true" statistics-enabled="${wildfly.datasources.statistics-enabled:${wildfly.statistics-enabled:false}}"> + <connection-url>jdbc:h2:mem:test;DB_CLOSE_DELAY=-1;DB_CLOSE_ON_EXIT=FALSE</connection-url> + <driver>h2</driver> + <security> + <user-name>sa</user-name> + <password>sa</password> + </security> + </datasource> + <datasource jndi-name="java:jboss/datasources/KeycloakDS" pool-name="KeycloakDS" enabled="true" use-java-context="true" statistics-enabled="${wildfly.datasources.statistics-enabled:${wildfly.statistics-enabled:false}}"> + <connection-url>jdbc:mariadb://localhost/keycloak?characterEncoding=UTF-8</connection-url> + <driver>mariadb</driver> + <pool> + <max-pool-size>100</max-pool-size> + </pool> + <security> + <user-name>{{ keycloak_db_admin }}</user-name> + <password>{{ keycloak_db_pwd }}</password> + </security> + </datasource> + <drivers> + <driver name="mariadb" module="org.mariadb.jdbc"> + 
<xa-datasource-class>org.mariadb.jdbc.MariaDbDataSource</xa-datasource-class> + </driver> + <driver name="h2" module="com.h2database.h2"> + <xa-datasource-class>org.h2.jdbcx.JdbcDataSource</xa-datasource-class> + </driver> + </drivers> + </datasources> + </subsystem> + <subsystem xmlns="urn:jboss:domain:deployment-scanner:2.0"> + <deployment-scanner path="deployments" relative-to="jboss.server.base.dir" scan-interval="5000" runtime-failure-causes-rollback="${jboss.deployment.scanner.rollback.on.failure:false}"/> + </subsystem> + <subsystem xmlns="urn:jboss:domain:ee:5.0"> + <spec-descriptor-property-replacement>false</spec-descriptor-property-replacement> + <concurrent> + <context-services> + <context-service name="default" jndi-name="java:jboss/ee/concurrency/context/default" use-transaction-setup-provider="true"/> + </context-services> + <managed-thread-factories> + <managed-thread-factory name="default" jndi-name="java:jboss/ee/concurrency/factory/default" context-service="default"/> + </managed-thread-factories> + <managed-executor-services> + <managed-executor-service name="default" jndi-name="java:jboss/ee/concurrency/executor/default" context-service="default" hung-task-threshold="60000" keepalive-time="5000"/> + </managed-executor-services> + <managed-scheduled-executor-services> + <managed-scheduled-executor-service name="default" jndi-name="java:jboss/ee/concurrency/scheduler/default" context-service="default" hung-task-threshold="60000" keepalive-time="3000"/> + </managed-scheduled-executor-services> + </concurrent> + <default-bindings context-service="java:jboss/ee/concurrency/context/default" datasource="java:jboss/datasources/ExampleDS" managed-executor-service="java:jboss/ee/concurrency/executor/default" managed-scheduled-executor-service="java:jboss/ee/concurrency/scheduler/default" managed-thread-factory="java:jboss/ee/concurrency/factory/default"/> + </subsystem> + <subsystem xmlns="urn:jboss:domain:ejb3:8.0"> + <session-bean> + <stateless> + 
<bean-instance-pool-ref pool-name="slsb-strict-max-pool"/> + </stateless> + <stateful default-access-timeout="5000" cache-ref="distributable" passivation-disabled-cache-ref="simple"/> + <singleton default-access-timeout="5000"/> + </session-bean> + <pools> + <bean-instance-pools> + <strict-max-pool name="mdb-strict-max-pool" derive-size="from-cpu-count" instance-acquisition-timeout="5" instance-acquisition-timeout-unit="MINUTES"/> + <strict-max-pool name="slsb-strict-max-pool" derive-size="from-worker-pools" instance-acquisition-timeout="5" instance-acquisition-timeout-unit="MINUTES"/> + </bean-instance-pools> + </pools> + <caches> + <cache name="simple"/> + <cache name="distributable" passivation-store-ref="infinispan" aliases="passivating clustered"/> + </caches> + <passivation-stores> + <passivation-store name="infinispan" cache-container="ejb" max-size="10000"/> + </passivation-stores> + <async thread-pool-name="default"/> + <timer-service thread-pool-name="default" default-data-store="default-file-store"> + <data-stores> + <file-data-store name="default-file-store" path="timer-service-data" relative-to="jboss.server.data.dir"/> + </data-stores> + </timer-service> + <remote cluster="ejb" connectors="http-remoting-connector" thread-pool-name="default"> + <channel-creation-options> + <option name="MAX_OUTBOUND_MESSAGES" value="1234" type="remoting"/> + </channel-creation-options> + </remote> + <thread-pools> + <thread-pool name="default"> + <max-threads count="10"/> + <keepalive-time time="60" unit="seconds"/> + </thread-pool> + </thread-pools> + <default-security-domain value="other"/> + <default-missing-method-permissions-deny-access value="true"/> + <statistics enabled="${wildfly.ejb3.statistics-enabled:${wildfly.statistics-enabled:false}}"/> + <log-system-exceptions value="true"/> + </subsystem> + <subsystem xmlns="urn:jboss:domain:io:3.0"> + <worker name="default"/> + <buffer-pool name="default"/> + </subsystem> + <subsystem 
xmlns="urn:jboss:domain:infinispan:11.0"> + <cache-container name="keycloak" module="org.keycloak.keycloak-model-infinispan"> + <transport lock-timeout="60000"/> + <local-cache name="realms"> + <heap-memory size="10000"/> + </local-cache> + <local-cache name="users"> + <heap-memory size="10000"/> + </local-cache> + <distributed-cache name="sessions" owners="1"/> + <distributed-cache name="authenticationSessions" owners="1"/> + <distributed-cache name="offlineSessions" owners="1"/> + <distributed-cache name="clientSessions" owners="1"/> + <distributed-cache name="offlineClientSessions" owners="1"/> + <distributed-cache name="loginFailures" owners="1"/> + <local-cache name="authorization"> + <heap-memory size="10000"/> + </local-cache> + <replicated-cache name="work"/> + <local-cache name="keys"> + <heap-memory size="1000"/> + <expiration max-idle="3600000"/> + </local-cache> + <distributed-cache name="actionTokens" owners="2"> + <heap-memory size="-1"/> + <expiration max-idle="-1" interval="300000"/> + </distributed-cache> + </cache-container> + <cache-container name="server" aliases="singleton cluster" default-cache="default" module="org.wildfly.clustering.server"> + <transport lock-timeout="60000"/> + <replicated-cache name="default"> + <transaction mode="BATCH"/> + </replicated-cache> + </cache-container> + <cache-container name="web" default-cache="dist" module="org.wildfly.clustering.web.infinispan"> + <transport lock-timeout="60000"/> + <replicated-cache name="sso"> + <locking isolation="REPEATABLE_READ"/> + <transaction mode="BATCH"/> + </replicated-cache> + <distributed-cache name="dist"> + <locking isolation="REPEATABLE_READ"/> + <transaction mode="BATCH"/> + <file-store/> + </distributed-cache> + <distributed-cache name="routing"/> + </cache-container> + <cache-container name="ejb" aliases="sfsb" default-cache="dist" module="org.wildfly.clustering.ejb.infinispan"> + <transport lock-timeout="60000"/> + <distributed-cache name="dist"> + <locking 
isolation="REPEATABLE_READ"/> + <transaction mode="BATCH"/> + <file-store/> + </distributed-cache> + </cache-container> + <cache-container name="hibernate" module="org.infinispan.hibernate-cache"> + <transport lock-timeout="60000"/> + <local-cache name="local-query"> + <heap-memory size="10000"/> + <expiration max-idle="100000"/> + </local-cache> + <invalidation-cache name="entity"> + <transaction mode="NON_XA"/> + <heap-memory size="10000"/> + <expiration max-idle="100000"/> + </invalidation-cache> + <replicated-cache name="timestamps"/> + </cache-container> + </subsystem> + <subsystem xmlns="urn:jboss:domain:jaxrs:2.0"/> + <subsystem xmlns="urn:jboss:domain:jca:5.0"> + <archive-validation enabled="true" fail-on-error="true" fail-on-warn="false"/> + <bean-validation enabled="true"/> + <default-workmanager> + <short-running-threads> + <core-threads count="50"/> + <queue-length count="50"/> + <max-threads count="50"/> + <keepalive-time time="10" unit="seconds"/> + </short-running-threads> + <long-running-threads> + <core-threads count="50"/> + <queue-length count="50"/> + <max-threads count="50"/> + <keepalive-time time="10" unit="seconds"/> + </long-running-threads> + </default-workmanager> + <cached-connection-manager/> + </subsystem> + <subsystem xmlns="urn:jboss:domain:jgroups:8.0"> + <channels default="ee"> + <channel name="ee" stack="udp" cluster="ejb"/> + </channels> + <stacks> + <stack name="udp"> + <transport type="UDP" socket-binding="jgroups-udp"/> + <protocol type="PING"/> + <protocol type="MERGE3"/> + <socket-protocol type="FD_SOCK" socket-binding="jgroups-udp-fd"/> + <protocol type="FD_ALL"/> + <protocol type="VERIFY_SUSPECT"/> + <protocol type="pbcast.NAKACK2"/> + <protocol type="UNICAST3"/> + <protocol type="pbcast.STABLE"/> + <protocol type="pbcast.GMS"/> + <protocol type="UFC"/> + <protocol type="MFC"/> + <protocol type="FRAG3"/> + </stack> + <stack name="tcp"> + <transport type="TCP" socket-binding="jgroups-tcp"/> + <socket-protocol type="MPING" 
socket-binding="jgroups-mping"/> + <protocol type="MERGE3"/> + <socket-protocol type="FD_SOCK" socket-binding="jgroups-tcp-fd"/> + <protocol type="FD_ALL"/> + <protocol type="VERIFY_SUSPECT"/> + <protocol type="pbcast.NAKACK2"/> + <protocol type="UNICAST3"/> + <protocol type="pbcast.STABLE"/> + <protocol type="pbcast.GMS"/> + <protocol type="MFC"/> + <protocol type="FRAG3"/> + </stack> + </stacks> + </subsystem> + <subsystem xmlns="urn:jboss:domain:jmx:1.3"> + <expose-resolved-model/> + <expose-expression-model/> + <remoting-connector/> + </subsystem> + <subsystem xmlns="urn:jboss:domain:jpa:1.1"> + <jpa default-datasource="" default-extended-persistence-inheritance="DEEP"/> + </subsystem> + <subsystem xmlns="urn:jboss:domain:mail:4.0"> + <mail-session name="default" jndi-name="java:jboss/mail/Default"> + <smtp-server outbound-socket-binding-ref="mail-smtp"/> + </mail-session> + </subsystem> + <subsystem xmlns="urn:jboss:domain:modcluster:5.0"> + <proxy name="default" advertise-socket="modcluster" listener="ajp"> + <dynamic-load-provider> + <load-metric type="cpu"/> + </dynamic-load-provider> + </proxy> + </subsystem> + <subsystem xmlns="urn:jboss:domain:naming:2.0"> + <remote-naming/> + </subsystem> + <subsystem xmlns="urn:jboss:domain:remoting:4.0"> + <http-connector name="http-remoting-connector" connector-ref="default" security-realm="ApplicationRealm"/> + </subsystem> + <subsystem xmlns="urn:jboss:domain:request-controller:1.0"/> + <subsystem xmlns="urn:jboss:domain:security-manager:1.0"> + <deployment-permissions> + <maximum-set> + <permission class="java.security.AllPermission"/> + </maximum-set> + </deployment-permissions> + </subsystem> + <subsystem xmlns="urn:wildfly:elytron:11.0" final-providers="combined-providers" disallowed-providers="OracleUcrypto"> + <providers> + <aggregate-providers name="combined-providers"> + <providers name="elytron"/> + <providers name="openssl"/> + </aggregate-providers> + <provider-loader name="elytron" 
module="org.wildfly.security.elytron"/> + <provider-loader name="openssl" module="org.wildfly.openssl"/> + </providers> + <audit-logging> + <file-audit-log name="local-audit" path="audit.log" relative-to="jboss.server.log.dir" format="JSON"/> + </audit-logging> + <security-domains> + <security-domain name="ApplicationDomain" default-realm="ApplicationRealm" permission-mapper="default-permission-mapper"> + <realm name="ApplicationRealm" role-decoder="groups-to-roles"/> + <realm name="local"/> + </security-domain> + <security-domain name="ManagementDomain" default-realm="ManagementRealm" permission-mapper="default-permission-mapper"> + <realm name="ManagementRealm" role-decoder="groups-to-roles"/> + <realm name="local" role-mapper="super-user-mapper"/> + </security-domain> + </security-domains> + <security-realms> + <identity-realm name="local" identity="$local"/> + <properties-realm name="ApplicationRealm"> + <users-properties path="application-users.properties" relative-to="jboss.server.config.dir" digest-realm-name="ApplicationRealm"/> + <groups-properties path="application-roles.properties" relative-to="jboss.server.config.dir"/> + </properties-realm> + <properties-realm name="ManagementRealm"> + <users-properties path="mgmt-users.properties" relative-to="jboss.server.config.dir" digest-realm-name="ManagementRealm"/> + <groups-properties path="mgmt-groups.properties" relative-to="jboss.server.config.dir"/> + </properties-realm> + </security-realms> + <mappers> + <simple-permission-mapper name="default-permission-mapper" mapping-mode="first"> + <permission-mapping> + <principal name="anonymous"/> + <permission-set name="default-permissions"/> + </permission-mapping> + <permission-mapping match-all="true"> + <permission-set name="login-permission"/> + <permission-set name="default-permissions"/> + </permission-mapping> + </simple-permission-mapper> + <constant-realm-mapper name="local" realm-name="local"/> + <simple-role-decoder name="groups-to-roles" 
attribute="groups"/> + <constant-role-mapper name="super-user-mapper"> + <role name="SuperUser"/> + </constant-role-mapper> + </mappers> + <permission-sets> + <permission-set name="login-permission"> + <permission class-name="org.wildfly.security.auth.permission.LoginPermission"/> + </permission-set> + <permission-set name="default-permissions"> + <permission class-name="org.wildfly.extension.batch.jberet.deployment.BatchPermission" module="org.wildfly.extension.batch.jberet" target-name="*"/> + <permission class-name="org.wildfly.transaction.client.RemoteTransactionPermission" module="org.wildfly.transaction.client"/> + <permission class-name="org.jboss.ejb.client.RemoteEJBPermission" module="org.jboss.ejb-client"/> + </permission-set> + </permission-sets> + <http> + <http-authentication-factory name="management-http-authentication" security-domain="ManagementDomain" http-server-mechanism-factory="global"> + <mechanism-configuration> + <mechanism mechanism-name="DIGEST"> + <mechanism-realm realm-name="ManagementRealm"/> + </mechanism> + </mechanism-configuration> + </http-authentication-factory> + <provider-http-server-mechanism-factory name="global"/> + </http> + <sasl> + <sasl-authentication-factory name="application-sasl-authentication" sasl-server-factory="configured" security-domain="ApplicationDomain"> + <mechanism-configuration> + <mechanism mechanism-name="JBOSS-LOCAL-USER" realm-mapper="local"/> + <mechanism mechanism-name="DIGEST-MD5"> + <mechanism-realm realm-name="ApplicationRealm"/> + </mechanism> + </mechanism-configuration> + </sasl-authentication-factory> + <sasl-authentication-factory name="management-sasl-authentication" sasl-server-factory="configured" security-domain="ManagementDomain"> + <mechanism-configuration> + <mechanism mechanism-name="JBOSS-LOCAL-USER" realm-mapper="local"/> + <mechanism mechanism-name="DIGEST-MD5"> + <mechanism-realm realm-name="ManagementRealm"/> + </mechanism> + </mechanism-configuration> + 
</sasl-authentication-factory> + <configurable-sasl-server-factory name="configured" sasl-server-factory="elytron"> + <properties> + <property name="wildfly.sasl.local-user.default-user" value="$local"/> + </properties> + </configurable-sasl-server-factory> + <mechanism-provider-filtering-sasl-server-factory name="elytron" sasl-server-factory="global"> + <filters> + <filter provider-name="WildFlyElytron"/> + </filters> + </mechanism-provider-filtering-sasl-server-factory> + <provider-sasl-server-factory name="global"/> + </sasl> + </subsystem> + <subsystem xmlns="urn:jboss:domain:security:2.0"> + <security-domains> + <security-domain name="other" cache-type="default"> + <authentication> + <login-module code="Remoting" flag="optional"> + <module-option name="password-stacking" value="useFirstPass"/> + </login-module> + <login-module code="RealmDirect" flag="required"> + <module-option name="password-stacking" value="useFirstPass"/> + </login-module> + </authentication> + </security-domain> + <security-domain name="jboss-web-policy" cache-type="default"> + <authorization> + <policy-module code="Delegating" flag="required"/> + </authorization> + </security-domain> + <security-domain name="jaspitest" cache-type="default"> + <authentication-jaspi> + <login-module-stack name="dummy"> + <login-module code="Dummy" flag="optional"/> + </login-module-stack> + <auth-module code="Dummy"/> + </authentication-jaspi> + </security-domain> + <security-domain name="jboss-ejb-policy" cache-type="default"> + <authorization> + <policy-module code="Delegating" flag="required"/> + </authorization> + </security-domain> + </security-domains> + </subsystem> + <subsystem xmlns="urn:jboss:domain:transactions:5.0"> + <core-environment node-identifier="${jboss.tx.node.id:1}"> + <process-id> + <uuid/> + </process-id> + </core-environment> + <recovery-environment socket-binding="txn-recovery-environment" status-socket-binding="txn-status-manager"/> + <coordinator-environment 
statistics-enabled="${wildfly.transactions.statistics-enabled:${wildfly.statistics-enabled:false}}"/> + <object-store path="tx-object-store" relative-to="jboss.server.data.dir"/> + </subsystem> + <subsystem xmlns="urn:jboss:domain:weld:4.0"/> + <subsystem xmlns="urn:wildfly:microprofile-config-smallrye:1.0"/> + <subsystem xmlns="urn:wildfly:microprofile-health-smallrye:2.0" security-enabled="false" empty-liveness-checks-status="${env.MP_HEALTH_EMPTY_LIVENESS_CHECKS_STATUS:UP}" empty-readiness-checks-status="${env.MP_HEALTH_EMPTY_READINESS_CHECKS_STATUS:UP}"/> + <subsystem xmlns="urn:wildfly:microprofile-metrics-smallrye:2.0" security-enabled="false" exposed-subsystems="*" prefix="${wildfly.metrics.prefix:wildfly}"/> + <subsystem xmlns="urn:jboss:domain:undertow:11.0" default-server="default-server" default-virtual-host="default-host" default-servlet-container="default" default-security-domain="other" statistics-enabled="${wildfly.undertow.statistics-enabled:${wildfly.statistics-enabled:false}}"> + <buffer-cache name="default"/> + <server name="default-server"> + <ajp-listener name="ajp" socket-binding="ajp"/> + <http-listener name="default" socket-binding="http" redirect-socket="proxy-https" proxy-address-forwarding="true" enable-http2="true"/> + <https-listener name="https" socket-binding="https" security-realm="ApplicationRealm" enable-http2="true"/> + <host name="default-host" alias="localhost"> + <location name="/" handler="welcome-content"/> + <http-invoker security-realm="ApplicationRealm"/> + </host> + </server> + <servlet-container name="default"> + <jsp-config/> + <websockets/> + </servlet-container> + <handlers> + <file name="welcome-content" path="${jboss.home.dir}/welcome-content"/> + </handlers> + </subsystem> + <subsystem xmlns="urn:jboss:domain:keycloak-server:1.1"> + <web-context>auth</web-context> + <providers> + <provider>classpath:${jboss.home.dir}/providers/*</provider> + </providers> + <master-realm-name>master</master-realm-name> + 
<scheduled-task-interval>900</scheduled-task-interval> + <theme> + <staticMaxAge>2592000</staticMaxAge> + <cacheThemes>true</cacheThemes> + <cacheTemplates>true</cacheTemplates> + <dir>${jboss.home.dir}/themes</dir> + </theme> + <spi name="eventsStore"> + <provider name="jpa" enabled="true"> + <properties> + <property name="exclude-events" value="["REFRESH_TOKEN"]"/> + </properties> + </provider> + </spi> + <spi name="userCache"> + <provider name="default" enabled="true"/> + </spi> + <spi name="userSessionPersister"> + <default-provider>jpa</default-provider> + </spi> + <spi name="timer"> + <default-provider>basic</default-provider> + </spi> + <spi name="connectionsHttpClient"> + <provider name="default" enabled="true"/> + </spi> + <spi name="connectionsJpa"> + <provider name="default" enabled="true"> + <properties> + <property name="dataSource" value="java:jboss/datasources/KeycloakDS"/> + <property name="initializeEmpty" value="true"/> + <property name="migrationStrategy" value="update"/> + <property name="migrationExport" value="${jboss.home.dir}/keycloak-database-update.sql"/> + </properties> + </provider> + </spi> + <spi name="realmCache"> + <provider name="default" enabled="true"/> + </spi> + <spi name="connectionsInfinispan"> + <default-provider>default</default-provider> + <provider name="default" enabled="true"> + <properties> + <property name="cacheContainer" value="java:jboss/infinispan/container/keycloak"/> + </properties> + </provider> + </spi> + <spi name="jta-lookup"> + <default-provider>${keycloak.jta.lookup.provider:jboss}</default-provider> + <provider name="jboss" enabled="true"/> + </spi> + <spi name="publicKeyStorage"> + <provider name="infinispan" enabled="true"> + <properties> + <property name="minTimeBetweenRequests" value="10"/> + </properties> + </provider> + </spi> + <spi name="x509cert-lookup"> + <default-provider>${keycloak.x509cert.lookup.provider:default}</default-provider> + <provider name="default" enabled="true"/> + </spi> + <spi 
name="hostname"> + <default-provider>default</default-provider> + <provider name="default" enabled="true"> + <properties> + <property name="frontendUrl" value="${keycloak.frontendUrl:}"/> + <property name="forceBackendUrlToFrontendUrl" value="false"/> + </properties> + </provider> + </spi> + </subsystem> + </profile> + <interfaces> + <interface name="management"> + <inet-address value="${jboss.bind.address.management:127.0.0.1}"/> + </interface> + <interface name="private"> + <inet-address value="${jboss.bind.address.private:127.0.0.1}"/> + </interface> + <interface name="public"> + <inet-address value="${jboss.bind.address:127.0.0.1}"/> + </interface> + </interfaces> + <socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}"> + <socket-binding name="ajp" port="${jboss.ajp.port:8009}"/> + <socket-binding name="http" port="${jboss.http.port:8080}"/> + <socket-binding name="https" port="${jboss.https.port:8443}"/> + <socket-binding name="jgroups-mping" interface="private" multicast-address="${jboss.default.multicast.address:230.0.0.4}" multicast-port="45700"/> + <socket-binding name="jgroups-tcp" interface="private" port="7600"/> + <socket-binding name="jgroups-tcp-fd" interface="private" port="57600"/> + <socket-binding name="jgroups-udp" interface="private" port="55200" multicast-address="${jboss.default.multicast.address:230.0.0.4}" multicast-port="45688"/> + <socket-binding name="jgroups-udp-fd" interface="private" port="54200"/> + <socket-binding name="management-http" interface="management" port="${jboss.management.http.port:9990}"/> + <socket-binding name="management-https" interface="management" port="${jboss.management.https.port:9993}"/> + <socket-binding name="modcluster" multicast-address="${jboss.modcluster.multicast.address:224.0.1.105}" multicast-port="23364"/> + <socket-binding name="proxy-https" port="443"/> + <socket-binding name="txn-recovery-environment" port="4712"/> + 
<socket-binding name="txn-status-manager" port="4713"/>
+ <outbound-socket-binding name="mail-smtp">
+ <remote-destination host="${jboss.mail.server.host:localhost}" port="${jboss.mail.server.port:25}"/>
+ </outbound-socket-binding>
+ </socket-binding-group>
+</server>
diff --git a/vars/main.yml b/vars/main.yml
index 387959f0fc15d9f2629ccf6fc735d8dfd8a717ad..fedd77b47de4a58cd079372bca26e86370691c52 100644
--- a/vars/main.yml
+++ b/vars/main.yml
@@ -1,29 +1,34 @@
 ---
 # vars file for sso-lqdn
-## General (required)
-keycloak_version: "12.0.1"
-keycloak_url: "https://github.com/keycloak/keycloak/releases/download/{{ keycloak_version }}/keycloak-{{ keycloak_version }}.zip"
-keycloak_force_install: false
-keycloak_create_admin: false
-keycloak_admin_user: "admin"
+# General user setup
-## General (optional)
+keycloak_service_group: "keycloak"
 keycloak_service_user: "keycloak"
-keycloak_service_group: "{{ keycloak_service_user }}"
 keycloak_service_name: "keycloak"
-keycloak_base_path: "/var/www/keycloak"
+keycloak_base_path: "/opt/keycloak"
+keycloak_dest: "{{ keycloak_base_path }}"
+
+## General settings
+keycloak_version: "12.0.4"
+keycloak_url: "https://github.com/keycloak/keycloak/releases/download/{{ keycloak_version }}/keycloak-{{ keycloak_version }}.zip"
+keycloak_archive: "keycloak-{{ keycloak_version }}.zip"
+keycloak_archive_on_target: True # To download the archive directly to the server
+
+# Database settings
+keycloack_mysql_root_password: "{{ vault_keycloak_mysql_root_password}}"
+keycloak_db_name: "keycloak"
+keycloak_db_admin: "keycloak"
+keycloak_db_pwd: "{{ vault_keycloak_db_pwd }}"
+
+# More General settings ( Optional )
 keycloak_jboss_home: "{{ keycloak_base_path }}/keycloak-{{ keycloak_version }}"
 keycloak_config_dir: "{{ keycloak_jboss_home }}/standalone/configuration"
-keycloak_startup_timeout: "300"
-keycloak_java_opts: "-Xms256m -Xmx1024m"
-## Database
-keycloak_postgresql_jdbc_version: "42.2.18"
-keycloak_postgresql_jdbc_url: "https://jdbc.postgresql.org/download/postgresql-{{ keycloak_postgresql_jdbc_version }}.jar"
-keycloak_postgresql_host: "localhost"
-keycloak_postgresql_port: "5432"
-keycloak_postgresql_database: "keycloak"
+# If you want to create the admin user
+keycloak_create_admin: false
+keycloak_admin_user: "admin"
+keycloak_admin_password: "{{ vault_keycloak_admin_password }}"
 ## Networking
 keycloak_behind_reverseproxy: true
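Review bot: The new key `keycloack_mysql_root_password` is misspelled relative to every other `keycloak_*` variable in this hunk, and its value drops the space before the closing braces; any task that looks up `keycloak_mysql_root_password` will hit an undefined variable, so the line should read `keycloak_mysql_root_password: "{{ vault_keycloak_mysql_root_password }}"`. `keycloak_archive_on_target: True` mixes a capitalised YAML 1.1 boolean with the lowercase `false` used for `keycloak_create_admin` in the same hunk; yamllint's truthy rule flags it and `true` is the portable form. The secrets are correctly indirected through `vault_*` variables, but placing them, together with tunables such as `keycloak_version` and `keycloak_create_admin` whose comments read as user options, in `vars/main.yml` gives them role-vars precedence that inventory and host/group vars cannot override; if they are meant to be set per deployment, `defaults/main.yml` is the conventional home and `vars/main.yml` would keep only derived paths like `keycloak_jboss_home`. The hunk is complete in this view, though blank context lines were lost when the diff was collapsed.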
@@ -33,6 +38,13 @@ keycloak_https_port: "8443"
 keycloak_management_http_port: "9990"
 keycloak_management_https_port: "9993"
+# Run settings
+keycloak_startup_timeout: "300"
+keycloak_java_opts: "-Xms256m -Xmx1024m"
+
+# In case you want to force the re installation
+keycloak_force_install: false
+
 ## Customization
 keycloak_profile_preview: false
 keycloak_welcome_theme: "keycloak"