feat(keycloak): add ansible role

Migrate role from `entropia.sso` collection

README.md

@@ -23,6 +23,9 @@ concise area of concern.
 - [`jellyfin`](roles/jellyfin/README.md): Deploy [jellyfin.org](https://jellyfin.org),
   the free software media system for streaming stored media to any device.
 
+- [`keycloak`](roles/keycloak/README.md): Deploy [keycloak](https://www.keycloak.org/),
+  the open source identity and access management solution.
+
 - [`openproject`](roles/openproject/README.md): Deploys an [openproject.org](https://www.openproject.org)
   installation using the upstream provided docker-compose setup.
 

roles/keycloak/README.md

@@ -0,0 +1,5 @@
+# `finallycoffee.services.keycloak` ansible role
+
+Ansible role for deploying keycloak, currently only supports docker.
+
+Migrated from `entropia.sso.keycloak`.

roles/keycloak/defaults/main.yml

@@ -0,0 +1,38 @@
+---
+keycloak_version: 24.0.4
+keycloak_container_name: keycloak
+
+keycloak_container_upstream_image_name: quay.io/keycloak/keycloak
+keycloak_container_image_name: "keycloak:{{ keycloak_version }}-custom"
+
+keycloak_container_database_vendor: postgres
+keycloak_base_path: /opt/keycloak
+keycloak_container_build_directory: "{{ keycloak_base_path }}/build"
+keycloak_container_build_jar_directory: providers
+keycloak_container_build_flags: {}
+keycloak_provider_jars_directory: "{{ keycloak_base_path }}/providers"
+keycloak_build_provider_jars_directory: "{{ keycloak_container_build_directory }}/{{ keycloak_container_build_jar_directory }}"
+
+keycloak_database_hostname: localhost
+keycloak_database_port: 5432
+keycloak_database_username: keycloak
+keycloak_database_password: ~
+keycloak_database_database: keycloak
+
+keycloak_container_env: {}
+keycloak_container_labels: ~
+keycloak_container_volumes: ~
+keycloak_container_restart_policy: unless-stopped
+keycloak_container_command: >-2
+  start
+  --db-username {{ keycloak_database_username }}
+  --db-password {{ keycloak_database_password }}
+  --db-url jdbc:postgresql://{{ keycloak_database_hostname }}:{{ keycloak_database_port }}/{{ keycloak_database_database }}
+  --optimized
+
+keycloak_config_health_enabled: true
+keycloak_config_metrics_enabled: true
+
+keycloak_config_hostname: localhost
+keycloak_config_admin_username: admin
+keycloak_config_admin_password: ~

roles/keycloak/meta/main.yml

@@ -0,0 +1,13 @@
+---
+allow_duplicates: true
+dependencies: []
+galaxy_info:
+  role_name: keycloak
+  description: Deploy keycloak, the opensource identity and access management solution
+  galaxy_tags:
+    - keycloak
+    - sso
+    - oidc
+    - oauth2
+    - iam
+    - docker

roles/keycloak/tasks/main.yml

@@ -0,0 +1,78 @@
+---
+
+- name: Ensure build directory exists
+  ansible.builtin.file:
+    name: "{{ keycloak_container_build_directory }}"
+    state: directory
+    recurse: yes
+    mode: 0700
+  tags:
+    - keycloak-build-container
+
+- name: Ensure provider jars directory exists
+  ansible.builtin.file:
+    name: "{{ keycloak_provider_jars_directory }}"
+    state: directory
+    mode: 0775
+  tags:
+    - keycloak-build-container
+
+- name: Ensure Dockerfile is templated
+  ansible.builtin.template:
+    src: Dockerfile.j2
+    dest: "{{ keycloak_container_build_directory }}/Dockerfile"
+    mode: 0700
+  register: keycloak_buildfile_info
+  tags:
+    - keycloak-container
+    - keycloak-build-container
+
+- name: Ensure upstream Keycloak container image '{{ keycloak_container_upstream_image_name }}:{{ keycloak_version }}' is present
+  docker_image:
+    name: "{{ keycloak_container_upstream_image_name }}:{{ keycloak_version }}"
+    source: pull
+    state: present
+  register: keycloak_container_image_upstream_status
+  tags:
+    - keycloak-container
+    - keycloak-build-container
+
+- name: Ensure custom keycloak container image '{{ keycloak_container_image_name }}' is built
+  community.docker.docker_image:
+    name: "{{ keycloak_container_image_name }}"
+    build:
+      args:
+        DB_VENDOR: "{{ keycloak_container_database_vendor }}"
+        KC_ADMIN_PASSWORD: "{{ keycloak_config_admin_password }}"
+      dockerfile: "{{ keycloak_container_build_directory }}/Dockerfile"
+      path: "{{ keycloak_container_build_directory }}"
+    source: build
+    state: present
+    force_source: "{{ keycloak_buildfile_info.changed or keycloak_container_image_upstream_status.changed or (keycloak_force_rebuild_container | default(false))}}"
+  register: keycloak_container_image_status
+  tags:
+    - keycloak-container
+    - keycloak-build-container
+
+- name: Ensure keycloak container is running
+  community.docker.docker_container:
+    name: "{{ keycloak_container_name }}"
+    image: "{{ keycloak_container_image_name }}"
+    env: "{{ keycloak_container_env | default(omit, true) }}"
+    ports: "{{ keycloak_container_ports | default(omit, true) }}"
+    hostname: "{{ keycloak_container_hostname | default(omit) }}"
+    labels: "{{ keycloak_container_labels | default(omit, true) }}"
+    volumes: "{{ keycloak_container_volumes | default(omit, true) }}"
+    restart_policy: "{{ keycloak_container_restart_policy }}"
+    recreate: "{{ keycloak_container_force_recreate | default(false) or (keycloak_container_image_status.changed if keycloak_container_image_status is defined else false) }}"
+    etc_hosts: "{{ keycloak_container_etc_hosts | default(omit) }}"
+    state: started
+    command: >-2
+      start
+      --db-username {{ keycloak_database_username }}
+      --db-password {{ keycloak_database_password }}
+      --db-url jdbc:postgresql://{{ keycloak_database_hostname }}{{ keycloak_database_port | ternary(':' ~ keycloak_database_port, '') }}/{{ keycloak_database_database }}
+      {{ keycloak_container_extra_start_flags | default([]) | join(' ') }}
+      --optimized
+  tags:
+    - keycloak-container

roles/keycloak/templates/Dockerfile.j2

@@ -0,0 +1,41 @@
+FROM {{ keycloak_container_upstream_image_name }}:{{ keycloak_version }} as builder
+
+# Enable health and metrics support
+ENV KC_HEALTH_ENABLED={{ keycloak_config_health_enabled | ternary('true', 'false') }}
+ENV KC_METRICS_ENABLED={{ keycloak_config_metrics_enabled | ternary('true', 'false') }}
+
+# Configure a database vendor
+ARG DB_VENDOR
+ENV KC_DB=$DB_VENDOR
+
+WORKDIR {{ keycloak_container_working_directory }}
+
+ADD ./providers/* providers/
+# Workaround to set correct mode on jar files
+USER root
+RUN chmod -R 0770 providers/*
+USER keycloak
+
+RUN {{ keycloak_container_working_directory }}/bin/kc.sh --verbose \
+{% for argument in keycloak_container_build_flags | dict2items(key_name='flag', value_name='value') %}
+  --{{- argument['flag'] -}}{{- argument['value'] | default(false, true) | ternary('=' + argument['value'], '') }} \
+{% endfor%}
+  build{% if keycloak_container_build_features | default([]) | length > 0 %} \
+{% endif %}
+{% if keycloak_container_build_features | default([]) | length > 0 %}
+  --features="{{ keycloak_container_build_features | join(',') }}"
+{% endif %}
+
+
+FROM {{ keycloak_container_upstream_image_name }}:{{ keycloak_version }}
+COPY --from=builder {{ keycloak_container_working_directory }}/ {{ keycloak_container_working_directory }}/
+
+ENV KC_HOSTNAME={{ keycloak_config_hostname }}
+ENV KEYCLOAK_ADMIN={{ keycloak_config_admin_username }}
+ARG KC_ADMIN_PASSWORD
+{% if keycloak_version | split('.') | first | int > 21 %}
+ENV KEYCLOAK_ADMIN_PASSWORD=$KC_ADMIN_PASSWORD
+{% else %}
+ENV KEYCLOAK_PASSWORD=$KC_ADMIN_PASSWORD
+{% endif %}
+ENTRYPOINT ["{{ keycloak_container_working_directory }}/bin/kc.sh"]

roles/keycloak/vars/main.yml

@@ -0,0 +1,3 @@
+---
+
+keycloak_container_working_directory: /opt/keycloak