refactor(authelia): add state and deployment_method role parameters

Migrate role from `entropia.sso` collection

README.md

@@ -23,6 +23,9 @@ concise area of concern.
 - [`jellyfin`](roles/jellyfin/README.md): Deploy [jellyfin.org](https://jellyfin.org),
   the free software media system for streaming stored media to any device.
 
+- [`keycloak`](roles/keycloak/README.md): Deploy [keycloak](https://www.keycloak.org/),
+  the open source identity and access management solution.
+
 - [`openproject`](roles/openproject/README.md): Deploys an [openproject.org](https://www.openproject.org)
   installation using the upstream provided docker-compose setup.
 

galaxy.yml

@@ -1,6 +1,6 @@
 namespace: finallycoffee
 name: services
-version: 0.1.7
+version: 0.1.10
 readme: README.md
 authors:
 - transcaffeine <transcaffeine@finally.coffee>

roles/authelia/defaults/main.yml

@@ -1,9 +1,12 @@
 ---
-authelia_version: "4.38.16"
+authelia_version: "4.38.18"
 authelia_user: authelia
 authelia_base_dir: /opt/authelia
 authelia_domain: authelia.example.org
 
+authelia_state: present
+authelia_deployment_method: docker
+
 authelia_config_dir: "{{ authelia_base_dir }}/config"
 authelia_config_file: "{{ authelia_config_dir }}/config.yaml"
 authelia_data_dir: "{{ authelia_base_dir }}/data"
@@ -42,7 +45,8 @@ authelia_container_ports: ~
 authelia_container_networks: ~
 authelia_container_purge_networks: ~
 authelia_container_restart_policy: unless-stopped
-authelia_container_state: started
+authelia_container_state: >-2
+  {{ (authelia_state == 'present' | ternary('started', 'absent') }}
 
 authelia_container_listen_port: 9091
 authelia_tls_minimum_version: TLS1.2

roles/authelia/handlers/main.yml

@@ -4,5 +4,7 @@
   docker_container:
     name: "{{ authelia_container_name }}"
     state: started
-    restart: yes
+    restart: true
+    comparisons:
+      '*': ignore
   listen: restart-authelia

roles/authelia/tasks/main.yml

@@ -1,16 +1,20 @@
 ---
+- name: Ensure state is valid
+  ansible.builtin.fail:
+    msg: "Invalid state '{{ authelia_state }}'! Valid states are {{ authelia_states | join(', ') }}"
+  when: authelia_state not in authelia_states
 
-- name: Ensure user {{ authelia_user }} exists
+- name: Ensure user {{ authelia_user }} is {{ authelia_state }}
   ansible.builtin.user:
     name: "{{ authelia_user }}"
-    state: present
+    state: "{{ authelia_state }}"
     system: true
   register: authelia_user_info
 
 - name: Ensure host directories are created with correct permissions
   ansible.builtin.file:
     path: "{{ item.path }}"
-    state: directory
+    state: "{{ (authelia_state == 'present') | ternary('directory', 'absent') }}"
     owner: "{{ item.owner | default(authelia_user) }}"
     group: "{{ item.group | default(authelia_user) }}"
     mode: "{{ item.mode | default('0750') }}"
@@ -32,62 +36,9 @@
     owner: "{{ authelia_run_user }}"
     group: "{{ authelia_run_group }}"
     mode: "0640"
+  when: authelia_state == 'present'
   notify: restart-authelia
 
-- name: Ensure sqlite database file exists before mounting it
-  ansible.builtin.file:
-    path: "{{ authelia_sqlite_storage_file }}"
-    state: touch
-    owner: "{{ authelia_run_user }}"
-    group: "{{ authelia_run_group }}"
-    mode: "0640"
-    access_time: preserve
-    modification_time: preserve
-  when: authelia_config_storage_local_path | default(false, true)
-
-- name: Ensure user database exists before mounting it
-  ansible.builtin.file:
-    path: "{{ authelia_user_storage_file }}"
-    state: touch
-    owner: "{{ authelia_run_user }}"
-    group: "{{ authelia_run_group }}"
-    mode: "0640"
-    access_time: preserve
-    modification_time: preserve
-  when: authelia_config_authentication_backend_file_path | default(false, true)
-
-- name: Ensure notification reports file exists before mounting it
-  ansible.builtin.file:
-    path: "{{ authelia_notification_storage_file }}"
-    state: touch
-    owner: "{{ authelia_run_user }}"
-    group: "{{ authelia_run_group }}"
-    mode: "0640"
-    access_time: preserve
-    modification_time: preserve
-  when: authelia_config_notifier_filesystem_filename | default(false, true)
-
-- name: Ensure authelia container image is present
-  community.docker.docker_image:
-    name: "{{ authelia_container_image_ref }}"
-    state: present
-    source: pull
-    force_source: "{{ authelia_container_image_force_pull }}"
-  register: authelia_container_image_info
-
-- name: Ensure authelia container is running
-  community.docker.docker_container:
-    name: "{{ authelia_container_name }}"
-    image: "{{ authelia_container_image_ref }}"
-    env: "{{ authelia_container_env }}"
-    user: "{{ authelia_run_user }}:{{ authelia_run_group }}"
-    ports: "{{ authelia_container_ports | default(omit, true) }}"
-    labels: "{{ authelia_container_labels }}"
-    volumes: "{{ authelia_container_volumes }}"
-    networks: "{{ authelia_container_networks | default(omit, true) }}"
-    etc_hosts: "{{ authelia_container_etc_hosts | default(omit, true) }}"
-    purge_networks: "{{ authelia_container_purge_networks | default(omit, true)}}"
-    restart_policy: "{{ authelia_container_restart_policy }}"
-    recreate: "{{ authelia_container_recreate | default(omit, true) }}"
-    state: "{{ authelia_container_state }}"
-  register: authelia_container_info
+- name: Deploy using {{ authelia_deployment_method }}
+  ansible.builtin.include_tasks:
+    file: "deploy-{{ authelia_deployment_method }}.yml"

roles/authelia/vars/main.yml

@@ -1,4 +1,9 @@
 ---
+authelia_states:
+  - present
+  - absent
+authelia_deployment_methods:
+  - docker
 
 authelia_run_user: "{{ (authelia_user_info.uid) if authelia_user_info is defined else authelia_user }}"
 authelia_run_group: "{{ (authelia_user_info.group) if authelia_user_info is defined else authelia_user }}"
@@ -170,7 +175,12 @@ authelia_config_access_control:
   default_policy: "{{ authelia_config_access_control_default_policy }}"
   networks: "{{ authelia_config_access_control_networks }}"
   rules: "{{ authelia_config_access_control_rules }}"
-authelia_config_session:
+authelia_config_session: >-2
+  {{ authelia_config_session_base
+    | combine(({'redis': authelia_config_session_redis}
+      if authelia_config_session_redis_host else {}), recursive=true)
+  }}
+authelia_config_session_base:
   name: "{{ authelia_config_session_name }}"
   domain: "{{ authelia_config_session_domain }}"
   same_site: "{{ authelia_config_session_same_site }}"

roles/ghost/defaults/main.yml

@@ -1,6 +1,6 @@
 ---
 ghost_domain: ~
-ghost_version: "5.96.0"
+ghost_version: "5.105.0"
 ghost_user: ghost
 ghost_user_group: ghost
 ghost_base_path: /opt/ghost

roles/gitea/defaults/main.yml

@@ -1,5 +1,5 @@
 ---
-gitea_version: "1.22.3"
+gitea_version: "1.23.1"
 gitea_user: git
 gitea_run_user: "{{ gitea_user }}"
 gitea_base_path: "/opt/gitea"

roles/hedgedoc/defaults/main/container.yml

@@ -53,5 +53,5 @@ hedgedoc_container_all_labels: >-2
   {{ hedgedoc_container_base_labels | default({}, true)
     | combine(hedgedoc_container_labels | default({}, true)) }}
 hedgedoc_container_restart_policy: >-2
-  {{ (hedgedoc_deployment_method === 'docker')
+  {{ (hedgedoc_deployment_method == 'docker')
       | ternary('unless-stopped', 'on-failure') }}

roles/jellyfin/defaults/main.yml

@@ -1,6 +1,6 @@
 ---
 jellyfin_user: jellyfin
-jellyfin_version: "10.10.0"
+jellyfin_version: "10.10.3"
 jellyfin_state: present
 
 jellyfin_base_path: /opt/jellyfin

roles/keycloak/README.md

@@ -0,0 +1,16 @@
+# `finallycoffee.services.keycloak` ansible role
+
+Ansible role for deploying keycloak, currently only supports docker.
+
+Migrated from `entropia.sso.keycloak`.
+
+## Required variables
+
+- `keycloak_database_password` - password for the database user
+- `keycloak_config_hostname` - public domain of the keycloak server
+
+## Database configuration
+
+- `keycloak_database_hostname` - hostname of the database server, defaults to `localhost`
+- `keycloak_database_username` - username to use when connecting to the database server, defaults to `keycloak`
+- `keycloak_database_database` - name of the database to use, defaults to `keycloak`

roles/keycloak/defaults/main.yml

@@ -0,0 +1,51 @@
+---
+keycloak_version: 26.0.7
+keycloak_container_name: keycloak
+
+keycloak_container_image_upstream_registry: quay.io
+keycloak_container_image_upstream_namespace: keycloak
+keycloak_container_image_upstream_name: keycloak
+keycloak_container_image_upstream: >-2
+  {{
+    ([
+      keycloak_container_image_upstream_registry | default([]),
+      keycloak_container_image_upstream_namespace | default([]),
+      keycloak_container_image_upstream_name,
+    ] | flatten | join('/'))
+  }}
+keycloak_container_image_name: "keycloak:{{ keycloak_version }}-custom"
+
+keycloak_container_database_vendor: postgres
+keycloak_base_path: /opt/keycloak
+keycloak_container_build_directory: "{{ keycloak_base_path }}/build"
+keycloak_container_build_jar_directory: providers
+keycloak_container_build_flags: {}
+keycloak_provider_jars_directory: "{{ keycloak_base_path }}/providers"
+keycloak_build_provider_jars_directory: "{{ keycloak_container_build_directory }}/{{ keycloak_container_build_jar_directory }}"
+
+keycloak_database_hostname: localhost
+keycloak_database_port: 5432
+keycloak_database_username: keycloak
+keycloak_database_password: ~
+keycloak_database_database: keycloak
+
+keycloak_container_env: {}
+keycloak_container_labels: ~
+keycloak_container_volumes: ~
+keycloak_container_restart_policy: unless-stopped
+keycloak_container_command: >-2
+  start
+  --db-username {{ keycloak_database_username }}
+  --db-password {{ keycloak_database_password }}
+  --db-url jdbc:postgresql://{{ keycloak_database_hostname }}{{ keycloak_database_port | ternary(':' ~ keycloak_database_port, '') }}/{{ keycloak_database_database }}
+  {{ keycloak_container_extra_start_flags | default([]) | join(' ') }}
+  --proxy-headers=xforwarded
+  --hostname {{ keycloak_config_hostname }}
+  --optimized
+
+keycloak_config_health_enabled: true
+keycloak_config_metrics_enabled: true
+
+keycloak_config_hostname: localhost
+keycloak_config_admin_username: admin
+keycloak_config_admin_password: ~

roles/keycloak/meta/main.yml

@@ -0,0 +1,13 @@
+---
+allow_duplicates: true
+dependencies: []
+galaxy_info:
+  role_name: keycloak
+  description: Deploy keycloak, the opensource identity and access management solution
+  galaxy_tags:
+    - keycloak
+    - sso
+    - oidc
+    - oauth2
+    - iam
+    - docker

roles/keycloak/tasks/main.yml

@@ -0,0 +1,72 @@
+---
+
+- name: Ensure build directory exists
+  ansible.builtin.file:
+    name: "{{ keycloak_container_build_directory }}"
+    state: directory
+    recurse: yes
+    mode: 0700
+  tags:
+    - keycloak-build-container
+
+- name: Ensure provider jars directory exists
+  ansible.builtin.file:
+    name: "{{ keycloak_provider_jars_directory }}"
+    state: directory
+    mode: 0775
+  tags:
+    - keycloak-build-container
+
+- name: Ensure Dockerfile is templated
+  ansible.builtin.template:
+    src: Dockerfile.j2
+    dest: "{{ keycloak_container_build_directory }}/Dockerfile"
+    mode: 0700
+  register: keycloak_buildfile_info
+  tags:
+    - keycloak-container
+    - keycloak-build-container
+
+- name: Ensure upstream Keycloak container image '{{ keycloak_container_image_upstream }}:{{ keycloak_version }}' is present
+  community.docker.docker_image:
+    name: "{{ keycloak_container_image_upstream }}:{{ keycloak_version }}"
+    source: pull
+    state: present
+  register: keycloak_container_image_upstream_status
+  tags:
+    - keycloak-container
+    - keycloak-build-container
+
+- name: Ensure custom keycloak container image '{{ keycloak_container_image_name }}' is built
+  community.docker.docker_image:
+    name: "{{ keycloak_container_image_name }}"
+    build:
+      args:
+        DB_VENDOR: "{{ keycloak_container_database_vendor }}"
+        KC_ADMIN_PASSWORD: "{{ keycloak_config_admin_password }}"
+      dockerfile: "{{ keycloak_container_build_directory }}/Dockerfile"
+      path: "{{ keycloak_container_build_directory }}"
+    source: build
+    state: present
+    force_source: "{{ keycloak_buildfile_info.changed or keycloak_container_image_upstream_status.changed or (keycloak_force_rebuild_container | default(false))}}"
+  register: keycloak_container_image_status
+  tags:
+    - keycloak-container
+    - keycloak-build-container
+
+- name: Ensure keycloak container is running
+  community.docker.docker_container:
+    name: "{{ keycloak_container_name }}"
+    image: "{{ keycloak_container_image_name }}"
+    env: "{{ keycloak_container_env | default(omit, true) }}"
+    ports: "{{ keycloak_container_ports | default(omit, true) }}"
+    hostname: "{{ keycloak_container_hostname | default(omit) }}"
+    labels: "{{ keycloak_container_labels | default(omit, true) }}"
+    volumes: "{{ keycloak_container_volumes | default(omit, true) }}"
+    restart_policy: "{{ keycloak_container_restart_policy }}"
+    recreate: "{{ keycloak_container_force_recreate | default(false) or (keycloak_container_image_status.changed if keycloak_container_image_status is defined else false) }}"
+    etc_hosts: "{{ keycloak_container_etc_hosts | default(omit) }}"
+    state: started
+    command: "{{ keycloak_container_command }}"
+  tags:
+    - keycloak-container

roles/keycloak/templates/Dockerfile.j2

@@ -0,0 +1,41 @@
+FROM {{ keycloak_container_image_upstream }}:{{ keycloak_version }} as builder
+
+# Enable health and metrics support
+ENV KC_HEALTH_ENABLED={{ keycloak_config_health_enabled | ternary('true', 'false') }}
+ENV KC_METRICS_ENABLED={{ keycloak_config_metrics_enabled | ternary('true', 'false') }}
+
+# Configure a database vendor
+ARG DB_VENDOR
+ENV KC_DB=$DB_VENDOR
+
+WORKDIR {{ keycloak_container_working_directory }}
+
+ADD ./providers/* providers/
+# Workaround to set correct mode on jar files
+USER root
+RUN chmod -R 0770 providers/*
+USER keycloak
+
+RUN {{ keycloak_container_working_directory }}/bin/kc.sh --verbose \
+{% for argument in keycloak_container_build_flags | dict2items(key_name='flag', value_name='value') %}
+  --{{- argument['flag'] -}}{{- argument['value'] | default(false, true) | ternary('=' + argument['value'], '') }} \
+{% endfor%}
+  build{% if keycloak_container_build_features | default([]) | length > 0 %} \
+{% endif %}
+{% if keycloak_container_build_features | default([]) | length > 0 %}
+  --features="{{ keycloak_container_build_features | join(',') }}"
+{% endif %}
+
+
+FROM {{ keycloak_container_image_upstream }}:{{ keycloak_version }}
+COPY --from=builder {{ keycloak_container_working_directory }}/ {{ keycloak_container_working_directory }}/
+
+ENV KC_HOSTNAME={{ keycloak_config_hostname }}
+ENV KEYCLOAK_ADMIN={{ keycloak_config_admin_username }}
+ARG KC_ADMIN_PASSWORD
+{% if keycloak_version | split('.') | first | int > 21 %}
+ENV KEYCLOAK_ADMIN_PASSWORD=$KC_ADMIN_PASSWORD
+{% else %}
+ENV KEYCLOAK_PASSWORD=$KC_ADMIN_PASSWORD
+{% endif %}
+ENTRYPOINT ["{{ keycloak_container_working_directory }}/bin/kc.sh"]

roles/keycloak/vars/main.yml

@@ -0,0 +1,3 @@
+---
+
+keycloak_container_working_directory: /opt/keycloak

roles/openproject/defaults/main.yml

@@ -2,9 +2,9 @@
 openproject_base_path: "/opt/openproject"
 
 openproject_upstream_git_url: "https://github.com/opf/openproject-deploy.git"
-openproject_upstream_git_branch: "stable/13"
+openproject_upstream_git_branch: "stable/14"
 
-openproject_compose_project_path: "{{ openproject_base_path }}/compose"
+openproject_compose_project_path: "{{ openproject_base_path }}"
 openproject_compose_project_name: "openproject"
 openproject_compose_project_env_file: "{{ openproject_compose_project_path }}/.env"
 openproject_compose_project_override_file: "{{ openproject_compose_project_path }}/docker-compose.override.yml"

roles/openproject/tasks/main.yml

@@ -26,14 +26,13 @@
     content: "{{ openproject_compose_overrides | default({}) | to_nice_yaml }}"
 
 - name: Ensure containers are pulled
-  community.docker.docker_compose:
+  community.docker.docker_compose_v2:
     project_src: "{{ openproject_compose_project_path }}"
     project_name: "{{ openproject_compose_project_name }}"
-    pull: true
+    pull: "missing"
 
 - name: Ensure services are running
-  community.docker.docker_compose:
+  community.docker.docker_compose_v2:
     project_src: "{{ openproject_compose_project_path }}"
     project_name: "{{ openproject_compose_project_name }}"
     state: "present"
-    build: false

roles/snipe_it/defaults/main/main.yml

@@ -1,6 +1,6 @@
 ---
 snipe_it_user: snipeit
-snipe_it_version: "7.0.13"
+snipe_it_version: "7.1.15"
 snipe_it_domain: ~
 snipe_it_state: present
 snipe_it_deployment_method: docker

roles/vaultwarden/defaults/main/main.yml

@@ -1,6 +1,6 @@
 ---
 vaultwarden_user: vaultwarden
-vaultwarden_version: "1.32.2"
+vaultwarden_version: "1.32.7"
 
 vaultwarden_config_file: "/etc/vaultwarden/config.json"
 vaultwarden_config_directory: "{{ vaultwarden_config_file | dirname }}"