update(vaultwarden): bump version to 1.32.7

Migrate role from `entropia.sso` collection

README.md

@@ -23,6 +23,9 @@ concise area of concern.
 - [`jellyfin`](roles/jellyfin/README.md): Deploy [jellyfin.org](https://jellyfin.org),
   the free software media system for streaming stored media to any device.
 
+- [`keycloak`](roles/keycloak/README.md): Deploy [keycloak](https://www.keycloak.org/),
+  the open source identity and access management solution.
+
 - [`openproject`](roles/openproject/README.md): Deploys an [openproject.org](https://www.openproject.org)
   installation using the upstream provided docker-compose setup.
 

galaxy.yml

@@ -1,6 +1,6 @@
 namespace: finallycoffee
 name: services
-version: 0.1.6
+version: 0.1.10
 readme: README.md
 authors:
 - transcaffeine <transcaffeine@finally.coffee>
@@ -19,5 +19,5 @@ tags:
   - hedgedoc
   - jellyfin
   - vaultwarden
-  - snipe-it
+  - snipeit
   - docker

roles/authelia/defaults/main.yml

@@ -1,5 +1,5 @@
 ---
-authelia_version: "4.38.16"
+authelia_version: "4.38.17"
 authelia_user: authelia
 authelia_base_dir: /opt/authelia
 authelia_domain: authelia.example.org

roles/authelia/handlers/main.yml

@@ -4,5 +4,7 @@
   docker_container:
     name: "{{ authelia_container_name }}"
     state: started
-    restart: yes
+    restart: true
+    comparisons:
+      '*': ignore
   listen: restart-authelia

roles/authelia/vars/main.yml

@@ -170,7 +170,12 @@ authelia_config_access_control:
   default_policy: "{{ authelia_config_access_control_default_policy }}"
   networks: "{{ authelia_config_access_control_networks }}"
   rules: "{{ authelia_config_access_control_rules }}"
-authelia_config_session:
+authelia_config_session: >-2
+  {{ authelia_config_session_base
+    | combine(({'redis': authelia_config_session_redis}
+      if authelia_config_session_redis_host else {}), recursive=true)
+  }}
+authelia_config_session_base:
   name: "{{ authelia_config_session_name }}"
   domain: "{{ authelia_config_session_domain }}"
   same_site: "{{ authelia_config_session_same_site }}"

roles/ghost/defaults/main.yml

@@ -1,6 +1,6 @@
 ---
 ghost_domain: ~
-ghost_version: "5.96.0"
+ghost_version: "5.103.0"
 ghost_user: ghost
 ghost_user_group: ghost
 ghost_base_path: /opt/ghost

roles/gitea/defaults/main.yml

@@ -1,5 +1,5 @@
 ---
-gitea_version: "1.22.3"
+gitea_version: "1.22.4"
 gitea_user: git
 gitea_run_user: "{{ gitea_user }}"
 gitea_base_path: "/opt/gitea"

roles/jellyfin/defaults/main.yml

@@ -1,6 +1,6 @@
 ---
 jellyfin_user: jellyfin
-jellyfin_version: 10.9.11
+jellyfin_version: "10.10.3"
 jellyfin_state: present
 
 jellyfin_base_path: /opt/jellyfin

roles/keycloak/README.md

@@ -0,0 +1,16 @@
+# `finallycoffee.services.keycloak` ansible role
+
+Ansible role for deploying keycloak, currently only supports docker.
+
+Migrated from `entropia.sso.keycloak`.
+
+## Required variables
+
+- `keycloak_database_password` - password for the database user
+- `keycloak_config_hostname` - public domain of the keycloak server
+
+## Database configuration
+
+- `keycloak_database_hostname` - hostname of the database server, defaults to `localhost`
+- `keycloak_database_username` - username to use when connecting to the database server, defaults to `keycloak`
+- `keycloak_database_database` - name of the database to use, defaults to `keycloak`

roles/keycloak/defaults/main.yml

@@ -0,0 +1,51 @@
+---
+keycloak_version: 26.0.7
+keycloak_container_name: keycloak
+
+keycloak_container_image_upstream_registry: quay.io
+keycloak_container_image_upstream_namespace: keycloak
+keycloak_container_image_upstream_name: keycloak
+keycloak_container_image_upstream: >-2
+  {{
+    ([
+      keycloak_container_image_upstream_registry | default([]),
+      keycloak_container_image_upstream_namespace | default([]),
+      keycloak_container_image_upstream_name,
+    ] | flatten | join('/'))
+  }}
+keycloak_container_image_name: "keycloak:{{ keycloak_version }}-custom"
+
+keycloak_container_database_vendor: postgres
+keycloak_base_path: /opt/keycloak
+keycloak_container_build_directory: "{{ keycloak_base_path }}/build"
+keycloak_container_build_jar_directory: providers
+keycloak_container_build_flags: {}
+keycloak_provider_jars_directory: "{{ keycloak_base_path }}/providers"
+keycloak_build_provider_jars_directory: "{{ keycloak_container_build_directory }}/{{ keycloak_container_build_jar_directory }}"
+
+keycloak_database_hostname: localhost
+keycloak_database_port: 5432
+keycloak_database_username: keycloak
+keycloak_database_password: ~
+keycloak_database_database: keycloak
+
+keycloak_container_env: {}
+keycloak_container_labels: ~
+keycloak_container_volumes: ~
+keycloak_container_restart_policy: unless-stopped
+keycloak_container_command: >-2
+  start
+  --db-username {{ keycloak_database_username }}
+  --db-password {{ keycloak_database_password }}
+  --db-url jdbc:postgresql://{{ keycloak_database_hostname }}{{ keycloak_database_port | ternary(':' ~ keycloak_database_port, '') }}/{{ keycloak_database_database }}
+  {{ keycloak_container_extra_start_flags | default([]) | join(' ') }}
+  --proxy-headers=xforwarded
+  --hostname {{ keycloak_config_hostname }}
+  --optimized
+
+keycloak_config_health_enabled: true
+keycloak_config_metrics_enabled: true
+
+keycloak_config_hostname: localhost
+keycloak_config_admin_username: admin
+keycloak_config_admin_password: ~

roles/keycloak/meta/main.yml

@@ -0,0 +1,13 @@
+---
+allow_duplicates: true
+dependencies: []
+galaxy_info:
+  role_name: keycloak
+  description: Deploy keycloak, the opensource identity and access management solution
+  galaxy_tags:
+    - keycloak
+    - sso
+    - oidc
+    - oauth2
+    - iam
+    - docker

roles/keycloak/tasks/main.yml

@@ -0,0 +1,72 @@
+---
+
+- name: Ensure build directory exists
+  ansible.builtin.file:
+    name: "{{ keycloak_container_build_directory }}"
+    state: directory
+    recurse: yes
+    mode: 0700
+  tags:
+    - keycloak-build-container
+
+- name: Ensure provider jars directory exists
+  ansible.builtin.file:
+    name: "{{ keycloak_provider_jars_directory }}"
+    state: directory
+    mode: 0775
+  tags:
+    - keycloak-build-container
+
+- name: Ensure Dockerfile is templated
+  ansible.builtin.template:
+    src: Dockerfile.j2
+    dest: "{{ keycloak_container_build_directory }}/Dockerfile"
+    mode: 0700
+  register: keycloak_buildfile_info
+  tags:
+    - keycloak-container
+    - keycloak-build-container
+
+- name: Ensure upstream Keycloak container image '{{ keycloak_container_image_upstream }}:{{ keycloak_version }}' is present
+  community.docker.docker_image:
+    name: "{{ keycloak_container_image_upstream }}:{{ keycloak_version }}"
+    source: pull
+    state: present
+  register: keycloak_container_image_upstream_status
+  tags:
+    - keycloak-container
+    - keycloak-build-container
+
+- name: Ensure custom keycloak container image '{{ keycloak_container_image_name }}' is built
+  community.docker.docker_image:
+    name: "{{ keycloak_container_image_name }}"
+    build:
+      args:
+        DB_VENDOR: "{{ keycloak_container_database_vendor }}"
+        KC_ADMIN_PASSWORD: "{{ keycloak_config_admin_password }}"
+      dockerfile: "{{ keycloak_container_build_directory }}/Dockerfile"
+      path: "{{ keycloak_container_build_directory }}"
+    source: build
+    state: present
+    force_source: "{{ keycloak_buildfile_info.changed or keycloak_container_image_upstream_status.changed or (keycloak_force_rebuild_container | default(false))}}"
+  register: keycloak_container_image_status
+  tags:
+    - keycloak-container
+    - keycloak-build-container
+
+- name: Ensure keycloak container is running
+  community.docker.docker_container:
+    name: "{{ keycloak_container_name }}"
+    image: "{{ keycloak_container_image_name }}"
+    env: "{{ keycloak_container_env | default(omit, true) }}"
+    ports: "{{ keycloak_container_ports | default(omit, true) }}"
+    hostname: "{{ keycloak_container_hostname | default(omit) }}"
+    labels: "{{ keycloak_container_labels | default(omit, true) }}"
+    volumes: "{{ keycloak_container_volumes | default(omit, true) }}"
+    restart_policy: "{{ keycloak_container_restart_policy }}"
+    recreate: "{{ keycloak_container_force_recreate | default(false) or (keycloak_container_image_status.changed if keycloak_container_image_status is defined else false) }}"
+    etc_hosts: "{{ keycloak_container_etc_hosts | default(omit) }}"
+    state: started
+    command: "{{ keycloak_container_command }}"
+  tags:
+    - keycloak-container

roles/keycloak/templates/Dockerfile.j2

@@ -0,0 +1,41 @@
+FROM {{ keycloak_container_image_upstream }}:{{ keycloak_version }} as builder
+
+# Enable health and metrics support
+ENV KC_HEALTH_ENABLED={{ keycloak_config_health_enabled | ternary('true', 'false') }}
+ENV KC_METRICS_ENABLED={{ keycloak_config_metrics_enabled | ternary('true', 'false') }}
+
+# Configure a database vendor
+ARG DB_VENDOR
+ENV KC_DB=$DB_VENDOR
+
+WORKDIR {{ keycloak_container_working_directory }}
+
+ADD ./providers/* providers/
+# Workaround to set correct mode on jar files
+USER root
+RUN chmod -R 0770 providers/*
+USER keycloak
+
+RUN {{ keycloak_container_working_directory }}/bin/kc.sh --verbose \
+{% for argument in keycloak_container_build_flags | dict2items(key_name='flag', value_name='value') %}
+  --{{- argument['flag'] -}}{{- argument['value'] | default(false, true) | ternary('=' + argument['value'], '') }} \
+{% endfor%}
+  build{% if keycloak_container_build_features | default([]) | length > 0 %} \
+{% endif %}
+{% if keycloak_container_build_features | default([]) | length > 0 %}
+  --features="{{ keycloak_container_build_features | join(',') }}"
+{% endif %}
+
+
+FROM {{ keycloak_container_image_upstream }}:{{ keycloak_version }}
+COPY --from=builder {{ keycloak_container_working_directory }}/ {{ keycloak_container_working_directory }}/
+
+ENV KC_HOSTNAME={{ keycloak_config_hostname }}
+ENV KEYCLOAK_ADMIN={{ keycloak_config_admin_username }}
+ARG KC_ADMIN_PASSWORD
+{% if keycloak_version | split('.') | first | int > 21 %}
+ENV KEYCLOAK_ADMIN_PASSWORD=$KC_ADMIN_PASSWORD
+{% else %}
+ENV KEYCLOAK_PASSWORD=$KC_ADMIN_PASSWORD
+{% endif %}
+ENTRYPOINT ["{{ keycloak_container_working_directory }}/bin/kc.sh"]

roles/keycloak/vars/main.yml

@@ -0,0 +1,3 @@
+---
+
+keycloak_container_working_directory: /opt/keycloak

roles/openproject/defaults/main.yml

@@ -2,9 +2,9 @@
 openproject_base_path: "/opt/openproject"
 
 openproject_upstream_git_url: "https://github.com/opf/openproject-deploy.git"
-openproject_upstream_git_branch: "stable/13"
+openproject_upstream_git_branch: "stable/14"
 
-openproject_compose_project_path: "{{ openproject_base_path }}/compose"
+openproject_compose_project_path: "{{ openproject_base_path }}"
 openproject_compose_project_name: "openproject"
 openproject_compose_project_env_file: "{{ openproject_compose_project_path }}/.env"
 openproject_compose_project_override_file: "{{ openproject_compose_project_path }}/docker-compose.override.yml"

roles/openproject/tasks/main.yml

@@ -26,14 +26,13 @@
     content: "{{ openproject_compose_overrides | default({}) | to_nice_yaml }}"
 
 - name: Ensure containers are pulled
-  community.docker.docker_compose:
+  community.docker.docker_compose_v2:
     project_src: "{{ openproject_compose_project_path }}"
     project_name: "{{ openproject_compose_project_name }}"
-    pull: true
+    pull: "missing"
 
 - name: Ensure services are running
-  community.docker.docker_compose:
+  community.docker.docker_compose_v2:
     project_src: "{{ openproject_compose_project_path }}"
     project_name: "{{ openproject_compose_project_name }}"
     state: "present"
-    build: false

roles/snipe_it/defaults/main/main.yml

@@ -1,6 +1,6 @@
 ---
 snipe_it_user: snipeit
-snipe_it_version: "7.0.13"
+snipe_it_version: "7.1.15"
 snipe_it_domain: ~
 snipe_it_state: present
 snipe_it_deployment_method: docker

roles/vaultwarden/defaults/main/main.yml

@@ -1,6 +1,6 @@
 ---
 vaultwarden_user: vaultwarden
-vaultwarden_version: "1.32.2"
+vaultwarden_version: "1.32.7"
 
 vaultwarden_config_file: "/etc/vaultwarden/config.json"
 vaultwarden_config_directory: "{{ vaultwarden_config_file | dirname }}"