diff --git a/roles/keycloak/.travis.yml b/roles/keycloak/.travis.yml new file mode 100644 index 0000000000000000000000000000000000000000..36bbf6208cfd42ac91bfbe7f9126bc9044e186c6 --- /dev/null +++ b/roles/keycloak/.travis.yml @@ -0,0 +1,29 @@ +--- +language: python +python: "2.7" + +# Use the new container infrastructure +sudo: false + +# Install ansible +addons: + apt: + packages: + - python-pip + +install: + # Install ansible + - pip install ansible + + # Check ansible version + - ansible --version + + # Create ansible.cfg with correct roles_path + - printf '[defaults]\nroles_path=../' >ansible.cfg + +script: + # Basic role syntax check + - ansible-playbook tests/test.yml -i tests/inventory --syntax-check + +notifications: + webhooks: https://galaxy.ansible.com/api/v1/notifications/ \ No newline at end of file diff --git a/roles/keycloak/README.md b/roles/keycloak/README.md new file mode 100644 index 0000000000000000000000000000000000000000..225dd44b9fc5b3abff7e9c68ff9e91d505cdd5f0 --- /dev/null +++ b/roles/keycloak/README.md @@ -0,0 +1,38 @@ +Role Name +========= + +A brief description of the role goes here. + +Requirements +------------ + +Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required. + +Role Variables +-------------- + +A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well. + +Dependencies +------------ + +A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles. + +Example Playbook +---------------- + +Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too: + + - hosts: servers + roles: + - { role: username.rolename, x: 42 } + +License +------- + +BSD + +Author Information +------------------ + +An optional section for the role authors to include contact information, or a website (HTML is not allowed). diff --git a/roles/keycloak/defaults/main.yml b/roles/keycloak/defaults/main.yml new file mode 100644 index 0000000000000000000000000000000000000000..72b8d676942e857900d9ca2d393a2bfcbea7e1b8 --- /dev/null +++ b/roles/keycloak/defaults/main.yml @@ -0,0 +1,5 @@ +--- +# defaults file for loomio +site_name: keycloak +app_main_port: 28080 +keycloak_version: latest \ No newline at end of file diff --git a/roles/keycloak/files/docker-compose.yml b/roles/keycloak/files/docker-compose.yml new file mode 100644 index 0000000000000000000000000000000000000000..db48da882145a4e7ff6448e367f50f0dfe3973bf --- /dev/null +++ b/roles/keycloak/files/docker-compose.yml @@ -0,0 +1,67 @@ +version: '3.9' + +services: + keycloak: + depends_on: + - postgres + container_name: local_keycloak + environment: + DB_VENDOR: postgres + DB_ADDR: postgres + DB_DATABASE: ${POSTGRESQL_DB} + DB_USER: ${POSTGRESQL_USER} + DB_PASSWORD: ${POSTGRESQL_PASS} + KEYCLOAK_USER: ${KEYCLOAK_USER} + KEYCLOAK_PASSWORD: ${KEYCLOAK_PASSWORD} + PROXY_ADDRESS_FORWARDING: 'true' + image: jboss/keycloak:${KEYCLOAK_VERSION} + env_file: ./.env + ports: + - "${PORT_KEYCLOAK}:8080" + restart: unless-stopped + networks: + - main + + postgres: + image: postgres:${POSTGRESQL_VERSION} + restart: unless-stopped + networks: + - main + env_file: ./.env + volumes: + - ./pgdata:/pgdata + - ./pgdumps:/pgdumps + environment: + PGDATA: /pgdata + POSTGRES_DB: ${POSTGRESQL_DB} + POSTGRES_USER: ${POSTGRESQL_USER} + POSTGRES_PASSWORD: ${POSTGRESQL_PASS} + + + pgbackups: + image: prodrigestivill/postgres-backup-local + restart: always + user: postgres:postgres + env_file: ./.env + volumes: + - ./pgdumps:/backups + links: + - postgres + depends_on: + - postgres + environment: + - POSTGRES_HOST=postgres + - POSTGRES_DB=${POSTGRESQL_DB} + - POSTGRES_USER=${POSTGRESQL_USER} + - POSTGRES_PASSWORD=${POSTGRESQL_PASS} + - POSTGRES_EXTRA_OPTS=-Z6 --schema=public --blobs + - SCHEDULE=@daily + - BACKUP_KEEP_DAYS=7 + - BACKUP_KEEP_WEEKS=1 + - BACKUP_KEEP_MONTHS=1 + - HEALTHCHECK_PORT=8080 + + + +networks: + main: \ No newline at end of file diff --git a/roles/keycloak/handlers/main.yml b/roles/keycloak/handlers/main.yml new file mode 100644 index 0000000000000000000000000000000000000000..d4732f936fde269943facdcd90007a33c77f7880 --- /dev/null +++ b/roles/keycloak/handlers/main.yml @@ -0,0 +1,4 @@ +--- +# handlers file for keycloak +- name: reload nginx keycloak + service: name=nginx state=reloaded diff --git a/roles/keycloak/meta/main.yml b/roles/keycloak/meta/main.yml new file mode 100644 index 0000000000000000000000000000000000000000..c572acc9f8b466bea50f2799b0ca1956418b862c --- /dev/null +++ b/roles/keycloak/meta/main.yml @@ -0,0 +1,52 @@ +galaxy_info: + author: your name + description: your role description + company: your company (optional) + + # If the issue tracker for your role is not on github, uncomment the + # next line and provide a value + # issue_tracker_url: http://example.com/issue/tracker + + # Choose a valid license ID from https://spdx.org - some suggested licenses: + # - BSD-3-Clause (default) + # - MIT + # - GPL-2.0-or-later + # - GPL-3.0-only + # - Apache-2.0 + # - CC-BY-4.0 + license: license (GPL-2.0-or-later, MIT, etc) + + min_ansible_version: 2.1 + + # If this a Container Enabled role, provide the minimum Ansible Container version. + # min_ansible_container_version: + + # + # Provide a list of supported platforms, and for each platform a list of versions. + # If you don't wish to enumerate all versions for a particular platform, use 'all'. + # To view available platforms and versions (or releases), visit: + # https://galaxy.ansible.com/api/v1/platforms/ + # + # platforms: + # - name: Fedora + # versions: + # - all + # - 25 + # - name: SomePlatform + # versions: + # - all + # - 1.0 + # - 7 + # - 99.99 + + galaxy_tags: [] + # List tags for your role here, one per line. A tag is a keyword that describes + # and categorizes the role. Users find roles by searching for tags. Be sure to + # remove the '[]' above, if you add tags to this list. + # + # NOTE: A tag is limited to a single word comprised of alphanumeric characters. + # Maximum 20 tags per role. + +dependencies: [] + # List your role dependencies here, one per line. Be sure to remove the '[]' above, + # if you add dependencies to this list. diff --git a/roles/keycloak/tasks/install.yml b/roles/keycloak/tasks/install.yml new file mode 100644 index 0000000000000000000000000000000000000000..8f52e5771674f5b20fa563b2eb79cff87682ab01 --- /dev/null +++ b/roles/keycloak/tasks/install.yml @@ -0,0 +1,66 @@ +--- +# tasks file for keycloak +- name: Create of update let'encrypt certificate + import_role: + name: _letsencrypt_certificate + when: app_domain is defined and app_domain != "" + +- name: create user {{ app_user }} + import_role: + name: _user + vars: + user_name: "{{ app_user }}" + user_password: "{{ app_user_password }}" + when: app_user is defined + +- name: "template nginx_app.j2 {{ app_instance_id }}" + template: + src: "nginx_app.j2" + dest: "/etc/nginx/sites-available/{{ app_instance_id }}.conf" + notify: reload nginx keycloak + tags: + - rev_proxy + +- name: Create a directory if it does not exist + file: + path: "{{ app_instance_root }}" + state: directory + mode: '0755' + +- name: "copy docker-compose {{ app_instance_id }}" + copy: + src: "docker-compose.yml" + dest: "{{ app_instance_root }}/docker-compose.yml" + tags: + - keycloak_installation + +- name: env file for keycloak + template: + src: "env.j2" + dest: "{{ app_instance_root }}/.env" + tags: + - keycloak_installation + +- name: "start keycloak - docker compose" + docker_compose: + project_src: "{{ app_instance_root }}" + state: present + tags: + - keycloak_installation + +- name: log rotate + import_role: + name: _app_logrotate + +- name: "enable site for {{ app_domain }}" + file: + state: link + path: "/etc/nginx/sites-enabled/{{ app_instance_id }}.conf" + src: "/etc/nginx/sites-available/{{ app_instance_id }}.conf" + notify: reload nginx keycloak + +- name: Add monit + import_role: + name: _app_monit + when: monit_request is defined and monit_request != '' + diff --git a/roles/keycloak/tasks/main.yml b/roles/keycloak/tasks/main.yml new file mode 100644 index 0000000000000000000000000000000000000000..51621784d5f8cab7c3c9a9f7d414bc5e1134ffd2 --- /dev/null +++ b/roles/keycloak/tasks/main.yml @@ -0,0 +1,6 @@ +--- +- import_tasks: install.yml + when: app_run in ['install', 'reinstall'] + +- import_tasks: uninstall.yml + when: app_run == 'uninstall' diff --git a/roles/keycloak/tasks/uninstall.yml b/roles/keycloak/tasks/uninstall.yml new file mode 100644 index 0000000000000000000000000000000000000000..c232149ae6eb41985f267cff6be810c98ccedf62 --- /dev/null +++ b/roles/keycloak/tasks/uninstall.yml @@ -0,0 +1,7 @@ +--- +- name: "Stop keycloak - docker compose" + docker_compose: + project_src: "{{ app_instance_root }}" + state: absent + tags: + - keycloak_installation \ No newline at end of file diff --git a/roles/keycloak/templates/env.j2 b/roles/keycloak/templates/env.j2 new file mode 100644 index 0000000000000000000000000000000000000000..050d42a2a3ef0d8c4f10fb92c629d5faff65988c --- /dev/null +++ b/roles/keycloak/templates/env.j2 @@ -0,0 +1,8 @@ +KEYCLOAK_VERSION={{ keycloak_version }} +PORT_KEYCLOAK={{ app_main_port }} +POSTGRESQL_USER={{ app_instance_id }}_usr +POSTGRESQL_PASS={{ db_pass }} +POSTGRESQL_DB={{ app_instance_id }}_db +POSTGRESQL_VERSION={{ postgresql_version }} +KEYCLOAK_USER={{ admin_user }} +KEYCLOAK_PASSWORD={{ admin_pwd }} \ No newline at end of file diff --git a/roles/keycloak/templates/nginx_app.j2 b/roles/keycloak/templates/nginx_app.j2 new file mode 100644 index 0000000000000000000000000000000000000000..4b34402a8a9a5aaad410f265bd30288364878c7e --- /dev/null +++ b/roles/keycloak/templates/nginx_app.j2 @@ -0,0 +1,67 @@ +map $http_user_agent $log_ua { + ~Monit 0; + default 1; +} + +server { + listen 80; + listen [::]:80; + server_name {{ app_domain | mandatory }}; + # enforce https + return 301 https://$server_name$request_uri; +} + +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + server_name {{ app_domain }}; + + ssl_certificate /etc/letsencrypt/live/{{ app_domain }}/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/{{ app_domain }}/privkey.pem; + + # Add headers to serve security related headers + # Before enabling Strict-Transport-Security headers please read into this + # topic first. + # add_header Strict-Transport-Security "max-age=15768000; + # includeSubDomains; preload;"; + # + # WARNING: Only add the preload option once you read about + # the consequences in https://hstspreload.org/. This option + # will add the domain to a hardcoded list that is shipped + # in all major browsers and getting removed from this list + # could take several months. + + add_header X-Content-Type-Options nosniff; + add_header X-XSS-Protection "1; mode=block"; + add_header X-Robots-Tag all; # https://developers.google.com/search/docs/advanced/robots/robots_meta_tag + add_header X-Download-Options noopen; + add_header X-Permitted-Cross-Domain-Policies none; + add_header Strict-Transport-Security "max-age=15768000"; + + # Enable gzip but do not remove ETag headers + gzip on; + gzip_vary on; + gzip_comp_level 4; + gzip_min_length 256; + gzip_proxied expired no-cache no-store private no_last_modified no_etag auth; + gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy; + + + access_log {{ www_log }}/{{ app_instance_id }}/access.log combined if=$log_ua; + error_log {{ www_log }}/{{ app_instance_id }}/error.log; + + # set max upload size + client_max_body_size 512M; + fastcgi_buffers 64 4K; + + + location / { + proxy_set_header HOST $host; + proxy_set_header X-Forwarded-Proto https; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $server_name; + proxy_pass http://localhost:{{ app_main_port }}; + } + +} diff --git a/roles/keycloak/tests/inventory b/roles/keycloak/tests/inventory new file mode 100644 index 0000000000000000000000000000000000000000..878877b0776c44f55fc4e458f70840f31da5bb01 --- /dev/null +++ b/roles/keycloak/tests/inventory @@ -0,0 +1,2 @@ +localhost + diff --git a/roles/keycloak/tests/test.yml b/roles/keycloak/tests/test.yml new file mode 100644 index 0000000000000000000000000000000000000000..ce08a0ba476aa2564074b62b7330df03192d9609 --- /dev/null +++ b/roles/keycloak/tests/test.yml @@ -0,0 +1,5 @@ +--- +- hosts: localhost + remote_user: root + roles: + - keycloak diff --git a/roles/keycloak/vars/main.yml b/roles/keycloak/vars/main.yml new file mode 100644 index 0000000000000000000000000000000000000000..eb9471961358d16d9e094b5e2ed803b578daf0da --- /dev/null +++ b/roles/keycloak/vars/main.yml @@ -0,0 +1,4 @@ +--- +# vars file for keycloak +app_user_home: "/home/{{ app_user }}" +app_instance_root: "{{ app_user_home }}/{{ app_instance_id }}"