From 4fa1c6cfbdeea740fa22229e2a7cf52cfc5ca183 Mon Sep 17 00:00:00 2001 
From: Kevin Veen-Birkenbach Date: Wed, 13 Aug 2025 02:20:38 +0200 Subject: [PATCH] ansible: quote file modes; keycloak: robust LDAP bind update + config cleanup MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Highlights - Quote all file modes as strings ("0755"/"0770") across multiple roles to avoid YAML octal quirks and improve portability. - Keycloak: introduce actions.{import_realm,update_ldap_bind} feature flags and wire them via vars/config. - Implement idempotent LDAP bind updater (tasks/03_update-ldap-bind.yml): * kcadm login with no_log protection, * fetch LDAP UserStorage component by name, * compare current bindDn/bindCredential and update only when changed. - Keycloak realm import template: keep providerId="ldap" and set name from keycloak_ldap_component_name. - Centralize Keycloak readiness check in tasks/main.yml; remove duplicate waits from 02_update_client_redirects.yml and 04_ssh_public_key.yml. - 01_import.yml: fix typo (keycloak), quote modes, tidy spacing, and replace Jinja-in-Jinja fileglob with concatenation. - 02_update_client_redirects.yml: correct assert fail_msg filename; keep login-first flow. - Minor template/vars tidy-ups (spacing, comments, consistent variable usage). 
Files touched (excerpt) - roles/*/*: replace 0755/0770 → "0755"/"0770" - roles/web-app-keycloak/config/main.yml: add actions map - roles/web-app-keycloak/vars/main.yml: unify Keycloak vars and feature flags - roles/web-app-keycloak/tasks/{01_import,02_update_client_redirects,03_update-ldap-bind,04_ssh_public_key,main}.yml - roles/web-app-keycloak/templates/{docker-compose.yml.j2,import/realm.json.j2} https://chatgpt.com/share/689bda16-b138-800f-8258-e13f6d7d8239 --- .../drv-msi-keyboard-color/tasks/01_core.yml | 2 +- roles/srv-proxy-6-6-tls-deploy/tasks/main.yml | 2 +- roles/svc-bkp-rmt-2-loc/tasks/main.yml | 6 +- .../svc-db-openldap/tasks/ldifs_creation.yml | 2 +- roles/svc-db-openldap/tasks/main.yml | 2 +- roles/svc-opt-ssd-hdd/tasks/main.yml | 4 +- roles/sys-alm-email/tasks/01_core.yml | 2 +- roles/sys-cln-bkps-service/tasks/01_core.yml | 2 +- roles/sys-cln-disc-space/tasks/main.yml | 2 +- roles/sys-hlth-btrfs/tasks/main.yml | 2 +- roles/sys-hlth-csp/tasks/01_core.yml | 4 +- roles/sys-hlth-disc-space/tasks/main.yml | 2 +- .../tasks/01_core.yml | 2 +- .../sys-hlth-docker-volumes/tasks/01_core.yml | 2 +- roles/sys-hlth-journalctl/tasks/01_core.yml | 2 +- roles/sys-hlth-msmtp/tasks/main.yml | 2 +- roles/sys-hlth-webserver/tasks/01_core.yml | 2 +- roles/sys-rpr-docker-hard/tasks/01_core.yml | 2 +- roles/sys-rpr-docker-soft/tasks/01_core.yml | 2 +- roles/web-app-akaunting/tasks/main.yml | 2 +- roles/web-app-elk/tasks/main.yml | 2 +- roles/web-app-keycloak/config/main.yml | 4 +- roles/web-app-keycloak/tasks/01_import.yml | 12 +- .../tasks/02_update_client_redirects.yml | 14 +-- .../tasks/03_update-ldap-bind.yml | 110 ++++++++++++------ .../tasks/04_ssh_public_key.yml | 11 -- roles/web-app-keycloak/tasks/main.yml | 15 +++ .../templates/docker-compose.yml.j2 | 2 +- .../templates/import/realm.json.j2 | 2 +- roles/web-app-keycloak/vars/main.yml | 42 +++---- roles/web-app-matrix-ansible/tasks/main.yml | 4 +- roles/web-app-matrix/tasks/main.yml | 4 +- 
roles/web-app-mybb/tasks/main.yml | 2 +- roles/web-app-nextcloud/tasks/main.yml | 2 +- roles/web-app-openproject/tasks/main.yml | 2 +- roles/web-app-syncope/tasks/main.yml | 2 +- 36 files changed, 156 insertions(+), 122 deletions(-) diff --git a/roles/drv-msi-keyboard-color/tasks/01_core.yml b/roles/drv-msi-keyboard-color/tasks/01_core.yml index c04f5cc7..8887b726 100644 --- a/roles/drv-msi-keyboard-color/tasks/01_core.yml +++ b/roles/drv-msi-keyboard-color/tasks/01_core.yml @@ -14,7 +14,7 @@ copy: src: keyboard_color.py dest: /opt/keyboard_color.py - mode: 0755 + mode: "0755" - name: Copy keyboard-color.infinito.service file template: diff --git a/roles/srv-proxy-6-6-tls-deploy/tasks/main.yml b/roles/srv-proxy-6-6-tls-deploy/tasks/main.yml index 3d509f31..22165bd8 100644 --- a/roles/srv-proxy-6-6-tls-deploy/tasks/main.yml +++ b/roles/srv-proxy-6-6-tls-deploy/tasks/main.yml @@ -8,7 +8,7 @@ file: path: "{{cert_mount_directory}}" state: directory - mode: 0755 + mode: "0755" notify: restart srv-proxy-6-6-tls-deploy.infinito.service - name: configure srv-proxy-6-6-tls-deploy.infinito.service diff --git a/roles/svc-bkp-rmt-2-loc/tasks/main.yml b/roles/svc-bkp-rmt-2-loc/tasks/main.yml index 0c4e68a8..2945608a 100644 --- a/roles/svc-bkp-rmt-2-loc/tasks/main.yml +++ b/roles/svc-bkp-rmt-2-loc/tasks/main.yml @@ -15,13 +15,13 @@ file: path: "{{docker_backup_remote_to_local_folder}}" state: directory - mode: 0755 + mode: "0755" - name: create svc-bkp-rmt-2-loc.sh copy: src: svc-bkp-rmt-2-loc.sh dest: "{{docker_backup_remote_to_local_folder}}svc-bkp-rmt-2-loc.sh" - mode: 0755 + mode: "0755" - name: create svc-bkp-rmt-2-loc.infinito.service template: @@ -33,7 +33,7 @@ template: src: sys-bkp-rmt-2-loc-multi-provider.sh.j2 dest: "{{docker_backup_remote_to_local_folder}}sys-bkp-rmt-2-loc-multi-provider.sh" - mode: 0755 + mode: "0755" - name: "set 'service_name' to '{{ role_name }}'" set_fact: 
diff --git a/roles/svc-db-openldap/tasks/ldifs_creation.yml b/roles/svc-db-openldap/tasks/ldifs_creation.yml index 77c76432..9373d765 100644 --- a/roles/svc-db-openldap/tasks/ldifs_creation.yml +++ b/roles/svc-db-openldap/tasks/ldifs_creation.yml @@ -2,7 +2,7 @@ template: src: "{{ item }}" dest: "{{ openldap_ldif_host_path }}{{ folder }}/{{ item | basename | regex_replace('\\.j2$', '') }}" - mode: '770' + mode: "0770" loop: >- {{ lookup('fileglob', role_path ~ '/templates/ldif/' ~ folder ~ '/*.j2', wantlist=True) diff --git a/roles/svc-db-openldap/tasks/main.yml b/roles/svc-db-openldap/tasks/main.yml index 20c7f1f9..8fb893e6 100644 --- a/roles/svc-db-openldap/tasks/main.yml +++ b/roles/svc-db-openldap/tasks/main.yml @@ -44,7 +44,7 @@ file: path: "{{openldap_ldif_host_path}}{{item}}" state: directory - mode: 0755 + mode: "0755" loop: "{{openldap_ldif_types}}" - name: "Import LDIF Configuration" diff --git a/roles/svc-opt-ssd-hdd/tasks/main.yml b/roles/svc-opt-ssd-hdd/tasks/main.yml index 90042990..5ff8f61e 100644 --- a/roles/svc-opt-ssd-hdd/tasks/main.yml +++ b/roles/svc-opt-ssd-hdd/tasks/main.yml @@ -2,7 +2,7 @@ file: path: "{{storage_optimizer_directory}}" state: directory - mode: 0755 + mode: "0755" - name: create svc-opt-ssd-hdd.infinito.service template: @@ -14,7 +14,7 @@ copy: src: svc-opt-ssd-hdd.py dest: "{{storage_optimizer_script}}" - mode: 0755 + mode: "0755" - name: "optimize storage performance" systemd: diff --git a/roles/sys-alm-email/tasks/01_core.yml b/roles/sys-alm-email/tasks/01_core.yml index b208a760..7642a31a 100644 --- a/roles/sys-alm-email/tasks/01_core.yml +++ b/roles/sys-alm-email/tasks/01_core.yml @@ -9,7 +9,7 @@ file: path: "{{systemd_notifier_email_folder}}" state: directory - mode: 0755 + mode: "0755" - name: configure sys-alm-email.sh template: diff --git a/roles/sys-cln-bkps-service/tasks/01_core.yml b/roles/sys-cln-bkps-service/tasks/01_core.yml index 6374b7cd..d145d884 100644 --- a/roles/sys-cln-bkps-service/tasks/01_core.yml 
+++ b/roles/sys-cln-bkps-service/tasks/01_core.yml @@ -18,7 +18,7 @@ file: path: "{{cleanup_backups_directory}}" state: directory - mode: 0755 + mode: "0755" - name: create sys-cln-backups.py copy: diff --git a/roles/sys-cln-disc-space/tasks/main.yml b/roles/sys-cln-disc-space/tasks/main.yml index 6028696f..6bb267dd 100644 --- a/roles/sys-cln-disc-space/tasks/main.yml +++ b/roles/sys-cln-disc-space/tasks/main.yml @@ -13,7 +13,7 @@ file: path: "{{cleanup_disc_space_folder}}" state: directory - mode: 0755 + mode: "0755" - name: create sys-cln-disc-space.sh template: diff --git a/roles/sys-hlth-btrfs/tasks/main.yml b/roles/sys-hlth-btrfs/tasks/main.yml index ee0aab4a..91742ba8 100644 --- a/roles/sys-hlth-btrfs/tasks/main.yml +++ b/roles/sys-hlth-btrfs/tasks/main.yml @@ -12,7 +12,7 @@ file: path: "{{docker_health_btrfs_folder}}" state: directory - mode: 0755 + mode: "0755" - name: create sys-hlth-btrfs.sh copy: diff --git a/roles/sys-hlth-csp/tasks/01_core.yml b/roles/sys-hlth-csp/tasks/01_core.yml index 91e9e7f0..b93ca40a 100644 --- a/roles/sys-hlth-csp/tasks/01_core.yml +++ b/roles/sys-hlth-csp/tasks/01_core.yml @@ -17,13 +17,13 @@ file: path: "{{ health_csp_crawler_folder }}" state: directory - mode: 0755 + mode: "0755" - name: copy sys-hlth-csp.py copy: src: sys-hlth-csp.py dest: "{{ health_csp_crawler_script }}" - mode: 0755 + mode: "0755" - name: create sys-hlth-csp.infinito.service template: diff --git a/roles/sys-hlth-disc-space/tasks/main.yml b/roles/sys-hlth-disc-space/tasks/main.yml index 40290883..056c5ef1 100644 --- a/roles/sys-hlth-disc-space/tasks/main.yml +++ b/roles/sys-hlth-disc-space/tasks/main.yml @@ -10,7 +10,7 @@ file: path: "{{health_disc_space_folder}}" state: directory - mode: 0755 + mode: "0755" - name: create sys-hlth-disc-space.sh copy: diff --git a/roles/sys-hlth-docker-container/tasks/01_core.yml b/roles/sys-hlth-docker-container/tasks/01_core.yml index ce278247..3a7db41f 100644 --- a/roles/sys-hlth-docker-container/tasks/01_core.yml 
+++ b/roles/sys-hlth-docker-container/tasks/01_core.yml @@ -7,7 +7,7 @@ file: path: "{{health_docker_container_folder}}" state: directory - mode: 0755 + mode: "0755" - name: create sys-hlth-docker-container.sh copy: diff --git a/roles/sys-hlth-docker-volumes/tasks/01_core.yml b/roles/sys-hlth-docker-volumes/tasks/01_core.yml index f8b05c25..34461ee8 100644 --- a/roles/sys-hlth-docker-volumes/tasks/01_core.yml +++ b/roles/sys-hlth-docker-volumes/tasks/01_core.yml @@ -7,7 +7,7 @@ file: path: "{{health_docker_volumes_folder}}" state: directory - mode: 0755 + mode: "0755" - name: create sys-hlth-docker-volumes.sh copy: diff --git a/roles/sys-hlth-journalctl/tasks/01_core.yml b/roles/sys-hlth-journalctl/tasks/01_core.yml index e62450f7..0ec0a7b3 100644 --- a/roles/sys-hlth-journalctl/tasks/01_core.yml +++ b/roles/sys-hlth-journalctl/tasks/01_core.yml @@ -7,7 +7,7 @@ file: path: "{{health_journalctl_folder}}" state: directory - mode: 0755 + mode: "0755" - name: create sys-hlth-journalctl.sh copy: diff --git a/roles/sys-hlth-msmtp/tasks/main.yml b/roles/sys-hlth-msmtp/tasks/main.yml index d4422646..eb5cf204 100644 --- a/roles/sys-hlth-msmtp/tasks/main.yml +++ b/roles/sys-hlth-msmtp/tasks/main.yml @@ -10,7 +10,7 @@ file: path: "{{ health_msmtp_folder }}" state: directory - mode: 0755 + mode: "0755" - name: create sys-hlth-msmtp.sh template: diff --git a/roles/sys-hlth-webserver/tasks/01_core.yml b/roles/sys-hlth-webserver/tasks/01_core.yml index 4442bd9b..1d4a4817 100644 --- a/roles/sys-hlth-webserver/tasks/01_core.yml +++ b/roles/sys-hlth-webserver/tasks/01_core.yml @@ -17,7 +17,7 @@ file: path: "{{ health_nginx_folder }}" state: directory - mode: 0755 + mode: "0755" - name: create sys-hlth-webserver.py template: diff --git a/roles/sys-rpr-docker-hard/tasks/01_core.yml b/roles/sys-rpr-docker-hard/tasks/01_core.yml index 17692a6a..fbc3e722 100644 --- a/roles/sys-rpr-docker-hard/tasks/01_core.yml +++ b/roles/sys-rpr-docker-hard/tasks/01_core.yml 
@@ -7,7 +7,7 @@ file: path: "{{restart_docker_folder}}" state: directory - mode: 0755 + mode: "0755" - name: create {{restart_docker_script}} copy: diff --git a/roles/sys-rpr-docker-soft/tasks/01_core.yml b/roles/sys-rpr-docker-soft/tasks/01_core.yml index f0567aaf..050cdbd4 100644 --- a/roles/sys-rpr-docker-soft/tasks/01_core.yml +++ b/roles/sys-rpr-docker-soft/tasks/01_core.yml @@ -7,7 +7,7 @@ file: path: "{{heal_docker}}" state: directory - mode: 0755 + mode: "0755" - name: create sys-rpr-docker-soft.py copy: diff --git a/roles/web-app-akaunting/tasks/main.yml b/roles/web-app-akaunting/tasks/main.yml index 0ae199d3..7919c800 100644 --- a/roles/web-app-akaunting/tasks/main.yml +++ b/roles/web-app-akaunting/tasks/main.yml @@ -13,6 +13,6 @@ template: src: "env.j2" dest: "{{docker_compose.files.env}}" - mode: '770' + mode: "0770" force: yes notify: docker compose up diff --git a/roles/web-app-elk/tasks/main.yml b/roles/web-app-elk/tasks/main.yml index 327f707e..281ca261 100644 --- a/roles/web-app-elk/tasks/main.yml +++ b/roles/web-app-elk/tasks/main.yml @@ -22,7 +22,7 @@ file: path: "{{docker_elk_compose_path}}" state: directory - mode: 0755 + mode: "0755" - name: git pull web-app-elk git: diff --git a/roles/web-app-keycloak/config/main.yml b/roles/web-app-keycloak/config/main.yml index 6d1f9faa..befdb41e 100644 --- a/roles/web-app-keycloak/config/main.yml +++ b/roles/web-app-keycloak/config/main.yml @@ -1,4 +1,6 @@ -import_realm: True # If True realm will be imported. If false skip. +actions: + import_realm: True # Import REALM + update_ldap_bind: True # Updates LDAP binds features: matomo: true css: true diff --git a/roles/web-app-keycloak/tasks/01_import.yml b/roles/web-app-keycloak/tasks/01_import.yml index 5f20c3f6..85e791b9 100644 --- a/roles/web-app-keycloak/tasks/01_import.yml +++ b/roles/web-app-keycloak/tasks/01_import.yml 
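Review bot: `import_realm: True` and `update_ldap_bind: True` in the new `actions` map use capitalised booleans, which the yamllint `truthy` rule flags and which are read differently by YAML 1.1 and 1.2 parsers; the `features` map directly below in the same file already uses lowercase, so write `import_realm: true` and `update_ldap_bind: true`. The replaced comment also documented the false branch ("If false skip"), which the new one-word comments drop; `# Import the realm on deploy; false skips the import` keeps that information.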
@@ -1,19 +1,19 @@ - name: "load variables from {{ DOCKER_VARS_FILE }}" include_vars: "{{ DOCKER_VARS_FILE }}" -- name: Set the directory to which keycloack import files will be copied on host +- name: Set the directory to which keycloak import files will be copied on host set_fact: keycloak_host_import_directory: "{{ docker_compose.directories.volumes }}import/" -- name: "create directory {{keycloak_host_import_directory}}" +- name: "create directory {{ keycloak_host_import_directory }}" file: - path: "{{keycloak_host_import_directory}}" + path: "{{ keycloak_host_import_directory }}" state: directory - mode: 0755 + mode: "0755" - name: "Copy import files to {{ keycloak_host_import_directory }}" template: src: "{{ item }}" dest: "{{ keycloak_host_import_directory }}/{{ item | basename | regex_replace('\\.j2$', '') }}" - mode: '770' - loop: "{{ lookup('fileglob', '{{ role_path }}/templates/import/*.j2', wantlist=True) }}" \ No newline at end of file + mode: "0770" + loop: "{{ lookup('fileglob', role_path ~ '/templates/import/*.j2', wantlist=True) }}" \ No newline at end of file diff --git a/roles/web-app-keycloak/tasks/02_update_client_redirects.yml b/roles/web-app-keycloak/tasks/02_update_client_redirects.yml index ce9ef816..203114f5 100644 --- a/roles/web-app-keycloak/tasks/02_update_client_redirects.yml +++ b/roles/web-app-keycloak/tasks/02_update_client_redirects.yml 
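Review bot: `dest` in the copy task joins the directory and the file name with an extra `/`, but `keycloak_host_import_directory` is set two tasks up with a trailing slash (`...volumes }}import/`), so the rendered files land under `import//`; harmless on POSIX, yet inconsistent with the `path` used by the `file` task, so `dest: "{{ keycloak_host_import_directory }}{{ item | basename | regex_replace('\\.j2$', '') }}"` matches. The file still ends without a trailing newline, which this rewrite of its last line could have fixed at the same time.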
@@ -27,19 +27,7 @@ - keycloak_redirect_features is defined - domains is defined - applications is defined - fail_msg: "Missing required variable(s). Provide all vars listed at the top of 10_update_client_redirects.yml." - -# 0) Wait & login -- name: "Wait until Keycloak is reachable at {{ keycloak_server_host_url }}" - uri: - url: "{{ keycloak_server_host_url }}/realms/master" - method: GET - status_code: 200 - validate_certs: false - register: kc_up - retries: 30 - delay: 5 - until: kc_up.status == 200 + fail_msg: "Missing required variable(s). Provide all vars listed at the top of 02_update_client_redirects.yml." - name: "kcadm login" no_log: "{{ MASK_CREDENTIALS_IN_LOGS | bool }}" diff --git a/roles/web-app-keycloak/tasks/03_update-ldap-bind.yml b/roles/web-app-keycloak/tasks/03_update-ldap-bind.yml index a6234d81..e34c8c50 100644 --- a/roles/web-app-keycloak/tasks/03_update-ldap-bind.yml +++ b/roles/web-app-keycloak/tasks/03_update-ldap-bind.yml 
@@ -1,42 +1,80 @@ -# Draft +--- +# Updates the LDAP provider's bind DN / password using kcadm.sh, idempotently. +# Sources DN/password from group_vars/all/13_ldap.yml: +# - DN: ldap.dn.administrator.data +# - Password: ldap.bind_credential -- name: Wait until Keycloak is up - uri: - url: "{{ keycloak_server_host_url }}/realms/{{ keycloak_realm }}" - method: GET - status_code: 200 - validate_certs: false - register: keycloak_up - retries: 30 - delay: 5 - until: keycloak_up.status == 200 +- name: "Assert required vars exist" + assert: + that: + - keycloak_realm is defined + - keycloak_server_host_url is defined + - keycloak_server_internal_url is defined + - keycloak_kcadm_path is defined + - keycloak_master_api_user_name is defined + - keycloak_master_api_user_password is defined + - keycloak_ldap_component_name is defined + - ldap is defined + - ldap.dn.administrator.data is defined + - ldap.bind_credential is defined + fail_msg: "Missing Keycloak/LDAP vars. Ensure 13_ldap.yml is loaded and credentials are set." -- name: Log in with kcadm.sh - shell: | - {{ keycloak_kcadm_path }} config credentials \ - --server {{ keycloak_server_internal_url }} \ - --realm master \ - --user {{ keycloak_master_api_user_name }} \ - --password {{ keycloak_master_api_user_password }} - -- name: Retrieve LDAP component ID - shell: | - {{ keycloak_kcadm_path }} get components \ - -r {{ keycloak_realm }} \ - --query 'providerId=ldap' \ - --fields id \ - --format json \ - | jq -r '.[0].id' - register: ldap_component +- name: "kcadm login (master)" + no_log: "{{ MASK_CREDENTIALS_IN_LOGS | bool }}" + shell: > + {{ keycloak_kcadm_path }} config credentials + --server {{ keycloak_server_internal_url }} + --realm master + --user {{ keycloak_master_api_user_name }} + --password {{ keycloak_master_api_user_password }} changed_when: false -- name: Update LDAP bind password +# Resolve the LDAP component *by name* to avoid picking the wrong one. 
+- name: "Resolve LDAP component id by name '{{ keycloak_ldap_component_name }}'" + shell: > + {{ keycloak_kcadm_path }} get components + -r {{ keycloak_realm }} + --query 'name={{ keycloak_ldap_component_name }}' + --fields id,name,providerId,config --format json + register: kc_ldap_list + changed_when: false + +- name: "Validate that exactly one LDAP component matched" vars: - new_bind_password: "MyNewLdapPassword123!" - shell: | - {{ keycloak_kcadm_path }} update components/{{ ldap_component.stdout }} \ - -r {{ keycloak_realm }} \ - -s 'config.bindCredential=["{{ new_bind_password }}"]' + parsed: "{{ kc_ldap_list.stdout | from_json }}" + assert: + that: + - (parsed | length) == 1 + fail_msg: >- + Expected exactly one LDAP component named '{{ keycloak_ldap_component_name }}', + found {{ (kc_ldap_list.stdout | from_json) | length }}. + +- name: "Extract LDAP component facts" no_log: "{{ MASK_CREDENTIALS_IN_LOGS | bool }}" - register: update_bind - changed_when: update_bind.rc == 0 + set_fact: + kc_ldap_component_id: "{{ (kc_ldap_list.stdout | from_json)[0].id }}" + kc_ldap_current_bind_dn: "{{ ((kc_ldap_list.stdout | from_json)[0].config['bindDn'] | default(['']))[0] }}" + kc_ldap_current_bind_pw: "{{ ((kc_ldap_list.stdout | from_json)[0].config['bindCredential'] | default(['']))[0] }}" + +- name: "Determine if update is required" + set_fact: + kc_needs_update: >- + {{ (kc_ldap_current_bind_dn != ldap.dn.administrator.data) + or (kc_ldap_current_bind_pw != ldap.bind_credential) }} + +- name: "Update LDAP bind DN / bind password" + no_log: "{{ MASK_CREDENTIALS_IN_LOGS | bool }}" + shell: > + {{ keycloak_kcadm_path }} update components/{{ kc_ldap_component_id }} + -r {{ keycloak_realm }} + -s 'config.bindDn=["{{ ldap.dn.administrator.data | replace("'", "\\'") }}"]' + -s 'config.bindCredential=["{{ ldap.bind_credential | replace("'", "\\'") }}"]' + when: kc_needs_update | bool + register: kc_bind_update + +- name: "LDAP bind credentials updated" + debug: + msg: 
"LDAP bind DN/password updated on component {{ keycloak_ldap_component_name }}." + when: + - kc_bind_update is defined + - kc_bind_update.rc == 0 diff --git a/roles/web-app-keycloak/tasks/04_ssh_public_key.yml b/roles/web-app-keycloak/tasks/04_ssh_public_key.yml index 19c2d179..1f1b509a 100644 --- a/roles/web-app-keycloak/tasks/04_ssh_public_key.yml +++ b/roles/web-app-keycloak/tasks/04_ssh_public_key.yml @@ -1,14 +1,3 @@ -- name: "Wait until Keycloak is reachable at {{ keycloak_server_host_url }}" - uri: - url: "{{ keycloak_server_host_url }}/realms/master" - method: GET - status_code: 200 - validate_certs: false - register: keycloak_check - retries: 30 - delay: 5 - until: keycloak_check.status == 200 - # Configure Credentials - name: Ensure Keycloak CLI credentials are configured shell: | diff --git a/roles/web-app-keycloak/tasks/main.yml b/roles/web-app-keycloak/tasks/main.yml index efdcfbfb..e4588c6c 100644 --- a/roles/web-app-keycloak/tasks/main.yml +++ b/roles/web-app-keycloak/tasks/main.yml @@ -6,9 +6,24 @@ include_role: name: cmp-db-docker-proxy +- name: "Wait until Keycloak is reachable at {{ keycloak_server_host_url }}" + uri: + url: "{{ keycloak_server_host_url }}/realms/master" + method: GET + status_code: 200 + validate_certs: false + register: kc_up + retries: 30 + delay: 5 + until: kc_up.status == 200 + - name: "Apply client redirects without realm import" include_tasks: 02_update_client_redirects.yml +- name: "Update LDAP bind credentials from ldap.*" + when: keycloak_update_ldap_bind | bool + include_tasks: 03_update-ldap-bind.yml + # Deactivated temporary. Import now via realm.yml #- name: Implement SSH Public Key Attribut # include_tasks: 03_ssh_public_key.yml \ No newline at end of file diff --git a/roles/web-app-keycloak/templates/docker-compose.yml.j2 b/roles/web-app-keycloak/templates/docker-compose.yml.j2 index a7806029..3fc8647e 100644 --- a/roles/web-app-keycloak/templates/docker-compose.yml.j2 
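Review bot: The final debug task's `when` errors instead of skipping whenever no update was needed, because a skipped `kc_bind_update` is still defined but carries no `rc`; change the first condition to `- kc_bind_update is not skipped` so the `rc` check is only reached after a real run. The two `-s` arguments of the update task are not safely quoted: `replace("'", "\\'")` does not escape a quote inside a POSIX single-quoted string and does nothing for `"` or `\` inside the JSON array, so build each argument as `-s {{ ('config.bindDn=' ~ ([ldap.dn.administrator.data] | to_json)) | quote }}` (and likewise for `bindCredential`). The comparison on `kc_ldap_current_bind_pw` probably never matches, since as far as I know the Keycloak admin API returns `bindCredential` masked (`**********`) rather than in clear, which would make `kc_needs_update` true on every run; this is worth verifying against a live instance before trusting the "changed" reporting, and if it holds the DN comparison is the only effective idempotency check. The "Resolve LDAP component id" task registers the component's full `config` without `no_log`, unlike the extract task that reads the same data, so `no_log: "{{ MASK_CREDENTIALS_IN_LOGS | bool }}"` belongs on it as well.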
+++ b/roles/web-app-keycloak/templates/docker-compose.yml.j2 @@ -8,7 +8,7 @@ ports: - "{{ keycloak_server_host }}:8080" volumes: - - "{{keycloak_host_import_directory}}:{{keycloak_docker_import_directory}}" + - "{{ keycloak_host_import_directory }}:{{keycloak_docker_import_directory}}" {% include 'roles/docker-container/templates/depends_on/dmbs_excl.yml.j2' %} {% include 'roles/docker-container/templates/networks.yml.j2' %} {% set container_port = 9000 %} diff --git a/roles/web-app-keycloak/templates/import/realm.json.j2 b/roles/web-app-keycloak/templates/import/realm.json.j2 index b962b5e1..98a2c45b 100644 --- a/roles/web-app-keycloak/templates/import/realm.json.j2 +++ b/roles/web-app-keycloak/templates/import/realm.json.j2 @@ -1822,7 +1822,7 @@ "org.keycloak.storage.UserStorageProvider": [ { "id": "bBD2l6kVRMaSABbfOJVRaw", - "name": "{{ldap.server.domain}}", + "name": "{{ keycloak_ldap_component_name }}", "providerId": "ldap", "subComponents": { "org.keycloak.storage.ldap.mappers.LDAPStorageMapper": [ diff --git a/roles/web-app-keycloak/vars/main.yml b/roles/web-app-keycloak/vars/main.yml index aa8b02f2..ddb6a481 100644 --- a/roles/web-app-keycloak/vars/main.yml +++ b/roles/web-app-keycloak/vars/main.yml 
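Review bot: The rewritten volume line adds spaces inside the first Jinja expression only and leaves `{{keycloak_docker_import_directory}}` unspaced on the same line, so the tidy-up is half done; `- "{{ keycloak_host_import_directory }}:{{ keycloak_docker_import_directory }}"` finishes it. The surrounding context lines in this hunk already use the spaced form, so this is the only mixed line left here.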
@@ -1,24 +1,26 @@ # General -application_id: "web-app-keycloak" # Internal Infinito.Nexus application id -database_type: "postgres" # Database which will be used +application_id: "web-app-keycloak" # Internal Infinito.Nexus application id +database_type: "postgres" # Database which will be used -# Keycloak Specific -keycloak_container: "{{ applications | get_app_conf(application_id, 'docker.services.keycloak.name', True) }}" # Name of the keycloack docker container -keycloak_docker_import_directory: "/opt/keycloak/data/import/" # Directory in which keycloack import files are placed in the running docker container -keycloak_realm: "{{ primary_domain}}" # This is the name of the default realm which is used by the applications -keycloak_master_api_user: "{{ applications | get_app_conf(application_id, 'users.administrator', True) }}" # Master Administrator -keycloak_master_api_user_name: "{{ keycloak_master_api_user.username }}" # Master Administrator Username -keycloak_master_api_user_password: "{{ keycloak_master_api_user.password }}" # Master Administrator Password -keycloak_kcadm_path: "docker exec -i {{ keycloak_container }} /opt/keycloak/bin/kcadm.sh" # Init script for keycloak -keycloak_server_internal_url: "http://127.0.0.1:8080" -keycloak_server_host: "127.0.0.1:{{ ports.localhost.http[application_id] }}" -keycloak_server_host_url: "http://{{ keycloak_server_host }}" -keycloak_image: "{{ applications | get_app_conf(application_id, 'docker.services.keycloak.image', True) }}" # Keycloak docker image -keycloak_version: "{{ applications | get_app_conf(application_id, 'docker.services.keycloak.version', True) }}" # Keyloak docker version -keycloak_import_realm: "{{ applications | get_app_conf(application_id, 'import_realm', True, True) }}" # Activate realm import -keycloak_debug_enabled: "{{ enable_debug }}" -keycloak_redirect_features: ["features.oauth2","features.oidc"] -keycloak_client_id: "{{ oidc.client.id }}" +# Keycloak +keycloak_container: "{{ applications 
| get_app_conf(application_id, 'docker.services.keycloak.name') }}" # Name of the keycloak docker container +keycloak_docker_import_directory: "/opt/keycloak/data/import/" # Directory in which keycloak import files are placed in the running docker container +keycloak_realm: "{{ primary_domain}}" # This is the name of the default realm which is used by the applications +keycloak_master_api_user: "{{ applications | get_app_conf(application_id, 'users.administrator') }}" # Master Administrator +keycloak_master_api_user_name: "{{ keycloak_master_api_user.username }}" # Master Administrator Username +keycloak_master_api_user_password: "{{ keycloak_master_api_user.password }}" # Master Administrator Password +keycloak_kcadm_path: "docker exec -i {{ keycloak_container }} /opt/keycloak/bin/kcadm.sh" # Init script for keycloak +keycloak_server_internal_url: "http://127.0.0.1:8080" +keycloak_server_host: "127.0.0.1:{{ ports.localhost.http[application_id] }}" +keycloak_server_host_url: "http://{{ keycloak_server_host }}" +keycloak_image: "{{ applications | get_app_conf(application_id, 'docker.services.keycloak.image') }}" # Keycloak docker image +keycloak_version: "{{ applications | get_app_conf(application_id, 'docker.services.keycloak.version') }}" # Keycloak docker version +keycloak_debug_enabled: "{{ enable_debug }}" +keycloak_redirect_features: ["features.oauth2","features.oidc"] +keycloak_client_id: "{{ oidc.client.id }}" +keycloak_ldap_component_name: "{{ ldap.server.domain }}" # Name of the LDAP User Federation component in Keycloak (as shown in UI) +keycloak_import_realm: "{{ applications | get_app_conf(application_id, 'actions.import_realm') }}" # Activate realm import +keycloak_update_ldap_bind: "{{ applications | get_app_conf(application_id, 'actions.update_ldap_bind') }}" # Toggle the LDAP bind update step # Docker -docker_compose_flush_handlers: true # Remember to copy realm import before flushg when set to true \ No newline at end of file 
+docker_compose_flush_handlers: true # Remember to copy realm import before flush when set to true \ No newline at end of file diff --git a/roles/web-app-matrix-ansible/tasks/main.yml b/roles/web-app-matrix-ansible/tasks/main.yml index e67b5592..399b9463 100644 --- a/roles/web-app-matrix-ansible/tasks/main.yml +++ b/roles/web-app-matrix-ansible/tasks/main.yml @@ -108,13 +108,13 @@ # file: # path: "{{docker_compose.directories.instance}}" # state: directory -# mode: 0755 +# mode: "0755" # #- name: "create {{docker_compose.directories.instance}}mautrix_whatsapp" # file: # path: "{{docker_compose.directories.instance}}mautrix_whatsapp" # state: directory -# mode: 0755 +# mode: "0755" # #- name: add whatsapp-bridge-config.yml # template: diff --git a/roles/web-app-matrix/tasks/main.yml b/roles/web-app-matrix/tasks/main.yml index 10568b66..4379dd92 100644 --- a/roles/web-app-matrix/tasks/main.yml +++ b/roles/web-app-matrix/tasks/main.yml @@ -69,7 +69,7 @@ file: path: "{{docker_compose.directories.instance}}mautrix/{{item.bridge_name}}" state: directory - mode: 0755 + mode: "0755" loop: "{{ bridges }}" - name: add multiple mautrix bridge configuration @@ -138,7 +138,7 @@ - name: "change file permissions" file: path: "{{docker_compose.directories.instance}}mautrix/{{item.bridge_name}}/registration.yaml" - mode: 0755 + mode: "0755" loop: "{{ bridges }}" - name: create admin account diff --git a/roles/web-app-mybb/tasks/main.yml b/roles/web-app-mybb/tasks/main.yml index 7a7bcfcc..53e984b8 100644 --- a/roles/web-app-mybb/tasks/main.yml +++ b/roles/web-app-mybb/tasks/main.yml @@ -20,7 +20,7 @@ file: path: "{{docker_compose_instance_confd_directory}}" state: directory - mode: 0755 + mode: "0755" recurse: yes - name: "create {{docker_compose_instance_confd_defaultconf_file}}" diff --git a/roles/web-app-nextcloud/tasks/main.yml b/roles/web-app-nextcloud/tasks/main.yml index 1a816ae1..df5a4174 100644 --- a/roles/web-app-nextcloud/tasks/main.yml 
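Review bot: `keycloak_realm: "{{ primary_domain}}"` is re-emitted in this hunk with the unbalanced Jinja spacing while the rest of the rewritten block uses `{{ var }}`; since the line is touched anyway, `keycloak_realm: "{{ primary_domain }}"` keeps the file consistent. Dropping the trailing `True` arguments of `get_app_conf` (the old `keycloak_import_realm` line passed `..., 'import_realm', True, True)`) presumably changes what happens when `actions.import_realm` or `actions.update_ldap_bind` is absent from an application's config; confirm the helper's behaviour without those arguments is the intended one and state it in the comment on the two flag lines, e.g. `# required key; no default`, or whatever applies.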
+++ b/roles/web-app-nextcloud/tasks/main.yml @@ -7,7 +7,7 @@ file: path: "{{ nextcloud_host_config_additives_directory }}" state: directory - mode: 0755 + mode: "0755" - name: "Create config files at {{ nextcloud_host_config_additives_directory }}" template: diff --git a/roles/web-app-openproject/tasks/main.yml b/roles/web-app-openproject/tasks/main.yml index 9329d4b2..5a2c6193 100644 --- a/roles/web-app-openproject/tasks/main.yml +++ b/roles/web-app-openproject/tasks/main.yml @@ -21,7 +21,7 @@ file: path: "{{ openproject_dummy_volume }}" state: directory - mode: 0755 + mode: "0755" - name: flush docker service meta: flush_handlers diff --git a/roles/web-app-syncope/tasks/main.yml b/roles/web-app-syncope/tasks/main.yml index 7032f201..d6f8b707 100644 --- a/roles/web-app-syncope/tasks/main.yml +++ b/roles/web-app-syncope/tasks/main.yml @@ -23,7 +23,7 @@ template: src: "database.j2" dest: "{{docker_compose.files.env}}" - mode: '770' + mode: "0770" force: yes notify: docker compose up