ansible: quote file modes; keycloak: robust LDAP bind update + config cleanup

Highlights
- Quote all file modes as strings ("0755"/"0770") across multiple roles to avoid YAML octal quirks and improve portability.
- Keycloak: introduce actions.{import_realm,update_ldap_bind} feature flags and wire them via vars/config.
- Implement idempotent LDAP bind updater (tasks/03_update-ldap-bind.yml):
  * kcadm login with no_log protection,
  * fetch LDAP UserStorage component by name,
  * compare current bindDn/bindCredential and update only when changed.
- Keycloak realm import template: keep providerId="ldap" and set name from keycloak_ldap_component_name.
- Centralize Keycloak readiness check in tasks/main.yml; remove duplicate waits from 02_update_client_redirects.yml and 04_ssh_public_key.yml.
- 01_import.yml: fix typo (keycloak), quote modes, tidy spacing, and replace Jinja-in-Jinja fileglob with concatenation.
- 02_update_client_redirects.yml: correct assert fail_msg filename; keep login-first flow.
- Minor template/vars tidy-ups (spacing, comments, consistent variable usage).

Files touched (excerpt)
- roles/*/*: replace 0755/0770 → "0755"/"0770"
- roles/web-app-keycloak/config/main.yml: add actions map
- roles/web-app-keycloak/vars/main.yml: unify Keycloak vars and feature flags
- roles/web-app-keycloak/tasks/{01_import,02_update_client_redirects,03_update-ldap-bind,04_ssh_public_key,main}.yml
- roles/web-app-keycloak/templates/{docker-compose.yml.j2,import/realm.json.j2}

https://chatgpt.com/share/689bda16-b138-800f-8258-e13f6d7d8239

roles/drv-msi-keyboard-color/tasks/01_core.yml

@@ -14,7 +14,7 @@
   copy:
     src: keyboard_color.py
     dest: /opt/keyboard_color.py
-    mode: 0755
+    mode: "0755"
 
 - name: Copy keyboard-color.infinito.service file
   template:

roles/srv-proxy-6-6-tls-deploy/tasks/main.yml

@@ -8,7 +8,7 @@
   file:
     path: "{{cert_mount_directory}}"
     state: directory
-    mode: 0755
+    mode: "0755"
   notify: restart srv-proxy-6-6-tls-deploy.infinito.service
 
 - name: configure srv-proxy-6-6-tls-deploy.infinito.service

roles/svc-bkp-rmt-2-loc/tasks/main.yml

@@ -15,13 +15,13 @@
   file:
     path: "{{docker_backup_remote_to_local_folder}}"
     state: directory
-    mode: 0755
+    mode: "0755"
 
 - name: create svc-bkp-rmt-2-loc.sh
   copy:
     src: svc-bkp-rmt-2-loc.sh
     dest: "{{docker_backup_remote_to_local_folder}}svc-bkp-rmt-2-loc.sh"
-    mode: 0755
+    mode: "0755"
 
 - name: create svc-bkp-rmt-2-loc.infinito.service
   template:
@@ -33,7 +33,7 @@
   template:
     src: sys-bkp-rmt-2-loc-multi-provider.sh.j2
     dest: "{{docker_backup_remote_to_local_folder}}sys-bkp-rmt-2-loc-multi-provider.sh"
-    mode: 0755
+    mode: "0755"
 
 - name: "set 'service_name' to '{{ role_name }}'"
   set_fact:

roles/svc-db-openldap/tasks/ldifs_creation.yml

@@ -2,7 +2,7 @@
   template:
     src: "{{ item }}"
     dest: "{{ openldap_ldif_host_path }}{{ folder }}/{{ item | basename | regex_replace('\\.j2$', '') }}"
-    mode: '770'
+    mode: "0770"
   loop: >-
     {{
       lookup('fileglob', role_path ~ '/templates/ldif/' ~ folder ~ '/*.j2', wantlist=True)

roles/svc-db-openldap/tasks/main.yml

@@ -44,7 +44,7 @@
   file:
     path: "{{openldap_ldif_host_path}}{{item}}"
     state: directory
-    mode: 0755
+    mode: "0755"
   loop: "{{openldap_ldif_types}}"
 
 - name: "Import LDIF Configuration"

roles/svc-opt-ssd-hdd/tasks/main.yml

@@ -2,7 +2,7 @@
   file:
     path: "{{storage_optimizer_directory}}"
     state: directory
-    mode: 0755
+    mode: "0755"
 
 - name: create svc-opt-ssd-hdd.infinito.service
   template: 
@@ -14,7 +14,7 @@
   copy: 
     src: svc-opt-ssd-hdd.py
     dest: "{{storage_optimizer_script}}"
-    mode: 0755
+    mode: "0755"
 
 - name: "optimize storage performance"
   systemd:

roles/sys-alm-email/tasks/01_core.yml

@@ -9,7 +9,7 @@
   file:
     path: "{{systemd_notifier_email_folder}}"
     state: directory
-    mode: 0755
+    mode: "0755"
 
 - name: configure sys-alm-email.sh
   template:

roles/sys-cln-bkps-service/tasks/01_core.yml

@@ -18,7 +18,7 @@
   file:
     path: "{{cleanup_backups_directory}}"
     state: directory
-    mode: 0755
+    mode: "0755"
 
 - name: create sys-cln-backups.py
   copy:

roles/sys-cln-disc-space/tasks/main.yml

@@ -13,7 +13,7 @@
   file:
     path: "{{cleanup_disc_space_folder}}"
     state: directory
-    mode: 0755
+    mode: "0755"
 
 - name: create sys-cln-disc-space.sh
   template:

roles/sys-hlth-btrfs/tasks/main.yml

@@ -12,7 +12,7 @@
   file:
     path: "{{docker_health_btrfs_folder}}"
     state: directory
-    mode: 0755
+    mode: "0755"
 
 - name: create sys-hlth-btrfs.sh
   copy:

roles/sys-hlth-csp/tasks/01_core.yml

@@ -17,13 +17,13 @@
   file:
     path: "{{ health_csp_crawler_folder }}"
     state: directory
-    mode: 0755
+    mode: "0755"
 
 - name: copy sys-hlth-csp.py
   copy:
     src: sys-hlth-csp.py
     dest: "{{ health_csp_crawler_script }}"
-    mode: 0755
+    mode: "0755"
 
 - name: create sys-hlth-csp.infinito.service
   template:

roles/sys-hlth-disc-space/tasks/main.yml

@@ -10,7 +10,7 @@
   file:
     path: "{{health_disc_space_folder}}"
     state: directory
-    mode: 0755
+    mode: "0755"
 
 - name: create sys-hlth-disc-space.sh
   copy:

roles/sys-hlth-docker-container/tasks/01_core.yml

@@ -7,7 +7,7 @@
   file:
     path: "{{health_docker_container_folder}}"
     state: directory
-    mode: 0755
+    mode: "0755"
 
 - name: create sys-hlth-docker-container.sh
   copy:

roles/sys-hlth-docker-volumes/tasks/01_core.yml

@@ -7,7 +7,7 @@
   file:
     path: "{{health_docker_volumes_folder}}"
     state: directory
-    mode: 0755
+    mode: "0755"
 
 - name: create sys-hlth-docker-volumes.sh
   copy:

roles/sys-hlth-journalctl/tasks/01_core.yml

@@ -7,7 +7,7 @@
   file:
     path: "{{health_journalctl_folder}}"
     state: directory
-    mode: 0755
+    mode: "0755"
 
 - name: create sys-hlth-journalctl.sh
   copy:

roles/sys-hlth-msmtp/tasks/main.yml

@@ -10,7 +10,7 @@
   file:
     path: "{{ health_msmtp_folder }}"
     state: directory
-    mode: 0755
+    mode: "0755"
 
 - name: create sys-hlth-msmtp.sh
   template:

roles/sys-hlth-webserver/tasks/01_core.yml

@@ -17,7 +17,7 @@
   file:
     path: "{{ health_nginx_folder }}"
     state: directory
-    mode: 0755
+    mode: "0755"
 
 - name: create sys-hlth-webserver.py
   template:

roles/sys-rpr-docker-hard/tasks/01_core.yml

@@ -7,7 +7,7 @@
   file:
     path: "{{restart_docker_folder}}"
     state: directory
-    mode: 0755
+    mode: "0755"
 
 - name: create {{restart_docker_script}}
   copy:

roles/sys-rpr-docker-soft/tasks/01_core.yml

@@ -7,7 +7,7 @@
   file:
     path: "{{heal_docker}}"
     state: directory
-    mode: 0755
+    mode: "0755"
 
 - name: create sys-rpr-docker-soft.py
   copy:

roles/web-app-akaunting/tasks/main.yml

@@ -13,6 +13,6 @@
   template: 
     src:  "env.j2" 
     dest: "{{docker_compose.files.env}}"
-    mode: '770'
+    mode: "0770"
     force: yes
   notify: docker compose up

roles/web-app-elk/tasks/main.yml

@@ -22,7 +22,7 @@
   file:
     path: "{{docker_elk_compose_path}}"
     state: directory
-    mode: 0755
+    mode: "0755"
 
 - name: git pull web-app-elk
   git:

roles/web-app-keycloak/config/main.yml

@@ -1,4 +1,6 @@
-import_realm:         True     # If True realm will be imported. If false skip.
+actions:
+  import_realm:       True     # Import REALM
+  update_ldap_bind:   True     # Updates LDAP binds
 features:
   matomo:             true
   css:                true

roles/web-app-keycloak/tasks/01_import.yml

@@ -1,7 +1,7 @@
 - name: "load variables from {{ DOCKER_VARS_FILE }}"
   include_vars: "{{ DOCKER_VARS_FILE }}"
 
-- name: Set the directory to which keycloack import files will be copied on host
+- name: Set the directory to which keycloak import files will be copied on host
   set_fact: 
     keycloak_host_import_directory:   "{{ docker_compose.directories.volumes }}import/"
 
@@ -9,11 +9,11 @@
   file:
     path: "{{ keycloak_host_import_directory }}"
     state: directory
-    mode: 0755
+    mode: "0755"
 
 - name: "Copy import files to {{ keycloak_host_import_directory }}"
   template:
     src: "{{ item }}"
     dest: "{{ keycloak_host_import_directory }}/{{ item | basename | regex_replace('\\.j2$', '') }}"
-    mode: '770'
-  loop: "{{ lookup('fileglob', '{{ role_path }}/templates/import/*.j2', wantlist=True) }}"
+    mode: "0770"
+  loop: "{{ lookup('fileglob', role_path ~ '/templates/import/*.j2', wantlist=True) }}"

roles/web-app-keycloak/tasks/02_update_client_redirects.yml

@@ -27,19 +27,7 @@
       - keycloak_redirect_features is defined
       - domains is defined
       - applications is defined
-    fail_msg: "Missing required variable(s). Provide all vars listed at the top of 10_update_client_redirects.yml."
-
-# 0) Wait & login
-- name: "Wait until Keycloak is reachable at {{ keycloak_server_host_url }}"
-  uri:
-    url: "{{ keycloak_server_host_url }}/realms/master"
-    method: GET
-    status_code: 200
-    validate_certs: false
-  register: kc_up
-  retries: 30
-  delay: 5
-  until: kc_up.status == 200
+    fail_msg: "Missing required variable(s). Provide all vars listed at the top of 02_update_client_redirects.yml."
 
 - name: "kcadm login"
   no_log: "{{ MASK_CREDENTIALS_IN_LOGS | bool }}"

roles/web-app-keycloak/tasks/03_update-ldap-bind.yml

@@ -1,42 +1,80 @@
-# Draft 
+---
+# Updates the LDAP provider's bind DN / password using kcadm.sh, idempotently.
+# Sources DN/password from group_vars/all/13_ldap.yml:
+#   - DN:        ldap.dn.administrator.data
+#   - Password:  ldap.bind_credential
 
-- name: Wait until Keycloak is up
-  uri:
-    url: "{{ keycloak_server_host_url }}/realms/{{ keycloak_realm }}"
-    method: GET
-    status_code: 200
-    validate_certs: false
-  register: keycloak_up
-  retries: 30
-  delay: 5
-  until: keycloak_up.status == 200
+- name: "Assert required vars exist"
+  assert:
+    that:
+      - keycloak_realm is defined
+      - keycloak_server_host_url is defined
+      - keycloak_server_internal_url is defined
+      - keycloak_kcadm_path is defined
+      - keycloak_master_api_user_name is defined
+      - keycloak_master_api_user_password is defined
+      - keycloak_ldap_component_name is defined
+      - ldap is defined
+      - ldap.dn.administrator.data is defined
+      - ldap.bind_credential is defined
+    fail_msg: "Missing Keycloak/LDAP vars. Ensure 13_ldap.yml is loaded and credentials are set."
 
-- name: Log in with kcadm.sh
-  shell: |
-    {{ keycloak_kcadm_path }} config credentials \
-      --server {{ keycloak_server_internal_url }} \
-      --realm master \
-      --user {{ keycloak_master_api_user_name }} \
+- name: "kcadm login (master)"
+  no_log: "{{ MASK_CREDENTIALS_IN_LOGS | bool }}"
+  shell: >
+    {{ keycloak_kcadm_path }} config credentials
+    --server {{ keycloak_server_internal_url }}
+    --realm master
+    --user {{ keycloak_master_api_user_name }}
     --password {{ keycloak_master_api_user_password }}
-
-- name: Retrieve LDAP component ID
-  shell: |
-    {{ keycloak_kcadm_path }} get components \
-      -r {{ keycloak_realm }} \
-      --query 'providerId=ldap' \
-      --fields id \
-      --format json \
-      | jq -r '.[0].id'
-  register: ldap_component
   changed_when: false
 
-- name: Update LDAP bind password
+# Resolve the LDAP component *by name* to avoid picking the wrong one.
+- name: "Resolve LDAP component id by name '{{ keycloak_ldap_component_name }}'"
+  shell: >
+    {{ keycloak_kcadm_path }} get components
+    -r {{ keycloak_realm }}
+    --query 'name={{ keycloak_ldap_component_name }}'
+    --fields id,name,providerId,config --format json
+  register: kc_ldap_list
+  changed_when: false
+
+- name: "Validate that exactly one LDAP component matched"
   vars:
-    new_bind_password: "MyNewLdapPassword123!"
-  shell: |
-    {{ keycloak_kcadm_path }} update components/{{ ldap_component.stdout }} \
-      -r {{ keycloak_realm }} \
-      -s 'config.bindCredential=["{{ new_bind_password }}"]'
+    parsed: "{{ kc_ldap_list.stdout | from_json }}"
+  assert:
+    that:
+      - (parsed | length) == 1
+    fail_msg: >-
+      Expected exactly one LDAP component named '{{ keycloak_ldap_component_name }}',
+      found {{ (kc_ldap_list.stdout | from_json) | length }}.
+
+- name: "Extract LDAP component facts"
   no_log: "{{ MASK_CREDENTIALS_IN_LOGS | bool }}"
-  register: update_bind
-  changed_when: update_bind.rc == 0
+  set_fact:
+    kc_ldap_component_id: "{{ (kc_ldap_list.stdout | from_json)[0].id }}"
+    kc_ldap_current_bind_dn: "{{ ((kc_ldap_list.stdout | from_json)[0].config['bindDn'] | default(['']))[0] }}"
+    kc_ldap_current_bind_pw: "{{ ((kc_ldap_list.stdout | from_json)[0].config['bindCredential'] | default(['']))[0] }}"
+
+- name: "Determine if update is required"
+  set_fact:
+    kc_needs_update: >-
+      {{ (kc_ldap_current_bind_dn != ldap.dn.administrator.data)
+         or (kc_ldap_current_bind_pw != ldap.bind_credential) }}
+
+- name: "Update LDAP bind DN / bind password"
+  no_log: "{{ MASK_CREDENTIALS_IN_LOGS | bool }}"
+  shell: >
+    {{ keycloak_kcadm_path }} update components/{{ kc_ldap_component_id }}
+    -r {{ keycloak_realm }}
+    -s 'config.bindDn=["{{ ldap.dn.administrator.data | replace("'", "\\'") }}"]'
+    -s 'config.bindCredential=["{{ ldap.bind_credential | replace("'", "\\'") }}"]'
+  when: kc_needs_update | bool
+  register: kc_bind_update
+
+- name: "LDAP bind credentials updated"
+  debug:
+    msg: "LDAP bind DN/password updated on component {{ keycloak_ldap_component_name }}."
+  when: 
+    - kc_bind_update is defined
+    - kc_bind_update.rc == 0

roles/web-app-keycloak/tasks/04_ssh_public_key.yml

@@ -1,14 +1,3 @@
-- name: "Wait until Keycloak is reachable at {{ keycloak_server_host_url }}"
-  uri:
-    url: "{{ keycloak_server_host_url }}/realms/master"
-    method: GET
-    status_code: 200
-    validate_certs: false
-  register: keycloak_check
-  retries: 30
-  delay: 5
-  until: keycloak_check.status == 200
-
 # Configure Credentials
 - name: Ensure Keycloak CLI credentials are configured
   shell: |

roles/web-app-keycloak/tasks/main.yml

@@ -6,9 +6,24 @@
   include_role: 
     name: cmp-db-docker-proxy
 
+- name: "Wait until Keycloak is reachable at {{ keycloak_server_host_url }}"
+  uri:
+    url: "{{ keycloak_server_host_url }}/realms/master"
+    method: GET
+    status_code: 200
+    validate_certs: false
+  register: kc_up
+  retries: 30
+  delay: 5
+  until: kc_up.status == 200
+
 - name: "Apply client redirects without realm import"
   include_tasks: 02_update_client_redirects.yml
 
+- name: "Update LDAP bind credentials from ldap.*"
+  when: keycloak_update_ldap_bind | bool
+  include_tasks: 03_update-ldap-bind.yml
+
 # Deactivated temporary. Import now via realm.yml
 #- name: Implement SSH Public Key Attribut
 #  include_tasks: 03_ssh_public_key.yml

roles/web-app-keycloak/templates/import/realm.json.j2

@@ -1822,7 +1822,7 @@
     "org.keycloak.storage.UserStorageProvider": [
       {
         "id": "bBD2l6kVRMaSABbfOJVRaw",
-        "name": "{{ldap.server.domain}}",
+        "name": "{{ keycloak_ldap_component_name }}",
         "providerId": "ldap",
         "subComponents": {
           "org.keycloak.storage.ldap.mappers.LDAPStorageMapper": [

roles/web-app-keycloak/vars/main.yml

@@ -2,23 +2,25 @@
 application_id:                   "web-app-keycloak"                                                                          # Internal Infinito.Nexus application id 
 database_type:                    "postgres"                                                                                  # Database which will be used
 
-# Keycloak Specific
-keycloak_container:               "{{ applications | get_app_conf(application_id, 'docker.services.keycloak.name', True) }}"      # Name of the keycloack docker container
-keycloak_docker_import_directory: "/opt/keycloak/data/import/"                                                                    # Directory in which keycloack import files are placed in the running docker container
+# Keycloak
+keycloak_container:                 "{{ applications | get_app_conf(application_id, 'docker.services.keycloak.name') }}"      # Name of the keycloak docker container
+keycloak_docker_import_directory:   "/opt/keycloak/data/import/"                                                              # Directory in which keycloak import files are placed in the running docker container
 keycloak_realm:                     "{{ primary_domain}}"                                                                     # This is the name of the default realm which is used by the applications
-keycloak_master_api_user:           "{{ applications | get_app_conf(application_id, 'users.administrator', True) }}"                # Master Administrator
+keycloak_master_api_user:           "{{ applications | get_app_conf(application_id, 'users.administrator') }}"                # Master Administrator
 keycloak_master_api_user_name:      "{{ keycloak_master_api_user.username }}"                                                 # Master Administrator Username
 keycloak_master_api_user_password:  "{{ keycloak_master_api_user.password }}"                                                 # Master Administrator Password
 keycloak_kcadm_path:                "docker exec -i {{ keycloak_container }} /opt/keycloak/bin/kcadm.sh"                      # Init script for keycloak
 keycloak_server_internal_url:       "http://127.0.0.1:8080"
 keycloak_server_host:               "127.0.0.1:{{ ports.localhost.http[application_id] }}"
 keycloak_server_host_url:           "http://{{ keycloak_server_host }}"
-keycloak_image:                   "{{ applications | get_app_conf(application_id, 'docker.services.keycloak.image', True) }}"     # Keycloak docker image
-keycloak_version:                 "{{ applications | get_app_conf(application_id, 'docker.services.keycloak.version', True) }}"   # Keyloak docker version
-keycloak_import_realm:            "{{ applications | get_app_conf(application_id, 'import_realm', True, True) }}"                 # Activate realm import
+keycloak_image:                     "{{ applications | get_app_conf(application_id, 'docker.services.keycloak.image') }}"     # Keycloak docker image
+keycloak_version:                   "{{ applications | get_app_conf(application_id, 'docker.services.keycloak.version') }}"   # Keycloak docker version
 keycloak_debug_enabled:             "{{ enable_debug }}"
 keycloak_redirect_features:         ["features.oauth2","features.oidc"]
 keycloak_client_id:                 "{{ oidc.client.id }}"
+keycloak_ldap_component_name:       "{{ ldap.server.domain }}"                                                                                    # Name of the LDAP User Federation component in Keycloak (as shown in UI)
+keycloak_import_realm:              "{{ applications | get_app_conf(application_id, 'actions.import_realm') }}"               # Activate realm import  
+keycloak_update_ldap_bind:          "{{ applications | get_app_conf(application_id, 'actions.update_ldap_bind') }}"           # Toggle the LDAP bind update step
 
 # Docker 
-docker_compose_flush_handlers:    true                                                                                            # Remember to copy realm import before flushg when set to true
+docker_compose_flush_handlers:      true                                                                                      # Remember to copy realm import before flush when set to true

roles/web-app-matrix-ansible/tasks/main.yml

@@ -108,13 +108,13 @@
 #  file:
 #    path: "{{docker_compose.directories.instance}}"
 #    state: directory
-#    mode: 0755
+#    mode: "0755"
 #
 #- name: "create {{docker_compose.directories.instance}}mautrix_whatsapp"
 #  file:
 #    path: "{{docker_compose.directories.instance}}mautrix_whatsapp"
 #    state: directory
-#    mode: 0755
+#    mode: "0755"
 #
 #- name: add whatsapp-bridge-config.yml
 #  template: 

roles/web-app-matrix/tasks/main.yml

@@ -69,7 +69,7 @@
   file:
     path: "{{docker_compose.directories.instance}}mautrix/{{item.bridge_name}}"
     state: directory
-    mode: 0755
+    mode: "0755"
   loop: "{{ bridges }}"
 
 - name: add multiple mautrix bridge configuration
@@ -138,7 +138,7 @@
 - name: "change file permissions"
   file:
     path: "{{docker_compose.directories.instance}}mautrix/{{item.bridge_name}}/registration.yaml"
-    mode: 0755
+    mode: "0755"
   loop: "{{ bridges }}"
 
 - name: create admin account

roles/web-app-mybb/tasks/main.yml

@@ -20,7 +20,7 @@
   file:
     path: "{{docker_compose_instance_confd_directory}}"
     state: directory
-    mode: 0755
+    mode: "0755"
     recurse: yes
 
 - name: "create {{docker_compose_instance_confd_defaultconf_file}}"

roles/web-app-nextcloud/tasks/main.yml

@@ -7,7 +7,7 @@
   file:
     path: "{{ nextcloud_host_config_additives_directory }}"
     state: directory
-    mode: 0755
+    mode: "0755"
 
 - name: "Create config files at {{ nextcloud_host_config_additives_directory }}"
   template:

roles/web-app-openproject/tasks/main.yml

@@ -21,7 +21,7 @@
   file:
     path: "{{ openproject_dummy_volume }}"
     state: directory
-    mode: 0755
+    mode: "0755"
 
 - name: flush docker service
   meta: flush_handlers

roles/web-app-syncope/tasks/main.yml

@@ -23,7 +23,7 @@
   template: 
     src:  "database.j2" 
     dest: "{{docker_compose.files.env}}"
-    mode: '770'
+    mode: "0770"
     force: yes
   notify: docker compose up