Highlights - Quote all file modes as strings ("0755"/"0770") across multiple roles to avoid YAML octal quirks and improve portability. - Keycloak: introduce actions.{import_realm,update_ldap_bind} feature flags and wire them via vars/config. - Implement idempotent LDAP bind updater (tasks/03_update-ldap-bind.yml): * kcadm login with no_log protection, * fetch LDAP UserStorage component by name, * compare current bindDn/bindCredential and update only when changed. - Keycloak realm import template: keep providerId="ldap" and set name from keycloak_ldap_component_name. - Centralize Keycloak readiness check in tasks/main.yml; remove duplicate waits from 02_update_client_redirects.yml and 04_ssh_public_key.yml. - 01_import.yml: fix typo (keycloak), quote modes, tidy spacing, and replace Jinja-in-Jinja fileglob with concatenation. - 02_update_client_redirects.yml: correct assert fail_msg filename; keep login-first flow. - Minor template/vars tidy-ups (spacing, comments, consistent variable usage). Files touched (excerpt) - roles/*/*: replace 0755/0770 → "0755"/"0770" - roles/web-app-keycloak/config/main.yml: add actions map - roles/web-app-keycloak/vars/main.yml: unify Keycloak vars and feature flags - roles/web-app-keycloak/tasks/{01_import,02_update_client_redirects,03_update-ldap-bind,04_ssh_public_key,main}.yml - roles/web-app-keycloak/templates/{docker-compose.yml.j2,import/realm.json.j2} https://chatgpt.com/share/689bda16-b138-800f-8258-e13f6d7d8239
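# Role configuration for web-app-keycloak.
# Booleans are written as lowercase true/false throughout so that YAML 1.1 and
# 1.2 loaders agree on the type (the original used `True` for the two action
# flags, inconsistent with the rest of the file).
actions:
  import_realm: true        # Import the realm definition
  update_ldap_bind: true    # Update the LDAP bind credentials

features:
  matomo: true
  css: true
  port-ui-desktop: true
  ldap: true
  central_database: true
  recaptcha: true

  # Doesn't make sense to activate logout page for keycloak, because the logout page
  # anyhow should be included via iframe in keycloak.
  # The JS is also messing with the keycloak config fields
  # @todo optimize the JS
  logout: false

server:
  csp:
    # These flags permit inline scripts and styles; they weaken the CSP, so the
    # set should stay as small as the Keycloak UI actually requires.
    flags:
      script-src-elem:
        unsafe-inline: true
      script-src:
        unsafe-inline: true
      style-src:
        unsafe-inline: true
    whitelist:
      frame-src:
        # "*" lets any origin be loaded in a frame; NOTE(review): if the set of
        # origins that embed the logout iframe is known, listing them here
        # instead of the wildcard would narrow the exposure — confirm with the
        # frontend-channel-logout setup.
        - "*" # For frontend channel logout it's necessary that iframes can be loaded
  domains:
    canonical:
      - "auth.{{ primary_domain }}"

# Client scopes exposed by the realm; presumably consumed by the realm import
# template — verify against templates/import/realm.json.j2.
scopes:
  rbac_roles: rbac_roles
  nextcloud: nextcloud

rbac_groups: "/rbac"

docker:
  services:
    keycloak:
      image: "quay.io/keycloak/keycloak"
      version: "latest"      # quoted so the tag stays a string
      name: "keycloak"
    database:
      enabled: true

# Placeholder values only; presumably overridden per inventory before deployment
# — confirm, and do not commit real keys here.
credentials:
  recaptcha:
    website_key: "YOUR_RECAPTCHA_WEBSITE_KEY"   # Required if features.recaptcha is enabled
    secret_key: "YOUR_RECAPTCHA_SECRET_KEY"     # Required if features.recaptcha is enabled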