mirror of
https://github.com/kevinveenbirkenbach/computer-playbook.git
synced 2025-08-18 17:55:09 +02:00
Kevin Veen-Birkenbach
7d0502ebc5
Replace 01_import.yml with 01_initialize.yml (KEYCLOAK_HOST_IMPORT_DIR) Add generic 02_update.yml (kcadm updater for clients/components) - Resolve ID → read current → merge (kc_merge_path optional) - Preserve immutable fields; support kc_force_attrs Update tasks/main.yml: - Readiness via KEYCLOAK_MASTER_REALM_URL; kcadm login - Merge LDAP component config from Realm when KEYCLOAK_LDAP_ENABLED - Update client settings incl. frontchannel.logout.url realm.json.j2: include ldap.json in UserStorageProvider ldap.json.j2: use KEYCLOAK_LDAP_* vars for bindDn/credential/connectionUrl vars/main.yml: add KEYCLOAK_* URLs/dirs and KEYCLOAK_DICTIONARY_REALM(_RAW) docker-compose.yml.j2: mount KEYCLOAK_HOST_IMPORT_DIR Cleanup: remove 02_update_client_redirects.yml, 03_update-ldap-bind.yml, 04_ssh_public_key.yml; drop obsolete config flag; formatting Note: redirectUris/webOrigins ordering may still cause changed=true; consider sorting for stability in a follow-up.
48 lines
1.3 KiB
YAML
48 lines
1.3 KiB
YAML
actions:
|
|
import_realm: True # Import REALM
|
|
features:
|
|
matomo: true
|
|
css: true
|
|
desktop: true
|
|
ldap: true
|
|
central_database: true
|
|
recaptcha: true
|
|
|
|
# Doesn't make sense to activate logout page for keycloak, because the logout page
|
|
# anyhow should be included via iframe in keycloak.
|
|
# The JS is also messing with the keycloak config fields
|
|
# @todo optimize the JS
|
|
logout: false
|
|
server:
|
|
csp:
|
|
flags:
|
|
script-src-elem:
|
|
unsafe-inline: true
|
|
script-src:
|
|
unsafe-inline: true
|
|
style-src:
|
|
unsafe-inline: true
|
|
whitelist:
|
|
frame-src:
|
|
- "*" # For frontend channel logout it's necessary that iframes can be loaded
|
|
domains:
|
|
canonical:
|
|
- "auth.{{ PRIMARY_DOMAIN }}"
|
|
scopes:
|
|
rbac_roles: rbac_roles
|
|
nextcloud: nextcloud
|
|
|
|
rbac_groups: "/rbac"
|
|
docker:
|
|
services:
|
|
keycloak:
|
|
image: "quay.io/keycloak/keycloak"
|
|
version: "latest"
|
|
name: "keycloak"
|
|
database:
|
|
enabled: true
|
|
|
|
credentials:
|
|
recaptcha:
|
|
website_key: "YOUR_RECAPTCHA_WEBSITE_KEY" # Required if you enabled recaptcha:
|
|
secret_key: "YOUR_RECAPTCHA_SECRET_KEY" # Required if you enabled recaptcha: |