mirror of
https://github.com/kevinveenbirkenbach/computer-playbook.git
synced 2025-08-19 02:05:07 +02:00
Kevin Veen-Birkenbach
bfe18dd83c
- Replace KEYCLOAK_KCADM_PATH with KEYCLOAK_EXEC_KCADM consistently - Externalize client.json to separate Jinja2 template and include it in realm.json - Simplify LDAP bind update to use explicit KEYCLOAK_LDAP_* vars - Add async/poll support for long-running kcadm updates - Restructure vars/main.yml: clearer grouping (General, Docker, Server, Update, LDAP, API) - Compute redirectUris/webOrigins centrally in vars - Align post.logout.redirect.uris handling with playbook Conversation: https://chatgpt.com/share/68a1a11f-f8ac-800f-bada-cdc99a4fa1bf
73 lines
2.8 KiB
YAML
73 lines
2.8 KiB
YAML
# Configure Credentials
|
|
- name: Ensure Keycloak CLI credentials are configured
|
|
shell: |
|
|
{{ KEYCLOAK_EXEC_KCADM }} config credentials \
|
|
--server {{ KEYCLOAK_SERVER_INTERNAL_URL }} \
|
|
--realm master \
|
|
--user {{ KEYCLOAK_MASTER_API_USER_NAME }} \
|
|
--password {{ KEYCLOAK_MASTER_API_USER_PASSWORD }}
|
|
|
|
# LDAP Source
|
|
- name: Get ID of LDAP storage provider
|
|
shell: |
|
|
{{ KEYCLOAK_EXEC_KCADM }} get components \
|
|
-r {{ KEYCLOAK_REALM }} \
|
|
--query 'providerId=ldap' \
|
|
--fields id,name \
|
|
--format json
|
|
register: ldap_components
|
|
|
|
- name: Extract LDAP component ID
|
|
set_fact:
|
|
ldap_component_id: "{{ (ldap_components.stdout | from_json)[0].id }}"
|
|
|
|
- name: Ensure {{ ldap.user.attributes.ssh_public_key }} LDAP Mapper exists
|
|
shell: |
|
|
docker exec -i keycloak_application bash -c '
|
|
/opt/keycloak/bin/kcadm.sh get components -r {{ KEYCLOAK_REALM }} \
|
|
| grep -q "\"name\" : \"{{ ldap.user.attributes.ssh_public_key }}\"" \
|
|
|| printf "%s\n" "{
|
|
\"name\": \"{{ ldap.user.attributes.ssh_public_key }}\",
|
|
\"parentId\": \"{{ ldap_component_id }}\",
|
|
\"providerId\": \"user-attribute-ldap-mapper\",
|
|
\"providerType\": \"org.keycloak.storage.ldap.mappers.LDAPStorageMapper\",
|
|
\"config\": {
|
|
\"user.model.attribute\": [\"{{ ldap.user.attributes.ssh_public_key }}\"],
|
|
\"ldap.attribute\": [\"{{ ldap.user.attributes.ssh_public_key }}\"],
|
|
\"read.only\": [\"false\"],
|
|
\"write.only\": [\"true\"],
|
|
\"always.read.value.from.ldap\": [\"false\"],
|
|
\"multivalued\": [\"true\"]
|
|
}
|
|
}" | /opt/keycloak/bin/kcadm.sh create components -r {{ KEYCLOAK_REALM }} -f -'
|
|
register: mapper_create
|
|
changed_when: mapper_create.rc == 0 and mapper_create.stdout != ""
|
|
|
|
# GUI
|
|
|
|
- name: Enable user profile in realm
|
|
shell: >
|
|
{{ KEYCLOAK_EXEC_KCADM }} update realms/{{ KEYCLOAK_REALM }}
|
|
-s 'attributes.userProfileEnabled=true'
|
|
|
|
- name: Re-authenticate to Keycloak after enabling user profile
|
|
shell: |
|
|
{{ KEYCLOAK_EXEC_KCADM }} config credentials \
|
|
--server {{ KEYCLOAK_SERVER_INTERNAL_URL }} \
|
|
--realm master \
|
|
--user {{ KEYCLOAK_MASTER_API_USER_NAME }} \
|
|
--password {{ KEYCLOAK_MASTER_API_USER_PASSWORD }}
|
|
|
|
- name: Render user-profile JSON for SSH key
|
|
template:
|
|
src: import/user-profile.json.j2
|
|
dest: "{{ keycloak_host_import_directory }}/user-profile.json"
|
|
mode: '0644'
|
|
notify: docker compose up
|
|
|
|
- name: Apply SSH Public Key to user-profile via kcadm
|
|
shell: |
|
|
docker exec -i {{ KEYCLOAK_CONTAINER }} \
|
|
/opt/keycloak/bin/kcadm.sh update realms/{{ KEYCLOAK_REALM }} -f {{ KEYCLOAK_DOCKER_IMPORT_DIR }}user-profile.json
|
|
async: "{{ ASYNC_TIME if ASYNC_ENABLED | bool else omit }}"
|
|
poll: "{{ ASYNC_POLL if ASYNC_ENABLED | bool else omit }}" |