computer-playbook/roles/web-app-keycloak/vars/main.yml

# General
application_id:                   "web-app-keycloak"                                                                          # Internal Infinito.Nexus application id 
database_type:                    "postgres"                                                                                  # Database which will be used

# Keycloak

## General
KEYCLOAK_URL:                       "{{ domains | get_url(application_id, WEB_PROTOCOL) }}"
KEYCLOAK_REALM:                     "{{ OIDC.CLIENT.REALM }}" # This is the name of the default realm which is used by the applications
KEYCLOAK_REALM_URL:                 "{{ WEB_PROTOCOL }}://{{ KEYCLOAK_REALM }}"
KEYCLOAK_DEBUG_ENABLED:             "{{ MODE_DEBUG }}"
KEYCLOAK_CLIENT_ID:                 "{{ OIDC.CLIENT.ID }}"
KEYCLOAK_SERVER_INTERNAL_URL:       "http://127.0.0.1:8080"
KEYCLOAK_LOAD_DEPENDENCIES:         "{{ applications | get_app_conf(application_id, 'load_dependencies') }}"
KEYCLOAK_DOMAIN:                    "{{ domains | get_domain('web-app-keycloak') }}"

# RBAC
KEYCLOAK_RBAC_GROUP_CLAIM:          "{{ RBAC.GROUP.CLAIM }}"
KEYCLOAK_RBAC_GROUP_NAME:           "{{ RBAC.GROUP.NAME }}"

## Health
KEYCLOAK_HEALTH_ENABLED:            true

## Import
KEYCLOAK_REALM_IMPORT_ENABLED:      "{{ applications | get_app_conf(application_id, 'actions.import_realm') }}"
KEYCLOAK_REALM_IMPORT_DIR_HOST:     "{{ [docker_compose.directories.volumes,'import'] | path_join }}"
KEYCLOAK_REALM_IMPORT_DIR_DOCKER:   "/opt/keycloak/data/import/"
KEYCLOAK_REALM_IMPORT_FILE_SRC:     "import/realm.json.j2"
KEYCLOAK_REALM_IMPORT_FILE_DST:     "{{ [KEYCLOAK_REALM_IMPORT_DIR_HOST,'realm.json'] | path_join }}"

## Credentials

### Bootstrap
KEYCLOAK_BOOTSTRAP_ADMIN_USERNAME:  "{{ applications | get_app_conf(application_id, 'accounts.bootstrap.username') }}"
KEYCLOAK_BOOTSTRAP_ADMIN_PASSWORD:  "{{ applications | get_app_conf(application_id, 'credentials.administrator_password') }}"

### Permanent
KEYCLOAK_PERMANENT_ADMIN_USERNAME:  "{{ applications | get_app_conf(application_id, 'accounts.system.username') }}"
KEYCLOAK_PERMANENT_ADMIN_PASSWORD:  "{{ applications | get_app_conf(application_id, 'credentials.administrator_password') }}"

## Docker
KEYCLOAK_CONTAINER:                 "{{ applications | get_app_conf(application_id, 'docker.services.keycloak.name') }}"
KEYCLOAK_EXEC_CONTAINER:            "docker exec -i {{ KEYCLOAK_CONTAINER }}"
KEYCLOAK_KCADM:                     "/opt/keycloak/bin/kcadm.sh"
KEYCLOAK_EXEC_KCADM:                "{{ KEYCLOAK_EXEC_CONTAINER }} {{ KEYCLOAK_KCADM }}"
KEYCLOAK_IMAGE:                     "{{ applications | get_app_conf(application_id, 'docker.services.keycloak.image') }}"
KEYCLOAK_VERSION:                   "{{ applications | get_app_conf(application_id, 'docker.services.keycloak.version') }}"

## Server
KEYCLOAK_SERVER_HOST:               "127.0.0.1:{{ ports.localhost.http[application_id] }}"
  
## Update
KEYCLOAK_REDIRECT_FEATURES:         ["features.oauth2","features.oidc"]
KEYCLOAK_FRONTCHANNEL_LOGOUT_URL:   "{{ domains | get_url('web-svc-logout', WEB_PROTOCOL) }}/"
KEYCLOAK_REDIRECT_URIS:             "{{ domains | redirect_uris(applications, WEB_PROTOCOL, '/*', KEYCLOAK_REDIRECT_FEATURES) }}"
KEYCLOAK_WEB_ORIGINS: >-
  {{ KEYCLOAK_REDIRECT_URIS
      | map('regex_replace','/\\*$','')
      | map('regex_search','^(https?://[^/]+)')
      | select('string')
      | list | unique }}
KEYCLOAK_POST_LOGOUT_URIS:           "+"

## LDAP
KEYCLOAK_LDAP_ENABLED:              "{{ applications | get_app_conf(application_id, 'features.ldap', False) }}"
KEYCLOAK_LDAP_CMP_NAME:             "{{ LDAP.SERVER.DOMAIN }}"          # Name of the LDAP User Federation component in Keycloak (as shown in UI)
KEYCLOAK_LDAP_BIND_DN:              "{{ LDAP.DN.ADMINISTRATOR.DATA }}"
KEYCLOAK_LDAP_BIND_PW:              "{{ LDAP.BIND_CREDENTIAL }}"
KEYCLOAK_LDAP_URL:                  "{{ LDAP.SERVER.URI }}"

# It's important to filter the posixAccount class out, because it is just used by ansible
KEYCLOAK_LDAP_USER_OBJECT_CLASSES: >  
  {{ 
    (
        (LDAP.USER.OBJECTS.STRUCTURAL | reject('equalto','posixAccount') | list)
        + (LDAP.USER.OBJECTS.AUXILIARY | dict2items | map(attribute='value') | list)
      ) | join(', ') 
  }}

# Dictionaries
KEYCLOAK_DICTIONARY_REALM_RAW: "{{ lookup('template', 'import/realm.json.j2') }}"
KEYCLOAK_DICTIONARY_REALM: >-
  {{
    KEYCLOAK_DICTIONARY_REALM_RAW
      if (KEYCLOAK_DICTIONARY_REALM_RAW is mapping)
      else (KEYCLOAK_DICTIONARY_REALM_RAW | from_json)
  }}