From d3e8f0a15364aaa55fe4c4fd056bebd4cda01471 Mon Sep 17 00:00:00 2001
From: Olivier Navas
Date: Thu, 28 Apr 2022 17:40:43 +0200
Subject: [PATCH] premier commit
---
 README.md | 41 ++++++++++++++++++++++++++++
 defaults/main.yml | 1 +
 handlers/main.yml | 10 +++++++
 tasks/configure_reverse_proxy.yml | 11 ++++++++
 tasks/main.yml | 14 ++++++++++
 templates/0_vhost.conf | 2 ++
 templates/1_vhost_additional.conf | 2 ++
 templates/2_mds_exclusion.conf | 2 ++
 templates/docker-compose.yml | 45 +++++++++++++++++++++++++++++++
 9 files changed, 128 insertions(+)
 create mode 100644 README.md
 create mode 100644 defaults/main.yml
 create mode 100644 handlers/main.yml
 create mode 100644 tasks/configure_reverse_proxy.yml
 create mode 100644 tasks/main.yml
 create mode 100644 templates/0_vhost.conf
 create mode 100644 templates/1_vhost_additional.conf
 create mode 100644 templates/2_mds_exclusion.conf
 create mode 100644 templates/docker-compose.yml
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..51c0079
--- /dev/null
+++ b/README.md
@@ -0,0 +1,41 @@
+# Role : docker_keycloak
+
+
+## Services fournis
+
+- main.yml : Installation de keycloak sur un serveur docker_host
+- configure_reverse_proxy.yml : Configuration d'un reverse proxy préalablement installé par le role reverse_proxy
+
+
+## Variables
+
+Fournir les variables suivantes. Par exemple :
+
+```yaml
+docker_keycloak_fqdn: auth.libretic.fr
+docker_keycloak_data_dir: /data1
+docker_keycloak_service_id: auth
+docker_keycloak_rp_cert: LE
+docker_keycloak_rp_docker_host: machine.domaine.local
+docker_keycloak_db_name: keycloak
+docker_keycloak_db_user: keycloakdbuser
+docker_keycloak_db_password: mdp_de_keycloakdbuser
+```
+
+| Option | Valeur par défaut | Description |
+|--------------------------------|-------------------|-------------------------------------------------------------------------------------------|
+| docker_keycloak_fqdn | | Le nom de domaine pour lequel le service keycloak répond |
+| docker_keycloak_data_dir | | L'emplacement dans lequel se trouvent les volumes de donnees docker pour le service |
+| docker_keycloak_service_id | | Le nom de service souhaité : conditionne le nommage des volumes et le routage par traefik |
+| docker_keycloak_rp_docker_host | | pour configure_reverse_proxy.yml: fqdn de la machine contenant le conteneur docker |
+| docker_keycloak_rp_cert | LE | Type de certificat pour le reverse proxy (LE = letsencrypt) |
+| docker_keycloak_db_name | | Nom de la base de données postgres pour keycloak |
+| docker_keycloak_db_user | | Nom du user postgres propriétaire de la base de données |
+| docker_keycloak_db_password | | Mot du passe du user postgres |
+
+
+
+## Poursuite de l'installation dans keycloak
+
+Après le premier lancement :
+- créer le compte administrateur
diff --git a/defaults/main.yml b/defaults/main.yml
new file mode 100644
index 0000000..a64a83e
--- /dev/null
+++ b/defaults/main.yml
@@ -0,0 +1 @@
+docker_keycloak_rp_cert: LE
diff --git a/handlers/main.yml b/handlers/main.yml
new file mode 100644
index 0000000..495276b
--- /dev/null
+++ b/handlers/main.yml
@@ -0,0 +1,10 @@
+- name: docker-compose-up
+ shell: |
+ docker-compose up -d
+ args:
+ chdir: /opt/{{ docker_keycloak_service_id }}/
+
+- name: reverse-proxy-reload
+ service:
+ name: apache2
+ state: reloaded
diff --git a/tasks/configure_reverse_proxy.yml b/tasks/configure_reverse_proxy.yml
new file mode 100644
index 0000000..d900996
--- /dev/null
+++ b/tasks/configure_reverse_proxy.yml
@@ -0,0 +1,11 @@
+- name: prepare reverse_proxy
+ template:
+ src: "{{ item }}"
+ dest: /etc/apache2/vhosts.d/{{ docker_keycloak_fqdn }}/
+ with_items:
+ - 0_vhost.conf
+ - 1_vhost_additional.conf
+ - 2_mds_exclusion.conf
+ notify: reverse-proxy-reload
+
+
diff --git a/tasks/main.yml b/tasks/main.yml
new file mode 100644
index 0000000..4c11541
--- /dev/null
+++ b/tasks/main.yml
@@ -0,0 +1,14 @@
+- name: docker directory
+ file:
+ path: /opt/{{ docker_keycloak_service_id }}/
+ state: directory
+
+- name: prepare docker-compose.yml
+ template:
+ src: "{{ item }}"
+ dest: /opt/{{ docker_keycloak_service_id }}/
+ with_items:
+ - docker-compose.yml
+ notify: docker-compose-up
+
+
diff --git a/templates/0_vhost.conf b/templates/0_vhost.conf
new file mode 100644
index 0000000..726862f
--- /dev/null
+++ b/templates/0_vhost.conf
@@ -0,0 +1,2 @@
+# {{ ansible_managed }}
+Use vhost_HTTPS_Generic {{ docker_keycloak_fqdn }} {{ docker_keycloak_rp_cert }} http {{ docker_keycloak_rp_docker_host }} info OpenAccessPolicy BlockCrawlerIndexing On
diff --git a/templates/1_vhost_additional.conf b/templates/1_vhost_additional.conf
new file mode 100644
index 0000000..3f356b7
--- /dev/null
+++ b/templates/1_vhost_additional.conf
@@ -0,0 +1,2 @@
+# {{ ansible_managed }}
+ProxyErrorOverride off
diff --git a/templates/2_mds_exclusion.conf b/templates/2_mds_exclusion.conf
new file mode 100644
index 0000000..ab0d77f
--- /dev/null
+++ b/templates/2_mds_exclusion.conf
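Review bot: The `docker-compose-up` handler runs one fixed command through `shell` with a block scalar, although nothing in `docker-compose up -d` needs shell features; `command: docker-compose up -d` with the same `args: chdir: /opt/{{ docker_keycloak_service_id }}/` does the same job without passing the interpolated path through a shell. The `community.docker.docker_compose` module would be the more idiomatic option if the role can depend on that collection. The handler indentation under `shell:`/`args:` cannot be judged from the collapsed diff; check that `args` is a sibling of `shell`, not nested inside it.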
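Review bot: `prepare reverse_proxy` renders into `/etc/apache2/vhosts.d/{{ docker_keycloak_fqdn }}/`, but nothing in this task file creates that directory and `template` does not create parent directories, so the task fails unless the reverse_proxy role mentioned in the README already creates it (not visible here). `tasks/main.yml` creates its own target with a `file: state: directory` task first; mirroring that here makes the task file self-sufficient. `with_items` could also be `loop`, matching current Ansible style.
```yaml
- name: reverse_proxy vhost directory
  file:
    path: /etc/apache2/vhosts.d/{{ docker_keycloak_fqdn }}/
    state: directory

# … unchanged: prepare reverse_proxy task …
```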
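Review bot: `prepare docker-compose.yml` renders a file that embeds `docker_keycloak_db_password` (the `KEYCLOAK_DATABASE_PASSWORD` and `POSTGRES_PASSWORD` entries in templates/docker-compose.yml) but sets no `mode`, so the rendered file under `/opt/{{ docker_keycloak_service_id }}/` takes the remote umask and is typically world-readable. Add `mode: "0600"` (quoted so the octal is not re-typed) and `owner`/`group` as appropriate to the template task; the `docker directory` task above it could likewise get `mode: "0750"`. The single-item `with_items` loop is unnecessary — `src: docker-compose.yml` does the same thing.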
@@ -0,0 +1,2 @@
+# {{ ansible_managed }}
+
diff --git a/templates/docker-compose.yml b/templates/docker-compose.yml
new file mode 100644
index 0000000..41dea81
--- /dev/null
+++ b/templates/docker-compose.yml
@@ -0,0 +1,45 @@
+# {{ ansible_managed }}
+version: '3.1'
+
+services:
+ keycloak:
+ image: docker.io/bitnami/keycloak:16
+ restart: always
+ environment:
+ KEYCLOAK_DATABASE_HOST: "db"
+ KEYCLOAK_DATABASE_PORT: "5432"
+ KEYCLOAK_DATABASE_NAME: "{{ docker_keycloak_db_name }}"
+ KEYCLOAK_DATABASE_USER: "{{ docker_keycloak_db_user }}"
+ KEYCLOAK_DATABASE_PASSWORD: "{{ docker_keycloak_db_password }}"
+ KEYCLOAK_DATABASE_SCHEMA: "public"
+ KEYCLOAK_PROXY_ADDRESS_FORWARDING: "true"
+ depends_on:
+ - db
+ labels:
+ - "traefik.enable=true"
+ - "traefik.docker.network=traefik"
+ - "traefik.http.routers.{{ docker_keycloak_service_id }}.entrypoints=web"
+ - "traefik.http.routers.{{ docker_keycloak_service_id }}.rule=Host(`{{ docker_keycloak_fqdn }}`)"
+ - "traefik.http.services.{{ docker_keycloak_service_id }}.loadbalancer.server.port=8080"
+ networks:
+ - default
+ - traefik
+
+ db:
+ image: postgres:13
+ restart: always
+ environment:
+ POSTGRES_DB: "{{ docker_keycloak_db_name }}"
+ POSTGRES_USER: "{{ docker_keycloak_db_user }}"
+ POSTGRES_PASSWORD: "{{ docker_keycloak_db_password }}"
+ networks:
+ - default
+ volumes:
+ - /data1/{{ docker_keycloak_service_id }}/postgres:/var/lib/postgresql/data
+
+
+networks:
+ traefik:
+ external: true
+ default:
+ internal: true
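Review bot: The `db` volume hard-codes `/data1/{{ docker_keycloak_service_id }}/postgres`, while the README documents `docker_keycloak_data_dir` for exactly this purpose (its example value is `/data1`) and the variable is never used anywhere in the patch; the mount should be `- {{ docker_keycloak_data_dir }}/{{ docker_keycloak_service_id }}/postgres:/var/lib/postgresql/data`. Separately, the `keycloak` service sets no admin credentials, so the bitnami image appears to come up with its built-in default admin account until the account the README says to create exists, and it is routed through traefik from the first `docker-compose up`; supplying `KEYCLOAK_ADMIN_USER`/`KEYCLOAK_ADMIN_PASSWORD` from role variables (confirm the names against the image docs for tag 16) closes that window. The DB password is embedded in plain text in both services' `environment`, so the rendered file needs restrictive permissions; Compose `secrets` would keep it out of the file entirely.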