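---
# Bootstrap the Keycloak instance shipped in the Neah-Enkun compose stack:
# clone the repository, start the container, then drive kcadm.sh inside the
# container to create the permanent admin, roles, groups, clients and
# protocol mappers.
#
# The configuration steps run once: a marker file (check_file) is created
# in the container's data directory at the end, and every kcadm step is
# skipped when the marker already exists. The marker is only written (and
# the bootstrap admin only deleted) when no configuration block fell into
# its rescue branch, so a partial configuration can be re-run instead of
# being silently recorded as complete.
- name: Installer et configurer Keycloak
  hosts: servers
  become: true
  gather_facts: true

  vars:
    git_repo: "https://gite.slm-lab.net/Chabdeltsang/Neah-Enkun.git"
    git_dest: "/opt/Neah-Enkun"
    git_branch: "master"

    keycloak_container: "neah-keycloak"
    # kcadm.sh runs inside the container, so the server URL is the
    # container-local listener, not the host-facing one.
    keycloak_server: "http://localhost:8080"
    # NOTE(review): application roles, groups and clients are all created in
    # the master realm; a dedicated realm would keep application users apart
    # from the server administrators.
    keycloak_realm: "master"

    # Bootstrap admin created by the container image. It is used only to
    # create keycloak_admin_user and is deleted at the end of the play.
    keycloak_old_admin: "admin"
    # NOTE(review): passwords and client secrets below are committed in clear
    # text. Move them to an Ansible Vault file or an external secret store and
    # rotate the values that are already published.
    keycloak_old_password: "0aff634a5aab66c4cddc0fe9221e4d02defc87c98d2cd81ce6e8e04271f6c189"
    keycloak_admin_user: "enkun"
    keycloak_admin_password: "9569dd645b4963262f76f10dc320b114c62950ea4927c1806c3df56b03185297"
    keycloak_admin_email: "enkun@connect.neah.local"
    keycloak_admin_first_name: "Enkun"
    keycloak_admin_last_name: "Administrator"

    # Marker file and kcadm path, both inside the container.
    check_file: "/opt/keycloak/data/.configured"
    keycloak_bin: "/opt/keycloak/bin/kcadm.sh"

    # Set to true by any rescue branch below; guards the final steps.
    keycloak_config_failed: false

    keycloak_roles:
      - TEACHERS
      - STUDENTS
    keycloak_groups:
      - TESTING

    # Composite role members, written as "<client id>/<client role>".
    teacher_permissions:
      - account/view-groups
      - account/view-applications
      - master-realm/manage-users
      - account/delete-account
      - master-realm/view-users
      - account/manage-account
      - account/view-profile
    student_permissions:
      - master-realm/view-users

    keycloak_client:
      client_id: "front"
      client_secret: "Klsbm7hzyXscypXU0wUPPVBrttFPt6Pn"
      root_url: "http://neah.local/"
      # NOTE(review): wildcard redirect URIs accept any path under the
      # origin; tighten them to the exact callback path once it is known.
      redirect_uris:
        - "http://neah.local/*"
        - "http://localhost:3000/*"
      web_origins:
        - "http://neah.local"
        - "http://localhost:3000"

    keycloak_nextcloud_client:
      client_id: "nextcloud"
      client_secret: "d27b68dbb0f2eb2012837ed5f71e91015465ab72b93d50b3409962dad7812429"
      root_url: "http://cloud.neah.local/"
      redirect_uris:
        - "http://cloud.neah.local/*"
      web_origins:
        - "http://cloud.neah.local"

  pre_tasks:
    # force: true discards local modifications in git_dest on every run.
    - name: Cloner le dépôt Git
      git:
        repo: "{{ git_repo }}"
        dest: "{{ git_dest }}"
        version: "{{ git_branch }}"
        update: true
        force: true
      register: git_status
      until: git_status is success
      retries: 3
      delay: 5

  tasks:
    - name: Lancer le service Keycloak
      command: "docker compose up -d --build --remove-orphans keycloak"
      args:
        chdir: "{{ git_dest }}"
      register: keycloak_launch
      until: keycloak_launch is success
      retries: 3
      delay: 5

    # rc == 0 means the marker exists and the configuration steps are
    # skipped. A failing docker exec (container not up yet) also yields
    # rc != 0, which is why failed_when is disabled here.
    - name: Vérifier si la configuration a déjà été effectuée
      command: docker exec {{ keycloak_container }} test -f {{ check_file }}
      register: check_config
      changed_when: false
      failed_when: false

    # Keycloak may still be starting; retry for up to a minute.
    # no_log keeps the bootstrap password out of the Ansible output.
    - name: Configurer les credentials avec kcadm.sh
      shell: >
        docker exec {{ keycloak_container }} {{ keycloak_bin }}
        config credentials
        --server {{ keycloak_server }}
        --realm {{ keycloak_realm }}
        --user {{ keycloak_old_admin }}
        --password {{ keycloak_old_password }}
      register: config_status
      until: config_status is success
      retries: 6
      delay: 10
      when: check_config.rc != 0
      no_log: true

    - name: Créer un nouvel utilisateur administrateur
      block:
        - name: Créer l'utilisateur
          shell: >
            docker exec {{ keycloak_container }} {{ keycloak_bin }}
            create users -r {{ keycloak_realm }}
            -s username={{ keycloak_admin_user }}
            -s email={{ keycloak_admin_email }}
            -s firstName={{ keycloak_admin_first_name }}
            -s lastName={{ keycloak_admin_last_name }}
            -s emailVerified=true
            -s enabled=true
          register: create_user

        - name: Définir le mot de passe
          shell: >
            docker exec {{ keycloak_container }} {{ keycloak_bin }}
            set-password -r {{ keycloak_realm }}
            --username {{ keycloak_admin_user }}
            --new-password {{ keycloak_admin_password }}
            --temporary=false
          register: set_password
          no_log: true

        - name: Attribuer le rôle d'administrateur
          shell: >
            docker exec {{ keycloak_container }} {{ keycloak_bin }}
            add-roles -r {{ keycloak_realm }}
            --uusername {{ keycloak_admin_user }}
            --rolename admin
          register: add_role
      when: check_config.rc != 0
      rescue:
        - name: Gérer les erreurs de configuration
          debug:
            msg: "Erreur lors de la configuration de l'utilisateur administrateur"
        - name: Mémoriser l'échec de la configuration
          set_fact:
            keycloak_config_failed: true

    - name: Créer les rôles
      block:
        - name: Créer le rôle {{ item }}
          shell: >
            docker exec {{ keycloak_container }} {{ keycloak_bin }}
            create roles -r {{ keycloak_realm }}
            -s name={{ item }}
          register: create_role
          loop: "{{ keycloak_roles }}"
          until: create_role is success
          retries: 3
          delay: 5
      when: check_config.rc != 0
      rescue:
        - name: Gérer les erreurs de création des rôles
          debug:
            msg: "Erreur lors de la création du rôle {{ item }}"
        - name: Mémoriser l'échec de la configuration
          set_fact:
            keycloak_config_failed: true

    - name: Créer les groupes
      block:
        - name: Créer le groupe {{ item }}
          shell: >
            docker exec {{ keycloak_container }} {{ keycloak_bin }}
            create groups -r {{ keycloak_realm }}
            -s name={{ item }}
          register: create_group
          loop: "{{ keycloak_groups }}"
          until: create_group is success
          retries: 3
          delay: 5
      when: check_config.rc != 0
      rescue:
        - name: Gérer les erreurs de création des groupes
          debug:
            msg: "Erreur lors de la création du groupe {{ item }}"
        - name: Mémoriser l'échec de la configuration
          set_fact:
            keycloak_config_failed: true

    # Each "<client>/<role>" entry is split into the client id and the
    # client role added to the composite realm role.
    - name: Attribuer les permissions aux rôles
      block:
        - name: Attribuer les permissions au rôle TEACHERS
          shell: >
            docker exec {{ keycloak_container }} {{ keycloak_bin }}
            add-roles -r {{ keycloak_realm }}
            --rname TEACHERS
            --cclientid {{ item.split('/')[0] }}
            --rolename {{ item.split('/')[1] }}
          loop: "{{ teacher_permissions }}"
          register: add_teacher_perms
          until: add_teacher_perms is success
          retries: 3
          delay: 5

        - name: Attribuer les permissions au rôle STUDENTS
          shell: >
            docker exec {{ keycloak_container }} {{ keycloak_bin }}
            add-roles -r {{ keycloak_realm }}
            --rname STUDENTS
            --cclientid {{ item.split('/')[0] }}
            --rolename {{ item.split('/')[1] }}
          loop: "{{ student_permissions }}"
          register: add_student_perms
          until: add_student_perms is success
          retries: 3
          delay: 5
      when: check_config.rc != 0
      rescue:
        - name: Gérer les erreurs d'attribution des permissions
          debug:
            msg: "Erreur lors de l'attribution des permissions aux rôles"
        - name: Mémoriser l'échec de la configuration
          set_fact:
            keycloak_config_failed: true

    # NOTE(review): implicitFlowEnabled=true and directAccessGrantsEnabled=true
    # enable the implicit and resource-owner-password grants, both deprecated;
    # the client already has the standard (authorization code) flow enabled.
    - name: Configurer le client front
      block:
        - name: Créer le client
          shell: >
            docker exec {{ keycloak_container }} {{ keycloak_bin }}
            create clients -r {{ keycloak_realm }}
            -s clientId={{ keycloak_client.client_id }}
            -s secret={{ keycloak_client.client_secret }}
            -s protocol=openid-connect
            -s publicClient=false
            -s authorizationServicesEnabled=true
            -s serviceAccountsEnabled=true
            -s standardFlowEnabled=true
            -s implicitFlowEnabled=true
            -s directAccessGrantsEnabled=true
            -s rootUrl={{ keycloak_client.root_url }}
            -s baseUrl={{ keycloak_client.root_url }}
            -s 'redirectUris=["{{ keycloak_client.redirect_uris | join('","') }}"]'
            -s 'webOrigins=["{{ keycloak_client.web_origins | join('","') }}"]'
          register: create_client
          until: create_client is success
          retries: 3
          delay: 5
          no_log: true
      when: check_config.rc != 0
      rescue:
        - name: Gérer les erreurs de création du client
          debug:
            msg: "Erreur lors de la création du client front"
        - name: Mémoriser l'échec de la configuration
          set_fact:
            keycloak_config_failed: true

    - name: Configurer le Client Scope Profile
      block:
        # jq runs on the Ansible target host (outside docker exec), so it
        # must be installed there.
        - name: Récupérer l'ID du scope profile
          shell: |
            ID=$(docker exec {{ keycloak_container }} {{ keycloak_bin }} get client-scopes -r {{ keycloak_realm }} --fields id,name --format json | jq -r '.[] | select(.name=="profile") | .id')
            echo $ID
          register: profile_scope_id
          until: profile_scope_id.stdout != ""
          retries: 3
          delay: 5

        - name: Ajouter le Mapper realm roles au scope profile
          shell: >
            docker exec {{ keycloak_container }} {{ keycloak_bin }}
            create client-scopes/{{ profile_scope_id.stdout | trim }}/protocol-mappers/models
            -r {{ keycloak_realm }}
            -s name="realm roles"
            -s protocol="openid-connect"
            -s protocolMapper="oidc-usermodel-realm-role-mapper"
            -s 'config."id.token.claim"=true'
            -s 'config."access.token.claim"=true'
            -s 'config."userinfo.token.claim"=true'
            -s 'config."claim.name"="realm_roles"'
            -s 'config."introspection.token.claim"=true'
            -s 'config."multivalued"=true'
          register: create_mapper
          until: create_mapper is success
          retries: 3
          delay: 5
          when: profile_scope_id.stdout != ""
      when: check_config.rc != 0
      rescue:
        - name: Gérer les erreurs de configuration du mapper
          debug:
            msg: "Erreur lors de la configuration du mapper realm roles"
        - name: Mémoriser l'échec de la configuration
          set_fact:
            keycloak_config_failed: true

    - name: Configurer le client Nextcloud
      block:
        - name: Créer le client Nextcloud
          shell: >
            docker exec {{ keycloak_container }} {{ keycloak_bin }}
            create clients -r {{ keycloak_realm }}
            -s clientId={{ keycloak_nextcloud_client.client_id }}
            -s secret={{ keycloak_nextcloud_client.client_secret }}
            -s protocol=openid-connect
            -s publicClient=false
            -s authorizationServicesEnabled=true
            -s serviceAccountsEnabled=true
            -s standardFlowEnabled=true
            -s implicitFlowEnabled=false
            -s directAccessGrantsEnabled=true
            -s rootUrl={{ keycloak_nextcloud_client.root_url }}
            -s baseUrl={{ keycloak_nextcloud_client.root_url }}
            -s 'redirectUris=["{{ keycloak_nextcloud_client.redirect_uris | join('","') }}"]'
            -s 'webOrigins=["{{ keycloak_nextcloud_client.web_origins | join('","') }}"]'
          register: create_nextcloud_client
          until: create_nextcloud_client is success
          retries: 3
          delay: 5
          no_log: true

        - name: Récupérer l'ID du client Nextcloud
          shell: >
            docker exec {{ keycloak_container }} {{ keycloak_bin }}
            get clients -r {{ keycloak_realm }}
            -q clientId={{ keycloak_nextcloud_client.client_id }}
            --format json
          register: get_client_id
          until: get_client_id is success
          retries: 3
          delay: 5

        # Internal UUID of the client (not its clientId), needed for the
        # protocol-mappers endpoint below.
        - name: Extraire l'ID du client
          set_fact:
            nextcloud_client_id: "{{ (get_client_id.stdout | from_json)[0].id }}"

        - name: Configurer les mappers pour Nextcloud
          shell: >
            docker exec {{ keycloak_container }} {{ keycloak_bin }}
            create clients/{{ nextcloud_client_id }}/protocol-mappers/models
            -r {{ keycloak_realm }}
            -s name="{{ item.name }}"
            -s protocol="openid-connect"
            -s protocolMapper="{{ item.mapper }}"
            -s 'config."id.token.claim"=true'
            -s 'config."access.token.claim"=true'
            -s 'config."userinfo.token.claim"=true'
            -s 'config."claim.name"="{{ item.claim }}"'
          loop:
            - name: "username"
              mapper: "oidc-usermodel-property-mapper"
              claim: "preferred_username"
            - name: "email"
              mapper: "oidc-usermodel-property-mapper"
              claim: "email"
            - name: "name"
              mapper: "oidc-usermodel-property-mapper"
              claim: "name"
            - name: "roles"
              mapper: "oidc-usermodel-realm-role-mapper"
              claim: "roles"
          register: create_nextcloud_mappers
          until: create_nextcloud_mappers is success
          retries: 3
          delay: 5
      when: check_config.rc != 0
      rescue:
        - name: Gérer les erreurs de création du client Nextcloud
          debug:
            msg: "Erreur lors de la création du client Nextcloud"
        - name: Mémoriser l'échec de la configuration
          set_fact:
            keycloak_config_failed: true

    # Only remove the bootstrap admin when the permanent admin and the rest
    # of the configuration were created, otherwise no working admin would
    # remain. This block has no rescue on purpose: a failure here aborts the
    # play before the marker is written.
    - name: Supprimer l'administrateur temporaire
      block:
        - name: Récupérer les informations
          shell: >
            docker exec {{ keycloak_container }} {{ keycloak_bin }}
            get users -r {{ keycloak_realm }}
            -q username={{ keycloak_old_admin }}
          register: temp_admin_info

        - name: Extraire l'ID
          set_fact:
            temp_admin_id: "{{ (temp_admin_info.stdout | from_json)[0].id }}"

        - name: Supprimer l'utilisateur
          shell: docker exec {{ keycloak_container }} {{ keycloak_bin }} delete users/{{ temp_admin_id }}
      when:
        - check_config.rc != 0
        - not keycloak_config_failed

    # The marker is written only after a fully successful run so that a
    # rescued failure is retried on the next run instead of being hidden.
    - name: Marquer la configuration comme terminée
      shell: docker exec {{ keycloak_container }} touch {{ check_file }}
      when:
        - check_config.rc != 0
        - not keycloak_config_failed

  handlers:
    # Not notified by any task above; kept for tasks that may need it.
    - name: Redémarrer Keycloak
      command: "docker compose restart keycloak"
      args:
        chdir: "{{ git_dest }}"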