331 lines
13 KiB
YAML
331 lines
13 KiB
YAML
---
|
|
- name: Installer et configurer Keycloak
|
|
hosts: servers
|
|
become: true
|
|
gather_facts: true
|
|
|
|
vars:
|
|
git_repo: "https://gite.slm-lab.net/Chabdeltsang/Neah-Enkun.git"
|
|
git_dest: "/opt/Neah-Enkun"
|
|
git_branch: "master"
|
|
keycloak_container: "neah-keycloak"
|
|
keycloak_server: "http://localhost:8080"
|
|
keycloak_realm: "master"
|
|
keycloak_old_admin: "admin"
|
|
keycloak_old_password: "0aff634a5aab66c4cddc0fe9221e4d02defc87c98d2cd81ce6e8e04271f6c189"
|
|
keycloak_admin_user: "enkun"
|
|
keycloak_admin_password: "9569dd645b4963262f76f10dc320b114c62950ea4927c1806c3df56b03185297"
|
|
keycloak_admin_email: "enkun@connect.neah.local"
|
|
keycloak_admin_first_name: "Enkun"
|
|
keycloak_admin_last_name: "Administrator"
|
|
check_file: "/opt/keycloak/data/.configured"
|
|
keycloak_bin: "/opt/keycloak/bin/kcadm.sh"
|
|
keycloak_roles:
|
|
- TEACHERS
|
|
- STUDENTS
|
|
keycloak_groups:
|
|
- TESTING
|
|
teacher_permissions:
|
|
- account/view-groups
|
|
- account/view-applications
|
|
- master-realm/manage-users
|
|
- account/delete-account
|
|
- master-realm/view-users
|
|
- account/manage-account
|
|
- account/view-profile
|
|
student_permissions:
|
|
- master-realm/view-users
|
|
keycloak_client:
|
|
client_id: "front"
|
|
client_secret: "Klsbm7hzyXscypXU0wUPPVBrttFPt6Pn"
|
|
root_url: "http://neah.local/"
|
|
redirect_uris:
|
|
- "http://neah.local/*"
|
|
- "http://localhost:3000/*"
|
|
web_origins:
|
|
- "http://neah.local"
|
|
- "http://localhost:3000"
|
|
keycloak_nextcloud_client:
|
|
client_id: "nextcloud"
|
|
client_secret: "d27b68dbb0f2eb2012837ed5f71e91015465ab72b93d50b3409962dad7812429"
|
|
root_url: "http://cloud.neah.local/"
|
|
redirect_uris:
|
|
- "http://cloud.neah.local/*"
|
|
web_origins:
|
|
- "http://cloud.neah.local"
|
|
|
|
pre_tasks:
|
|
- name: Cloner le dépôt Git
|
|
git:
|
|
repo: "{{ git_repo }}"
|
|
dest: "{{ git_dest }}"
|
|
version: "{{ git_branch }}"
|
|
update: true
|
|
force: true
|
|
register: git_status
|
|
until: git_status is success
|
|
retries: 3
|
|
delay: 5
|
|
|
|
tasks:
|
|
- name: Lancer le service Keycloak
|
|
command: "docker compose up -d --build --remove-orphans keycloak"
|
|
args:
|
|
chdir: "{{ git_dest }}"
|
|
register: keycloak_launch
|
|
until: keycloak_launch is success
|
|
retries: 3
|
|
delay: 5
|
|
|
|
- name: Vérifier si la configuration a déjà été effectuée
|
|
command: docker exec {{ keycloak_container }} test -f {{ check_file }}
|
|
register: check_config
|
|
changed_when: false
|
|
failed_when: false
|
|
|
|
- name: Configurer les credentials avec kcadm.sh
|
|
shell: docker exec {{ keycloak_container }} {{ keycloak_bin }} config credentials --server {{ keycloak_server }} --realm {{ keycloak_realm }} --user {{ keycloak_old_admin }} --password {{ keycloak_old_password }}
|
|
register: config_status
|
|
until: config_status is success
|
|
retries: 6
|
|
delay: 10
|
|
when: check_config.rc != 0
|
|
|
|
- name: Créer un nouvel utilisateur administrateur
|
|
block:
|
|
- name: Créer l'utilisateur
|
|
shell: docker exec {{ keycloak_container }} {{ keycloak_bin }} create users -r {{ keycloak_realm }} -s username={{ keycloak_admin_user }} -s email={{ keycloak_admin_email }} -s firstName={{ keycloak_admin_first_name }} -s lastName={{ keycloak_admin_last_name }} -s emailVerified=true -s enabled=true
|
|
register: create_user
|
|
|
|
- name: Définir le mot de passe
|
|
shell: docker exec {{ keycloak_container }} {{ keycloak_bin }} set-password -r {{ keycloak_realm }} --username {{ keycloak_admin_user }} --new-password {{ keycloak_admin_password }} --temporary=false
|
|
register: set_password
|
|
|
|
- name: Attribuer le rôle d'administrateur
|
|
shell: docker exec {{ keycloak_container }} {{ keycloak_bin }} add-roles -r {{ keycloak_realm }} --uusername {{ keycloak_admin_user }} --rolename admin
|
|
register: add_role
|
|
when: check_config.rc != 0
|
|
rescue:
|
|
- name: Gérer les erreurs de configuration
|
|
debug:
|
|
msg: "Erreur lors de la configuration de l'utilisateur administrateur"
|
|
|
|
- name: Créer les rôles
|
|
block:
|
|
- name: Créer le rôle {{ item }}
|
|
shell: docker exec {{ keycloak_container }} {{ keycloak_bin }} create roles -r {{ keycloak_realm }} -s name={{ item }}
|
|
register: create_role
|
|
with_items: "{{ keycloak_roles }}"
|
|
until: create_role is success
|
|
retries: 3
|
|
delay: 5
|
|
when: check_config.rc != 0
|
|
rescue:
|
|
- name: Gérer les erreurs de création des rôles
|
|
debug:
|
|
msg: "Erreur lors de la création du rôle {{ item }}"
|
|
|
|
- name: Créer les groupes
|
|
block:
|
|
- name: Créer le groupe {{ item }}
|
|
shell: docker exec {{ keycloak_container }} {{ keycloak_bin }} create groups -r {{ keycloak_realm }} -s name={{ item }}
|
|
register: create_group
|
|
with_items: "{{ keycloak_groups }}"
|
|
until: create_group is success
|
|
retries: 3
|
|
delay: 5
|
|
when: check_config.rc != 0
|
|
rescue:
|
|
- name: Gérer les erreurs de création des groupes
|
|
debug:
|
|
msg: "Erreur lors de la création du groupe {{ item }}"
|
|
|
|
- name: Attribuer les permissions aux rôles
|
|
block:
|
|
- name: Attribuer les permissions au rôle TEACHERS
|
|
shell: docker exec {{ keycloak_container }} {{ keycloak_bin }} add-roles -r {{ keycloak_realm }} --rname TEACHERS --cclientid {{ item.split('/')[0] }} --rolename {{ item.split('/')[1] }}
|
|
with_items: "{{ teacher_permissions }}"
|
|
register: add_teacher_perms
|
|
until: add_teacher_perms is success
|
|
retries: 3
|
|
delay: 5
|
|
|
|
- name: Attribuer les permissions au rôle STUDENTS
|
|
shell: docker exec {{ keycloak_container }} {{ keycloak_bin }} add-roles -r {{ keycloak_realm }} --rname STUDENTS --cclientid {{ item.split('/')[0] }} --rolename {{ item.split('/')[1] }}
|
|
with_items: "{{ student_permissions }}"
|
|
register: add_student_perms
|
|
until: add_student_perms is success
|
|
retries: 3
|
|
delay: 5
|
|
when: check_config.rc != 0
|
|
rescue:
|
|
- name: Gérer les erreurs d'attribution des permissions
|
|
debug:
|
|
msg: "Erreur lors de l'attribution des permissions aux rôles"
|
|
|
|
- name: Configurer le client front
|
|
block:
|
|
- name: Créer le client
|
|
shell: >
|
|
docker exec {{ keycloak_container }} {{ keycloak_bin }} create clients -r {{ keycloak_realm }}
|
|
-s clientId={{ keycloak_client.client_id }}
|
|
-s secret={{ keycloak_client.client_secret }}
|
|
-s protocol=openid-connect
|
|
-s publicClient=false
|
|
-s authorizationServicesEnabled=true
|
|
-s serviceAccountsEnabled=true
|
|
-s standardFlowEnabled=true
|
|
-s implicitFlowEnabled=true
|
|
-s directAccessGrantsEnabled=true
|
|
-s rootUrl={{ keycloak_client.root_url }}
|
|
-s baseUrl={{ keycloak_client.root_url }}
|
|
-s 'redirectUris=["{{ keycloak_client.redirect_uris | join('","') }}"]'
|
|
-s 'webOrigins=["{{ keycloak_client.web_origins | join('","') }}"]'
|
|
register: create_client
|
|
until: create_client is success
|
|
retries: 3
|
|
delay: 5
|
|
when: check_config.rc != 0
|
|
rescue:
|
|
- name: Gérer les erreurs de création du client
|
|
debug:
|
|
msg: "Erreur lors de la création du client front"
|
|
|
|
- name: Configurer le Client Scope Profile
|
|
block:
|
|
- name: Récupérer l'ID du scope profile
|
|
shell: |
|
|
ID=$(docker exec {{ keycloak_container }} {{ keycloak_bin }} get client-scopes -r {{ keycloak_realm }} --fields id,name --format json | jq -r '.[] | select(.name=="profile") | .id')
|
|
echo $ID
|
|
register: profile_scope_id
|
|
until: profile_scope_id.stdout != ""
|
|
retries: 3
|
|
delay: 5
|
|
|
|
- name: Ajouter le Mapper realm roles au scope profile
|
|
shell: >
|
|
docker exec {{ keycloak_container }} {{ keycloak_bin }} create client-scopes/{{ profile_scope_id.stdout | trim }}/protocol-mappers/models
|
|
-r {{ keycloak_realm }}
|
|
-s name="realm roles"
|
|
-s protocol="openid-connect"
|
|
-s protocolMapper="oidc-usermodel-realm-role-mapper"
|
|
-s 'config."id.token.claim"=true'
|
|
-s 'config."access.token.claim"=true'
|
|
-s 'config."userinfo.token.claim"=true'
|
|
-s 'config."claim.name"="realm_roles"'
|
|
-s 'config."introspection.token.claim"=true'
|
|
-s 'config."multivalued"=true'
|
|
register: create_mapper
|
|
until: create_mapper is success
|
|
retries: 3
|
|
delay: 5
|
|
when: profile_scope_id.stdout != ""
|
|
when: check_config.rc != 0
|
|
rescue:
|
|
- name: Gérer les erreurs de configuration du mapper
|
|
debug:
|
|
msg: "Erreur lors de la configuration du mapper realm roles"
|
|
|
|
- name: Configurer le client Nextcloud
|
|
block:
|
|
- name: Créer le client Nextcloud
|
|
shell: >
|
|
docker exec {{ keycloak_container }} {{ keycloak_bin }} create clients -r {{ keycloak_realm }}
|
|
-s clientId={{ keycloak_nextcloud_client.client_id }}
|
|
-s secret={{ keycloak_nextcloud_client.client_secret }}
|
|
-s protocol=openid-connect
|
|
-s publicClient=false
|
|
-s authorizationServicesEnabled=true
|
|
-s serviceAccountsEnabled=true
|
|
-s standardFlowEnabled=true
|
|
-s implicitFlowEnabled=false
|
|
-s directAccessGrantsEnabled=true
|
|
-s rootUrl={{ keycloak_nextcloud_client.root_url }}
|
|
-s baseUrl={{ keycloak_nextcloud_client.root_url }}
|
|
-s 'redirectUris=["{{ keycloak_nextcloud_client.redirect_uris | join('","') }}"]'
|
|
-s 'webOrigins=["{{ keycloak_nextcloud_client.web_origins | join('","') }}"]'
|
|
register: create_nextcloud_client
|
|
until: create_nextcloud_client is success
|
|
retries: 3
|
|
delay: 5
|
|
|
|
- name: Récupérer l'ID du client Nextcloud
|
|
shell: >
|
|
docker exec {{ keycloak_container }} {{ keycloak_bin }} get clients -r {{ keycloak_realm }}
|
|
-q clientId={{ keycloak_nextcloud_client.client_id }} --format json
|
|
register: get_client_id
|
|
until: get_client_id is success
|
|
retries: 3
|
|
delay: 5
|
|
|
|
- name: Extraire l'ID du client
|
|
set_fact:
|
|
nextcloud_client_id: "{{ (get_client_id.stdout | from_json)[0].id }}"
|
|
|
|
- name: Configurer les mappers pour Nextcloud
|
|
shell: >
|
|
docker exec {{ keycloak_container }} {{ keycloak_bin }}
|
|
create clients/{{ nextcloud_client_id }}/protocol-mappers/models
|
|
-r {{ keycloak_realm }}
|
|
-s name="{{ item.name }}"
|
|
-s protocol="openid-connect"
|
|
-s protocolMapper="{{ item.mapper }}"
|
|
-s 'config."id.token.claim"=true'
|
|
-s 'config."access.token.claim"=true'
|
|
-s 'config."userinfo.token.claim"=true'
|
|
-s 'config."claim.name"="{{ item.claim }}"'
|
|
with_items:
|
|
- {
|
|
name: "username",
|
|
mapper: "oidc-usermodel-property-mapper",
|
|
claim: "preferred_username",
|
|
}
|
|
- {
|
|
name: "email",
|
|
mapper: "oidc-usermodel-property-mapper",
|
|
claim: "email",
|
|
}
|
|
- {
|
|
name: "name",
|
|
mapper: "oidc-usermodel-property-mapper",
|
|
claim: "name",
|
|
}
|
|
- {
|
|
name: "roles",
|
|
mapper: "oidc-usermodel-realm-role-mapper",
|
|
claim: "roles",
|
|
}
|
|
register: create_nextcloud_mappers
|
|
until: create_nextcloud_mappers is success
|
|
retries: 3
|
|
delay: 5
|
|
when: check_config.rc != 0
|
|
rescue:
|
|
- name: Gérer les erreurs de création du client Nextcloud
|
|
debug:
|
|
msg: "Erreur lors de la création du client Nextcloud"
|
|
|
|
- name: Supprimer l'administrateur temporaire
|
|
block:
|
|
- name: Récupérer les informations
|
|
shell: docker exec {{ keycloak_container }} {{ keycloak_bin }} get users -r {{ keycloak_realm }} -q username={{ keycloak_old_admin }}
|
|
register: temp_admin_info
|
|
|
|
- name: Extraire l'ID
|
|
set_fact:
|
|
temp_admin_id: "{{ (temp_admin_info.stdout | from_json)[0].id }}"
|
|
|
|
- name: Supprimer l'utilisateur
|
|
shell: docker exec {{ keycloak_container }} {{ keycloak_bin }} delete users/{{ temp_admin_id }}
|
|
when: check_config.rc != 0
|
|
|
|
- name: Marquer la configuration comme terminée
|
|
shell: docker exec {{ keycloak_container }} touch {{ check_file }}
|
|
when: check_config.rc != 0
|
|
|
|
handlers:
|
|
- name: Redémarrer Keycloak
|
|
command: "docker compose restart keycloak"
|
|
args:
|
|
chdir: "{{ git_dest }}"
|