-rw-r--r--dan/host_vars/sk-cloudio.yml113
-rw-r--r--dan/sk-cloudio.yml1
-rw-r--r--inventory/host_vars/sk-cloudio/keycloak.yml22
-rw-r--r--roles/apps/keycloak/defaults/main.yml30
-rw-r--r--roles/apps/keycloak/tasks/main.yml105
-rw-r--r--roles/apps/keycloak/templates/pod-spec-with-mariadb.yml.j259
-rw-r--r--roles/apps/nextcloud/defaults/main.yml20
7 files changed, 288 insertions, 62 deletions
diff --git a/dan/host_vars/sk-cloudio.yml b/dan/host_vars/sk-cloudio.yml
index c5887a82..348a49fb 100644
--- a/dan/host_vars/sk-cloudio.yml
+++ b/dan/host_vars/sk-cloudio.yml
@@ -1,53 +1,62 @@
$ANSIBLE_VAULT;1.2;AES256;dan
-35643164636339633130626437653864373332623936633833316362643239373437373830353237
-6531666166396233303132646135366565613934313037350a373031643132346537303036333662
-31393333363733663465643833303536353463633937643136323435643465333437326634363066
-6337613661633636650a323634383436363838346566373262653039343435383362623934303332
-30353866653836363631636466396334393765656163366163353134633339396534336235333535
-36306262623332323465376435386134333631623762623136323764373538666463386562666630
-65633233333366626539323134616432356237636334383264366263316663313933653465386661
-32363561383661653138383362373662313464303766663666353733666462376566666563633963
-39633032313764623839656639386564383665313535333831313166323237393163303163313838
-32653661343163386166636438323662653537636130333334623663353333313338316461346632
-33316538336135306233366430613531303763313732393931626235646666643235323035353237
-36623933383461653631663961666134666636666535646161393963343533643235616432643965
-61663130333732656431323235376561313036646262376232666138323964623030633437373732
-31663139353064353365343966353435353430623531643939366336333962333030363066353735
-66653062663730363230383432356538363839383434323338623434373536386561323534323239
-33356434663032376562356139333238643836613061646135303861656339333466383033353561
-34353633326131623933376263623665336337356362386332303136383366306631656136663832
-39653166333934386336653861643964356337383362656466306164663235343665646463643064
-39366365393863386430323533353866633533353633343666643665366666653965376336386564
-64613633383464373533636661333665333262646135383234303534626635333863336362343932
-34323466373031326365316366313832633165623037303039616462643161376532366637653564
-38616438326361313765636332323965623631626632306363383530316234613337656562663637
-34643266376461653939653730393162633738356137383662313132363961613338626561653931
-30653639313966316130373934333965366637653839333238303932313565323436656635653665
-37396338613939663162353034373463333737383232333633326238623837353938356266393036
-39663463303066343835396161303166353164663434356165363233333538623430376164663832
-37616330643138343135666434343431353064303838626239336165366362393634663965333664
-65333365333035646465306232666361366331393762613535306263376265303065353834323231
-30363165663036313838363539636231343966316537306639663863663664393733613362616566
-37613239383364373036653039336534353661613261646632353763623435376664336534346236
-32353534316561353763646361333063656136373230306331343261613332363136626531363433
-30373065653139623533303932363931306264613866313734663634356133636661316234623632
-66383532343266366164393561316230626534313634623264353964346432383037316365333763
-61653062383434663939346265343563323039383164666239313965323061333164343236386636
-38666338653066656235316332626366316334323066356139613838313633323738366531303865
-38663466626364356335336230313630326365393762396162306164303733643761323539316437
-65626238643734303730623430383137643463373133383165333337646437356366613562643730
-33633365313534356665373332353361306661356434616433663765643139613937353065306465
-62313235393433663963383035613736626433306661633262306134613065386664663935396337
-37643437616235663639363537353237383539663866646164313863343230613362336164653834
-34666361356135376333343033613930393438626235333964313732616331356432636661326361
-30366432663663626430356665613431353661303961366564613865643862383264363331343364
-31393966663133306539663532623337653537336132613430346333653437373664373537373261
-38616366333761343033626261653630366434633332613465393566646561613665646363363833
-32613161376434333736653532313335653537313038333134613164623562663364653037313638
-38333261616262363461393931303364613836353363326236616161373933613035353961386238
-32323266633465393335323138343433396133626664626438356464616130633266363532313431
-64663662346663306365616463393933363965643465643863653561623538306662353264346561
-30646232623031363431386632393763623437656565333662376238643465366134313334376437
-36363262663433343061313839653665343366306336616461303739356464646638633966343631
-38323933376136343664333239623834303339613735383964663165316631366234383531316433
-62626666313939633364
+63663565313965643461303636396364383664663433373739303261633538343536653962663961
+3464303239313633363463313962663861623937393331340a386363643133666237396462663832
+35346165386562363630346136313666656635353734383233343138643630643530653331613764
+3431376232653438300a383862363030393839323935356361383838376137623635386232633035
+66323134653030626232366162633030656134306566633932336139323032383130616336656164
+66383436343361306266396232326463333434393163343335633061363336316661393338323462
+30633138323965623038356436383234303137366534333631613132613266643636393761393330
+64663561363738636331613465333463613735626265313538383732343766383965363239656132
+63366666653364343033663866376634343937303463656131336233653762363261656662613564
+63646236373266353934363737393132356535623066366239636363653665313965353265316262
+65396231646631353637613739626666363339313734373661303261623031306334646461363535
+36333034303166623764316133633139643230633333646663376537653938656531616438313935
+66363633623232373539363236373938396235333764323866623336306230363264363364333539
+65373731396136663233626539613530326539326164393638663663376239646333386330633266
+64636336613237323138363935643464613832306634376530646638666239306633383938303831
+35373565383038343532386338346161613731616333663863383431386365363330383636376433
+37663262346535626666323730653563393965306637363035613261363439633062306130643166
+66653437323764316162333564303031656636373331373135386264356366383464633261313235
+64316266343762323334653861636137656362636532373537396566386435396434633866613266
+61626332633833363636336364653361636632613662373162313362333032633937666163326462
+63326562393937396236636661353465643531653332373063336235613434616230353162633634
+61663436613237396362386330303039386132333932616265383833623636326134663265346431
+36656637353666646235313730326537373133646162313534396136363834613735306166323238
+63323065393566363134353039613862616238363362633232363961323730336634326431613136
+64626465663563303563663564623764633133616338363435336632306664643934343238346630
+65343635646334623330383562656166393136623161373061386663636135366232623133666436
+39613135626362643165316637633332333731356263633861613862346537633933646365313038
+32316662636464343664323331343639346134623333376438633530643535313766666463323439
+34393561323764663639323833656239316133373866633631336439396537663863336232343034
+65336562346432663438346535313736303032613832613232343163643831656238626430346631
+61653565303436313737613064303031353530393366386130633366656366303430383862346266
+62323730383836303165376466386261666262353465316637393534373439666338363862373764
+30643138623866663035306336333232306537393036353261656463386437643665633263663064
+39386563316362616639393130313339316232313464633463363664326231346466363530373135
+32386665346635633965636134346161323737633364353932373738666138363933613035326534
+30383863303938653536633964396161656338643437366661333261353034396430643933366432
+64346233623232346338383433306137663231326337613439633230646534666361313766636263
+61626433393563343436663063636465303362666334363738356431666334616637316535373361
+63633935663235663834343738663139353630653832336333306463393835623361653936313336
+62623132346539346363323065336535333739353439646237303131656364646663396465383063
+62663531666264326638313232626131313138666463313666313830636661343462643565383530
+38316638316234343362396534663636346230316230663930326562326336353365393563653866
+63633336333635376263653531613836636162313064626138306163353934306136633736363463
+66643636376534353035666638623038643061346237353730363166333636316366373836663261
+31366161366162303532623134393434626239313539353436306435383938353132393438323733
+37626533626266373930336566323863373062643964343835366438323464356132316265666135
+64376630366464633938356233396132306432643631356439303862623364326236373834386336
+36343765363735323236353864656635386133396134663037396566343163353537666333356531
+63343136636564363731383937613863626235663063316638656561666263326666353132343363
+64396461343463633631656432656366336164306437393866633535653431393431343030656631
+61336539616436366539613261333532333939343531343666343535633732353661303362383666
+31653462373738333433376562363734623462656330663664663732656262326665613035626230
+38646137346535336538633730623433333030343661386237373939333032373864663838356161
+35316535386431383963636139613539346462386436666334366338333964626639366261633637
+39303836383233623734383165366637633334323338646562653064643130306461303961383964
+62353236393130666538346634353339636561626536633835313563623761313335623630303330
+35626132303935623938663537343033313834393665613639653635373364353030396638363636
+61333038633361616531633334346638636336646336383131313531663862633166653036353932
+66363935333364396438623831643737323030356263643036326639613262313963623630333039
+38343431663932646566373739316136656632336230626531613739313431653561373136373237
+3833
diff --git a/dan/sk-cloudio.yml b/dan/sk-cloudio.yml
index dfdee8e8..c3e80838 100644
--- a/dan/sk-cloudio.yml
+++ b/dan/sk-cloudio.yml
@@ -21,3 +21,4 @@
- role: apps/etherpad-lite
- role: apps/coturn
- role: apps/jitsi/meet
+ - role: apps/keycloak
diff --git a/inventory/host_vars/sk-cloudio/keycloak.yml b/inventory/host_vars/sk-cloudio/keycloak.yml
new file mode 100644
index 00000000..b9bc445d
--- /dev/null
+++ b/inventory/host_vars/sk-cloudio/keycloak.yml
@@ -0,0 +1,22 @@
+---
+keycloak_zfs:
+ pool: storage
+ name: keycloak
+ properties:
+ compression: lz4
+
+keycloak_instances:
+ id.elevate.at:
+# new: true
+ version: 11.0.3
+ port: 8500
+ hostname: id.elevate.at
+ admin:
+ username: admin
+ password: "{{ vault_keycloak_admin_passwords['id.elevate.at'] }}"
+ zfs_properties:
+ quota: 1G
+ database:
+ type: mariadb
+ version: 10.5.8
+ password: "{{ vault_keycloak_database_passwords['id.elevate.at'] }}"
diff --git a/roles/apps/keycloak/defaults/main.yml b/roles/apps/keycloak/defaults/main.yml
new file mode 100644
index 00000000..24326601
--- /dev/null
+++ b/roles/apps/keycloak/defaults/main.yml
@@ -0,0 +1,30 @@
+---
+keycloak_app_uid: "920"
+keycloak_app_gid: "920"
+
+keycloak_db_uid: "921"
+keycloak_db_gid: "921"
+
+# keycloak_base_path: /srv/keycloak
+
+# keycloak_zfs:
+# pool: storage
+# name: keycloak
+# properties:
+# compression: lz4
+
+# keycloak_instances:
+# example:
+# new: yes
+# version: 11.0.3
+# port: 8500
+# hostname: id.example.com
+# admin:
+# username: admin
+# password: "{{ vault_keycloak_admin_passwords['example'] }}"
+# zfs_properties:
+# quota: 1G
+# database:
+# type: mariadb
+# version: 10.5.8
+# password: "{{ vault_keycloak_database_passwords['example'] }}"
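Review bot: The commented example at `# new: yes` uses a YAML 1.1 truthy spelling, while the host_vars added in this same commit write `new: true`; change it to `# new: true` so the copy-paste template reads as a boolean under both YAML 1.1 and 1.2 loaders and matches the inventory. The example also leaves `new` unexplained even though the pod template only emits the MYSQL_DATABASE/MYSQL_USER/MYSQL_PASSWORD bootstrap variables when it is set, so a line such as `# new: true  # first run only: initialises the mariadb volume with the credentials below` would save the next operator a trip through the template. Note too that `keycloak_base_path` is commented out here but tasks/main.yml reads it unconditionally when `keycloak_zfs` is not defined, so a host without a ZFS stanza has to set it explicitly; the comment should say so.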
diff --git a/roles/apps/keycloak/tasks/main.yml b/roles/apps/keycloak/tasks/main.yml
new file mode 100644
index 00000000..917aa68e
--- /dev/null
+++ b/roles/apps/keycloak/tasks/main.yml
@@ -0,0 +1,105 @@
+---
+- name: create zfs datasets
+ when: keycloak_zfs is defined
+ block:
+ - name: create zfs base dataset
+ zfs:
+ name: "{{ keycloak_zfs.pool }}/{{ keycloak_zfs.name }}"
+ state: present
+ extra_zfs_properties: "{{ keycloak_zfs.properties | default(omit) }}"
+
+ - name: create zfs volumes for instances
+ loop: "{{ keycloak_instances | dict2items }}"
+ loop_control:
+ label: "{{ item.key }} ({{ (item.value.zfs_properties | default({})).items() | map('join', '=') | join(', ') }})"
+ zfs:
+ name: "{{ keycloak_zfs.pool }}/{{ keycloak_zfs.name }}/{{ item.key }}"
+ state: present
+ extra_zfs_properties: "{{ item.value.zfs_properties | default(omit) }}"
+
+ - name: configure keycloak base bath
+ set_fact:
+ keycloak_base_path: "{{ zfs_pools[keycloak_zfs.pool].mountpoint }}/{{ keycloak_zfs.name }}"
+
+
+- name: create instance subdirectories
+ when: keycloak_zfs is not defined
+ loop: "{{ keycloak_instances | list }}"
+ file:
+ path: "{{ keycloak_base_path }}/{{ item }}"
+ state: directory
+
+
+
+- name: add group for keycloak app
+ group:
+ name: kc-app
+ gid: "{{ keycloak_app_gid }}"
+
+- name: add user for keycloak app
+ user:
+ name: kc-app
+ uid: "{{ keycloak_app_uid }}"
+ group: kc-app
+ password: "!"
+
+- name: create keycloak app subdirectory
+ loop: "{{ keycloak_instances | list }}"
+ file:
+ path: "{{ keycloak_base_path }}/{{ item }}/keycloak"
+ owner: "{{ keycloak_app_uid }}"
+ group: "{{ keycloak_app_gid }}"
+ state: directory
+
+
+- name: add group for keycloak db
+ group:
+ name: kc-db
+ gid: "{{ keycloak_db_gid }}"
+
+- name: add user for keycloak db
+ user:
+ name: kc-db
+ uid: "{{ keycloak_db_uid }}"
+ group: kc-db
+ password: "!"
+
+- name: create keycloak database subdirectory
+ loop: "{{ keycloak_instances | dict2items}}"
+ loop_control:
+ label: "{{ item.key }} ({{ item.value.database.type }})"
+ file:
+ path: "{{ keycloak_base_path }}/{{ item.key }}/{{ item.value.database.type }}"
+ owner: "{{ keycloak_db_uid }}"
+ group: "{{ keycloak_db_gid }}"
+ state: directory
+
+
+- name: install pod manifest
+ loop: "{{ keycloak_instances | dict2items }}"
+ loop_control:
+ label: "{{ item.key }}"
+ vars:
+ kubernetes_standalone_pod:
+ name: "keycloak-{{ item.key }}"
+ spec: "{{ lookup('template', 'pod-spec-with-{{ item.value.database.type }}.yml.j2') }}"
+ mode: "0600"
+ include_role:
+ name: kubernetes/standalone/pod
+
+
+- name: configure nginx vhost
+ loop: "{{ keycloak_instances | dict2items }}"
+ loop_control:
+ label: "{{ item.key }}"
+ vars:
+ nginx_vhost:
+ name: "keycloak-{{ item.key }}"
+ template: generic-proxy-no-buffering-with-acme
+ acme: true
+ hostnames:
+ - "{{ item.value.hostname }}"
+ client_max_body_size: "0"
+ proxy_pass: "http://127.0.0.1:{{ item.value.port }}/auth/"
+ include_role:
+ name: nginx/vhost
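Review bot: The template name in the `install pod manifest` task nests a `{{ }}` expression inside an already-templated string (`lookup('template', 'pod-spec-with-{{ item.value.database.type }}.yml.j2')`), which relies on recursive templating that I would not depend on across Ansible releases; build the name by concatenation instead, `spec: "{{ lookup('template', 'pod-spec-with-' ~ item.value.database.type ~ '.yml.j2') }}"`. Two smaller nits in the same file: the task name `configure keycloak base bath` should read `configure keycloak base path`, and `dict2items}}` on the `create keycloak database subdirectory` loop lacks the space before `}}` that every other loop here has. Because `keycloak_base_path` has no default in defaults/main.yml, the `create instance subdirectories` task fails with an undefined variable on any host that omits `keycloak_zfs`; either give it a default or assert it at the top of the task list.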
diff --git a/roles/apps/keycloak/templates/pod-spec-with-mariadb.yml.j2 b/roles/apps/keycloak/templates/pod-spec-with-mariadb.yml.j2
new file mode 100644
index 00000000..dd63d3a0
--- /dev/null
+++ b/roles/apps/keycloak/templates/pod-spec-with-mariadb.yml.j2
@@ -0,0 +1,59 @@
+securityContext:
+ allowPrivilegeEscalation: false
+containers:
+- name: keycloak
+ image: "quay.io/keycloak/keycloak:{{ item.value.version }}"
+ # securityContext:
+ # runAsUser: {{ keycloak_app_uid }}
+ # runAsGroup: {{ keycloak_app_gid }}
+ resources:
+ limits:
+ memory: "1Gi"
+ env:
+ - name: DB_VENDOR
+ value: mariadb
+ - name: DB_ADDR
+ value: 127.0.0.1
+ - name: DB_DATABASE
+ value: keycloak
+ - name: DB_USER
+ value: keycloak
+ - name: DB_PASSWORD
+ value: "{{ item.value.database.password }}"
+ - name: KEYCLOAK_USER
+ value: "{{ item.value.admin.username }}"
+ - name: KEYCLOAK_PASSWORD
+ value: "{{ item.value.admin.password }}"
+ - name: KEYCLOAK_FRONTEND_URL
+ value: "https://{{ item.value.hostname }}"
+ ports:
+ - containerPort: 8080
+ hostPort: {{ item.value.port }}
+ hostIP: 127.0.0.1
+- name: database
+ image: "mariadb:{{ item.value.database.version }}"
+ securityContext:
+ runAsUser: {{ keycloak_db_uid }}
+ runAsGroup: {{ keycloak_db_gid }}
+ resources:
+ limits:
+ memory: "512Mi"
+{% if 'new' in item.value and item.value.new %}
+ env:
+ - name: MYSQL_RANDOM_ROOT_PASSWORD
+ value: "true"
+ - name: MYSQL_DATABASE
+ value: keycloak
+ - name: MYSQL_USER
+ value: keycloak
+ - name: MYSQL_PASSWORD
+ value: "{{ item.value.database.password }}"
+{% endif %}
+ volumeMounts:
+ - name: database
+ mountPath: /var/lib/mysql
+volumes:
+- name: database
+ hostPath:
+ path: "{{ keycloak_base_path }}/{{ item.key }}/{{ item.value.database.type }}"
+ type: Directory
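Review bot: `allowPrivilegeEscalation: false` is placed in the pod-level `securityContext`, but as far as I know that field exists only on the container-level securityContext, so here it is an unknown field that a lenient decoder drops silently and a strict one rejects; move it under each container, e.g. for the keycloak container `securityContext:` / `  allowPrivilegeEscalation: false` and for the database container next to the existing `runAsUser`/`runAsGroup`. In the same hunk the keycloak container's `runAsUser`/`runAsGroup` are commented out, so the kc-app uid/gid that tasks/main.yml creates and chowns `.../keycloak` to is never applied to the process, and that directory is not mounted into the pod at all; if the lines are disabled because the image does not run under an arbitrary uid, a comment saying so would stop the next reader from re-enabling them blindly.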
diff --git a/roles/apps/nextcloud/defaults/main.yml b/roles/apps/nextcloud/defaults/main.yml
index f028713f..db186b53 100644
--- a/roles/apps/nextcloud/defaults/main.yml
+++ b/roles/apps/nextcloud/defaults/main.yml
@@ -19,15 +19,15 @@ nextcloud_db_gid: "951"
# version: 17.0.0
# port: 8100
# hostnames:
-# - wolke.example.com
-# - cloud.example.com
+# - wolke.example.com
+# - cloud.example.com
# zfs_properties:
# quota: 100G
-# database:
-# type: mariadb
-# version: 10.4.8
-# password: "{{ vault_nextcloud_database_passwords['example'] }}"
-# custom_image: # optional
-# from: foo/bar:1.0 # optional
-# dockerfile: |
-# RUN apt-get install ...
+# database:
+# type: mariadb
+# version: 10.4.8
+# password: "{{ vault_nextcloud_database_passwords['example'] }}"
+# custom_image: # optional
+# from: foo/bar:1.0 # optional
+# dockerfile: |
+# RUN apt-get install ...