Add Keycloak service

docs/services/keycloak.md

@@ -0,0 +1,61 @@
+# Keycloak
+
+[Keycloak](https://keycloak.net/) is an open source identity and access management solution.
+
+**Warning**: this service is a new addition to the playbook. It may not fully work or be configured in a suboptimal manner.
+
+
+## Dependencies
+
+This service requires the following other services:
+
+- a [Postgres](postgres.md) database
+- a [Traefik](traefik.md) reverse-proxy server
+
+
+## Configuration
+
+To enable this service, add the following configuration to your `vars.yml` file and re-run the [installation](../installing.md) process:
+
+```yaml
+########################################################################
+#                                                                      #
+# keycloak                                                             #
+#                                                                      #
+########################################################################
+
+keycloak_enabled: true
+
+keycloak_hostname: mash.example.com
+keycloak_path_prefix: /keycloak
+
+keycloak_environment_variable_keycloak_admin: your_username_here
+# Generating a strong password (e.g. `pwgen -s 64 1`) is recommended
+keycloak_environment_variable_keycloak_admin_password: ''
+
+########################################################################
+#                                                                      #
+# /keycloak                                                            #
+#                                                                      #
+########################################################################
+```
+
+### URL
+
+In the example configuration above, we configure the service to be hosted at `https://mash.example.com/keycloak`.
+
+You can remove the `keycloak_path_prefix` variable definition, to make it default to `/`, so that the service is served at `https://mash.example.com/`.
+
+### Authentication
+
+On first start, the admin user account will be created as defined with the `keycloak_environment_variable_keycloak_admin` and `keycloak_environment_variable_keycloak_admin_password` variables.
+
+On each start after that, Keycloak will attempt to create the user again and report a non-fatal error (Keycloak will continue running).
+
+Subsequent changes to the password will not affect an existing user's password.
+
+## Usage
+
+After installation, you can go to the Keycloak URL, as defined in `keycloak_hostname` and `keycloak_path_prefix` and log in as described in [Authentication](#authentication).
+
+Follow the [Keycloak documentation](https://www.keycloak.org/documentation) or other guides for learning how to use Keycloak.

docs/supported-services.md

@@ -14,6 +14,7 @@
 | [Gitea](https://gitea.io/) | A painless self-hosted Git service. | [Link](services/gitea.md) |
 | [Grafana](https://grafana.com/) | An open and composable observability and data visualization platform, often used with [Prometheus](services/prometheus.md) | [Link](services/grafana.md) |
 | [Hubsite](https://github.com/moan0s/hubsite) | A simple, static site that shows an overview of the available services | [Link](services/hubsite.md) |
+| [Keycloak](https://keycloak.net/) | An open source identity and access management solution. | [Link](services/keycloak.md) |
 | [Miniflux](https://miniflux.app/) | Minimalist and opinionated feed reader. | [Link](services/miniflux.md) |
 | [NetBox](https://docs.netbox.dev/en/stable/) | Web application that provides [IP address management (IPAM)](https://en.wikipedia.org/wiki/IP_address_management) and [data center infrastructure management (DCIM)](https://en.wikipedia.org/wiki/Data_center_management#Data_center_infrastructure_management) functionality | [Link](services/netbox.md) |
 | [Nextcloud](https://nextcloud.com/) | The most popular self-hosted collaboration solution for tens of millions of users at thousands of organizations across the globe. | [Link](services/nextcloud.md) |

group_vars/mash_servers

@@ -95,6 +95,10 @@ devture_systemd_service_manager_services_list_auto: |
     +
     ([{'name': (grafana_identifier + '.service'), 'priority': 2000, 'groups': ['mash', 'grafana']}] if grafana_enabled else [])
     +
+    ([{'name': (keycloak_identifier + '.service'), 'priority': 2000, 'groups': ['mash', 'keycloak']}] if keycloak_enabled else [])
+    +
+    ([{'name': (miniflux_identifier + '.service'), 'priority': 2000, 'groups': ['mash', 'miniflux']}] if miniflux_enabled else [])
+    +
     ([{'name': (netbox_identifier + '.service'), 'priority': 2000, 'groups': ['mash', 'netbox', 'netbox-server']}] if netbox_enabled else [])
     +
     ([{'name': (netbox_identifier + '-worker.service'), 'priority': 2500, 'groups': ['mash', 'netbox', 'netbox-worker']}] if netbox_enabled else [])
@@ -105,8 +109,6 @@ devture_systemd_service_manager_services_list_auto: |
     +
     ([{'name': (nextcloud_identifier + '-cron.timer'), 'priority': 2500, 'groups': ['mash', 'nextcloud', 'nextcloud-cron']}] if nextcloud_enabled else [])
     +
-    ([{'name': (miniflux_identifier + '.service'), 'priority': 2000, 'groups': ['mash', 'miniflux']}] if miniflux_enabled else [])
-    +
     ([{'name': (peertube_identifier + '.service'), 'priority': 2000, 'groups': ['mash', 'peertube']}] if peertube_enabled else [])
     +
     ([{'name': (prometheus_identifier + '.service'), 'priority': 2000, 'groups': ['mash', 'metrics', 'prometheus']}] if prometheus_enabled else [])
@@ -182,6 +184,12 @@ devture_postgres_managed_databases_auto: |
       'password': devture_woodpecker_ci_server_database_datasource_password,
     }] if devture_woodpecker_ci_server_enabled else [])
     +
+    ([{
+      'name': keycloak_database_name,
+      'username': keycloak_database_username,
+      'password': keycloak_database_password,
+    }] if keycloak_enabled and keycloak_database_type == 'postgres' and keycloak_database_hostname == devture_postgres_identifier else [])
+    +
     ([{
       'name': miniflux_database_name,
       'username': miniflux_database_username,
@@ -682,6 +690,50 @@ grafana_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResol
 
 
 
+########################################################################
+#                                                                      #
+# keycloak                                                             #
+#                                                                      #
+########################################################################
+
+keycloak_enabled: false
+
+keycloak_identifier: "{{ mash_playbook_service_identifier_prefix }}keycloak"
+
+keycloak_uid: "{{ mash_playbook_uid }}"
+keycloak_gid: "{{ mash_playbook_gid }}"
+
+keycloak_base_path: "{{ mash_playbook_base_path }}/{{ mash_playbook_service_base_directory_name_prefix }}keycloak"
+
+keycloak_systemd_required_systemd_services_list_auto: |
+  {{
+    ([devture_postgres_identifier ~ '.service'] if devture_postgres_enabled and keycloak_database_hostname == devture_postgres_identifier else [])
+  }}
+
+keycloak_container_additional_networks_auto: |
+  {{
+    ([mash_playbook_reverse_proxyable_services_additional_network] if mash_playbook_reverse_proxyable_services_additional_network else [])
+    +
+    ([devture_postgres_container_network] if devture_postgres_enabled and keycloak_database_hostname == devture_postgres_identifier and keycloak_container_network != devture_postgres_container_network else [])
+  }}
+
+keycloak_container_labels_traefik_enabled: "{{ mash_playbook_traefik_labels_enabled }}"
+keycloak_container_labels_traefik_docker_network: "{{ mash_playbook_reverse_proxyable_services_additional_network }}"
+keycloak_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}"
+keycloak_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}"
+
+keycloak_database_hostname: "{{ devture_postgres_identifier if devture_postgres_enabled else '' }}"
+keycloak_database_port: "{{ '5432' if devture_postgres_enabled else '' }}"
+keycloak_database_password: "{{ '%s' | format(mash_playbook_generic_secret_key) | password_hash('sha512', 'db.keycloak', rounds=655555) | to_uuid }}"
+
+########################################################################
+#                                                                      #
+# /keycloak                                                            #
+#                                                                      #
+########################################################################
+
+
+
 ########################################################################
 #                                                                      #
 # miniflux                                                             #

requirements.yml

@@ -73,6 +73,9 @@
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-gitea.git
   version: v1.19.0-0
   name: gitea
+- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-keycloak.git
+  version: v21.0.1-0
+  name: keycloak
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-netbox.git
   version: v3.4.6-2.5.1-0
   name: netbox

setup.yml

@@ -70,6 +70,8 @@
 
     - role: galaxy/grafana
 
+    - role: galaxy/keycloak
+
     - role: galaxy/miniflux
 
     - role: galaxy/hubsite