always create pidfile folder

add keycloak_service_runas feature flag fix previous installs permissions
2025-04-05 10:20:27 -07:00 · 2023-08-29 21:41:38 +02:00 · 2023-08-29 21:41:38 +02:00 · 40c015d3e1
commit 40c015d3e1
parent c8ebbe72d2
3 changed files with 16 additions and 9 deletions
--- a/roles/keycloak/meta/argument_specs.yml
+++ b/roles/keycloak/meta/argument_specs.yml
@ -74,6 +74,11 @@ argument_specs:
                default: ""
                description: "Path to custom template for standalone.xml configuration"
                type: "str"
+            keycloak_service_runas: 
+                # line 20 of keycloak/defaults/main.yml
+                default: false
+                description: "Enable execution of service as `keycloak_service_user`"
+                type: "bool"
            keycloak_service_user:
                # line 29 of keycloak/defaults/main.yml
                default: "keycloak"
--- a/roles/keycloak/tasks/install.yml
+++ b/roles/keycloak/tasks/install.yml
@ -53,20 +53,14 @@
    group: "{{ keycloak_service_group }}"
    mode: 0750

- name: Check pidfile folder
-  ansible.builtin.stat:
-    path: "{{ keycloak_service_pidfile | dirname }}"
-  register: keycloak_service_pidfile_stat
 - name: Create pidfile folder
  become: yes
-  become_user: root
  ansible.builtin.file:
    dest: "{{ keycloak_service_pidfile | dirname }}"
    state: directory
-    owner: "{{ keycloak_service_user }}"
-    group: "{{ keycloak_service_group }}"
-    mode: "0750"
-  when: not keycloak_service_pidfile_stat.stat.exists
+    owner: "{{ keycloak_service_user if keycloak_service_runas else omit }}"
+    group: "{{ keycloak_service_group if keycloak_service_runas else omit }}"
+    mode: 0750

 ## check remote archive
 - name: Set download archive path
@ -209,6 +203,12 @@
  become: yes
  changed_when: false

+- name: Ensure permissions are correct on existing deploy
+  ansible.builtin.command: chown -R "{{ keycloak_service_user }}:{{ keycloak_service_group }}" "{{ keycloak.home }}"
+  when: keycloak_service_runas
+  become: yes
+  changed_when: false
+
 # driver and configuration
 - name: "Install {{ keycloak_jdbc_engine }} driver"
  ansible.builtin.include_tasks: jdbc_driver.yml
--- a/roles/keycloak/templates/keycloak.service.j2
+++ b/roles/keycloak/templates/keycloak.service.j2
@ -8,8 +8,10 @@ StartLimitBurst={{ keycloak_service_startlimitburst }}

 [Service]
 Type=forking
+{% if keycloak_service_runas %}
 User={{ keycloak_service_user }}
 Group={{ keycloak_service_group }}
+{% endif -%}
 EnvironmentFile=-/etc/sysconfig/keycloak
 PIDFile={{ keycloak_service_pidfile }}
 ExecStart={{ keycloak_dest }}/keycloak-service.sh start