From 40c015d3e170fc06f3ec6da1a8cca3f70609a86a Mon Sep 17 00:00:00 2001
From: Massimo Schiavon
Date: Tue, 29 Aug 2023 21:41:38 +0200
Subject: [PATCH] always create pidfile folder add keycloak_service_runas feature flag fix previous installs permissions
---
 roles/keycloak/meta/argument_specs.yml | 5 +++++
 roles/keycloak/tasks/install.yml | 18 +++++++++---------
 roles/keycloak/templates/keycloak.service.j2 | 2 ++
 3 files changed, 16 insertions(+), 9 deletions(-)
diff --git a/roles/keycloak/meta/argument_specs.yml b/roles/keycloak/meta/argument_specs.yml
index daba3ba..db73f3f 100644
--- a/roles/keycloak/meta/argument_specs.yml
+++ b/roles/keycloak/meta/argument_specs.yml
@@ -74,6 +74,11 @@ argument_specs:
 default: ""
 description: "Path to custom template for standalone.xml configuration"
 type: "str"
+ keycloak_service_runas:
+ # line 20 of keycloak/defaults/main.yml
+ default: false
+ description: "Enable execution of service as `keycloak_service_user`"
+ type: "bool"
 keycloak_service_user:
 # line 29 of keycloak/defaults/main.yml
 default: "keycloak"
diff --git a/roles/keycloak/tasks/install.yml b/roles/keycloak/tasks/install.yml
index 13f4ef3..a2467d3 100644
--- a/roles/keycloak/tasks/install.yml
+++ b/roles/keycloak/tasks/install.yml
@@ -53,20 +53,14 @@
 group: "{{ keycloak_service_group }}"
 mode: 0750
-- name: Check pidfile folder
- ansible.builtin.stat:
- path: "{{ keycloak_service_pidfile | dirname }}"
- register: keycloak_service_pidfile_stat
 - name: Create pidfile folder
 become: yes
- become_user: root
 ansible.builtin.file:
 dest: "{{ keycloak_service_pidfile | dirname }}"
 state: directory
- owner: "{{ keycloak_service_user }}"
- group: "{{ keycloak_service_group }}"
- mode: "0750"
- when: not keycloak_service_pidfile_stat.stat.exists
+ owner: "{{ keycloak_service_user if keycloak_service_runas else omit }}"
+ group: "{{ keycloak_service_group if keycloak_service_runas else omit }}"
+ mode: 0750
 ## check remote archive
 - name: Set download archive path
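Review bot: The new `keycloak_service_runas` entry cites line 20 of keycloak/defaults/main.yml, but the diffstat lists only argument_specs.yml, install.yml and keycloak.service.j2, so unless that default landed in a separate commit the variable used by `when: keycloak_service_runas` in install.yml and by `{% if keycloak_service_runas %}` in the unit template is undefined at runtime; as far as I know, defaults in meta/argument_specs.yml are documentation only and are not injected into the play. The description should also state what the default means in practice, since with false the rendered unit carries no User=/Group= and systemd starts the service as root: `description: "Run the service as keycloak_service_user/keycloak_service_group; when false the unit sets no User=/Group= and Keycloak runs as root"`.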
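Review bot: Dropping the stat task and its `when` guard means `ansible.builtin.file` now applies owner, group and `mode: 0750` to `keycloak_service_pidfile | dirname` on every run, including when that directory already existed and was not created by this role. If the pidfile is configured directly inside a shared directory (for example /run or /var/run), the task re-owns and restricts that shared directory instead of a role-private subdirectory; the removed exists-check used to mask this case. A cheap protection is an assert before this task, e.g. `that: "keycloak_service_pidfile | dirname not in ['/', '/run', '/var/run']"`, or at least a comment on `dest:` stating that the pidfile must live in its own directory. With the flag false the directory is created root-owned with 0750, which matches a unit running as root, and a later run with the flag on re-owns it, so that part is fine. The task supplying the `group`/`mode` context lines at the top starts outside the hunk.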
@@ -209,6 +203,12 @@
 become: yes
 changed_when: false
+- name: Ensure permissions are correct on existing deploy
+ ansible.builtin.command: chown -R "{{ keycloak_service_user }}:{{ keycloak_service_group }}" "{{ keycloak.home }}"
+ when: keycloak_service_runas
+ become: yes
+ changed_when: false
+
 # driver and configuration
 - name: "Install {{ keycloak_jdbc_engine }} driver"
 ansible.builtin.include_tasks: jdbc_driver.yml
diff --git a/roles/keycloak/templates/keycloak.service.j2 b/roles/keycloak/templates/keycloak.service.j2
index 8a94c62..cc4f324 100644
--- a/roles/keycloak/templates/keycloak.service.j2
+++ b/roles/keycloak/templates/keycloak.service.j2
@@ -8,8 +8,10 @@ StartLimitBurst={{ keycloak_service_startlimitburst }}
 [Service]
 Type=forking
+{% if keycloak_service_runas %}
 User={{ keycloak_service_user }}
 Group={{ keycloak_service_group }}
+{% endif -%}
 EnvironmentFile=-/etc/sysconfig/keycloak
 PIDFile={{ keycloak_service_pidfile }}
 ExecStart={{ keycloak_dest }}/keycloak-service.sh start
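Review bot: The `chown -R` run through `ansible.builtin.command` with `changed_when: false` rewrites ownership of the whole `keycloak.home` tree on every run while always reporting "ok", and as a command task it is skipped in check mode, so a dry run never shows the ownership drift it is meant to fix. `ansible.builtin.file` with `recurse: true` does the same job idempotently, reports a real changed status and is check-mode aware. I can't tell from this diff whether `keycloak.home` is the same directory as `keycloak_dest` used in keycloak.service.j2; worth confirming the recursion covers the tree the unit actually executes from.
```yaml
- name: Ensure permissions are correct on existing deploy
  ansible.builtin.file:
    path: "{{ keycloak.home }}"
    state: directory
    owner: "{{ keycloak_service_user }}"
    group: "{{ keycloak_service_group }}"
    recurse: true
  # … unchanged: when / become …
```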
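Review bot: When `keycloak_service_runas` is false the conditional leaves no User=/Group= in the unit, so systemd starts Keycloak as root, and because the argument spec in this same commit defaults the flag to false that is the out-of-the-box behaviour; a comment at the `{% if %}` should make that explicit, e.g. `{# keycloak_service_runas=false: no User=/Group= is written and the service runs as root #}`. The `-%}` on the endif is asymmetric with the plain `%}` on the if; Ansible's template module strips the newline after block tags by default (trim_blocks), so the dash looks redundant and could be dropped for consistency.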