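---
# Role argument specification with two entry points:
#   main       - keycloak_quarkus_* options for a Keycloak (Quarkus) install
#   downstream - rhbk_* options for Red Hat Build of Keycloak
#
# In Ansible role argument specs the `default` values are documentation; the
# effective defaults come from the role's defaults. Several options below hold
# secrets (admin, database, infinispan, key/trust store and vault passwords):
# supply them from Ansible Vault or an external secret store, not plain vars.
argument_specs:
  main:
    options:
      keycloak_quarkus_version:
        default: "24.0.3"
        description: "keycloak.org package version"
        type: "str"
      keycloak_quarkus_archive:
        default: "keycloak-{{ keycloak_quarkus_version }}.zip"
        description: "keycloak install archive filename"
        type: "str"
      # NOTE(review): no checksum or signature option is declared in this spec;
      # confirm how the role verifies the downloaded archive's integrity.
      keycloak_quarkus_download_url:
        default: "https://github.com/keycloak/keycloak/releases/download/{{ keycloak_quarkus_version }}/{{ keycloak_quarkus_archive }}"
        description: "Download URL for keycloak"
        type: "str"
      keycloak_quarkus_installdir:
        default: "{{ keycloak_quarkus_dest }}/keycloak-{{ keycloak_quarkus_version }}"
        description: "Installation path"
        type: "str"
      keycloak_quarkus_offline_install:
        default: false
        description: "Perform an offline install"
        type: "bool"
      keycloak_quarkus_jvm_package:
        default: "java-11-openjdk-headless"
        description: "RHEL java package runtime"
        type: "str"
      keycloak_quarkus_java_home:
        description: "JAVA_HOME of installed JRE, leave empty for using specified keycloak_quarkus_jvm_package RPM path"
        type: "str"
      keycloak_quarkus_dest:
        default: "/opt/keycloak"
        description: "Installation root path"
        type: "str"
      keycloak_quarkus_home:
        default: "{{ keycloak_quarkus_installdir }}"
        description: "Installation work directory"
        type: "str"
      keycloak_quarkus_config_dir:
        default: "{{ keycloak_quarkus_home }}/conf"
        description: "Path for configuration"
        type: "str"
      keycloak_quarkus_service_user:
        default: "keycloak"
        description: "Posix account username"
        type: "str"
      keycloak_quarkus_service_group:
        default: "keycloak"
        description: "Posix account group"
        type: "str"
      keycloak_quarkus_service_pidfile:
        default: "/run/keycloak/keycloak.pid"
        description: "Pid file path for service"
        type: "str"
      # Both firewall options default to false: the role opens no host
      # firewall ports unless one of them is enabled.
      keycloak_quarkus_configure_firewalld:
        default: false
        description: "Ensure firewalld is running and configure keycloak ports"
        type: "bool"
      keycloak_quarkus_configure_iptables:
        default: false
        description: "Ensure iptables is running and configure keycloak ports"
        type: "bool"
      keycloak_service_restart_always:
        default: false
        description: "systemd restart always behavior of service; takes precedence over keycloak_service_restart_on_failure if true"
        type: "bool"
      keycloak_service_restart_on_failure:
        default: false
        description: "systemd restart on-failure behavior of service"
        type: "bool"
      keycloak_service_restartsec:
        default: "10s"
        description: "systemd RestartSec for service"
        type: "str"
      keycloak_quarkus_admin_user:
        default: "admin"
        description: "Administration console user account"
        type: "str"
      # Required and has no default, so every deployment must choose its own
      # admin password; keep the value in Ansible Vault or a secret store.
      keycloak_quarkus_admin_pass:
        required: true
        description: "Password of console admin account"
        type: "str"
      keycloak_quarkus_master_realm:
        default: "master"
        description: "Name for rest authentication realm"
        type: "str"
      # 0.0.0.0 binds on every interface; narrow it or filter at the host
      # firewall when the service should be reachable only through a proxy.
      keycloak_quarkus_bind_address:
        default: "0.0.0.0"
        description: "Address for binding service ports"
        type: "str"
      keycloak_quarkus_host:
        default: "localhost"
        description: "Hostname for the Keycloak server"
        type: "str"
      keycloak_quarkus_port:
        default: -1
        description: "The port used by the proxy when exposing the hostname"
        type: "int"
      keycloak_quarkus_path:
        required: false
        description: "This should be set if proxy uses a different context-path for Keycloak"
        type: "str"
      # The plain-HTTP listener is on by default while both HTTPS options below
      # default to false; presumably this pairs with the 'edge' proxy mode
      # default (TLS terminated at a reverse proxy) - confirm for the target
      # environment before exposing port 8080 beyond the proxy.
      keycloak_quarkus_http_enabled:
        default: true
        description: "Enable listener on HTTP port"
        type: "bool"
      keycloak_quarkus_http_port:
        default: 8080
        description: "HTTP port"
        type: "int"
      keycloak_quarkus_https_key_file_enabled:
        default: false
        description: "Enable configuration of HTTPS via files in PEM format"
        type: "bool"
      # NOTE(review): the key, certificate and store path defaults reference
      # `keycloak.home`, which is not an option of this spec - presumably a role
      # variable defined elsewhere; verify. Private key and store files should
      # be readable only by the service account.
      keycloak_quarkus_key_file:
        default: "{{ keycloak.home }}/conf/server.key.pem"
        description: "The file path to a private key in PEM format"
        type: "str"
      keycloak_quarkus_cert_file:
        default: "{{ keycloak.home }}/conf/server.crt.pem"
        description: "The file path to a server certificate or certificate chain in PEM format"
        type: "str"
      keycloak_quarkus_https_key_store_enabled:
        default: false
        description: "Enable configuration of HTTPS via a key store"
        type: "bool"
      keycloak_quarkus_key_store_file:
        default: ""
        description: "Deprecated, use `keycloak_quarkus_https_key_store_file` instead."
        type: "str"
      keycloak_quarkus_key_store_password:
        default: ""
        description: "Deprecated, use `keycloak_quarkus_https_key_store_password` instead."
        type: "str"
      keycloak_quarkus_https_key_store_file:
        default: "{{ keycloak.home }}/conf/key_store.p12"
        description: "The file path to the key store"
        type: "str"
      keycloak_quarkus_https_key_store_password:
        default: ""
        description: "Password for the key store"
        type: "str"
      keycloak_quarkus_https_trust_store_enabled:
        default: false
        description: "Enable configuration of the https trust store"
        type: "bool"
      keycloak_quarkus_https_trust_store_file:
        default: "{{ keycloak.home }}/conf/trust_store.p12"
        description: "The file path to the trust store"
        type: "str"
      keycloak_quarkus_https_trust_store_password:
        default: ""
        description: "Password for the trust store"
        type: "str"
      keycloak_quarkus_config_key_store_file:
        default: "{{ keycloak.home }}/conf/conf_store.p12"
        description: "Path to the configuration key store; only used if `keycloak_quarkus_config_key_store_password` is not empty"
        type: "str"
      # With the empty default, the database password is written to the
      # configuration file in clear text (see the description); set a password
      # here to have it stored in the configuration key store instead.
      keycloak_quarkus_config_key_store_password:
        default: ""
        description: "Password of the configuration key store; if non-empty, `keycloak_quarkus_db_pass` will be saved to the key store at `keycloak_quarkus_config_key_store_file` (instead of being written to the configuration file in clear text)"
        type: "str"
      keycloak_quarkus_https_port:
        default: 8443
        description: "HTTPS port"
        type: "int"
      keycloak_quarkus_ajp_port:
        default: 8009
        description: "AJP port"
        type: "int"
      keycloak_quarkus_jgroups_port:
        default: 7800
        description: "jgroups cluster tcp port"
        type: "int"
      keycloak_quarkus_java_heap_opts:
        default: "-Xms1024m -Xmx2048m"
        description: "Heap memory JVM setting"
        type: "str"
      # Folded scalar: the lines below are joined with single spaces into one
      # option string (one trailing newline is kept).
      keycloak_quarkus_java_jvm_opts:
        default: >
          -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m
          -Dfile.encoding=UTF-8 -Dsun.stdout.encoding=UTF-8
          -Dsun.err.encoding=UTF-8 -Dstdout.encoding=UTF-8
          -Dstderr.encoding=UTF-8 -XX:+ExitOnOutOfMemoryError
          -Djava.security.egd=file:/dev/urandom -XX:+UseParallelGC
          -XX:GCTimeRatio=4 -XX:AdaptiveSizePolicyWeight=90
          -XX:FlightRecorderOptions=stackdepth=512
        description: "Other JVM settings"
        type: "str"
      keycloak_quarkus_java_opts:
        default: "{{ keycloak_quarkus_java_heap_opts + ' ' + keycloak_quarkus_java_jvm_opts }}"
        description: "JVM arguments, by default heap_opts + jvm_opts, if overridden it takes precedence over them"
        type: "str"
      keycloak_quarkus_ha_enabled:
        default: false
        description: "Enable auto configuration for database backend, clustering and remote caches on infinispan"
        type: "bool"
      keycloak_quarkus_ha_discovery:
        default: "TCPPING"
        description: "Discovery protocol for HA cluster members"
        type: "str"
      # NOTE(review): the default renders a boolean but the declared type is
      # "str" - confirm whether "bool" was intended before changing it.
      keycloak_quarkus_db_enabled:
        default: "{{ True if keycloak_quarkus_ha_enabled else False }}"
        description: "Enable auto configuration for database backend"
        type: "str"
      keycloak_quarkus_http_relative_path:
        required: false
        default: "/"
        description: "Set the path relative to / for serving resources. The path must start with a /"
        type: "str"
      keycloak_quarkus_frontend_url:
        required: false
        description: "Service public URL"
        type: "str"
      keycloak_quarkus_admin_url:
        required: false
        description: "Service URL for the admin console"
        type: "str"
      keycloak_quarkus_metrics_enabled:
        default: false
        description: "Whether to enable metrics"
        type: "bool"
      keycloak_quarkus_health_enabled:
        default: true
        description: "If the server should expose health check endpoints"
        type: "bool"
      # The infinispan user and password defaults are identical, fixed values;
      # override both for any deployment that enables remote caches.
      keycloak_quarkus_ispn_user:
        default: "supervisor"
        description: "Username for connecting to infinispan"
        type: "str"
      keycloak_quarkus_ispn_pass:
        default: "supervisor"
        description: "Password for connecting to infinispan"
        type: "str"
      keycloak_quarkus_ispn_hosts:
        default: "localhost:11222"
        description: "host name/port for connecting to infinispan, eg. host1:11222;host2:11222"
        type: "str"
      keycloak_quarkus_ispn_sasl_mechanism:
        default: "SCRAM-SHA-512"
        description: "Infinispan auth mechanism"
        type: "str"
      # TLS to infinispan is off by default, so cache traffic to remote hosts
      # is unencrypted unless this is enabled.
      keycloak_quarkus_ispn_use_ssl:
        default: false
        description: "Whether infinispan uses TLS connection"
        type: "bool"
      keycloak_quarkus_ispn_trust_store_path:
        default: "/etc/pki/java/cacerts"
        description: "Path to infinispan server trust certificate"
        type: "str"
      # "changeit" is the stock password of the JDK cacerts store named in the
      # default path above; set the real password when using another store.
      keycloak_quarkus_ispn_trust_store_password:
        default: "changeit"
        description: "Password for infinispan certificate keystore"
        type: "str"
      keycloak_quarkus_jdbc_engine:
        default: "postgres"
        description: "Database engine [mariadb,postgres,mssql]"
        type: "str"
      # The database user and password defaults are placeholders; override the
      # password with a secret value whenever the database backend is enabled.
      keycloak_quarkus_db_user:
        default: "keycloak-user"
        description: "User for database connection"
        type: "str"
      keycloak_quarkus_db_pass:
        default: "keycloak-pass"
        description: "Password for database connection"
        type: "str"
      keycloak_quarkus_jdbc_url:
        default: "{{ keycloak_quarkus_default_jdbc[keycloak_quarkus_jdbc_engine].url }}"
        description: "JDBC URL for connecting to database"
        type: "str"
      keycloak_quarkus_jdbc_driver_version:
        default: "{{ keycloak_quarkus_default_jdbc[keycloak_quarkus_jdbc_engine].version }}"
        description: "Version for JDBC driver"
        type: "str"
      keycloak_quarkus_log:
        default: "file"
        type: "str"
        description: "Enable one or more log handlers in a comma-separated list"
      keycloak_quarkus_log_level:
        default: "info"
        type: "str"
        description: "The log level of the root category or a comma-separated list of individual categories and their levels"
      keycloak_quarkus_log_file:
        default: "data/log/keycloak.log"
        type: "str"
        description: "Set the log file path and filename relative to keycloak home"
      keycloak_quarkus_log_format:
        default: '%d{yyyy-MM-dd HH:mm:ss,SSS} %-5p [%c] (%t) %s%e%n'
        type: "str"
        description: "Set a format specific to file log entries"
      keycloak_quarkus_log_target:
        default: '/var/log/keycloak'
        type: "str"
        description: "Set the destination of the keycloak log folder link"
      keycloak_quarkus_log_max_file_size:
        default: "10M"
        type: "str"
        description: >
          Set the maximum log file size before a log rotation happens; A size
          configuration option recognises string in this format (shown as a
          regular expression): [0-9]+[KkMmGgTtPpEeZzYy]?. If no suffix is
          given, assume bytes.
      # Quoted so the documented default matches the declared "str" type.
      keycloak_quarkus_log_max_backup_index:
        default: "10"
        type: "str"
        description: "Set the maximum number of archived log files to keep"
      keycloak_quarkus_log_file_suffix:
        default: '.yyyy-MM-dd.zip'
        type: "str"
        description: >
          Set the log file handler rotation file suffix. When used, the file
          will be rotated based on its suffix. Note: If the suffix ends with
          .zip or .gz, the rotation file will also be compressed.
      # Forwarded headers are client-controlled unless a reverse proxy in front
      # of the service overwrites them; only enable proxy header parsing when
      # the service is reachable solely through such a proxy.
      keycloak_quarkus_proxy_mode:
        default: 'edge'
        type: "str"
        description: "The proxy address forwarding mode if the server is behind a reverse proxy. Set to 'none' if not using a proxy"
      keycloak_quarkus_proxy_headers:
        default: ""
        type: "str"
        description: "Parse reverse proxy headers (`forwarded` or `xforwarded`), overrides the deprecated keycloak_quarkus_proxy_mode argument"
      # Development mode is meant for local testing; keep false in production.
      keycloak_quarkus_start_dev:
        default: false
        type: "bool"
        description: "Whether to start the service in development mode (start-dev)"
      keycloak_quarkus_transaction_xa_enabled:
        default: true
        type: "bool"
        description: "Enable or disable XA transactions which may not be supported by some DBMS"
      keycloak_quarkus_hostname_strict:
        default: true
        type: "bool"
        description: >
          Disables dynamically resolving the hostname from request headers.
          Should always be set to true in production, unless proxy verifies
          the Host header.
      keycloak_quarkus_hostname_strict_backchannel:
        default: false
        type: "bool"
        description: >
          By default backchannel URLs are dynamically resolved from request
          headers to allow internal and external applications. If all
          applications use the public URL this option should be enabled.
      keycloak_quarkus_spi_sticky_session_encoder_infinispan_should_attach_route:
        default: true
        type: "bool"
        description: >
          If the route should be attached to cookies to reflect the node that
          owns a particular session. If false, route is not attached to
          cookies and we rely on the session affinity capabilities from
          reverse proxy
      keycloak_quarkus_ks_vault_enabled:
        default: false
        type: "bool"
        description: "Whether to enable vault SPI"
      keycloak_quarkus_ks_vault_file:
        default: "{{ keycloak_quarkus_config_dir }}/keystore.p12"
        type: "str"
        description: "The keystore path for the vault SPI"
      keycloak_quarkus_ks_vault_type:
        default: "PKCS12"
        type: "str"
        description: "Type of the keystore used for the vault SPI"
      # No default: supply the keystore password as a secret when the vault SPI
      # is enabled.
      keycloak_quarkus_ks_vault_pass:
        required: false
        type: "str"
        description: "The password for accessing the keystore vault SPI"
  downstream:
    options:
      rhbk_version:
        default: "22.0.10"
        description: "Red Hat Build of Keycloak version"
        type: "str"
      rhbk_archive:
        default: "rhbk-{{ rhbk_version }}.zip"
        description: "Red Hat Build of Keycloak install archive filename"
        type: "str"
      rhbk_dest:
        default: "/opt/rhbk"
        description: "Root installation directory"
        type: "str"
      rhbk_installdir:
        default: "{{ rhbk_dest }}/rhbk-{{ rhbk_version }}"
        description: "Installation path for Red Hat Build of Keycloak"
        type: "str"
      # Cumulative patches are not applied unless this is enabled.
      rhbk_apply_patches:
        default: false
        description: "Install Red Hat Build of Keycloak most recent cumulative patch"
        type: "bool"
      rhbk_enable:
        default: true
        description: "Enable Red Hat Build of Keycloak installation"
        type: "bool"
      rhbk_offline_install:
        default: false
        description: "Perform an offline install"
        type: "bool"
      rhbk_service_name:
        default: "rhbk"
        description: "systemd service name for Red Hat Build of Keycloak"
        type: "str"
      rhbk_service_desc:
        default: "Red Hat Build of Keycloak"
        description: "systemd description for Red Hat Build of Keycloak"
        type: "str"
      rhbk_patch_version:
        required: false
        description: "Red Hat Build of Keycloak latest cumulative patch version to apply; defaults to latest version when rhbk_apply_patches is True"
        type: "str"
      # When rhbk_patch_version is unset the filename falls back to a version
      # pattern ([0-9]+[.][0-9]+[.][0-9]+) rather than a literal version.
      rhbk_patch_bundle:
        default: "rhbk-{{ rhbk_patch_version | default('[0-9]+[.][0-9]+[.][0-9]+') }}-patch.zip"
        description: "Red Hat Build of Keycloak patch archive filename"
        type: "str"
      rhbk_product_category:
        default: "rhbk"
        description: "JBossNetwork API category for Red Hat Build of Keycloak"
        type: "str"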