---
- name: Converge
  hosts: all
  vars:
    keycloak_quarkus_show_deprecation_warnings: false
    keycloak_quarkus_bootstrap_admin_password: "remembertochangeme"
    keycloak_quarkus_bootstrap_admin_user: "remembertochangeme"
    keycloak_realm: TestRealm
    keycloak_quarkus_hostname: https://instance:8443
    keycloak_quarkus_log: file
    keycloak_quarkus_log_level: debug # needed for the verify step
    keycloak_quarkus_https_key_file_enabled: true
    keycloak_quarkus_key_file_copy_enabled: true
    keycloak_quarkus_key_content: "{{ lookup('file', 'key.pem') }}"
    keycloak_quarkus_cert_file_copy_enabled: true
    keycloak_quarkus_cert_file_src: cert.pem
    keycloak_quarkus_log_target: /tmp/keycloak
    keycloak_quarkus_ks_vault_enabled: true
    keycloak_quarkus_ks_vault_file: "/opt/keycloak/vault/keystore.p12"
    keycloak_quarkus_ks_vault_pass: keystorepassword
    keycloak_quarkus_systemd_wait_for_port: true
    keycloak_quarkus_systemd_wait_for_timeout: 20
    keycloak_quarkus_systemd_wait_for_delay: 2
    keycloak_quarkus_systemd_wait_for_log: true
    keycloak_quarkus_restart_health_check: false # would fail because of self-signed cert
    keycloak_quarkus_version: 26.3.0
    keycloak_quarkus_java_heap_opts: "-Xms1024m -Xmx1024m"
    keycloak_quarkus_additional_env_vars:
      - key: KC_FEATURES_DISABLED
        value: impersonation,kerberos
    keycloak_quarkus_providers:
      - id: http-client
        spi: connections
        default: true
        restart: true
        properties:
          - key: default-connection-pool-size
            value: 10
      - id: spid-saml
        url: https://github.com/italia/spid-keycloak-provider/releases/download/24.0.2/spid-provider.jar
      - id: spid-saml-w-checksum
        url: https://github.com/italia/spid-keycloak-provider/releases/download/24.0.2/spid-provider.jar
        checksum: sha256:fbb50e73739d7a6d35b5bff611b1c01668b29adf6f6259624b95e466a305f377
      - id: keycloak-kerberos-federation
        maven:
          repository_url: https://repo1.maven.org/maven2/ # https://mvnrepository.com/artifact/org.keycloak/keycloak-kerberos-federation/24.0.4
          group_id: org.keycloak
          artifact_id: keycloak-kerberos-federation
          version: 26.3.0 # optional
          # username: myUser # optional
          # password: myPAT # optional
      # - id: my-static-theme
      #   local_path: /tmp/my-static-theme.jar
    keycloak_quarkus_policies:
      - name: "cain-and-abel.txt"
        url: "https://github.com/danielmiessler/SecLists/raw/master/Passwords/Software/cain-and-abel.txt"
      - name: "john-the-ripper.txt"
        url: "https://github.com/danielmiessler/SecLists/raw/master/Passwords/Software/john-the-ripper.txt"
        type: password-blacklists
  roles:
    - role: keycloak_quarkus
    - role: keycloak_realm
      keycloak_url: http://instance:8080
      keycloak_context: ''
      keycloak_admin_user: "{{ keycloak_quarkus_bootstrap_admin_user }}"
      keycloak_admin_password: "{{ keycloak_quarkus_bootstrap_admin_password }}"
      keycloak_client_default_roles:
        - TestRoleAdmin
        - TestRoleUser
      keycloak_client_users:
        - username: TestUser
          password: password
          client_roles:
            - client: TestClient
              role: TestRoleUser
              realm: "{{ keycloak_realm }}"
        - username: TestAdmin
          password: password
          client_roles:
            - client: TestClient
              role: TestRoleUser
              realm: "{{ keycloak_realm }}"
            - client: TestClient
              role: TestRoleAdmin
              realm: "{{ keycloak_realm }}"
      keycloak_realm: TestRealm
      keycloak_clients:
        - name: TestClient
          roles: "{{ keycloak_client_default_roles }}"
          realm: "{{ keycloak_realm }}"
          public_client: "{{ keycloak_client_public }}"
          web_origins: "{{ keycloak_client_web_origins }}"
          users: "{{ keycloak_client_users }}"
          client_id: TestClient