mirror of
https://github.com/ansible-middleware/keycloak.git
synced 2025-04-06 02:40:30 -07:00
320a5f0d9a
This change should avoid storing plain private keys on disk due to security risks. It also makes it easier to encrypt the data with SOPS.
152 lines
6.8 KiB
YAML
152 lines
6.8 KiB
YAML
---
|
|
### Configuration specific to keycloak
|
|
keycloak_quarkus_version: 24.0.3
|
|
keycloak_quarkus_archive: "keycloak-{{ keycloak_quarkus_version }}.zip"
|
|
keycloak_quarkus_download_url: "https://github.com/keycloak/keycloak/releases/download/{{ keycloak_quarkus_version }}/{{ keycloak_quarkus_archive }}"
|
|
keycloak_quarkus_installdir: "{{ keycloak_quarkus_dest }}/keycloak-{{ keycloak_quarkus_version }}"
|
|
|
|
# whether to install from local archive
|
|
keycloak_quarkus_offline_install: false
|
|
|
|
### Install location and service settings
|
|
keycloak_quarkus_java_home:
|
|
keycloak_quarkus_dest: /opt/keycloak
|
|
keycloak_quarkus_home: "{{ keycloak_quarkus_installdir }}"
|
|
keycloak_quarkus_config_dir: "{{ keycloak_quarkus_home }}/conf"
|
|
keycloak_quarkus_start_dev: false
|
|
keycloak_quarkus_service_user: keycloak
|
|
keycloak_quarkus_service_group: keycloak
|
|
keycloak_quarkus_service_restart_always: false
|
|
keycloak_quarkus_service_restart_on_failure: false
|
|
keycloak_quarkus_service_restartsec: "10s"
|
|
|
|
keycloak_quarkus_configure_firewalld: false
|
|
keycloak_quarkus_configure_iptables: false
|
|
|
|
### administrator console password
|
|
keycloak_quarkus_admin_user: admin
|
|
keycloak_quarkus_admin_pass:
|
|
keycloak_quarkus_master_realm: master
|
|
|
|
### Configuration settings
|
|
keycloak_quarkus_bind_address: 0.0.0.0
|
|
keycloak_quarkus_host: localhost
|
|
keycloak_quarkus_port: -1
|
|
keycloak_quarkus_path:
|
|
keycloak_quarkus_http_enabled: true
|
|
keycloak_quarkus_http_port: 8080
|
|
keycloak_quarkus_https_port: 8443
|
|
keycloak_quarkus_ajp_port: 8009
|
|
keycloak_quarkus_jgroups_port: 7800
|
|
keycloak_quarkus_java_heap_opts: "-Xms1024m -Xmx2048m"
|
|
keycloak_quarkus_java_jvm_opts: "-XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Dfile.encoding=UTF-8 -Dsun.stdout.encoding=UTF-8
|
|
-Dsun.err.encoding=UTF-8 -Dstdout.encoding=UTF-8 -Dstderr.encoding=UTF-8 -XX:+ExitOnOutOfMemoryError
|
|
-Djava.security.egd=file:/dev/urandom -XX:+UseParallelGC -XX:GCTimeRatio=4
|
|
-XX:AdaptiveSizePolicyWeight=90 -XX:FlightRecorderOptions=stackdepth=512"
|
|
keycloak_quarkus_java_opts: "{{ keycloak_quarkus_java_heap_opts + ' ' + keycloak_quarkus_java_jvm_opts }}"
|
|
|
|
### TLS/HTTPS configuration
|
|
keycloak_quarkus_https_key_file_enabled: false
|
|
keycloak_quarkus_key_file_copy_enabled: false
|
|
keycloak_quarkus_key_content: ""
|
|
keycloak_quarkus_key_file: "/etc/pki/tls/private/server.key.pem"
|
|
keycloak_quarkus_cert_file_copy_enabled: false
|
|
keycloak_quarkus_cert_file_src: ""
|
|
keycloak_quarkus_cert_file: "/etc/pki/tls/certs/server.crt.pem"
|
|
#### key store configuration
|
|
keycloak_quarkus_https_key_store_enabled: false
|
|
keycloak_quarkus_https_key_store_file: "{{ keycloak.home }}/conf/key_store.p12"
|
|
keycloak_quarkus_https_key_store_password: ''
|
|
##### trust store configuration
|
|
keycloak_quarkus_https_trust_store_enabled: false
|
|
keycloak_quarkus_https_trust_store_file: "{{ keycloak.home }}/conf/trust_store.p12"
|
|
keycloak_quarkus_https_trust_store_password: ''
|
|
### configuration key store configuration
|
|
keycloak_quarkus_config_key_store_file: "{{ keycloak.home }}/conf/conf_store.p12"
|
|
keycloak_quarkus_config_key_store_password: ''
|
|
|
|
### Enable configuration for database backend, clustering and remote caches on infinispan
|
|
keycloak_quarkus_ha_enabled: false
|
|
keycloak_quarkus_ha_discovery: "TCPPING"
|
|
### Enable database configuration, must be enabled when HA is configured
|
|
keycloak_quarkus_db_enabled: "{{ keycloak_quarkus_ha_enabled }}"
|
|
keycloak_quarkus_systemd_wait_for_port: "{{ keycloak_quarkus_ha_enabled }}"
|
|
keycloak_quarkus_systemd_wait_for_log: false
|
|
keycloak_quarkus_systemd_wait_for_timeout: 60
|
|
keycloak_quarkus_systemd_wait_for_delay: 10
|
|
|
|
### keycloak frontend url
|
|
keycloak_quarkus_frontend_url:
|
|
keycloak_quarkus_admin_url:
|
|
|
|
### Set the path relative to / for serving resources. The path must start with a /
|
|
### (set to `/auth` for retrocompatibility with pre-quarkus releases)
|
|
keycloak_quarkus_http_relative_path: /
|
|
|
|
# Disables dynamically resolving the hostname from request headers.
|
|
# Should always be set to true in production, unless proxy verifies the Host header.
|
|
keycloak_quarkus_hostname_strict: true
|
|
# By default backchannel URLs are dynamically resolved from request headers to allow internal and external applications.
|
|
# If all applications use the public URL this option should be enabled.
|
|
keycloak_quarkus_hostname_strict_backchannel: false
|
|
|
|
# proxy address forwarding mode if the server is behind a reverse proxy. [none, edge, reencrypt, passthrough]
|
|
keycloak_quarkus_proxy_mode: edge
|
|
|
|
# disable xa transactions
|
|
keycloak_quarkus_transaction_xa_enabled: true
|
|
|
|
# If the route should be attached to cookies to reflect the node that owns a particular session.
|
|
# If false, route is not attached to cookies and we rely on the session affinity capabilities from reverse proxy
|
|
keycloak_quarkus_spi_sticky_session_encoder_infinispan_should_attach_route: true
|
|
|
|
keycloak_quarkus_metrics_enabled: false
|
|
keycloak_quarkus_health_enabled: true
|
|
|
|
### infinispan remote caches access (hotrod)
|
|
keycloak_quarkus_ispn_user: supervisor
|
|
keycloak_quarkus_ispn_pass: supervisor
|
|
keycloak_quarkus_ispn_hosts: "localhost:11222"
|
|
keycloak_quarkus_ispn_sasl_mechanism: SCRAM-SHA-512
|
|
keycloak_quarkus_ispn_use_ssl: false
|
|
# if ssl is enabled, import ispn server certificate here
|
|
keycloak_quarkus_ispn_trust_store_path: /etc/pki/java/cacerts
|
|
keycloak_quarkus_ispn_trust_store_password: changeit
|
|
|
|
### database backend engine: values [ 'postgres', 'mariadb' ]
|
|
keycloak_quarkus_jdbc_engine: postgres
|
|
### database backend credentials
|
|
keycloak_quarkus_db_user: keycloak-user
|
|
keycloak_quarkus_db_pass: keycloak-pass
|
|
keycloak_quarkus_jdbc_url: "{{ keycloak_quarkus_default_jdbc[keycloak_quarkus_jdbc_engine].url }}"
|
|
keycloak_quarkus_jdbc_driver_version: "{{ keycloak_quarkus_default_jdbc[keycloak_quarkus_jdbc_engine].version }}"
|
|
# override the variables above, following defaults show minimum supported versions
|
|
keycloak_quarkus_default_jdbc:
|
|
postgres:
|
|
url: 'jdbc:postgresql://localhost:5432/keycloak'
|
|
version: 9.4.1212
|
|
mariadb:
|
|
url: 'jdbc:mariadb://localhost:3306/keycloak'
|
|
version: 2.7.4
|
|
mssql:
|
|
url: 'jdbc:sqlserver://localhost:1433;databaseName=keycloak;'
|
|
version: 12.2.0
|
|
driver_jar_url: "https://repo1.maven.org/maven2/com/microsoft/sqlserver/mssql-jdbc/12.2.0.jre11/mssql-jdbc-12.2.0.jre11.jar"
|
|
# cf. https://access.redhat.com/documentation/en-us/red_hat_build_of_keycloak/22.0/html/server_guide/db-#db-installing-the-microsoft-sql-server-driver
|
|
### logging configuration
|
|
keycloak_quarkus_log: file
|
|
keycloak_quarkus_log_level: info
|
|
keycloak_quarkus_log_file: data/log/keycloak.log
|
|
keycloak_quarkus_log_format: '%d{yyyy-MM-dd HH:mm:ss,SSS} %-5p [%c] (%t) %s%e%n'
|
|
keycloak_quarkus_log_target: /var/log/keycloak
|
|
keycloak_quarkus_log_max_file_size: 10M
|
|
keycloak_quarkus_log_max_backup_index: 10
|
|
keycloak_quarkus_log_file_suffix: '.yyyy-MM-dd.zip'
|
|
|
|
# keystore-based vault
|
|
keycloak_quarkus_ks_vault_enabled: false
|
|
keycloak_quarkus_ks_vault_file: "{{ keycloak_quarkus_config_dir }}/keystore.p12"
|
|
keycloak_quarkus_ks_vault_type: PKCS12
|
|
keycloak_quarkus_ks_vault_pass:
|
|
|
|
keycloak_quarkus_providers: []
|