defaults/main.yml

---
keycloak_ver: '11.0.0'
keycloak_environment: "production"
keycloak_mirror: https://downloads.jboss.org/keycloak

keycloak_parent_install_dir: /opt
keycloak_home: "{{ keycloak_parent_install_dir }}/keycloak"

keycloak_java_packages: openjdk-11-jre

keycloak_admin_username: admin

keycloak_log_dir: "/var/log/keycloak"

postgresql_driver_jar_mirror: https://jdbc.postgresql.org/download/
postgresql_driver_jar_name: postgresql-42.2.12.jre6
keycloak_postgresql_user: "keycloak"
keycloak_postgresql_user_role_attr_flags: "LOGIN"

keycloak_clustered_mode: false
keycloak_postgresql_port: 5432

keycloak_start_command: "{{ keycloak_home }}/bin/standalone.sh -b={{ ansible_default_ipv4.address }}"
keycloak_clustered_start_command: "{{ keycloak_home }}/bin/standalone.sh -c standalone-ha.xml -b={{ ansible_default_ipv4.address }} -Djboss.bind.address.private={{ ansible_default_ipv4.address }}"

keycloak_config_file: "{{ 'standalone-ha.xml' if keycloak_clustered_mode else 'standalone.xml' }}"

# Certbot
keycloak_certbot_site_names: ["{{ keycloak_site_name }}"]
keycloak_certbot_mail_address: ""
keycloak_certs_from_letsencrypt: "{{ not keycloak_clustered_mode }}"

# NGINX
keycloak_nginx_ssl_src_dir: "/etc/letsencrypt/live/{{ keycloak_site_name }}"
keycloak_nginx_ssl_cert_file: "fullchain.pem"
keycloak_nginx_ssl_key_file: "privkey.pem"

keycloak_nginx_http_site: "{{ keycloak_site_name }}-http"
keycloak_nginx_https_site: "{{ keycloak_site_name }}-https"


keycloak_nginx_proxy_buffer_size: "128k"
keycloak_nginx_proxy_buffers: "4 256k"
keycloak_nginx_proxy_busy_buffers_size: "256k"
keycloak_nginx_ssl_remote_src: "{{ not keycloak_clustered_mode }}"
keycloak_nginx_ssl_create_symlink: "{{ not keycloak_clustered_mode }}"
keycloak_nginx_ssl_dir: "{{ nginx_dir }}/ssl/{{ site.server.server_name }}"
keycloak_nginx_upstream_url: "https://localhost:{{ keycloak_https_port }}"
keycloak_nginx_server_names_hash_bucket_size: 64
keycloak_nginx_sites:
  - server:
      name: "{{ keycloak_nginx_http_site }}"
      __listen: "80;\n  listen [::]:80;\n"
      server_name: "{{ keycloak_site_name }}"
      return: "301 https://$server_name$request_uri"
      ssl:
        enabled: false

  - server:
      name:  "{{ keycloak_nginx_https_site }}"
      __listen: "443;\n  listen [::]:443;\n"
      server_name: "{{ keycloak_site_name }}"
      client_max_body_size: "{{ keycloak_nginx_max_filesize }}"
      large_client_header_buffers: "8 64k"
      ssl:
        enabled: true
        cert: "{{ keycloak_nginx_ssl_cert_file }}"
        key:  "{{ keycloak_nginx_ssl_key_file }}"
        src_dir: "{{ keycloak_nginx_ssl_src_dir }}"
        conf: "{{ keycloak_site_name }}-ssl.conf"
        remote_src: "{{ keycloak_nginx_ssl_remote_src }}"
        create_symlink: "{{ keycloak_nginx_ssl_create_symlink }}"
        access_log_format: "timed_combined"

      location1:
        name: "/"
        proxy_pass: "{{ keycloak_nginx_upstream_url }}"
        proxy_read_timeout: "86400s"
        proxy_next_upstream: "error timeout invalid_header http_502 http_503 http_504"
        proxy_set_header:
          - Host $host
          - X-Real-IP $remote_addr
          - X-Forwarded-For $proxy_add_x_forwarded_for
          - X-Forwarded-Host $server_name
          - X-Forwarded-Proto https
        proxy_buffer_size: "{{ keycloak_nginx_proxy_buffer_size }}"
        proxy_buffers: "{{ keycloak_nginx_proxy_buffers }}"
        proxy_busy_buffers_size: "{{ keycloak_nginx_proxy_busy_buffers_size }}"
          
keycloak_nginx_log_dir: "/var/log/nginx"
keycloak_nginx_enabled_sites:
  - "{{ keycloak_nginx_http_site }}"
  - "{{ keycloak_nginx_https_site }}"
keycloak_nginx_disabled_sites:
  - default
keycloak_nginx_access_logs:
  - name: "timed_combined"
    format: "'$http_x_forwarded_for - $remote_user [$time_local]  \"$request\" $status $body_bytes_sent \"$http_referer\" \"$http_user_agent\" $request_time $upstream_response_time $gzip_ratio' $request_length"
    options: null
    filename: "access.log"

# Logstash
keycloak_install_logstash: true
keycloak_logstash_gelf_server: 127.0.0.1
keycloak_logstash_gelf_port: "12204"
keycloak_logstash_input_config_suffix: "{{ keycloak_site_name }}"
keycloak_clear_logstash_config: false
keycloak_logstash_plugins:
  - name: logstash-output-gelf
    state: present
keycloak_logstash_custom_outputs:
  - output: 'gelf'
    lines:
      - 'host => "{{ keycloak_logstash_gelf_server }}"'
      - 'port => "{{ keycloak_logstash_gelf_port }}"'
      - 'sender => "%{host}"'
keycloak_nginx_logstash_log: "{{ keycloak_nginx_log_dir }}/{{ keycloak_nginx_https_site }}-ssl-access.log"
keycloak_logstash_custom_inputs:
  - input: 'file'
    lines:
      - 'path => ["{{ keycloak_nginx_logstash_log }}"]'
      - 'start_position => "end"'
      - 'add_field => {'
      - '  ssl => true'
      - '  nginx_access => true'
      - '  from_nginx => true'
      - '  from_host => "%{host}"'
      - '  from_domain => "{{ keycloak_site_name }}"'
      - '  from_keycloak => true'
      - '  git_version => "{{ keycloak_ver }}"'
      - '  environment => "{{ keycloak_environment }}"'
      - '}'

# Cheksums
keycloak_checksums:
  # https://downloads.jboss.org/keycloak/9.0.0/keycloak-9.0.0.tar.gz.sha1
  '9.0.0': sha1:a667600d9e849a13e14e1bcb3b9821e28ce4ae9c
  # https://downloads.jboss.org/keycloak/11.0.0/keycloak-11.0.0.tar.gz.sha1
  '11.0.0': sha1:398a328a180682ee58b06df148938f5de710f89f
  