Compatibility with Keycloak 17+

files/org.postgresql.module.xml

-<?xml version="1.0" ?>
-<module xmlns="urn:jboss:module:1.3" name="org.postgresql">
-
-    <resources>
-        <resource-root path="postgresql.jar"/>
-    </resources>
-
-    <dependencies>
-        <module name="javax.api"/>
-        <module name="javax.transaction.api"/>
-    </dependencies>
-</module>

handlers/main.yml

 ---
+- name: build keycloak
+  ansible.builtin.command: bin/kc.sh build
+  args:
+    chdir: "{{ keycloak_jboss_home }}"
+  become_user: keycloak
+
 - name: restart keycloak
   ansible.builtin.systemd:
     daemon_reload: true

tasks/main.yml

@@ -14,8 +14,7 @@
   ansible.builtin.apt:
     name:
       - zulu-11
-      - libpostgresql-jdbc-java
-      - python-lxml
+      - git
     state: present
     update_cache: true
     cache_valid_time: 3600
@@ -46,55 +45,24 @@
     group: root
     remote_src: true
   when: not keycloak_directory.stat.exists
-  notify: restart keycloak
+  notify:
+    - build keycloak
+    - restart keycloak
 
-- name: Set folder permissions
+- name: Create keycloak log directory
   ansible.builtin.file:
+    state: directory
+    path: "/car/log/keycloak"
     owner: keycloak
     group: keycloak
-    path: "{{ keycloak_jboss_home }}/standalone"
-    recurse: true
-
-- name: Create postgresql module folder in keycloak
-  ansible.builtin.file:
-    path: "{{ keycloak_jboss_home }}/modules/system/layers/keycloak/org/postgresql/main/"
-    state: directory
     mode: 0755
 
-- name: Add postgresql jar to keycloak
+- name: Set folder permissions
   ansible.builtin.file:
-    src: /usr/share/java/postgresql.jar
-    dest: "{{ keycloak_jboss_home }}/modules/system/layers/keycloak/org/postgresql/main/postgresql.jar"
-    state: link
-
-- name: Add postgresql module definition to keycloak
-  ansible.builtin.copy:
-    src: org.postgresql.module.xml
-    dest: "{{ keycloak_jboss_home }}/modules/system/layers/keycloak/org/postgresql/main/module.xml"
-    mode: 0644
-
-- name: Check if postgresql module is already in JBoss
-  ansible.builtin.xml:
-    path: "{{ keycloak_jboss_home }}/standalone/configuration/standalone.xml"
-    xpath: /x:server/x:profile/y:subsystem/y:datasources/y:drivers/y:driver[@name='postgresql']
-    count: true
-    namespaces:
-      x: urn:jboss:domain:19.0
-      y: urn:jboss:domain:datasources:6.0
-  register: keycloak_postgresql_module_installed
-
-- name: Install postgresql module in JBoss
-  ansible.builtin.xml:
-    path: "{{ keycloak_jboss_home }}/standalone/configuration/standalone.xml"
-    xpath: /x:server/x:profile/y:subsystem/y:datasources/y:drivers
-    add_children:
-      - <driver name="postgresql" module="org.postgresql"><xa-datasource-class>org.postgresql.xa.PGXADataSource</xa-datasource-class></driver>
-    input_type: xml
-    namespaces:
-      x: urn:jboss:domain:19.0
-      y: urn:jboss:domain:datasources:6.0
-  notify: restart keycloak
-  when: keycloak_postgresql_module_installed.count == 0
+    owner: keycloak
+    group: keycloak
+    path: "{{ keycloak_jboss_home }}"
+    recurse: true
 
 - name: Create user and db on server
   ansible.builtin.import_role:
@@ -105,37 +73,16 @@
       password: "{{ keycloak_pgdb_pass }}"
     db_host: "{{ keycloak_pgdb_host }}"
 
-- name: Add postgresql config in JBoss
-  ansible.builtin.xml:
-    path: "{{ keycloak_jboss_home }}/standalone/configuration/standalone.xml"
-    xpath: /x:server/x:profile/y:subsystem/y:datasources/y:datasource[@pool-name='KeycloakDS']
-    set_children:
-      - "<connection-url>jdbc:postgresql://{{ hostvars[keycloak_pgdb_host]['ansible_default_ipv4']['address'] }}/{{ keycloak_pgdb_user }}</connection-url>"
-      - <driver>postgresql</driver>
-      - <pool><max-pool-size>10</max-pool-size></pool>
-      - "<security><user-name>{{ keycloak_pgdb_user }}</user-name><password>{{ keycloak_pgdb_pass }}</password></security>"
-      - <validation>
-        <valid-connection-checker class-name="org.jboss.jca.adapters.jdbc.extensions.postgres.PostgreSQLValidConnectionChecker"></valid-connection-checker>
-        <validate-on-match>true</validate-on-match>
-        <background-validation>false</background-validation>
-        <exception-sorter class-name="org.jboss.jca.adapters.jdbc.extensions.postgres.PostgreSQLExceptionSorter"/>
-        </validation>
-    input_type: xml
-    namespaces:
-      x: urn:jboss:domain:19.0
-      y: urn:jboss:domain:datasources:6.0
-  notify: restart keycloak
-
-- name: Make keycloak reverse proxy aware
-  ansible.builtin.xml:
-    path: "{{ keycloak_jboss_home }}/standalone/configuration/standalone.xml"
-    xpath: /x:server/x:profile/y:subsystem/y:server/y:http-listener
-    attribute: proxy-address-forwarding
-    value: "{{ keycloak_proxy_address_forwarding }}"
-    namespaces:
-      x: urn:jboss:domain:19.0
-      y: urn:jboss:domain:undertow:12.0
-  notify: restart keycloak
+- name: Copy Keycloak config file
+  ansible.builtin.template:
+    src: keycloak.conf.j2
+    dest: "{{ keycloak_jboss_home }}/conf/keycloak.conf"
+    owner: keycloak
+    group: keycloak
+    mode: 0644
+  notify:
+    - build keycloak
+    - restart keycloak
 
 - name: Install systemd unit file
   ansible.builtin.template:
@@ -144,26 +91,38 @@
     mode: 0644
   notify: restart keycloak
 
-- name: Add master realm admin to keycloak
-  ansible.builtin.command: "{{ keycloak_jboss_home }}/bin/add-user-keycloak.sh -r master -u {{ keycloak_master_realm_admin_user }} -p {{ keycloak_master_realm_admin_pass }}"
-  args:
-    creates: "{{ keycloak_jboss_home }}/standalone/configuration/keycloak-add-user.json"
-  notify: restart keycloak
+- name: Inform about setting up admin user
+  ansible.builtin.debug:
+    msg: |
+      You can now set up the admin user by accessing Keycloak on localhost:8080
+      Use these credentials:
+      USER: {{ keycloak_master_realm_admin_user }}
+      PASSWORD: {{ keycloak_master_realm_admin_pass }}
   when: not keycloak_directory.stat.exists
 
+- name: Suppress Git safe directory warnings
+  community.general.git_config:
+    name: safe.directory
+    scope: global
+    value: "*"
+
 - name: Install custom keycloak themes
   ansible.builtin.git:
     dest: "{{ keycloak_jboss_home }}/themes/{{ item.name }}"
     repo: "{{ item.repository }}"
     version: master
   with_items: "{{ keycloak_custom_themes }}"
-  notify: restart keycloak
+  notify:
+    - build keycloak
+    - restart keycloak
 
 - name: Install custom keycloak deployments
   ansible.builtin.get_url:
-    dest: "{{ keycloak_jboss_home }}/standalone/deployments/{{ item.name }}"
+    dest: "{{ keycloak_jboss_home }}/providers/{{ item.name }}"
     url: "{{ item.url }}"
     force: true
     mode: 644
   with_items: "{{ keycloak_custom_deployments }}"
-  notify: restart keycloak
+  notify:
+    - build keycloak
+    - restart keycloak

templates/keycloak.conf.j2

+# Basic settings for running in production. Change accordingly before deploying the server.
+
+# Database
+db=postgres
+db-username={{ keycloak_pgdb_user }}
+db-password={{ keycloak_pgdb_pass }}
+db-url-database={{ keycloak_pgdb_user }}
+db-url-host={{ hostvars[keycloak_pgdb_host]['ansible_default_ipv4']['address'] }}
+
+# Observability
+
+# If the server should expose healthcheck endpoints.
+health-enabled=true
+# If the server should expose metrics endpoints.
+metrics-enabled=true
+
+# HTTP
+proxy=edge
+hostname={{ keycloak_hostname }}
+

templates/keycloak.service.j2

 [Unit]
-Description=Keycloak
-After=network.target
+Description=Keycloak server
+After=network-online.target
+Wants=network-online.target systemd-networkd-wait-online.service
 
 [Service]
-Type=simple
-Environment=LAUNCH_JBOSS_IN_BACKGROUND=1
-Environment=JBOSS_PIDFILE=/run/keycloak/keycloak.pid
-Environment=JBOSS_HOME={{ keycloak_jboss_home }}
-Environment=JBOSS_LOG_DIR={{ keycloak_log_dir }}
-Environment="JAVA_OPTS=-Xms1024m -Xmx1536m"
 User=keycloak
 Group=keycloak
-RuntimeDirectory=keycloak
-LimitNOFILE=102642
-PIDFile=/run/keycloak/keycloak.pid
-ExecStart={{ keycloak_jboss_home }}/bin/standalone.sh -b 0.0.0.0
+ExecStart={{ keycloak_jboss_home }}/bin/kc.sh start
 Restart=on-failure
+ReadWritePaths={{ keycloak_jboss_home }}
+ReadWritePaths=/var/log/keycloak
+# Disable timeout logic and wait until process is stopped
+TimeoutStopSec=0
+# SIGTERM signal is used to stop the Java process
+KillSignal=SIGTERM
+# Send the signal only to the JVM rather than its control group
+KillMode=process
+# Java process is never killed
+SendSIGKILL=no
+# When a JVM receives a SIGTERM signal it exits with code 143
+SuccessExitStatus=143
+
+# Hardening options
+CapabilityBoundingSet=
+AmbientCapabilities=
+NoNewPrivileges=true
+ProtectHome=true
+ProtectSystem=strict
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectControlGroups=true
+PrivateTmp=true
+PrivateDevices=true
+LockPersonality=true
 
 [Install]
 WantedBy=multi-user.target