Jeremy Stanley f1ad3c5198 Add backups for the new Keycloak server
We should really be backing this up before it begins to get used by
additional services. Also, since our newer deployment uses a
separate RDBMS, back that up safely.

Change-Id: I4510dd05204f4b0f450d1925ed7be148d7d73e6e
2024-02-09 17:35:02 +00:00


- name: Ensure docker-compose directory exists
file:
state: directory
path: /etc/keycloak-docker
- name: Write settings file
template:
src: docker-compose.yaml.j2
dest: /etc/keycloak-docker/docker-compose.yaml
owner: root
group: root
mode: "0600"
notify: keycloak restart containers
# This deliberately does not set owner/group/mode, as the mariadb container
# chowns this directory to be owned by a container-internal user and drops
# root privileges. We don't want to reset this from outside the container.
- name: Ensure data directory exists
file:
state: directory
path: /var/lib/keycloak/db
- name: Copy our MariaDB config stub overriding bind-address
copy:
src: 99-bind-address.cnf
dest: /var/lib/keycloak/99-bind-address.cnf
owner: root
group: root
mode: "0644"
notify: keycloak restart containers
- name: Install apache2
apt:
name:
- apache2
- apache2-utils
state: present
- name: Apache modules
apache2_module:
state: present
name: "{{ item }}"
loop:
- rewrite
- proxy
- proxy_http
- ssl
- headers
- proxy_wstunnel
notify: keycloak restart apache2
- name: Copy apache config
template:
src: keycloak.vhost.j2
dest: /etc/apache2/sites-enabled/000-default.conf
owner: root
group: root
mode: 0644
notify: keycloak reload apache2
- name: Run docker-compose pull
shell:
cmd: docker-compose pull
chdir: /etc/keycloak-docker/
- name: Run docker-compose up
shell:
cmd: docker-compose up -d
chdir: /etc/keycloak-docker/
register: keycloak_dcup
- name: Wait for keycloak to start
wait_for:
host: "::1"
port: 8080
timeout: 300
- name: Run docker prune to cleanup unneeded images
shell:
cmd: docker image prune -f
#### Database Backups ####
- name: Create db backup dest
file:
state: directory
path: /var/backups/keycloak-mariadb
mode: 0700
owner: root
group: root
- name: Set up cron job to backup the database
cron:
name: keycloak-db-backup
state: present
user: root
job: >
/usr/local/bin/docker-compose -f /etc/keycloak-docker/docker-compose.yaml exec -T mariadb
bash -c '/usr/bin/mysqldump --opt --databases keycloak --single-transaction -uroot -p"$MARIADB_ROOT_PASSWORD"' |
gzip -9 > /var/backups/keycloak-mariadb/keycloak-mariadb.sql.gz
minute: 14
hour: 5
- name: Rotate db backups
include_role:
name: logrotate
vars:
logrotate_file_name: /var/backups/keycloak-mariadb/keycloak-mariadb.sql.gz
logrotate_compress: false
- name: Setup db backup streaming job
block:
- name: Create backup streaming config dir
file:
path: /etc/borg-streams
state: directory
- name: Create db streaming file
copy:
content: >-
/usr/local/bin/docker-compose -f /etc/keycloak-docker/docker-compose.yaml exec -T mariadb
bash -c '/usr/bin/mysqldump --skip-extended-insert --databases keycloak --single-transaction -uroot -p"$MARIADB_ROOT_PASSWORD"'
dest: /etc/borg-streams/mysql