Verified Commit 25a41929 authored by Sven-Hendrik Haase's avatar Sven-Hendrik Haase

Use archlinux realm for applications instead of master

parent 3e2b6934
......@@ -20,9 +20,9 @@ CLIENT_ID = "admin-cli"
KEYCLOAK_ADMIN_USERNAME = os.environ["KEYCLOAK_ADMIN_USERNAME"]
KEYCLOAK_ADMIN_PASSWORD = os.environ["KEYCLOAK_ADMIN_PASSWORD"]
KEYCLOAK_URL = "https://accounts.archlinux.org/auth"
KEYCLOAK_REALM = "master"
KEYCLOAK_REALM = "archlinux"
REALM_URL = f"{KEYCLOAK_URL}/realms/{KEYCLOAK_REALM}"
REALM_URL = f"{KEYCLOAK_URL}/realms/master"
FETCH_TOKEN_URL = f"{REALM_URL}/protocol/openid-connect/token"
API_BASE_URL = f"{KEYCLOAK_URL}/admin/realms/{KEYCLOAK_REALM}"
......
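Review bot: REALM_URL (and so FETCH_TOKEN_URL) stays pinned to the master realm while API_BASE_URL now follows KEYCLOAK_REALM, and nothing in the hunk records why, so the next reader is likely to "fix" it back to `{KEYCLOAK_REALM}`; assuming the second line of each printed pair is the new side, add a comment above REALM_URL such as `# Token is issued by the master realm, where the admin user lives; API calls target KEYCLOAK_REALM`. Separately, authenticating an application as the master-realm admin through admin-cli gives it full control over every realm on the server; a confidential client inside the archlinux realm with a service account holding only the realm-management roles the script needs would confine that credential, and the hunk does not indicate whether that was considered.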
......@@ -9,7 +9,7 @@
- restart keycloak
- name: create an admin user
command: /opt/keycloak/bin/add-user-keycloak.sh -u "{{ vault_keycloak_admin_user }}" -p "{{ vault_keycloak_admin_password }}"
command: /opt/keycloak/bin/add-user-keycloak.sh -r master -u "{{ vault_keycloak_admin_user }}" -p "{{ vault_keycloak_admin_password }}"
args:
creates: /opt/keycloak/standalone/configuration/keycloak-add-user.json
......
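Review bot: The rewritten command line still passes the vault password as a plain argument, so it is visible in the process list while the script runs and, with Ansible's default logging, in verbose task output; add `no_log: true` to this task to keep the secret out of logs. Note also that the task is guarded by `creates:`, so the explicit `-r master` only takes effect on fresh installs, which should be harmless if master is already the script's default realm (I believe it is, but verify).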
......@@ -34,4 +34,8 @@ server {
proxy_set_header Host $host;
proxy_ssl_verify off;
}
location = / {
return 301 https://$server_name/auth/;
}
}
......@@ -34,8 +34,8 @@ variable "gitlab_instance" {
}
}
resource "keycloak_realm" "master" {
realm = "master"
resource "keycloak_realm" "archlinux" {
realm = "archlinux"
enabled = true
remember_me = true
display_name = "Arch Linux"
......@@ -59,7 +59,7 @@ resource "keycloak_realm" "master" {
}
resource "keycloak_saml_client" "saml_gitlab" {
realm_id = "master" // "${keycloak_realm.realm.id}"
realm_id = "archlinux" // "${keycloak_realm.realm.id}"
client_id = "saml_gitlab"
name = "Arch Linux Accounts"
......@@ -84,7 +84,7 @@ resource "keycloak_saml_client" "saml_gitlab" {
resource "keycloak_saml_user_property_protocol_mapper" "gitlab_saml_email" {
realm_id = "master"
realm_id = "archlinux"
client_id = keycloak_saml_client.saml_gitlab.id
name = "email"
......@@ -96,7 +96,7 @@ resource "keycloak_saml_user_property_protocol_mapper" "gitlab_saml_email" {
resource "keycloak_saml_user_property_protocol_mapper" "gitlab_saml_name" {
realm_id = "master"
realm_id = "archlinux"
client_id = keycloak_saml_client.saml_gitlab.id
name = "name"
......@@ -108,7 +108,7 @@ resource "keycloak_saml_user_property_protocol_mapper" "gitlab_saml_name" {
resource "keycloak_saml_user_property_protocol_mapper" "gitlab_saml_first_name" {
realm_id = "master"
realm_id = "archlinux"
client_id = keycloak_saml_client.saml_gitlab.id
name = "first_name"
......@@ -120,7 +120,7 @@ resource "keycloak_saml_user_property_protocol_mapper" "gitlab_saml_first_name"
resource "keycloak_saml_user_property_protocol_mapper" "gitlab_saml_last_name" {
realm_id = "master"
realm_id = "archlinux"
client_id = keycloak_saml_client.saml_gitlab.id
name = "last_name"
......@@ -138,18 +138,18 @@ variable "arch_groups" {
resource "keycloak_group" "arch_groups" {
for_each = var.arch_groups
realm_id = "master"
realm_id = "archlinux"
name = each.value
}
resource "keycloak_role" "devops" {
realm_id = "master"
realm_id = "archlinux"
name = "DevOps"
description = "DevOps role"
}
resource "keycloak_group_roles" "group_roles" {
realm_id = "master"
realm_id = "archlinux"
group_id = keycloak_group.arch_groups["DevOps"].id
role_ids = [
keycloak_role.devops.id
......@@ -161,7 +161,7 @@ output "gitlab_saml_configuration" {
issuer = keycloak_saml_client.saml_gitlab.client_id
assertion_consumer_service_url = var.gitlab_instance.saml_redirect_url
admin_groups = [keycloak_role.devops.name]
idp_sso_target_url = "https://accounts.archlinux.org/auth/realms/master/protocol/saml/clients/${keycloak_saml_client.saml_gitlab.client_id}"
idp_sso_target_url = "https://accounts.archlinux.org/auth/realms/archlinux/protocol/saml/clients/${keycloak_saml_client.saml_gitlab.client_id}"
signing_certificate_fingerprint = keycloak_saml_client.saml_gitlab.signing_certificate
}
}
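Review bot: The realm is still wired into every dependent resource as the literal string "archlinux" (the saml client, the four protocol mappers, the group, role and group_roles resources, and the idp_sso_target_url output), so Terraform sees no dependency on `keycloak_realm.archlinux` and may order the client before the realm on a fresh apply, and a future realm rename has to be repeated in ten places; the commented-out interpolation on the saml client line suggests this was attempted, and the working form is `realm_id = keycloak_realm.archlinux.id`, with the output line becoming `idp_sso_target_url = "https://accounts.archlinux.org/auth/realms/${keycloak_realm.archlinux.realm}/protocol/saml/clients/${keycloak_saml_client.saml_gitlab.client_id}"`. Renaming the resource address from `keycloak_realm.master` to `keycloak_realm.archlinux` also means the plan will destroy the resource previously tracked as the master realm and create a new one; if the master realm was ever imported into state, that deletion should be removed from state (`terraform state rm`) and the plan reviewed before applying. The keycloak_realm and keycloak_saml_client blocks both continue past their hunks.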