From a74054c7f1ca19b13d4a6014aab91644dbd58ce8 Mon Sep 17 00:00:00 2001
From: Evangelos Foutras <evangelos@foutrelis.com>
Date: Thu, 24 Mar 2022 23:42:31 +0200
Subject: [PATCH] keycloak: migrate to Quarkus distribution
---
roles/keycloak/defaults/main.yml | 3 +-
.../keycloak/files/create-keycloak-admin.conf | 2 +
roles/keycloak/handlers/main.yml | 4 +
roles/keycloak/tasks/main.yml | 82 +--
roles/keycloak/templates/admin-user.conf.j2 | 2 +
roles/keycloak/templates/keycloak.conf.j2 | 14 +
roles/keycloak/templates/nginx.d.conf.j2 | 6 +-
roles/keycloak/templates/standalone.xml.j2 | 569 ------------------
8 files changed, 69 insertions(+), 613 deletions(-)
create mode 100644 roles/keycloak/files/create-keycloak-admin.conf
create mode 100644 roles/keycloak/templates/admin-user.conf.j2
create mode 100644 roles/keycloak/templates/keycloak.conf.j2
delete mode 100644 roles/keycloak/templates/standalone.xml.j2
diff --git a/roles/keycloak/defaults/main.yml b/roles/keycloak/defaults/main.yml
index 7f2812bdd..05e23dde5 100644
--- a/roles/keycloak/defaults/main.yml
+++ b/roles/keycloak/defaults/main.yml
@@ -1,5 +1,4 @@
keycloak_db_name: keycloak
keycloak_domain: accounts.archlinux.org
-keycloak_home_dir: /opt/keycloak
-keycloak_port: "8443"
+keycloak_port: "8080"
keycloak_nginx_htpasswd: /etc/nginx/auth/prometheus
diff --git a/roles/keycloak/files/create-keycloak-admin.conf b/roles/keycloak/files/create-keycloak-admin.conf
new file mode 100644
index 000000000..8333aace5
--- /dev/null
+++ b/roles/keycloak/files/create-keycloak-admin.conf
@@ -0,0 +1,2 @@
+[Service]
+EnvironmentFile=-/etc/keycloak/admin-user.conf
diff --git a/roles/keycloak/handlers/main.yml b/roles/keycloak/handlers/main.yml
index 50b37eddd..c0b71fdbc 100644
--- a/roles/keycloak/handlers/main.yml
+++ b/roles/keycloak/handlers/main.yml
@@ -2,3 +2,7 @@
- name: restart keycloak
service: name=keycloak state=restarted
+
+- name: daemon reload
+ systemd:
+ daemon-reload: true
diff --git a/roles/keycloak/tasks/main.yml b/roles/keycloak/tasks/main.yml
index 29de56ee3..dddf804b3 100644
--- a/roles/keycloak/tasks/main.yml
+++ b/roles/keycloak/tasks/main.yml
@@ -1,37 +1,56 @@
---
- name: install keycloak
- pacman: name=jre11-openjdk,keycloak,keycloak-metrics-spi,python-passlib state=present
+ pacman: name=jre11-openjdk,keycloak,keycloak-archlinux-theme,keycloak-metrics-spi,python-passlib state=present
+
+- name: create postgres keycloak user
+ postgresql_user: name="{{ vault_keycloak_db_user }}" password="{{ vault_keycloak_db_password }}"
+ become: true
+ become_user: postgres
+ become_method: su
+ no_log: true
+
+- name: create keycloak db
+ postgresql_db: name="{{ keycloak_db_name }}" owner="{{ vault_keycloak_db_user }}"
+ become: true
+ become_user: postgres
+ become_method: su
- name: template keycloak config
- template: src=standalone.xml.j2 dest=/etc/keycloak/standalone.xml owner=keycloak group=keycloak mode=600
+ template: src=keycloak.conf.j2 dest=/etc/keycloak/keycloak.conf owner=root group=keycloak mode=640
+ no_log: true
notify:
- restart keycloak
-- name: copy custom theme
- copy: src=theme/archlinux dest=/opt/keycloak/themes owner=keycloak group=keycloak mode=755
- notify:
- - restart keycloak
+- name: create drop-in directory for keycloak.service
+ file: path=/etc/systemd/system/keycloak.service.d state=directory owner=root group=root mode=0755
+
+- name: get service facts
+ service_facts:
-- name: request a bearer token
- uri:
- url: http://127.0.0.1:8080/auth/realms/master/protocol/openid-connect/token
- method: POST
- body_format: form-urlencoded
- body:
- username: "{{ vault_keycloak_admin_user }}"
- password: "{{ vault_keycloak_admin_password }}"
- grant_type: password
- client_id: admin-cli
- ignore_errors: true
- register: token
-
-- name: create an admin user
- command: /opt/keycloak/bin/add-user-keycloak.sh -r master -u "{{ vault_keycloak_admin_user }}" -p "{{ vault_keycloak_admin_password }}"
- when: token.status == 401
-
-- name: start and enable keycloak
- service: name=keycloak enabled=yes state=started
+- name: create an admin user when first starting keycloak
+ block:
+ - name: install admin creation drop-in for keycloak.service
+ copy: src=create-keycloak-admin.conf dest=/etc/systemd/system/keycloak.service.d/ owner=root group=root mode=0644
+
+ - name: install temporary environment file with admin credentials
+ template: src=admin-user.conf.j2 dest=/etc/keycloak/admin-user.conf owner=root group=root mode=0600
+ no_log: true
+
+ - name: start and enable keycloak
+ service: name=keycloak enabled=yes daemon_reload=yes state=started
+
+ - name: wait for keycloak to initialize
+ wait_for: port={{ keycloak_port }}
+ always:
+ - name: remove admin credentials once keycloak is running
+ file: path=/etc/keycloak/admin-user.conf state=absent
+
+ - name: remove admin creation drop-in
+ file: path=/etc/systemd/system/keycloak.service.d/create-keycloak-admin.conf state=absent
+ notify:
+ - daemon reload
+ when: ansible_facts.services["keycloak.service"]["state"] != "running"
- name: open firewall hole
ansible.posix.firewalld: port={{ item }} permanent=true state=enabled immediate=yes
@@ -42,19 +61,6 @@
tags:
- firewall
-- name: create postgres keycloak user
- postgresql_user: name="{{ vault_keycloak_db_user }}" password="{{ vault_keycloak_db_password }}"
- become: true
- become_user: postgres
- become_method: su
- no_log: true
-
-- name: create keycloak db
- postgresql_db: name=keycloak owner="{{ vault_keycloak_db_user }}"
- become: true
- become_user: postgres
- become_method: su
-
- name: create htpasswd for nginx prometheus endpoint
htpasswd:
path: "{{ keycloak_nginx_htpasswd }}"
diff --git a/roles/keycloak/templates/admin-user.conf.j2 b/roles/keycloak/templates/admin-user.conf.j2
new file mode 100644
index 000000000..cf74d1991
--- /dev/null
+++ b/roles/keycloak/templates/admin-user.conf.j2
@@ -0,0 +1,2 @@
+KEYCLOAK_ADMIN="{{ vault_keycloak_admin_user }}"
+KEYCLOAK_ADMIN_PASSWORD="{{ vault_keycloak_admin_password }}"
diff --git a/roles/keycloak/templates/keycloak.conf.j2 b/roles/keycloak/templates/keycloak.conf.j2
new file mode 100644
index 000000000..0c11bff41
--- /dev/null
+++ b/roles/keycloak/templates/keycloak.conf.j2
@@ -0,0 +1,14 @@
+hostname={{ inventory_hostname }}
+spi-theme-welcome-theme=archlinux
+metrics-enabled=true
+
+http-enabled=true
+http-host=127.0.0.1
+http-port={{ keycloak_port }}
+http-relative-path=/auth
+proxy=edge
+
+db=postgres
+db-username={{ vault_keycloak_db_user }}
+db-password={{ vault_keycloak_db_password }}
+db-url=jdbc:postgresql://localhost/{{ keycloak_db_name }}
diff --git a/roles/keycloak/templates/nginx.d.conf.j2 b/roles/keycloak/templates/nginx.d.conf.j2
index 78672f4f8..1525e57c9 100644
--- a/roles/keycloak/templates/nginx.d.conf.j2
+++ b/roles/keycloak/templates/nginx.d.conf.j2
@@ -45,8 +45,7 @@ server {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
- proxy_ssl_verify off;
- proxy_pass https://localhost:{{ keycloak_port }};
+ proxy_pass http://127.0.0.1:{{ keycloak_port }};
}
location / {
@@ -56,8 +55,7 @@ server {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
- proxy_ssl_verify off;
- proxy_pass https://localhost:{{ keycloak_port }};
+ proxy_pass http://127.0.0.1:{{ keycloak_port }};
}
location = / {
diff --git a/roles/keycloak/templates/standalone.xml.j2 b/roles/keycloak/templates/standalone.xml.j2
deleted file mode 100644
index 409e1ff90..000000000
--- a/roles/keycloak/templates/standalone.xml.j2
+++ /dev/null
@@ -1,569 +0,0 @@
-<?xml version="1.0" ?>
-
-<server xmlns="urn:jboss:domain:19.0">
- <extensions>
- <extension module="org.jboss.as.clustering.infinispan"/>
- <extension module="org.jboss.as.connector"/>
- <extension module="org.jboss.as.deployment-scanner"/>
- <extension module="org.jboss.as.ee"/>
- <extension module="org.jboss.as.ejb3"/>
- <extension module="org.jboss.as.jaxrs"/>
- <extension module="org.jboss.as.jmx"/>
- <extension module="org.jboss.as.jpa"/>
- <extension module="org.jboss.as.logging"/>
- <extension module="org.jboss.as.mail"/>
- <extension module="org.jboss.as.naming"/>
- <extension module="org.jboss.as.remoting"/>
- <extension module="org.jboss.as.transactions"/>
- <extension module="org.jboss.as.weld"/>
- <extension module="org.keycloak.keycloak-server-subsystem"/>
- <extension module="org.wildfly.extension.bean-validation"/>
- <extension module="org.wildfly.extension.core-management"/>
- <extension module="org.wildfly.extension.elytron"/>
- <extension module="org.wildfly.extension.health"/>
- <extension module="org.wildfly.extension.io"/>
- <extension module="org.wildfly.extension.metrics"/>
- <extension module="org.wildfly.extension.request-controller"/>
- <extension module="org.wildfly.extension.security.manager"/>
- <extension module="org.wildfly.extension.undertow"/>
- </extensions>
- <management>
- <audit-log>
- <formatters>
- <json-formatter name="json-formatter"/>
- </formatters>
- <handlers>
- <file-handler name="file" formatter="json-formatter" path="audit-log.log" relative-to="jboss.server.data.dir"/>
- </handlers>
- <logger log-boot="true" log-read-only="false" enabled="false">
- <handlers>
- <handler name="file"/>
- </handlers>
- </logger>
- </audit-log>
- <management-interfaces>
- <http-interface http-authentication-factory="management-http-authentication">
- <http-upgrade enabled="true" sasl-authentication-factory="management-sasl-authentication"/>
- <socket-binding http="management-http"/>
- </http-interface>
- </management-interfaces>
- <access-control provider="simple">
- <role-mapping>
- <role name="SuperUser">
- <include>
- <user name="$local"/>
- </include>
- </role>
- </role-mapping>
- </access-control>
- </management>
- <profile>
- <subsystem xmlns="urn:jboss:domain:logging:8.0">
- <console-handler name="CONSOLE">
- <level name="INFO"/>
- <formatter>
- <named-formatter name="COLOR-PATTERN"/>
- </formatter>
- </console-handler>
- <periodic-rotating-file-handler name="FILE" autoflush="true">
- <formatter>
- <named-formatter name="PATTERN"/>
- </formatter>
- <file relative-to="jboss.server.log.dir" path="server.log"/>
- <suffix value=".yyyy-MM-dd"/>
- <append value="true"/>
- </periodic-rotating-file-handler>
- <logger category="com.arjuna">
- <level name="WARN"/>
- </logger>
- <logger category="io.jaegertracing.Configuration">
- <level name="WARN"/>
- </logger>
- <logger category="org.jboss.as.config">
- <level name="DEBUG"/>
- </logger>
- <logger category="sun.rmi">
- <level name="WARN"/>
- </logger>
- <root-logger>
- <level name="INFO"/>
- <handlers>
- <handler name="CONSOLE"/>
- <handler name="FILE"/>
- </handlers>
- </root-logger>
- <formatter name="PATTERN">
- <pattern-formatter pattern="%d{yyyy-MM-dd HH:mm:ss,SSS} %-5p [%c] (%t) %s%e%n"/>
- </formatter>
- <formatter name="COLOR-PATTERN">
- <pattern-formatter pattern="%K{level}%d{HH:mm:ss,SSS} %-5p [%c] (%t) %s%e%n"/>
- </formatter>
- </subsystem>
- <subsystem xmlns="urn:jboss:domain:bean-validation:1.0"/>
- <subsystem xmlns="urn:jboss:domain:core-management:1.0"/>
- <subsystem xmlns="urn:jboss:domain:datasources:6.0">
- <datasources>
- <datasource jndi-name="java:jboss/datasources/KeycloakDS" pool-name="KeycloakDS" enabled="true" use-java-context="true" statistics-enabled="${wildfly.datasources.statistics-enabled:${wildfly.statistics-enabled:false}}">
- <connection-url>jdbc:postgresql://localhost:5432/{{ keycloak_db_name }}</connection-url>
- <driver>postgresql</driver>
- <security>
- <user-name>{{ vault_keycloak_db_user }}</user-name>
- <password>{{ vault_keycloak_db_password }}</password>
- </security>
- </datasource>
- <drivers>
- <driver name="postgresql" module="org.postgresql">
- <xa-datasource-class>org.postgresql.xa.PGXADataSource</xa-datasource-class>
- </driver>
- <driver name="h2" module="com.h2database.h2">
- <xa-datasource-class>org.h2.jdbcx.JdbcDataSource</xa-datasource-class>
- </driver>
- </drivers>
- </datasources>
- </subsystem>
- <subsystem xmlns="urn:jboss:domain:deployment-scanner:2.0">
- <deployment-scanner path="deployments" relative-to="jboss.server.base.dir" scan-interval="5000" runtime-failure-causes-rollback="${jboss.deployment.scanner.rollback.on.failure:false}"/>
- </subsystem>
- <subsystem xmlns="urn:jboss:domain:ee:6.0">
- <spec-descriptor-property-replacement>false</spec-descriptor-property-replacement>
- <concurrent>
- <context-services>
- <context-service name="default" jndi-name="java:jboss/ee/concurrency/context/default" use-transaction-setup-provider="true"/>
- </context-services>
- <managed-thread-factories>
- <managed-thread-factory name="default" jndi-name="java:jboss/ee/concurrency/factory/default" context-service="default"/>
- </managed-thread-factories>
- <managed-executor-services>
- <managed-executor-service name="default" jndi-name="java:jboss/ee/concurrency/executor/default" context-service="default" hung-task-termination-period="0" hung-task-threshold="60000" keepalive-time="5000"/>
- </managed-executor-services>
- <managed-scheduled-executor-services>
- <managed-scheduled-executor-service name="default" jndi-name="java:jboss/ee/concurrency/scheduler/default" context-service="default" hung-task-termination-period="0" hung-task-threshold="60000" keepalive-time="3000"/>
- </managed-scheduled-executor-services>
- </concurrent>
- <default-bindings context-service="java:jboss/ee/concurrency/context/default" datasource="java:jboss/datasources/KeycloakDS" managed-executor-service="java:jboss/ee/concurrency/executor/default" managed-scheduled-executor-service="java:jboss/ee/concurrency/scheduler/default" managed-thread-factory="java:jboss/ee/concurrency/factory/default"/>
- </subsystem>
- <subsystem xmlns="urn:jboss:domain:ejb3:9.0">
- <session-bean>
- <stateless>
- <bean-instance-pool-ref pool-name="slsb-strict-max-pool"/>
- </stateless>
- <stateful default-access-timeout="5000" cache-ref="simple" passivation-disabled-cache-ref="simple"/>
- <singleton default-access-timeout="5000"/>
- </session-bean>
- <pools>
- <bean-instance-pools>
- <strict-max-pool name="mdb-strict-max-pool" derive-size="from-cpu-count" instance-acquisition-timeout="5" instance-acquisition-timeout-unit="MINUTES"/>
- <strict-max-pool name="slsb-strict-max-pool" derive-size="from-worker-pools" instance-acquisition-timeout="5" instance-acquisition-timeout-unit="MINUTES"/>
- </bean-instance-pools>
- </pools>
- <caches>
- <cache name="simple"/>
- <cache name="distributable" passivation-store-ref="infinispan" aliases="passivating clustered"/>
- </caches>
- <passivation-stores>
- <passivation-store name="infinispan" cache-container="ejb" max-size="10000"/>
- </passivation-stores>
- <async thread-pool-name="default"/>
- <timer-service thread-pool-name="default" default-data-store="default-file-store">
- <data-stores>
- <file-data-store name="default-file-store" path="timer-service-data" relative-to="jboss.server.data.dir"/>
- </data-stores>
- </timer-service>
- <remote cluster="ejb" connectors="http-remoting-connector" thread-pool-name="default">
- <channel-creation-options>
- <option name="MAX_OUTBOUND_MESSAGES" value="1234" type="remoting"/>
- </channel-creation-options>
- </remote>
- <thread-pools>
- <thread-pool name="default">
- <max-threads count="10"/>
- <keepalive-time time="60" unit="seconds"/>
- </thread-pool>
- </thread-pools>
- <default-security-domain value="other"/>
- <application-security-domains>
- <application-security-domain name="other" security-domain="ApplicationDomain"/>
- </application-security-domains>
- <default-missing-method-permissions-deny-access value="true"/>
- <statistics enabled="${wildfly.ejb3.statistics-enabled:${wildfly.statistics-enabled:false}}"/>
- <log-system-exceptions value="true"/>
- </subsystem>
- <subsystem xmlns="urn:wildfly:elytron:15.0" final-providers="combined-providers" disallowed-providers="OracleUcrypto">
- <providers>
- <aggregate-providers name="combined-providers">
- <providers name="elytron"/>
- <providers name="openssl"/>
- </aggregate-providers>
- <provider-loader name="elytron" module="org.wildfly.security.elytron"/>
- <provider-loader name="openssl" module="org.wildfly.openssl"/>
- </providers>
- <audit-logging>
- <file-audit-log name="local-audit" path="audit.log" relative-to="jboss.server.log.dir" format="JSON"/>
- </audit-logging>
- <security-domains>
- <security-domain name="ManagementDomain" default-realm="ManagementRealm" permission-mapper="default-permission-mapper">
- <realm name="ManagementRealm" role-decoder="groups-to-roles"/>
- <realm name="local" role-mapper="super-user-mapper"/>
- </security-domain>
- <security-domain name="ApplicationDomain" default-realm="ApplicationRealm" permission-mapper="default-permission-mapper">
- <realm name="ApplicationRealm" role-decoder="groups-to-roles"/>
- <realm name="local"/>
- </security-domain>
- </security-domains>
- <security-realms>
- <identity-realm name="local" identity="$local"/>
- <properties-realm name="ApplicationRealm">
- <users-properties path="application-users.properties" relative-to="jboss.server.config.dir" digest-realm-name="ApplicationRealm"/>
- <groups-properties path="application-roles.properties" relative-to="jboss.server.config.dir"/>
- </properties-realm>
- <properties-realm name="ManagementRealm">
- <users-properties path="mgmt-users.properties" relative-to="jboss.server.config.dir" digest-realm-name="ManagementRealm"/>
- <groups-properties path="mgmt-groups.properties" relative-to="jboss.server.config.dir"/>
- </properties-realm>
- </security-realms>
- <mappers>
- <simple-permission-mapper name="default-permission-mapper" mapping-mode="first">
- <permission-mapping>
- <principal name="anonymous"/>
- <permission-set name="default-permissions"/>
- </permission-mapping>
- <permission-mapping match-all="true">
- <permission-set name="login-permission"/>
- <permission-set name="default-permissions"/>
- </permission-mapping>
- </simple-permission-mapper>
- <constant-realm-mapper name="local" realm-name="local"/>
- <simple-role-decoder name="groups-to-roles" attribute="groups"/>
- <constant-role-mapper name="super-user-mapper">
- <role name="SuperUser"/>
- </constant-role-mapper>
- </mappers>
- <permission-sets>
- <permission-set name="login-permission">
- <permission class-name="org.wildfly.security.auth.permission.LoginPermission"/>
- </permission-set>
- <permission-set name="default-permissions">
- <permission class-name="org.wildfly.extension.batch.jberet.deployment.BatchPermission" module="org.wildfly.extension.batch.jberet" target-name="*"/>
- <permission class-name="org.wildfly.transaction.client.RemoteTransactionPermission" module="org.wildfly.transaction.client"/>
- <permission class-name="org.jboss.ejb.client.RemoteEJBPermission" module="org.jboss.ejb-client"/>
- </permission-set>
- </permission-sets>
- <http>
- <http-authentication-factory name="management-http-authentication" security-domain="ManagementDomain" http-server-mechanism-factory="global">
- <mechanism-configuration>
- <mechanism mechanism-name="DIGEST">
- <mechanism-realm realm-name="ManagementRealm"/>
- </mechanism>
- </mechanism-configuration>
- </http-authentication-factory>
- <http-authentication-factory name="application-http-authentication" security-domain="ApplicationDomain" http-server-mechanism-factory="global">
- <mechanism-configuration>
- <mechanism mechanism-name="BASIC">
- <mechanism-realm realm-name="ApplicationRealm"/>
- </mechanism>
- </mechanism-configuration>
- </http-authentication-factory>
- <provider-http-server-mechanism-factory name="global"/>
- </http>
- <sasl>
- <sasl-authentication-factory name="management-sasl-authentication" sasl-server-factory="configured" security-domain="ManagementDomain">
- <mechanism-configuration>
- <mechanism mechanism-name="JBOSS-LOCAL-USER" realm-mapper="local"/>
- <mechanism mechanism-name="DIGEST-MD5">
- <mechanism-realm realm-name="ManagementRealm"/>
- </mechanism>
- </mechanism-configuration>
- </sasl-authentication-factory>
- <sasl-authentication-factory name="application-sasl-authentication" sasl-server-factory="configured" security-domain="ApplicationDomain">
- <mechanism-configuration>
- <mechanism mechanism-name="JBOSS-LOCAL-USER" realm-mapper="local"/>
- <mechanism mechanism-name="DIGEST-MD5">
- <mechanism-realm realm-name="ApplicationRealm"/>
- </mechanism>
- </mechanism-configuration>
- </sasl-authentication-factory>
- <configurable-sasl-server-factory name="configured" sasl-server-factory="elytron">
- <properties>
- <property name="wildfly.sasl.local-user.default-user" value="$local"/>
- <property name="wildfly.sasl.local-user.challenge-path" value="${jboss.server.temp.dir}/auth"/>
- </properties>
- </configurable-sasl-server-factory>
- <mechanism-provider-filtering-sasl-server-factory name="elytron" sasl-server-factory="global">
- <filters>
- <filter provider-name="WildFlyElytron"/>
- </filters>
- </mechanism-provider-filtering-sasl-server-factory>
- <provider-sasl-server-factory name="global"/>
- </sasl>
- <tls>
- <key-stores>
- <key-store name="applicationKS">
- <credential-reference clear-text="password"/>
- <implementation type="JKS"/>
- <file path="application.keystore" relative-to="jboss.server.config.dir"/>
- </key-store>
- </key-stores>
- <key-managers>
- <key-manager name="applicationKM" key-store="applicationKS" generate-self-signed-certificate-host="localhost">
- <credential-reference clear-text="password"/>
- </key-manager>
- </key-managers>
- <server-ssl-contexts>
- <server-ssl-context name="applicationSSC" key-manager="applicationKM"/>
- </server-ssl-contexts>
- </tls>
- </subsystem>
- <subsystem xmlns="urn:wildfly:health:1.0" security-enabled="false"/>
- <subsystem xmlns="urn:jboss:domain:infinispan:13.0">
- <cache-container name="ejb" default-cache="passivation" marshaller="PROTOSTREAM" aliases="sfsb" modules="org.wildfly.clustering.ejb.infinispan">
- <local-cache name="passivation">
- <locking isolation="REPEATABLE_READ"/>
- <transaction mode="BATCH"/>
- <file-store passivation="true" purge="false"/>
- </local-cache>
- </cache-container>
- <cache-container name="keycloak" marshaller="JBOSS" modules="org.keycloak.keycloak-model-infinispan">
- <local-cache name="realms">
- <heap-memory size="10000"/>
- </local-cache>
- <local-cache name="users">
- <heap-memory size="10000"/>
- </local-cache>
- <local-cache name="sessions"/>
- <local-cache name="authenticationSessions"/>
- <local-cache name="offlineSessions"/>
- <local-cache name="clientSessions"/>
- <local-cache name="offlineClientSessions"/>
- <local-cache name="loginFailures"/>
- <local-cache name="work"/>
- <local-cache name="authorization">
- <heap-memory size="10000"/>
- </local-cache>
- <local-cache name="keys">
- <heap-memory size="1000"/>
- <expiration max-idle="3600000"/>
- </local-cache>
- <local-cache name="actionTokens">
- <heap-memory size="-1"/>
- <expiration interval="300000" max-idle="-1"/>
- </local-cache>
- </cache-container>
- <cache-container name="server" default-cache="default" marshaller="PROTOSTREAM" modules="org.wildfly.clustering.server">
- <local-cache name="default">
- <transaction mode="BATCH"/>
- </local-cache>
- </cache-container>
- <cache-container name="web" default-cache="passivation" marshaller="PROTOSTREAM" modules="org.wildfly.clustering.web.infinispan">
- <local-cache name="passivation">
- <locking isolation="REPEATABLE_READ"/>
- <transaction mode="BATCH"/>
- <file-store passivation="true" purge="false"/>
- </local-cache>
- <local-cache name="sso">
- <locking isolation="REPEATABLE_READ"/>
- <transaction mode="BATCH"/>
- </local-cache>
- <local-cache name="routing"/>
- </cache-container>
- <cache-container name="hibernate" marshaller="JBOSS" modules="org.infinispan.hibernate-cache">
- <local-cache name="entity">
- <heap-memory size="10000"/>
- <expiration max-idle="100000"/>
- </local-cache>
- <local-cache name="local-query">
- <heap-memory size="10000"/>
- <expiration max-idle="100000"/>
- </local-cache>
- <local-cache name="timestamps"/>
- </cache-container>
- </subsystem>
- <subsystem xmlns="urn:jboss:domain:io:3.0">
- <worker name="default"/>
- <buffer-pool name="default"/>
- </subsystem>
- <subsystem xmlns="urn:jboss:domain:jaxrs:2.0"/>
- <subsystem xmlns="urn:jboss:domain:jca:5.0">
- <archive-validation enabled="true" fail-on-error="true" fail-on-warn="false"/>
- <bean-validation enabled="true"/>
- <default-workmanager>
- <short-running-threads>
- <core-threads count="50"/>
- <queue-length count="50"/>
- <max-threads count="50"/>
- <keepalive-time time="10" unit="seconds"/>
- </short-running-threads>
- <long-running-threads>
- <core-threads count="50"/>
- <queue-length count="50"/>
- <max-threads count="50"/>
- <keepalive-time time="10" unit="seconds"/>
- </long-running-threads>
- </default-workmanager>
- <cached-connection-manager/>
- </subsystem>
- <subsystem xmlns="urn:jboss:domain:jmx:1.3">
- <expose-resolved-model/>
- <expose-expression-model/>
- <remoting-connector/>
- </subsystem>
- <subsystem xmlns="urn:jboss:domain:jpa:1.1">
- <jpa default-extended-persistence-inheritance="DEEP"/>
- </subsystem>
- <subsystem xmlns="urn:jboss:domain:keycloak-server:1.1">
- <web-context>auth</web-context>
- <providers>
- <provider>
- classpath:${jboss.home.dir}/providers/*
- </provider>
- </providers>
- <master-realm-name>master</master-realm-name>
- <scheduled-task-interval>900</scheduled-task-interval>
- <theme>
- <staticMaxAge>2592000</staticMaxAge>
- <cacheThemes>true</cacheThemes>
- <cacheTemplates>true</cacheTemplates>
- <welcomeTheme>archlinux</welcomeTheme>
- <dir>${jboss.home.dir}/themes</dir>
- </theme>
- <spi name="eventsStore">
- <provider name="jpa" enabled="true">
- <properties>
- <property name="exclude-events" value="["REFRESH_TOKEN"]"/>
- </properties>
- </provider>
- </spi>
- <spi name="userCache">
- <provider name="default" enabled="true"/>
- </spi>
- <spi name="userSessionPersister">
- <default-provider>jpa</default-provider>
- </spi>
- <spi name="timer">
- <default-provider>basic</default-provider>
- </spi>
- <spi name="connectionsHttpClient">
- <provider name="default" enabled="true"/>
- </spi>
- <spi name="connectionsJpa">
- <provider name="default" enabled="true">
- <properties>
- <property name="dataSource" value="java:jboss/datasources/KeycloakDS"/>
- <property name="initializeEmpty" value="true"/>
- <property name="migrationStrategy" value="update"/>
- <property name="migrationExport" value="${jboss.home.dir}/keycloak-database-update.sql"/>
- </properties>
- </provider>
- </spi>
- <spi name="realmCache">
- <provider name="default" enabled="true"/>
- </spi>
- <spi name="connectionsInfinispan">
- <default-provider>default</default-provider>
- <provider name="default" enabled="true">
- <properties>
- <property name="cacheContainer" value="java:jboss/infinispan/container/keycloak"/>
- </properties>
- </provider>
- </spi>
- <spi name="jta-lookup">
- <default-provider>${keycloak.jta.lookup.provider:jboss}</default-provider>
- <provider name="jboss" enabled="true"/>
- </spi>
- <spi name="publicKeyStorage">
- <provider name="infinispan" enabled="true">
- <properties>
- <property name="minTimeBetweenRequests" value="10"/>
- </properties>
- </provider>
- </spi>
- <spi name="x509cert-lookup">
- <default-provider>${keycloak.x509cert.lookup.provider:default}</default-provider>
- <provider name="default" enabled="true"/>
- </spi>
- <spi name="hostname">
- <default-provider>default</default-provider>
- <provider name="default" enabled="true">
- <properties>
- <property name="frontendUrl" value="${keycloak.frontendUrl:}"/>
- <property name="forceBackendUrlToFrontendUrl" value="false"/>
- </properties>
- </provider>
- </spi>
- <spi name="eventsListeners">
- <provider name="metrics-listener" enabled="true"/>
- </spi>
- </subsystem>
- <subsystem xmlns="urn:jboss:domain:mail:4.0">
- <mail-session name="default" jndi-name="java:jboss/mail/Default">
- <smtp-server outbound-socket-binding-ref="mail-smtp"/>
- </mail-session>
- </subsystem>
- <subsystem xmlns="urn:wildfly:metrics:1.0" security-enabled="false" exposed-subsystems="*" prefix="${wildfly.metrics.prefix:wildfly}"/>
- <subsystem xmlns="urn:jboss:domain:naming:2.0">
- <remote-naming/>
- </subsystem>
- <subsystem xmlns="urn:jboss:domain:remoting:4.0">
- <http-connector name="http-remoting-connector" connector-ref="default" sasl-authentication-factory="application-sasl-authentication"/>
- </subsystem>
- <subsystem xmlns="urn:jboss:domain:request-controller:1.0"/>
- <subsystem xmlns="urn:jboss:domain:security-manager:1.0">
- <deployment-permissions>
- <maximum-set>
- <permission class="java.security.AllPermission"/>
- </maximum-set>
- </deployment-permissions>
- </subsystem>
- <subsystem xmlns="urn:jboss:domain:transactions:6.0">
- <core-environment node-identifier="${jboss.tx.node.id:1}">
- <process-id>
- <uuid/>
- </process-id>
- </core-environment>
- <recovery-environment socket-binding="txn-recovery-environment" status-socket-binding="txn-status-manager"/>
- <coordinator-environment statistics-enabled="${wildfly.transactions.statistics-enabled:${wildfly.statistics-enabled:false}}"/>
- <object-store path="tx-object-store" relative-to="jboss.server.data.dir"/>
- </subsystem>
- <subsystem xmlns="urn:jboss:domain:undertow:12.0" default-server="default-server" default-virtual-host="default-host" default-servlet-container="default" default-security-domain="other" statistics-enabled="${wildfly.undertow.statistics-enabled:${wildfly.statistics-enabled:false}}">
- <buffer-cache name="default"/>
- <server name="default-server">
- <http-listener name="default" socket-binding="http" redirect-socket="https" enable-http2="true"/>
- <https-listener name="https" socket-binding="https" ssl-context="applicationSSC" enable-http2="true"/>
- <host name="default-host" alias="localhost">
- <location name="/" handler="welcome-content"/>
- <http-invoker http-authentication-factory="application-http-authentication"/>
- </host>
- </server>
- <servlet-container name="default">
- <jsp-config/>
- <websockets/>
- </servlet-container>
- <handlers>
- <file name="welcome-content" path="${jboss.home.dir}/welcome-content"/>
- </handlers>
- <application-security-domains>
- <application-security-domain name="other" security-domain="ApplicationDomain"/>
- </application-security-domains>
- </subsystem>
- <subsystem xmlns="urn:jboss:domain:weld:4.0"/>
- </profile>
- <interfaces>
- <interface name="management">
- <inet-address value="${jboss.bind.address.management:127.0.0.1}"/>
- </interface>
- <interface name="public">
- <inet-address value="${jboss.bind.address:127.0.0.1}"/>
- </interface>
- </interfaces>
- <socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">
- <socket-binding name="ajp" port="${jboss.ajp.port:8009}"/>
- <socket-binding name="http" port="${jboss.http.port:8080}"/>
- <socket-binding name="https" port="${jboss.https.port:8443}"/>
- <socket-binding name="management-http" interface="management" port="${jboss.management.http.port:9990}"/>
- <socket-binding name="management-https" interface="management" port="${jboss.management.https.port:9993}"/>
- <socket-binding name="txn-recovery-environment" port="4712"/>
- <socket-binding name="txn-status-manager" port="4713"/>
- <outbound-socket-binding name="mail-smtp">
- <remote-destination host="${jboss.mail.server.host:localhost}" port="${jboss.mail.server.port:25}"/>
- </outbound-socket-binding>
- </socket-binding-group>
-</server>
\ No newline at end of file
--
GitLab