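---
# Keycloak deployment: host directories, login themes, the docker-compose
# stack, then realm and client configuration through the Keycloak admin API.
# Secrets (keycloak_admin_password, keycloak_clients[*].client_secret,
# smtp_service_pass, postgres_password) come from inventory/vault variables
# and templates, never from literals in this file.

- name: Create data-dir
  file:
    path: /data/
    state: directory

- name: Create keycloak psql mount
  file:
    path: /data/keycloak-postgres/
    state: directory

# NOTE(review): `version: master` follows a moving branch, so every run may
# pull different theme code into the login page. Pin a release tag or commit
# once one is chosen (no pinned value is available here).
- name: Clone keycloak Themes
  git:
    repo: https://github.com/FAUSheppy/atlantis-keycloak-themes
    dest: /data/atlantis-keycloak-themes/
    version: master

- name: Create compose directory keycloak
  file:
    path: /opt/keycloak/
    state: directory

- name: Copy compose templates keycloak
  template:
    src: keycloak.yaml
    dest: /opt/keycloak/

# The rendered postgres_password file lands on the host; no_log keeps its
# content out of --diff/verbose output. Consider `mode: "0600"` as well once
# it is confirmed which user runs docker compose on the host.
- name: Copy compose environment files keycloak
  template:
    src: "{{ item }}"
    dest: /opt/keycloak/
  loop:
    - postgres_password
  no_log: true

- name: Deploy compose templates
  community.docker.docker_compose:
    project_src: /opt/keycloak/
    pull: true
    files:
      - keycloak.yaml

# Poll until the service answers. `until` also retries failed attempts, so a
# refused connection while the container starts is not fatal.
# NOTE(review): assumes the root URL returns a JSON body with a `status`
# field; a non-JSON answer makes `result.json` undefined — confirm the URL.
- name: Check/Wait for Keycloak to be up
  uri:
    url: https://keycloak.atlantishq.de/
    method: GET
    return_content: true
    status_code: 200
    body_format: json
  register: result
  until: result.status == 200 and result.json.status == "UP"
  retries: 10
  delay: 20
  check_mode: false

# One client per key of keycloak_clients. Protocol-mapper ids are derived from
# the client's keycloak_id so reruns update the same mappers instead of
# creating duplicates. `secret` and `auth_password` are expected to be masked
# by the module itself; add `no_log: true` here too if verbose runs show them.
- name: Create Keycloak Clients
  community.general.keycloak_client:
    auth_client_id: admin-cli
    auth_keycloak_url: https://keycloak.atlantishq.de/
    auth_realm: master
    auth_username: admin
    auth_password: "{{ keycloak_admin_password }}"
    state: present
    realm: master
    client_id: '{{ keycloak_clients[item]["client_id"] }}'
    id: '{{ keycloak_clients[item]["keycloak_id"] }}'
    name: '{{ keycloak_clients[item]["client_id"] }}'
    description: '{{ keycloak_clients[item]["description"] }}'
    enabled: true
    client_authenticator_type: client-secret
    public_client: false
    secret: '{{ keycloak_clients[item]["client_secret"] }}'
    authorization_services_enabled: true
    service_accounts_enabled: true
    redirect_uris: '{{ keycloak_clients[item]["redirect_uris"] }}'
    # NOTE(review): web_origins is fed the redirect URIs; Keycloak expects
    # origins (scheme://host[:port]) here — confirm the values fit that shape.
    web_origins: '{{ keycloak_clients[item]["redirect_uris"] }}'
    frontchannel_logout: false
    protocol: openid-connect
    protocol_mappers:
      # Group-membership claim in id, access and userinfo tokens.
      - config:
          # Fixed typo: the key was "accesss.token.claim", which the mapper
          # does not read, so the setting stayed unset for the access token.
          access.token.claim: true
          claim.name: groups
          id.token.claim: true
          userinfo.token.claim: true
          full.path: false
        # keycloak_id with its third character replaced by "1". The original
        # named capture group had lost its <name>; \g<1> references the same
        # group by number, which needs no name.
        id: "{{ keycloak_clients[item]['keycloak_id'] | regex_replace('^(.{2}).', '\\g<1>' ~ '1') }}"
        consentRequired: false
        protocol: openid-connect
        protocolMapper: oidc-group-membership-mapper
        name: client-group-mapper
      # Audience claim so access tokens name this client as their audience.
      - config:
          included.client.audience: '{{ keycloak_clients[item]["client_id"] }}'
          id.token.claim: false
          access.token.claim: true
        # Same derivation as above, third character replaced by "2".
        id: "{{ keycloak_clients[item]['keycloak_id'] | regex_replace('^(.{2}).', '\\g<1>' ~ '2') }}"
        consentRequired: false
        protocol: openid-connect
        protocolMapper: oidc-audience-mapper
        name: aud-mapper-client
  loop: "{{ keycloak_clients.keys() | list }}"
  delegate_to: localhost

# Values under smtpServer are deliberately quoted strings: Keycloak keeps the
# SMTP configuration as a string map, so "true"/"false" must not become YAML
# booleans. smtpServer.password is a plain dict value, presumably not masked
# by the module, so the whole task runs with no_log.
- name: Update master realm settings
  community.general.keycloak_realm:
    auth_client_id: admin-cli
    auth_keycloak_url: https://keycloak.atlantishq.de/
    auth_realm: master
    auth_username: admin
    auth_password: "{{ keycloak_admin_password }}"
    state: present
    realm: master
    loginTheme: atlantis
    resetPasswordAllowed: "true"
    smtpServer:
      password: "{{ smtp_service_pass }}"
      replyToDisplayName: ""
      starttls: "true"
      auth: "true"
      replyTo: ""
      envelopeFrom: ""
      from: "{{ smtp_service_user }}@atlantishq.de"
      fromDisplayName: ""
      host: "{{ smtp_internal_host }}"
      port: "{{ smtp_internal_host_port }}"
      ssl: "false"
      user: "{{ smtp_service_user }}@atlantishq.de"
  no_log: true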