As we had a handful of different websites and applications running on the server, I wanted to simplify everything with the use of an identity platform. This would then be the place that usernames and passwords are stored, thus governing authentication to any existing or new property.
Installing Keycloak itself with a supplied Ansible role didn't quite go to plan, mostly due to some minor differences in Ubuntu 20 and Keycloak 12. Eventually I worked my way around the error messages that Ansible kept throwing and created a pull request so we could share the love back.
Despite the fact that every single blog post and technical article claimed the only way to complete a Keycloak/Nginx integration was to use OpenResty (as it combines Nginx with LuaJIT), I didn't want to because I was extremely happy with the Ansible role I use to manage Nginx and a comparable role wasn't available for OpenResty. Using this role was also the reason I didn't want to have to install Nginx from source.
As a result, I needed to find a way to install Lua and other dependencies for me to be able to use access_by_lua in my Nginx configuation. Doing this by hand in the first isntance revealed that:
The versions of Lua and LuaRocks in default Ubuntu apt repos were not recent enough
The correct combination of each for a successful implementation was therefore:
All of the Lua modules except for lua-resty-string can be installed directly with LuaRocks. Because of the error mentioned above, I installed lua-resty-string from source. Converting this to Ansible and using roles to install Lua and LuaRocks gave me the following example playbook:
The final step from here was to extend the Nginx configuration from my previous blog post to use access_by_lua. The set $session_secret line was crucially important as without that I kept running into the following error:
The final working Nginx configuration looked like the below (with replacement values for session_secret, client_id and client_secret of course).
Hopefully this helps anyone else wanting to use Ansible to install Nginx and Keycloak!
You might also like...
Pretty damn secure self hosted Bitwarden
Every year I spend an afternoon reading through my credit card statement to see whether I've accidentally forgotten to unsubscribe
7 min read
Blackholing Domains with WireGuard
Short post incoming because it's not worthy of a longer one, but more interesting than dropping a tweet.
1 min read
My first NFT with ENS and IPFS
Ok, so this isn't my first NFT
[https://en.wikipedia.org/wiki/Non-fungible_token], but the current title hits a
7 min read
Running Ghost on Tor
Recently I've had the opportunity to play with some new and existing
technologies as a mechanism of both upskilling and
5 min read
Client certificates, Let's Encrypt, custom CAs and Cloudflare
Over the last week, I've been building a new server for some friends and I to
host our own NextCloud