From fb24aaf668a5739e809cfb3aa7fa11379e9488f0 Mon Sep 17 00:00:00 2001
From: Jean-Marie Mineau
Date: Wed, 27 Jan 2021 01:23:23 +0100
Subject: [PATCH] try and fail to reduce acces to the private key
---
 roles/install_gitea/tasks/main.yml | 3 +--
 roles/install_keycloak/tasks/main.yml | 19 +++++++++++++++++++
 .../templates/docker-compose.yml.j2 | 2 ++
 3 files changed, 22 insertions(+), 2 deletions(-)
diff --git a/roles/install_gitea/tasks/main.yml b/roles/install_gitea/tasks/main.yml
index 5b3b6e8..524540b 100644
--- a/roles/install_gitea/tasks/main.yml
+++ b/roles/install_gitea/tasks/main.yml
@@ -4,12 +4,11 @@
 path: /var/local/gitea
 state: directory
-- name: Ensure the user gitea exist
+- name: Ensure the user gitea exists
 user:
 name: gitea
 create_home: no
 password_lock: yes
- register: gitea_user
 - name: Retrieve info about users
 getent:
diff --git a/roles/install_keycloak/tasks/main.yml b/roles/install_keycloak/tasks/main.yml
index 9d58842..b291cbc 100644
--- a/roles/install_keycloak/tasks/main.yml
+++ b/roles/install_keycloak/tasks/main.yml
@@ -4,6 +4,16 @@
 path: /var/local/keycloak
 state: directory
+- name: Ensure the user keycloak exists
+ user:
+ name: keycloak
+ create_home: no
+ password_lock: yes
+
+- name: Retrieve info about users
+ getent:
+ database: passwd
+
 - name: Warning
 debug:
 msg: This is a test server, do not use in production
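Review bot: The `keycloak` account created in the first hunk of roles/install_keycloak/tasks/main.yml is a service account, but nothing marks it as one, so it is allocated from the regular user range and gets the default login shell. Adding `system: true` and `shell: /usr/sbin/nologin` (path varies by distribution) to the `user:` task keeps it out of the interactive range and blocks logins even if `password_lock` is later relaxed. Ansible's own convention is `true`/`false` rather than `no`/`yes` for `create_home` and `password_lock` (yamllint `truthy`); the existing gitea task in the preceding hunk uses the same `no`/`yes` spelling, so either both should move to `true`/`false` or the new task deliberately follows the existing style. The third hunk's template reads `getent_passwd["keycloak"]`, so the `getent` task must stay after the `user` task as it is here.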
@@ -26,12 +36,21 @@
 src: /var/certificates/{{ server_hostname }}_privkey.pem
 dest: /var/local/keycloak/certificates/tls.key
 remote_src: yes
+ owner: keycloak
+ group: keycloak
+ mode: 0644 # 0600
+# I wanted to limite read access to the private key to one "keycloak" user,
+# but It doesn't works because the user running some script inside the container
+# has a fix uid (1000) and obviously this uid is taken on the host by the first
+# user created... I hope you're serveur is well protected...
 - name: Copy certificate
 copy:
 src: /var/certificates/{{ server_hostname }}_cert.pem
 dest: /var/local/keycloak/certificates/tls.crt
 remote_src: yes
+ owner: keycloak
+ group: keycloak
 - name: Copy docker-compose.yml
 template:
diff --git a/roles/install_keycloak/templates/docker-compose.yml.j2 b/roles/install_keycloak/templates/docker-compose.yml.j2
index b8b943c..44a756a 100644
--- a/roles/install_keycloak/templates/docker-compose.yml.j2
+++ b/roles/install_keycloak/templates/docker-compose.yml.j2
@@ -7,6 +7,8 @@ services:
 container_name: keycloak
 restart: always
 environment:
+ - USER_UID={{ getent_passwd["keycloak"].1 }}
+ - USER_GID={{ getent_passwd["keycloak"].2 }}
 - "KEYCLOAK_USER=${USERNAME}"
 - "KEYCLOAK_PASSWORD=${PASSWORD}"
 volumes:
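Review bot: `mode: 0644` on the `tls.key` copy in the first hunk of roles/install_keycloak/tasks/main.yml leaves the TLS private key world-readable on the host, and the comment under it records that this is a workaround rather than the intended state. A private key should be no wider than `mode: "0600"`, or `mode: "0640"` when a group must read it; quoting the mode also avoids the leading-zero octal ambiguity that Ansible warns about. If the container process cannot run as the host `keycloak` user, the narrower option is to keep `0640` with `group: keycloak` and hand that group to the container via the compose `group_add:` key, or run the container as the matching uid:gid with the compose `user:` key, instead of widening the file mode. The comment should also state the decision and its consequence plainly rather than apologise for it, e.g. `# tls.key is world-readable because the image's entrypoint runs as a fixed uid (1000) that does not match the host keycloak user`. The `copy:` task this hunk modifies begins before the hunk.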
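Review bot: The `USER_UID`/`USER_GID` entries added under `environment:` in roles/install_keycloak/templates/docker-compose.yml.j2 only have an effect if the image's entrypoint reads them, and the comment added in the tasks file says it does not, so as committed they are dead configuration that a reader may mistake for a working privilege drop. If the aim is to run the container as the host `keycloak` user, the compose-level `user: "{{ getent_passwd['keycloak'].1 }}:{{ getent_passwd['keycloak'].2 }}"` is enforced by the runtime regardless of the image, provided the image's startup does not itself require root — that should be verified before relying on it. Otherwise the two lines should be dropped, or carry a comment stating that they are a no-op for this image. The neighbouring entries are double-quoted (`- "KEYCLOAK_USER=${USERNAME}"`) while the new ones are not; quoting the templated values keeps the list consistent and guards against an empty expansion being read as null.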