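#!/bin/bash
# Install Keycloak from the upstream release tarball on a Debian/Ubuntu host.
#
# Layout and systemd unit are adapted from the Arch Linux package:
#   https://gitlab.archlinux.org/archlinux/packaging/packages/keycloak/-/tree/main?ref_type=heads
#
# Resulting layout:
#   /usr/share/java/keycloak          unpacked distribution, root-owned
#   /etc/keycloak                     configuration (the distribution's conf/ moved here)
#   /var/lib/keycloak/{deployments,data}  state, writable by the keycloak user
#   /var/log/keycloak                 logs, writable by the keycloak user
#   /usr/bin/{kc,kcadm,kcreg}.sh      symlinks into the distribution's bin/
#
# Usage (as root):
#   KEYCLOAK_SHA256=<hex digest> ./install-keycloak.sh
# KEYCLOAK_SHA256 is optional but strongly recommended: without it the archive
# fetched over the network is installed with no integrity check at all.
set -euo pipefail

pkgname=keycloak
pkgver=25.0.0
_java=21
deps="openjdk-${_java}-jre-headless"
src="https://github.com/keycloak/keycloak/releases/download/${pkgver}/${pkgname}-${pkgver}.tar.gz"
# Expected SHA-256 of the tarball, obtained out of band from a trusted source.
expected_sha256="${KEYCLOAK_SHA256:-}"
home="/usr/share/java/${pkgname}"

die() { printf '%s\n' "$*" >&2; exit 1; }

[[ "$(id -u)" == 0 ]] || die "you need to be root"

# Private, unpredictable work directory instead of a fixed /tmp/keycloak-<ver>:
# a predictable name under /tmp can be pre-created or symlinked by any local
# user before root writes into it. Removed on every exit path.
workdir="$(mktemp -d)" || die "mktemp failed"
cleanup() { rm -rf -- "${workdir:?}"; }
trap cleanup EXIT

# apt-get, not apt: apt's CLI is not meant for scripts.
DEBIAN_FRONTEND=noninteractive apt-get install -y "$deps"

tarball="${workdir}/${pkgname}-${pkgver}.tar.gz"
wget -O "$tarball" -- "$src"

# Supply-chain check: refuse to unpack a tarball that does not match the digest
# the operator supplied. Only warn when none was given so existing unattended
# use keeps working, but make the gap visible.
if [[ -n "$expected_sha256" ]]; then
  printf '%s  %s\n' "$expected_sha256" "$tarball" | sha256sum -c - \
    || die "checksum mismatch for ${tarball}; refusing to install"
else
  printf 'WARNING: KEYCLOAK_SHA256 not set; installing %s without verifying its integrity\n' "$src" >&2
fi

# Directory skeleton
install -vdm 755 "$home" "/var/log/${pkgname}"
install -vdm 755 "/var/lib/${pkgname}"/{deployments,data}
install -vdm 755 /usr/bin /etc
install -vdm 755 /usr/lib/sysusers.d /usr/lib/tmpfiles.d /usr/lib/systemd/system

# Unpack; the archive's single top-level keycloak-<ver>/ directory is stripped.
tar xf "$tarball" --strip-components=1 -C "$home"

# Files that are not needed on Linux
rm -vf "${home}/LICENSE.txt"
rm -vf "${home}"/bin/*.bat

# Ownership inside the archive is whatever upstream's build user had; make it root's.
chown -R root:root "$home"

# Configuration lives in /etc/keycloak. A plain `mv` onto an existing directory
# would nest conf/ inside it on a re-run, so keep any existing configuration and
# drop the freshly unpacked one instead.
if [[ -e "/etc/${pkgname}" ]]; then
  printf 'NOTE: /etc/%s already exists; keeping it and discarding %s/conf\n' "$pkgname" "$home" >&2
  rm -rf -- "${home:?}/conf"
else
  mv -v "${home}/conf" "/etc/${pkgname}"
fi
# NOTE(review): conf/ is moved out of ${home} and not linked back; kc.sh is only
# told about keycloak.conf via -cf. Confirm that Keycloak does not need the other
# files under /etc/keycloak (e.g. cache-ispn.xml) relative to its home directory,
# or add `ln -svf /etc/keycloak "${home}/conf"` alongside the links below.

# Writable state is kept outside the distribution tree and linked back in, so the
# distribution itself can stay read-only under ProtectSystem=strict.
ln -svf "/var/log/${pkgname}" "${home}/log"
ln -svf "/var/lib/${pkgname}/deployments" "${home}/deployments"
ln -svf "/var/lib/${pkgname}/data" "${home}/data"

# Service account. The GECOS field must be one column, so the double quotes have
# to reach the file: written via a quoted heredoc, not via echo, where the shell
# stripped them and shifted every following column (home became "user").
cat > "/usr/lib/sysusers.d/${pkgname}.conf" <<'EOF'
u keycloak - "keycloak user" /var/lib/keycloak -
EOF
chmod 644 "/usr/lib/sysusers.d/${pkgname}.conf"

# Ownership of the state directories (z = the path itself, Z = recursively).
cat > "/usr/lib/tmpfiles.d/${pkgname}.conf" <<'EOF'
z /var/log/keycloak - keycloak keycloak -
z /var/lib/keycloak/data - keycloak keycloak -
Z /var/lib/keycloak/deployments - keycloak keycloak -
EOF
chmod 644 "/usr/lib/tmpfiles.d/${pkgname}.conf"

# systemd unit. Quoted heredoc so nothing inside is subject to shell expansion.
cat > "/usr/lib/systemd/system/${pkgname}.service" <<'EOF'
[Unit]
Description=Keycloak server
After=network-online.target
Wants=network-online.target systemd-networkd-wait-online.service
[Service]
User=keycloak
Group=keycloak
# Running the ExecStartPre as root is not ideal, but at the moment
# the only solution for Quarkus modifying the serialized
# data under <keycloak-home>/lib/quarkus
# Raised upstream as https://github.com/keycloak/keycloak/discussions/10323
# The "!" prefix only skips the User=/Group= drop; ProtectSystem=strict still
# applies, which is why lib/quarkus is listed in ReadWritePaths below.
ExecStartPre=!/usr/bin/kc.sh -cf /etc/keycloak/keycloak.conf build
ExecStart=/usr/bin/kc.sh -cf /etc/keycloak/keycloak.conf start --optimized
ReadWritePaths=/var/lib/keycloak
ReadWritePaths=/var/log/keycloak
ReadWritePaths=/usr/share/java/keycloak/lib/quarkus
ReadOnlyPaths=/etc/keycloak
# Disable timeout logic and wait until process is stopped
TimeoutStopSec=0
# SIGTERM signal is used to stop the Java process
KillSignal=SIGTERM
# Send the signal only to the JVM rather than its control group
KillMode=process
# Java process is never killed
SendSIGKILL=no
# When a JVM receives a SIGTERM signal it exits with code 143
SuccessExitStatus=143
# Hardening options
CapabilityBoundingSet=
AmbientCapabilities=
NoNewPrivileges=true
ProtectHome=true
ProtectSystem=strict
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
PrivateTmp=true
PrivateDevices=true
LockPersonality=true
[Install]
WantedBy=multi-user.target
EOF
chmod 644 "/usr/lib/systemd/system/${pkgname}.service"

# Command-line entry points
for tool in kc.sh kcadm.sh kcreg.sh; do
  ln -svf "${home}/bin/${tool}" "/usr/bin/${tool}"
done

# Apply the sysusers/tmpfiles snippets now rather than at the next boot, so the
# keycloak user exists and the state directories are owned by it before the unit
# (User=keycloak) is first started; then let systemd pick up the new unit file.
systemd-sysusers "${pkgname}.conf"
systemd-tmpfiles --create "${pkgname}.conf"
systemctl daemon-reload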