feat: add kratos role

Release-As: 1.7.0

.ansible-lint-ignore

@@ -1,2 +1,3 @@
+roles/kratos/defaults/main.yml yaml[line-length]
 roles/promtail/defaults/main.yml yaml[line-length]
 roles/vmagent/defaults/main.yml yaml[line-length]

.gitignore

@@ -10,5 +10,4 @@
 .vagrant
 .secrets
 
-host_vars
 vars.yml

Vagrantfile

@@ -25,10 +25,10 @@ Vagrant.configure("2") do |config|
   # SHELL
 
   config.vm.provision "ansible" do |ansible|
-    ansible.playbook = "playbook.yml"
+    ansible.playbook = "vagrant.yml"
     ansible.compatibility_mode = "2.0"
     ansible.extra_vars = {
-      ansible_ssh_common_args: "-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null"
+      ansible_ssh_common_args: "-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o PasswordAuthentication=no",
     }
   end
 end

ansible.cfg

@@ -1,15 +1,17 @@
 [defaults]
-become=false
-log_path=/tmp/ansible.log
-gather_facts=false
+become = false
+cache_timeout = 3600
+deprecation_warnings = false
 fact_caching = ansible.builtin.jsonfile
 fact_caching_connection = /tmp/ansible_facts
-cache_timeout = 3600
+fact_caching_timeout = 604800
+gather_facts = false
+host_key_checking = false
 interpreter_python = auto_silent
-verbosity = 2
-ssh_common_args = -o ConnectTimeout=5 -o ControlPersist=yes
-deprecation_warnings = false
+log_path = /tmp/ansible.log
 roles_path = ./roles
+ssh_common_args = -o ConnectTimeout=5 -o ControlPersist=yes
+verbosity = 2
 
 [inventory]
 enable_plugins = 'host_list', 'script', 'auto', 'yaml', 'ini', 'toml', 'auto'

galaxy.yml

@@ -1,6 +1,6 @@
 namespace: meysam81
 name: general
-version: 1.5.5
+version: 1.7.0
 readme: README.md
 authors:
   - Meysam Azad <meysam@developer-friendly.blog>

playbook.yml

@@ -1,4 +1,4 @@
-- name: Demo
+- name: Test roles
   hosts: all
   gather_facts: true
   become: true
@@ -24,3 +24,5 @@
       tags: pushgateway
     - role: k8s_oidc_github_pages
       tags: k8s_oidc_github_pages
+    - role: kratos
+      tags: kratos

roles/kratos/README.md

@@ -0,0 +1,161 @@
+# kratos
+
+Ansible role for deploying Ory Kratos Identity Server
+
+## Table of content
+
+- [Requirements](#requirements)
+- [Default Variables](#default-variables)
+  - [kratos_arch](#kratos_arch)
+  - [kratos_checksum_url](#kratos_checksum_url)
+  - [kratos_configuration](#kratos_configuration)
+  - [kratos_download_url](#kratos_download_url)
+  - [kratos_envs](#kratos_envs)
+  - [kratos_exec_cmd](#kratos_exec_cmd)
+  - [kratos_group](#kratos_group)
+  - [kratos_libmusl](#kratos_libmusl)
+  - [kratos_os](#kratos_os)
+  - [kratos_sqlite](#kratos_sqlite)
+  - [kratos_user](#kratos_user)
+  - [kratos_version](#kratos_version)
+- [Dependencies](#dependencies)
+- [License](#license)
+- [Author](#author)
+
+---
+
+## Requirements
+
+- Minimum Ansible version: `2.17`
+
+## Default Variables
+
+### kratos_arch
+
+#### Default value
+
+```YAML
+kratos_arch: "{{ (ansible_architecture | default('amd64')) | replace('x86_64', '64bit')
+  | replace('aarch64', 'arm64') }}"
+```
+
+### kratos_checksum_url
+
+#### Default value
+
+```YAML
+kratos_checksum_url: https://github.com/ory/kratos/releases/download/v{{ kratos_version
+  | regex_replace('^v', '') }}/checksums.txt
+```
+
+### kratos_configuration
+
+#### Default value
+
+```YAML
+kratos_configuration: |
+  dsn: memory
+
+  courier:
+    smtp:
+      # checkov:skip=CKV_SECRET_4:Basic Auth Credentials
+      connection_uri: smtps://test:test@mailslurper:1025/?skip_ssl_verify=true
+
+  selfservice:
+    default_browser_return_url: http://example.com
+
+  identity:
+    schemas:
+      - id: default
+        url: https://github.com/ory/kratos/raw/refs/tags/v{{ kratos_version | regex_replace('^v', '') }}/contrib/quickstart/kratos/email-password/identity.schema.json
+```
+
+### kratos_download_url
+
+#### Default value
+
+```YAML
+kratos_download_url: >-
+  https://github.com/ory/kratos/releases/download/v{{ kratos_version | regex_replace('^v',
+  '') }}/kratos_{{ kratos_version | regex_replace('^v', '') }}-{{ kratos_os }}{{ kratos_sqlite
+  | ternary('_sqlite', '') }}{{ kratos_libmusl | ternary('_libmusl', '') }}_{{ kratos_arch
+  }}.tar.gz
+```
+
+### kratos_envs
+
+#### Default value
+
+```YAML
+kratos_envs: {}
+```
+
+### kratos_exec_cmd
+
+#### Default value
+
+```YAML
+kratos_exec_cmd: /usr/local/bin/kratos serve
+```
+
+### kratos_group
+
+#### Default value
+
+```YAML
+kratos_group: kratos
+```
+
+### kratos_libmusl
+
+#### Default value
+
+```YAML
+kratos_libmusl: false
+```
+
+### kratos_os
+
+#### Default value
+
+```YAML
+kratos_os: linux
+```
+
+### kratos_sqlite
+
+#### Default value
+
+```YAML
+kratos_sqlite: true
+```
+
+### kratos_user
+
+#### Default value
+
+```YAML
+kratos_user: kratos
+```
+
+### kratos_version
+
+#### Default value
+
+```YAML
+kratos_version: 1.3.1
+```
+
+
+
+## Dependencies
+
+None.
+
+## License
+
+Apache-2.0
+
+## Author
+
+Meysam Azad

roles/kratos/defaults/main.yml

@@ -0,0 +1,28 @@
+---
+kratos_arch: "{{ (ansible_architecture | default('amd64')) | replace('x86_64', '64bit') | replace('aarch64', 'arm64') }}"
+kratos_checksum_url: https://github.com/ory/kratos/releases/download/v{{ kratos_version | regex_replace('^v', '') }}/checksums.txt
+kratos_configuration: |
+  dsn: memory
+
+  courier:
+    smtp:
+      # checkov:skip=CKV_SECRET_4:Basic Auth Credentials
+      connection_uri: smtps://test:test@mailslurper:1025/?skip_ssl_verify=true
+
+  selfservice:
+    default_browser_return_url: http://example.com
+
+  identity:
+    schemas:
+      - id: default
+        url: https://github.com/ory/kratos/raw/refs/tags/v{{ kratos_version | regex_replace('^v', '') }}/contrib/quickstart/kratos/email-password/identity.schema.json
+kratos_download_url: >-
+  https://github.com/ory/kratos/releases/download/v{{ kratos_version | regex_replace('^v', '') }}/kratos_{{ kratos_version | regex_replace('^v', '') }}-{{ kratos_os }}{{ kratos_sqlite | ternary('_sqlite', '') }}{{ kratos_libmusl | ternary('_libmusl', '') }}_{{ kratos_arch }}.tar.gz
+kratos_envs: {}
+kratos_exec_cmd: /usr/local/bin/kratos serve
+kratos_group: kratos
+kratos_libmusl: false
+kratos_os: linux
+kratos_sqlite: true
+kratos_user: kratos
+kratos_version: 1.3.1

roles/kratos/handlers/main.yml

@@ -0,0 +1,6 @@
+---
+- name: Restart kratos
+  ansible.builtin.systemd:
+    name: kratos
+    state: restarted
+    enabled: true

roles/kratos/meta/main.yml

@@ -0,0 +1,42 @@
+---
+galaxy_info:
+  # Ansible Galaxy role metadata
+  role_name: kratos
+  namespace: general
+  author: Meysam Azad
+  description: Ansible role for deploying Ory Kratos Identity Server
+
+  # Licensing information
+  license: Apache-2.0
+
+  # Minimum Ansible version
+  min_ansible_version: "2.17"
+
+  # Platform compatibility
+  platforms:
+    - name: Ubuntu
+      versions:
+        - jammy
+        - focal
+    - name: Debian
+      versions:
+        - bullseye
+        - bookworm
+
+  # Role categorization
+  galaxy_tags:
+    - security
+    - identity
+    - authentication
+    - iam
+    - kratos
+    - ory
+    - identitymanagement
+    - usermanagement
+    - accesscontrol
+
+  # Role-specific metadata
+  standalone: true
+
+# Dependencies management
+dependencies: []

roles/kratos/tasks/main.yml

@@ -0,0 +1,3 @@
+- name: Setup Debian
+  ansible.builtin.include_tasks: setup-Debian.yml
+  when: ansible_os_family == 'Debian'

roles/kratos/tasks/setup-Debian.yml

@@ -0,0 +1,80 @@
+---
+- name: Assert the kratos configuration var is set
+  ansible.builtin.assert:
+    that:
+      - kratos_configuration is defined
+- name: Create kratos group
+  ansible.builtin.group:
+    name: "{{ kratos_group }}"
+    state: present
+- name: Create kratos system user
+  ansible.builtin.user:
+    name: "{{ kratos_user }}"
+    group: "{{ kratos_group }}"
+    create_home: false
+    shell: /usr/sbin/nologin
+    system: true
+    state: present
+- name: Download kratos checksum
+  ansible.builtin.set_fact:
+    kratos_checksum: >-
+      {{ (lookup('ansible.builtin.url', kratos_checksum_url, split_lines=true, wantlist=true) |
+      select('search', kratos_download_url | basename) | list | first).split(' ')[0] }}
+- name: Download kratos {{ kratos_version }}
+  ansible.builtin.get_url:
+    url: "{{ kratos_download_url }}"
+    dest: /tmp/{{ kratos_download_url | basename }}
+    mode: "0644"
+    owner: "{{ ansible_user_id }}"
+    group: "{{ ansible_user_id }}"
+    checksum: "sha256:{{ kratos_checksum }}"
+  register: kratos_download
+- name: Extract kratos binary to /usr/local/bin
+  ansible.builtin.unarchive:
+    src: "{{ kratos_download.dest }}"
+    dest: /usr/local/bin
+    remote_src: true
+    extra_opts:
+      - kratos
+    mode: "0755"
+    owner: root
+    group: root
+  notify: Restart kratos
+- name: Copy kratos systemd service
+  ansible.builtin.template:
+    src: kratos.service.j2
+    dest: /etc/systemd/system/kratos.service
+    mode: "0644"
+    owner: root
+    group: root
+  notify: Restart kratos
+- name: Create kratos configuration directory
+  ansible.builtin.file:
+    path: /etc/kratos
+    state: directory
+    mode: "0755"
+    owner: "{{ kratos_user }}"
+    group: "{{ kratos_group }}"
+- name: Copy Kratos configuration
+  ansible.builtin.copy:
+    content: "{{ kratos_configuration }}"
+    dest: /etc/kratos/config.yml
+    mode: "0440"
+    owner: "{{ kratos_user }}"
+    group: "{{ kratos_group }}"
+  no_log: true
+  notify: Restart kratos
+- name: Copy environment file
+  ansible.builtin.template:
+    src: kratos.envs.j2
+    dest: /etc/kratos/kratos.env
+    mode: "0440"
+    owner: "{{ kratos_user }}"
+    group: "{{ kratos_group }}"
+  notify: Restart kratos
+- name: Start kratos service
+  ansible.builtin.systemd:
+    name: kratos
+    state: started
+    enabled: true
+  notify: Restart kratos

roles/kratos/templates/kratos.envs.j2

@@ -0,0 +1,3 @@
+{% for key, value in kratos_envs.items() %}
+{{ key }}={{ value }}
+{% endfor %}