feat: add keycloak provisioning tasks

roles/keycloak/defaults/main.yml

@@ -33,3 +33,66 @@ keycloak_use_ssl: true
 keycloak_log_level: "INFO"
 keycloak_proxy_mode: "edge"
 keycloak_gzip_enabled: false  # Disable GZIP encoding to avoid MIME type issues
+
+# Provisioning configuration
+keycloak_provisioning_enabled: false
+
+# Realm configuration
+keycloak_realm: "default"
+keycloak_realm_display_name: "Default Realm"
+
+# Auth URL for API access (used by provisioning tasks)
+keycloak_auth_url: "{{ 'https' if keycloak_use_ssl else 'http' }}://{{ keycloak_domain }}"
+
+# Groups to provision
+keycloak_groups: []
+# - name: admins
+# - name: users
+
+# Local users to provision
+keycloak_local_users: []
+# - username: admin
+#   first_name: "Admin"
+#   last_name: "User"
+#   email: "admin@example.com"
+#   password: "changeme"
+#   groups:
+#     - name: admins
+
+# OIDC clients to provision
+keycloak_oidc_clients: []
+# - client_id: nextcloud
+#   name: "Nextcloud"
+#   client_secret: "changeme"
+#   redirect_uris:
+#     - "https://nextcloud.example.com/apps/user_oidc/code"
+#   default_client_scopes:
+#     - openid
+#     - email
+#     - profile
+
+# Identity providers (e.g., Entra ID, Google)
+keycloak_identity_providers: []
+# - alias: entra-id
+#   display_name: "Login with Microsoft"
+#   provider_id: oidc
+#   config:
+#     clientId: "{{ entra_client_id }}"
+#     clientSecret: "{{ entra_client_secret }}"
+#     authorizationUrl: "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
+#     tokenUrl: "https://login.microsoftonline.com/common/oauth2/v2.0/token"
+#     defaultScope: "openid profile email"
+
+# Resources to remove from Keycloak (cleanup)
+# Add names/aliases here when removing from the lists above
+keycloak_removed_users: []
+# - olduser
+
+keycloak_removed_groups: []
+# - oldgroup
+
+keycloak_removed_clients: []
+# - old-client
+
+keycloak_removed_identity_providers: []
+# - old-idp