2022-10-09 08:52:41 +02:00
|
|
|
{ stdenv
|
|
|
|
, pkgs
|
|
|
|
, lib
|
|
|
|
, utils
|
|
|
|
}:
|
|
|
|
{ configDir ? "/etc/keycloak"
|
|
|
|
, configFile ? "keycloak.conf"
|
|
|
|
, user ? "keycloak"
|
|
|
|
, group ? "keycloak"
|
|
|
|
, dbType ? "postgres"
|
|
|
|
, dbPasswordFile
|
|
|
|
, postgresServiceName
|
2022-10-15 07:06:37 +02:00
|
|
|
, initialAdminUsername ? null
|
2022-10-09 08:52:41 +02:00
|
|
|
, initialAdminFile ? null
|
|
|
|
}:
|
|
|
|
{ ... }:
|
|
|
|
|
|
|
|
assert lib.assertOneOf "dbType" dbType ["postgres"];
|
|
|
|
|
|
|
|
let
|
|
|
|
keycloak = pkgs.keycloak.override {
|
|
|
|
# This is needed for keycloak to build with the correct driver.
|
|
|
|
confFile = pkgs.writeText "keycloak.conf" ''
|
|
|
|
db=${dbType}
|
|
|
|
'';
|
|
|
|
};
|
|
|
|
in
|
|
|
|
|
|
|
|
utils.systemd.mkService rec {
|
|
|
|
name = "keycloak";
|
|
|
|
|
|
|
|
content = ''
|
|
|
|
[Unit]
|
|
|
|
Description=Keycloak server
|
|
|
|
After=network-online.target
|
|
|
|
Wants=network-online.target systemd-networkd-wait-online.service ${postgresServiceName}
|
|
|
|
|
|
|
|
[Service]
|
|
|
|
User=${user}
|
|
|
|
Group=${group}
|
|
|
|
|
|
|
|
EnvironmentFile=${dbPasswordFile}
|
2022-10-15 07:06:37 +02:00
|
|
|
${if initialAdminFile != null then "Environment=KEYCLOAK_ADMIN="+initialAdminUsername else ""}
|
2022-10-09 08:52:41 +02:00
|
|
|
${if initialAdminFile != null then "EnvironmentFile="+initialAdminFile else ""}
|
|
|
|
Environment=PATH=${pkgs.coreutils}/bin
|
|
|
|
Environment=KC_HOME_DIR="/run/keycloak"
|
|
|
|
|
|
|
|
# running the ExecStartPre as root is not ideal, but at the moment
|
|
|
|
# the only solution for Quarkus modifying the serialized
|
|
|
|
# data under <keycloak-home>/lib/quarkus
|
|
|
|
# Raised upstream as https://github.com/keycloak/keycloak/discussions/10323
|
|
|
|
# ExecStartPre=!${keycloak}/bin/kc.sh -cf ${configDir}/${configFile} build
|
|
|
|
ExecStart=${keycloak}/bin/kc.sh -cf ${configDir}/${configFile} start
|
|
|
|
|
|
|
|
# ReadWritePaths=/var/lib/keycloak
|
|
|
|
# ReadWritePaths=/var/log/keycloak
|
|
|
|
# ReadWritePaths=/usr/share/java/keycloak/lib/quarkus
|
|
|
|
# ReadOnlyPaths=${configDir}
|
|
|
|
RuntimeDirectory=keycloak
|
|
|
|
DynamicUser=true
|
|
|
|
|
|
|
|
# Disable timeout logic and wait until process is stopped
|
|
|
|
TimeoutStopSec=0
|
|
|
|
TimeoutStartSec=10min
|
|
|
|
|
|
|
|
# SIGTERM signal is used to stop the Java process
|
|
|
|
KillSignal=SIGTERM
|
|
|
|
|
|
|
|
# Send the signal only to the JVM rather than its control group
|
|
|
|
KillMode=process
|
|
|
|
|
|
|
|
# Java process is never killed
|
|
|
|
SendSIGKILL=no
|
|
|
|
|
|
|
|
# When a JVM receives a SIGTERM signal it exits with code 143
|
|
|
|
SuccessExitStatus=143
|
|
|
|
|
|
|
|
# Hardening options
|
|
|
|
# CapabilityBoundingSet=
|
|
|
|
# AmbientCapabilities=CAP_NET_BIND_SERVICES
|
|
|
|
# NoNewPrivileges=true
|
|
|
|
# Fails with:
|
|
|
|
# Failed to set up mount namespacing: /run/systemd/unit-root/var/lib/keycloak: No such file or directory
|
|
|
|
# ProtectHome=true
|
|
|
|
# ProtectSystem=strict
|
|
|
|
# ProtectKernelTunables=true
|
|
|
|
# ProtectKernelModules=true
|
|
|
|
# ProtectControlGroups=true
|
|
|
|
# PrivateTmp=true
|
|
|
|
# PrivateDevices=true
|
|
|
|
# LockPersonality=true
|
|
|
|
|
|
|
|
[Install]
|
|
|
|
WantedBy=multi-user.target
|
|
|
|
'';
|
|
|
|
}
|