selfhostblocks/_disnix/keycloak-cli-config/configcreator.nix

{ stdenv
, pkgs
, lib
}:
{ realm
, domain
, roles ? {}
, clients ? {}
, users ? {}
, groups ? []
}:

with builtins;
with (pkgs.lib.attrsets);
let
  mkRole = k: v:
    let
      iscomposite = (length v) > 0;
    in {
      name = k;
      composite = if iscomposite then true else false;
    } // optionalAttrs iscomposite {
      composites = {
        realm = v;
      };
    };

  mkClientRole =
    let
      roles = config: config.roles or [];

      c = v:
        {
          name = v;
          clientRole = true;
        };
    in k: config: map c (roles config);

  mkGroup = name: {
    inherit name;
    path = "/${name}";
    attributes = {};
    realmRoles = [];
    clientRoles = {};
    subGroups = [];
  };

  mkClient = k: config:
    let
      url = "https://${k}.${domain}";
    in
      {
        clientId = k;
        rootUrl = url;
        clientAuthenticatorType = "client-secret";
        redirectUris = ["${url}/oauth2/callback"];
        webOrigins = [url];
        authorizationServicesEnabled = true;
        serviceAccountsEnabled = true;
        protocol = "openid-connect";
        publicClient = false;
        protocolMappers = [
          {
            name = "Client ID";
            protocol = "openid-connect";
            protocolMapper = "oidc-usersessionmodel-note-mapper";
            consentRequired = false;
            config = {
              "user.session.note" = "clientId";
              "id.token.claim" = "true";
              "access.token.claim" = "true";
              "claim.name" = "clientId";
              "jsonType.label" = "String";
            };
          }
          {
            name = "Client Host";
            protocol = "openid-connect";
            protocolMapper = "oidc-usersessionmodel-note-mapper";
            consentRequired = false;
            config = {
              "user.session.note" = "clientHost";
              "id.token.claim" = "true";
              "access.token.claim" = "true";
              "claim.name" = "clientHost";
              "jsonType.label" = "String";
            };
          }
          {
            name = "Client IP Address";
            protocol = "openid-connect";
            protocolMapper = "oidc-usersessionmodel-note-mapper";
            consentRequired = false;
            config = {
              "user.session.note" = "clientAddress";
              "id.token.claim" = "true";
              "access.token.claim" = "true";
              "claim.name" = "clientAddress";
              "jsonType.label" = "String";
            };
          }
          {
            name = "Audience";
            protocol = "openid-connect";
            protocolMapper = "oidc-audience-mapper";
            config = {
              "included.client.audience" = k;
              "id.token.claim" = "false";
              "access.token.claim" = "true";
              "included.custom.audience" = k;
            };
          }
          {
            name = "Group";
            protocol = "openid-connect";
            protocolMapper = "oidc-group-membership-mapper";
            config = {
              "full.path" = "true";
              "id.token.claim" = "true";
              "access.token.claim" = "true";
              "claim.name" = "groups";
              "userinfo.token.claim" = "true";
            };
          }
        ];
        authorizationSettings = {
          policyEnforcementMode = "ENFORCING";

          resources =
            let
              mkResource = name: uris: {
                inherit name;
                type = "urn:${k}:resources:${name}";
                ownerManagedAccess = false;
                inherit uris;
              };
            in
              mapAttrsToList mkResource (config.resourcesUris or {});

          policies =
            let
              mkPolicyRole = role: {
                id = role;
                required = true;
              };

              mkPolicy = name: roles: {
                name = "${concatStringsSep "," roles} has access";
                type = "role";
                logic = "POSITIVE";
                decisionStrategy = "UNANIMOUS";
                config = {
                  roles = toJSON (map mkPolicyRole roles);
                };
              };

              mkPermission = name: roles: resources: {
                name = "${concatStringsSep "," roles} has access to ${concatStringsSep "," resources}";
                type = "resource";
                logic = "POSITIVE";
                decisionStrategy = "UNANIMOUS";
                config = {
                  resources = toJSON resources;
                  applyPolicies = toJSON (map (r: "${concatStringsSep "," roles} has access") roles);
                };
              };
            in
              (mapAttrsToList (name: {roles, ...}: mkPolicy name roles) (config.access or {}))
              ++ (mapAttrsToList (name: {roles, resources}: mkPermission name roles resources) (config.access or {}));
        };
      };

  mkUser = k: config:
    {
      username = k;
      enabled = true;
      emailVerified = true;

      inherit (config) email firstName lastName;
    } // optionalAttrs (config ? "groups") {
      inherit (config) groups;
    } // optionalAttrs (config ? "roles") {
      realmRoles = config.roles;
    } // optionalAttrs (config ? "initialPassword") {
      credentials = [
        {
          type = "password";
          userLabel = "initial";
          value = "$(keycloak.users.${k}.password)";
        }
      ];
    };

in
{
  inherit realm;
  id = realm;
  enabled = true;

  clients = mapAttrsToList mkClient clients;

  roles = {
    realm = mapAttrsToList mkRole roles;
    client = mapAttrs mkClientRole clients;
  };

  groups = map mkGroup groups;

  users = mapAttrsToList mkUser users;
}
add more keycloak options and add config creator 2022-10-18 05:01:36 +02:00			`{ stdenv`
			`, pkgs`
			`, lib`
			`}:`
			`{ realm`
			`, domain`
			`, roles ? {}`
			`, clients ? {}`
			`, users ? {}`
protect vaultwarden with oauth2proxy 2023-02-12 06:28:00 +01:00			`, groups ? []`
add more keycloak options and add config creator 2022-10-18 05:01:36 +02:00			`}:`

			`with builtins;`
			`with (pkgs.lib.attrsets);`
			`let`
			`mkRole = k: v:`
			`let`
			`iscomposite = (length v) > 0;`
			`in {`
			`name = k;`
protect vaultwarden with oauth2proxy 2023-02-12 06:28:00 +01:00			`composite = if iscomposite then true else false;`
add more keycloak options and add config creator 2022-10-18 05:01:36 +02:00			`} // optionalAttrs iscomposite {`
			`composites = {`
			`realm = v;`
			`};`
			`};`

			`mkClientRole =`
			`let`
protect vaultwarden with oauth2proxy 2023-02-12 06:28:00 +01:00			`roles = config: config.roles or [];`
add more keycloak options and add config creator 2022-10-18 05:01:36 +02:00
			`c = v:`
			`{`
			`name = v;`
protect vaultwarden with oauth2proxy 2023-02-12 06:28:00 +01:00			`clientRole = true;`
add more keycloak options and add config creator 2022-10-18 05:01:36 +02:00			`};`
			`in k: config: map c (roles config);`

protect vaultwarden with oauth2proxy 2023-02-12 06:28:00 +01:00			`mkGroup = name: {`
			`inherit name;`
			`path = "/${name}";`
			`attributes = {};`
			`realmRoles = [];`
			`clientRoles = {};`
			`subGroups = [];`
			`};`

add more keycloak options and add config creator 2022-10-18 05:01:36 +02:00			`mkClient = k: config:`
			`let`
			`url = "https://${k}.${domain}";`
			`in`
			`{`
			`clientId = k;`
			`rootUrl = url;`
			`clientAuthenticatorType = "client-secret";`
protect vaultwarden with oauth2proxy 2023-02-12 06:28:00 +01:00			`redirectUris = ["${url}/oauth2/callback"];`
add more keycloak options and add config creator 2022-10-18 05:01:36 +02:00			`webOrigins = [url];`
protect vaultwarden with oauth2proxy 2023-02-12 06:28:00 +01:00			`authorizationServicesEnabled = true;`
			`serviceAccountsEnabled = true;`
add more keycloak options and add config creator 2022-10-18 05:01:36 +02:00			`protocol = "openid-connect";`
protect vaultwarden with oauth2proxy 2023-02-12 06:28:00 +01:00			`publicClient = false;`
			`protocolMappers = [`
			`{`
			`name = "Client ID";`
			`protocol = "openid-connect";`
			`protocolMapper = "oidc-usersessionmodel-note-mapper";`
			`consentRequired = false;`
			`config = {`
			`"user.session.note" = "clientId";`
			`"id.token.claim" = "true";`
			`"access.token.claim" = "true";`
			`"claim.name" = "clientId";`
			`"jsonType.label" = "String";`
			`};`
			`}`
			`{`
			`name = "Client Host";`
			`protocol = "openid-connect";`
			`protocolMapper = "oidc-usersessionmodel-note-mapper";`
			`consentRequired = false;`
			`config = {`
			`"user.session.note" = "clientHost";`
			`"id.token.claim" = "true";`
			`"access.token.claim" = "true";`
			`"claim.name" = "clientHost";`
			`"jsonType.label" = "String";`
			`};`
			`}`
			`{`
			`name = "Client IP Address";`
			`protocol = "openid-connect";`
			`protocolMapper = "oidc-usersessionmodel-note-mapper";`
			`consentRequired = false;`
			`config = {`
			`"user.session.note" = "clientAddress";`
			`"id.token.claim" = "true";`
			`"access.token.claim" = "true";`
			`"claim.name" = "clientAddress";`
			`"jsonType.label" = "String";`
			`};`
			`}`
			`{`
			`name = "Audience";`
			`protocol = "openid-connect";`
			`protocolMapper = "oidc-audience-mapper";`
			`config = {`
			`"included.client.audience" = k;`
			`"id.token.claim" = "false";`
			`"access.token.claim" = "true";`
			`"included.custom.audience" = k;`
			`};`
			`}`
			`{`
			`name = "Group";`
			`protocol = "openid-connect";`
			`protocolMapper = "oidc-group-membership-mapper";`
			`config = {`
			`"full.path" = "true";`
			`"id.token.claim" = "true";`
			`"access.token.claim" = "true";`
			`"claim.name" = "groups";`
			`"userinfo.token.claim" = "true";`
			`};`
			`}`
			`];`
			`authorizationSettings = {`
			`policyEnforcementMode = "ENFORCING";`

			`resources =`
			`let`
			`mkResource = name: uris: {`
			`inherit name;`
			`type = "urn:${k}:resources:${name}";`
			`ownerManagedAccess = false;`
			`inherit uris;`
			`};`
			`in`
			`mapAttrsToList mkResource (config.resourcesUris or {});`

			`policies =`
			`let`
			`mkPolicyRole = role: {`
			`id = role;`
			`required = true;`
			`};`

			`mkPolicy = name: roles: {`
			`name = "${concatStringsSep "," roles} has access";`
			`type = "role";`
			`logic = "POSITIVE";`
			`decisionStrategy = "UNANIMOUS";`
			`config = {`
			`roles = toJSON (map mkPolicyRole roles);`
			`};`
			`};`

			`mkPermission = name: roles: resources: {`
			`name = "${concatStringsSep "," roles} has access to ${concatStringsSep "," resources}";`
			`type = "resource";`
			`logic = "POSITIVE";`
			`decisionStrategy = "UNANIMOUS";`
			`config = {`
			`resources = toJSON resources;`
			`applyPolicies = toJSON (map (r: "${concatStringsSep "," roles} has access") roles);`
			`};`
			`};`
			`in`
			`(mapAttrsToList (name: {roles, ...}: mkPolicy name roles) (config.access or {}))`
			`++ (mapAttrsToList (name: {roles, resources}: mkPermission name roles resources) (config.access or {}));`
			`};`
add more keycloak options and add config creator 2022-10-18 05:01:36 +02:00			`};`

			`mkUser = k: config:`
			`{`
			`username = k;`
protect vaultwarden with oauth2proxy 2023-02-12 06:28:00 +01:00			`enabled = true;`
fix vaultwarden sign up process without verifying email 2023-02-20 05:12:03 +01:00			`emailVerified = true;`
add more keycloak options and add config creator 2022-10-18 05:01:36 +02:00
protect vaultwarden with oauth2proxy 2023-02-12 06:28:00 +01:00			`inherit (config) email firstName lastName;`
			`} // optionalAttrs (config ? "groups") {`
			`inherit (config) groups;`
			`} // optionalAttrs (config ? "roles") {`
			`realmRoles = config.roles;`
			`} // optionalAttrs (config ? "initialPassword") {`
add initial password to keycloak users 2022-10-19 09:29:14 +02:00			`credentials = [`
			`{`
			`type = "password";`
			`userLabel = "initial";`
			`value = "$(keycloak.users.${k}.password)";`
			`}`
			`];`
add more keycloak options and add config creator 2022-10-18 05:01:36 +02:00			`};`

			`in`
			`{`
			`inherit realm;`
			`id = realm;`
protect vaultwarden with oauth2proxy 2023-02-12 06:28:00 +01:00			`enabled = true;`
add more keycloak options and add config creator 2022-10-18 05:01:36 +02:00
			`clients = mapAttrsToList mkClient clients;`

			`roles = {`
			`realm = mapAttrsToList mkRole roles;`
			`client = mapAttrs mkClientRole clients;`
			`};`

protect vaultwarden with oauth2proxy 2023-02-12 06:28:00 +01:00			`groups = map mkGroup groups;`

add more keycloak options and add config creator 2022-10-18 05:01:36 +02:00			`users = mapAttrsToList mkUser users;`
			`}`