# Builds the Keycloak server configuration file (keycloak.conf) through
# `utils.mkConfigFile`.
#
# The expression is curried over three argument sets:
#   1. the build inputs (stdenv, pkgs, lib, utils); only `lib` and
#      `utils.mkConfigFile` are actually used here;
#   2. the tunables below, all of which have defaults except `hostname`;
#   3. the database dependency `KeycloakPostgresDB`, which is only handed to
#      `dbHost` so that a caller can derive the host name from it.
#
# Security-relevant properties of the generated file:
#   * The database password is deliberately absent from the file; Keycloak
#     reads it from the KC_DB_PASSWORD environment variable.
#   * `db-url-properties` stays commented out, so the JDBC connection is not
#     configured for TLS; that is only acceptable while `dbHost` stays local.
#   * `proxy=edge` makes Keycloak trust X-Forwarded-* headers and expect TLS
#     to be terminated at the reverse proxy, so the server must be reachable
#     only through that proxy.
#   * `spi-x509cert-lookup-provider=haproxy` makes Keycloak read the client
#     certificate from request headers set by HAProxy; the proxy has to
#     overwrite any client-supplied copies of those headers, otherwise a
#     client could present a forged certificate.
#   * `metrics-enabled=true` exposes the metrics and health endpoints on the
#     server; restrict them at the proxy if they are not meant to be public.
{ stdenv
, pkgs
, lib
, utils
}:

{ configDir ? "/etc/keycloak"
, configFile ? "keycloak.conf"
  # Root log level of the Keycloak server, e.g. INFO or DEBUG.
, logLevel ? "INFO"
, metricsEnabled ? false
  # No default: the public hostname must be supplied by the caller.
, hostname
  # Only "postgres" is accepted, see the assert below.
, dbType ? "postgres"
, dbUsername ? "keycloak"
  # A function of `{ KeycloakPostgresDB }`; the default ignores its argument.
, dbHost ? _: "localhost"
, dbPort ? "5432"
, dbDatabase ? "keycloak"
}:

{ KeycloakPostgresDB }:

# Fail evaluation early on an unsupported database type.
assert lib.assertOneOf "dbType" dbType [ "postgres" ];

let
  # Resolve the database host from the database dependency.
  resolvedDbHost = dbHost { inherit KeycloakPostgresDB; };
  # Keycloak expects the literal strings "true" / "false".
  metricsFlag = lib.boolToString metricsEnabled;
in
utils.mkConfigFile {
  dir = configDir;
  name = configFile;
  content = ''
    # The password of the database user is given by an environment variable.
    db=${dbType}
    db-username=${dbUsername}
    db-url-host=${resolvedDbHost}
    db-url-port=${dbPort}
    db-url-database=${dbDatabase}
    # db-url-properties= # Would be used for ssl, see https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/services/web-apps/keycloak.nix#L491

    # Observability

    # If the server should expose metrics and healthcheck endpoints.
    metrics-enabled=${metricsFlag}

    # HTTP

    # The file path to a server certificate or certificate chain in PEM format.
    #https-certificate-file=''${kc.home.dir}conf/server.crt.pem

    # The file path to a private key in PEM format.
    #https-certificate-key-file=''${kc.home.dir}conf/server.key.pem

    # The proxy address forwarding mode if the server is behind a reverse proxy.
    # https://www.keycloak.org/server/reverseproxy
    proxy=edge

    # Do not attach route to cookies and rely on the session affinity capabilities from reverse proxy
    #spi-sticky-session-encoder-infinispan-should-attach-route=false

    # Hostname for the Keycloak server.
    hostname=${hostname}

    spi-x509cert-lookup-provider=haproxy

    log-level=${logLevel}
  '';
}