add keycloak-cli-config to setup keycloak with two users

2022-10-15 21:57:21 -07:00 · 2022-10-15 21:57:21 -07:00 · 50bb2da5e7
commit 50bb2da5e7
parent 5b7e7cd6a8
7 changed files with 172 additions and 1 deletions
--- a/all-packages.nix
+++ b/all-packages.nix
@ -43,6 +43,11 @@ let
    KeycloakService = callPackage ./keycloak/unit.nix {inherit utils;};
    mkKeycloakService = callPackage ./keycloak/mkunit.nix {inherit KeycloakService;};

+    KeycloakCliConfig = callPackage ./keycloak-cli-config/config.nix {inherit utils;};
+    mkKeycloakCliConfig = callPackage ./keycloak-cli-config/mkconfig.nix {inherit KeycloakCliConfig;};
+    KeycloakCliService = callPackage ./keycloak-cli-config/unit.nix {inherit utils;};
+    mkKeycloakCliService = callPackage ./keycloak-cli-config/mkunit.nix {inherit KeycloakCliService;};
+
    TtrssEnvironment = callPackage ./ttrss/environment.nix {};
    TtrssConfig = callPackage ./ttrss/config.nix {};
    mkTtrssConfig = callPackage ./ttrss/mkconfig.nix {inherit TtrssConfig;};
--- a/keycloak-cli-config/config.nix
+++ b/keycloak-cli-config/config.nix
@ -0,0 +1,15 @@
+{ stdenv
+, pkgs
+, lib
+, utils
+}:
+{ configDir ? "/etc/keycloak-cli-config"
+, configFile ? "config.json"
+, config ? {}
+}:
+
+utils.mkConfigFile {
+  name = configFile;
+  dir = configDir;
+  content = builtins.toJSON config;
+}
--- a/keycloak-cli-config/mkconfig.nix
+++ b/keycloak-cli-config/mkconfig.nix
@ -0,0 +1,20 @@
+{ KeycloakCliConfig
+}:
+{ name
+, configDir ? "/etc/keycloak-cli-config"
+, configFile ? "config.json"
+, config ? ""
+}:
+
+{
+  inherit name configDir configFile;
+
+  pkg = KeycloakCliConfig {
+    inherit configDir configFile;
+
+    inherit config;
+  };
+
+  type = "fileset";
+}
+    
--- a/keycloak-cli-config/mkunit.nix
+++ b/keycloak-cli-config/mkunit.nix
@ -0,0 +1,29 @@
+{ KeycloakCliService
+}:
+{ name
+, configDir
+, configFile
+
+, keycloakServiceName
+, keycloakSecretsDir
+, keycloakAvailabilityTimeout ? "120s"
+, keycloakUrl
+, keycloakUser
+
+, dependsOn ? {}
+}:
+
+{
+  inherit name configDir configFile;
+  pkg = KeycloakCliService {
+    inherit configDir configFile;
+
+    inherit keycloakServiceName;
+    inherit keycloakSecretsDir
+      keycloakAvailabilityTimeout
+      keycloakUrl keycloakUser;
+  };
+
+  inherit dependsOn;
+  type = "systemd-unit";
+}
--- a/keycloak-cli-config/unit.nix
+++ b/keycloak-cli-config/unit.nix
@ -0,0 +1,100 @@
+{ stdenv
+, pkgs
+, lib
+, utils
+}:
+{ configDir ? "/etc/keycloak-cli-config"
+, configFile ? null
+
+, keycloakServiceName
+, keycloakSecretsDir
+, keycloakAvailabilityTimeout ? "120s"
+, keycloakUrl
+, keycloakUser
+, debug ? false
+}:
+{...}:
+
+# https://github.com/adorsys/keycloak-config-cli
+
+# Password must be given through a file name "keycloak.password" under keycloakSecretsDir.
+
+let
+
+  configFileLocation =
+    configDir + (if configFile != null then "/" + configFile else "");
+
+  envs = lib.concatMapStrings (x: "\nEnvironment=" + x) ([
+    "SPRING_CONFIG_IMPORT=configtree:${keycloakSecretsDir}/"
+    "KEYCLOAK_URL=${keycloakUrl}"
+    "KEYCLOAK_USER=${keycloakUser}"
+    "KEYCLOAK_AVAILABILITYCHECK_ENABLED=true"
+    "KEYCLOAK_AVAILABILITYCHECK_TIMEOUT=${keycloakAvailabilityTimeout}"
+    "IMPORT_FILES_LOCATIONS=${configFileLocation}"
+  ] ++ (if !debug then [] else [
+    "DEBUG=true"
+    "LOGGING_LEVEL_ROOT=debug"
+    "LOGGING_LEVEL_HTTP=debug"
+    "LOGGING_LEVEL_REALMCONFIG=debug"
+    "LOGGING_LEVEL_KEYCLOAKCONFIGCLI=debug"
+  ]));
+
+  keycloak-cli-config = pkgs.stdenv.mkDerivation rec {
+    pname = "keycloak-cli-config";
+    version = "5.3.1";
+    keycloakVersion = "18.0.2";
+
+    src = pkgs.fetchurl {
+      url = "https://github.com/adorsys/keycloak-config-cli/releases/download/v${version}/keycloak-config-cli-${keycloakVersion}.jar";
+      sha256 = "sha256-vC0d0g5TFddetpBwRDMokloTCr7ibFK//Yuvh+m77RA=";
+    };
+
+    buildInputs = [ pkgs.makeWrapper pkgs.jre ];
+
+    phases = [ "installPhase" ];
+
+    installPhase = ''
+    mkdir -p $out/bin
+    cp $src $out/bin/keycloak-cli-config.jar
+    '';
+  };
+
+in
+
+utils.systemd.mkService rec {
+  name = "keycloak-cli-config";
+
+  content = ''
+  [Unit]
+  Description=Keycloak Realm Config
+  After=${keycloakServiceName}
+  Wants=${keycloakServiceName}
+
+  [Service]
+  User=keycloakcli
+  Group=keycloakcli
+
+  Type=oneshot${envs}
+  ExecStart=${pkgs.jre}/bin/java -jar ${keycloak-cli-config}/bin/keycloak-cli-config.jar
+
+  RuntimeDirectory=keycloak-cli-config
+
+  PrivateDevices=true
+  LockPersonality=true
+  NoNewPrivileges=true
+  PrivateDevices=true
+  PrivateTmp=true
+  ProtectClock=true
+  ProtectControlGroups=true
+  ProtectHome=true
+  ProtectHostname=true
+  ProtectKernelLogs=true
+  ProtectKernelModules=true
+  ProtectKernelTunables=true
+  ProtectSystem=full
+  RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX
+  RestrictNamespaces=true
+  RestrictRealtime=true
+  RestrictSUIDSGID=true
+  '';
+}
--- a/keycloak/mkconfig.nix
+++ b/keycloak/mkconfig.nix
@ -19,6 +19,8 @@
 {
  inherit name configDir configFile;

+  inherit hostname;
+
  pkg = KeycloakConfig {
    inherit configDir configFile hostname;
    inherit logLevel metricsEnabled;
--- a/keycloak/unit.nix
+++ b/keycloak/unit.nix
@ -40,7 +40,7 @@ utils.systemd.mkService rec {
  Group=${group}
  
  EnvironmentFile=${dbPasswordFile}
-  ${if initialAdminFile != null then "Environment=KEYCLOAK_ADMIN="+initialAdminUsername else ""}
+  ${if initialAdminUsername != null then "Environment=KEYCLOAK_ADMIN="+initialAdminUsername else ""}
  ${if initialAdminFile != null then "EnvironmentFile="+initialAdminFile else ""}
  Environment=PATH=${pkgs.coreutils}/bin
  Environment=KC_HOME_DIR="/run/keycloak"