From 50bb2da5e76b93e1306b6fac07ed37d2b1d417aa Mon Sep 17 00:00:00 2001
From: ibizaman
Date: Sat, 15 Oct 2022 21:57:21 -0700
Subject: [PATCH] add keycloak-cli-config to setup keycloak with two users
---
 all-packages.nix | 5 ++
 keycloak-cli-config/config.nix | 15 +++++
 keycloak-cli-config/mkconfig.nix | 20 +++++++
 keycloak-cli-config/mkunit.nix | 29 +++++++++
 keycloak-cli-config/unit.nix | 100 +++++++++++++++++++++++++++++++
 keycloak/mkconfig.nix | 2 +
 keycloak/unit.nix | 2 +-
 7 files changed, 172 insertions(+), 1 deletion(-)
 create mode 100644 keycloak-cli-config/config.nix
 create mode 100644 keycloak-cli-config/mkconfig.nix
 create mode 100644 keycloak-cli-config/mkunit.nix
 create mode 100644 keycloak-cli-config/unit.nix
diff --git a/all-packages.nix b/all-packages.nix
index b24f455..8f0c831 100644
--- a/all-packages.nix
+++ b/all-packages.nix
@@ -43,6 +43,11 @@ let
 KeycloakService = callPackage ./keycloak/unit.nix {inherit utils;};
 mkKeycloakService = callPackage ./keycloak/mkunit.nix {inherit KeycloakService;};
+ KeycloakCliConfig = callPackage ./keycloak-cli-config/config.nix {inherit utils;};
+ mkKeycloakCliConfig = callPackage ./keycloak-cli-config/mkconfig.nix {inherit KeycloakCliConfig;};
+ KeycloakCliService = callPackage ./keycloak-cli-config/unit.nix {inherit utils;};
+ mkKeycloakCliService = callPackage ./keycloak-cli-config/mkunit.nix {inherit KeycloakCliService;};
+
 TtrssEnvironment = callPackage ./ttrss/environment.nix {};
 TtrssConfig = callPackage ./ttrss/config.nix {};
 mkTtrssConfig = callPackage ./ttrss/mkconfig.nix {inherit TtrssConfig;};
diff --git a/keycloak-cli-config/config.nix b/keycloak-cli-config/config.nix
new file mode 100644
index 0000000..7216696
--- /dev/null
+++ b/keycloak-cli-config/config.nix
@@ -0,0 +1,15 @@
+{ stdenv
+, pkgs
+, lib
+, utils
+}:
+{ configDir ? "/etc/keycloak-cli-config"
+, configFile ? "config.json"
+, config ? {}
+}:
+
+utils.mkConfigFile {
+ name = configFile;
+ dir = configDir;
+ content = builtins.toJSON config;
+}
diff --git a/keycloak-cli-config/mkconfig.nix b/keycloak-cli-config/mkconfig.nix
new file mode 100644
index 0000000..40f6746
--- /dev/null
+++ b/keycloak-cli-config/mkconfig.nix
@@ -0,0 +1,20 @@
+{ KeycloakCliConfig
+}:
+{ name
+, configDir ? "/etc/keycloak-cli-config"
+, configFile ? "config.json"
+, config ? ""
+}:
+
+{
+ inherit name configDir configFile;
+
+ pkg = KeycloakCliConfig {
+ inherit configDir configFile;
+
+ inherit config;
+ };
+
+ type = "fileset";
+}
+
diff --git a/keycloak-cli-config/mkunit.nix b/keycloak-cli-config/mkunit.nix
new file mode 100644
index 0000000..2c86ff6
--- /dev/null
+++ b/keycloak-cli-config/mkunit.nix
@@ -0,0 +1,29 @@
+{ KeycloakCliService
+}:
+{ name
+, configDir
+, configFile
+
+, keycloakServiceName
+, keycloakSecretsDir
+, keycloakAvailabilityTimeout ? "120s"
+, keycloakUrl
+, keycloakUser
+
+, dependsOn ? {}
+}:
+
+{
+ inherit name configDir configFile;
+ pkg = KeycloakCliService {
+ inherit configDir configFile;
+
+ inherit keycloakServiceName;
+ inherit keycloakSecretsDir
+ keycloakAvailabilityTimeout
+ keycloakUrl keycloakUser;
+ };
+
+ inherit dependsOn;
+ type = "systemd-unit";
+}
diff --git a/keycloak-cli-config/unit.nix b/keycloak-cli-config/unit.nix
new file mode 100644
index 0000000..dfa6080
--- /dev/null
+++ b/keycloak-cli-config/unit.nix
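Review bot: `content = builtins.toJSON config;` serialises the whole realm import verbatim, so any user credentials a caller places in `config` (the commit title mentions two users) land in the rendered file and, if `utils.mkConfigFile` builds it as a derivation, in the world-readable Nix store as well. The header comment in unit.nix only covers the admin password; this file says nothing about what `config` may carry. I would add above `utils.mkConfigFile {`: `# Rendered verbatim into configDir/configFile; keep passwords and client secrets out of config and supply them through keycloakSecretsDir instead.` Whether the importer can then reference such values from the secrets directory depends on keycloak-config-cli's own substitution support, which this patch does not enable.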
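Review bot: `, config ? ""` disagrees with the `config ? {}` default in keycloak-cli-config/config.nix; the empty string passed through `builtins.toJSON` yields the document `""`, a JSON string rather than an object, which the importer would presumably reject at service start instead of at evaluation time. Change the default to `, config ? {}` so the fileset and the config derivation agree and an unconfigured instance produces an empty object rather than an invalid document. The `configDir`/`configFile` defaults here duplicate those in config.nix as well; one source of truth would keep the two from drifting apart.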
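Review bot: `, configFile` and `, configDir` have no defaults here while mkconfig.nix defaults them to `"config.json"` and `"/etc/keycloak-cli-config"`, so a caller relying on the fileset defaults must still spell both out for the unit, and the two halves can silently point at different paths; `IMPORT_FILES_LOCATIONS` would then name a file the fileset never created. Giving them the same defaults as mkconfig.nix, `, configDir ? "/etc/keycloak-cli-config"` and `, configFile ? "config.json"`, keeps the two in step. Note that unit.nix defaults `configFile` to `null` (import the whole directory), which is a third convention for the same parameter.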
@@ -0,0 +1,100 @@
+{ stdenv
+, pkgs
+, lib
+, utils
+}:
+{ configDir ? "/etc/keycloak-cli-config"
+, configFile ? null
+
+, keycloakServiceName
+, keycloakSecretsDir
+, keycloakAvailabilityTimeout ? "120s"
+, keycloakUrl
+, keycloakUser
+, debug ? false
+}:
+{...}:
+
+# https://github.com/adorsys/keycloak-config-cli
+
+# Password must be given through a file name "keycloak.password" under keycloakSecretsDir.
+
+let
+
+ configFileLocation =
+ configDir + (if configFile != null then "/" + configFile else "");
+
+ envs = lib.concatMapStrings (x: "\nEnvironment=" + x) ([
+ "SPRING_CONFIG_IMPORT=configtree:${keycloakSecretsDir}/"
+ "KEYCLOAK_URL=${keycloakUrl}"
+ "KEYCLOAK_USER=${keycloakUser}"
+ "KEYCLOAK_AVAILABILITYCHECK_ENABLED=true"
+ "KEYCLOAK_AVAILABILITYCHECK_TIMEOUT=${keycloakAvailabilityTimeout}"
+ "IMPORT_FILES_LOCATIONS=${configFileLocation}"
+ ] ++ (if !debug then [] else [
+ "DEBUG=true"
+ "LOGGING_LEVEL_ROOT=debug"
+ "LOGGING_LEVEL_HTTP=debug"
+ "LOGGING_LEVEL_REALMCONFIG=debug"
+ "LOGGING_LEVEL_KEYCLOAKCONFIGCLI=debug"
+ ]));
+
+ keycloak-cli-config = pkgs.stdenv.mkDerivation rec {
+ pname = "keycloak-cli-config";
+ version = "5.3.1";
+ keycloakVersion = "18.0.2";
+
+ src = pkgs.fetchurl {
+ url = "https://github.com/adorsys/keycloak-config-cli/releases/download/v${version}/keycloak-config-cli-${keycloakVersion}.jar";
+ sha256 = "sha256-vC0d0g5TFddetpBwRDMokloTCr7ibFK//Yuvh+m77RA=";
+ };
+
+ buildInputs = [ pkgs.makeWrapper pkgs.jre ];
+
+ phases = [ "installPhase" ];
+
+ installPhase = ''
+ mkdir -p $out/bin
+ cp $src $out/bin/keycloak-cli-config.jar
+ '';
+ };
+
+in
+
+utils.systemd.mkService rec {
+ name = "keycloak-cli-config";
+
+ content = ''
+ [Unit]
+ Description=Keycloak Realm Config
+ After=${keycloakServiceName}
+ Wants=${keycloakServiceName}
+
+ [Service]
+ User=keycloakcli
+ Group=keycloakcli
+
+ Type=oneshot${envs}
+ ExecStart=${pkgs.jre}/bin/java -jar ${keycloak-cli-config}/bin/keycloak-cli-config.jar
+
+ RuntimeDirectory=keycloak-cli-config
+
+ PrivateDevices=true
+ LockPersonality=true
+ NoNewPrivileges=true
+ PrivateDevices=true
+ PrivateTmp=true
+ ProtectClock=true
+ ProtectControlGroups=true
+ ProtectHome=true
+ ProtectHostname=true
+ ProtectKernelLogs=true
+ ProtectKernelModules=true
+ ProtectKernelTunables=true
+ ProtectSystem=full
+ RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX
+ RestrictNamespaces=true
+ RestrictRealtime=true
+ RestrictSUIDSGID=true
+ '';
+}
diff --git a/keycloak/mkconfig.nix b/keycloak/mkconfig.nix
index d8d7e9b..8456f24 100644
--- a/keycloak/mkconfig.nix
+++ b/keycloak/mkconfig.nix
@@ -19,6 +19,8 @@ {
 inherit name configDir configFile;
+ inherit hostname;
+
 pkg = KeycloakConfig {
 inherit configDir configFile hostname;
 inherit logLevel metricsEnabled;
diff --git a/keycloak/unit.nix b/keycloak/unit.nix
index eacd94a..3bcaaa6 100644
--- a/keycloak/unit.nix
+++ b/keycloak/unit.nix
@@ -40,7 +40,7 @@ utils.systemd.mkService rec {
 Group=${group}
 EnvironmentFile=${dbPasswordFile}
- ${if initialAdminFile != null then "Environment=KEYCLOAK_ADMIN="+initialAdminUsername else ""}
+ ${if initialAdminUsername != null then "Environment=KEYCLOAK_ADMIN="+initialAdminUsername else ""}
 ${if initialAdminFile != null then "EnvironmentFile="+initialAdminFile else ""}
 Environment=PATH=${pkgs.coreutils}/bin
 Environment=KC_HOME_DIR="/run/keycloak"
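Review bot: `PrivateDevices=true` is listed twice in the [Service] section of the unit content (once before `LockPersonality=true` and again after `NoNewPrivileges=true`); systemd tolerates the repeat but one copy should go. The header comment names the password file but not who must be able to read it: the unit runs as `User=keycloakcli`, and `SPRING_CONFIG_IMPORT=configtree:${keycloakSecretsDir}/` imports every file in that directory, so I would extend the comment with `# keycloakSecretsDir must be readable by the keycloakcli user and should not be readable by anyone else; every file in it is imported as a property.` `KEYCLOAK_URL=${keycloakUrl}` is where the admin password is sent and nothing constrains its scheme; if a caller passes a plain http:// URL to a non-local host the credential crosses the network in clear, so either document that expectation or guard it in the let block, e.g. `assert lib.hasPrefix "https://" keycloakUrl || lib.hasPrefix "http://localhost" keycloakUrl;`. The `debug` branch enables `LOGGING_LEVEL_HTTP=debug`, which, depending on what keycloak-config-cli logs at that level, may write request headers including the admin bearer token into the journal; a one-line warning next to `, debug ? false` would be worth having.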
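Review bot: The corrected condition now emits `Environment=KEYCLOAK_ADMIN=` whenever `initialAdminUsername` is set, independently of the `initialAdminFile` check on the following context line, so a caller can end up with an admin username and no password file, or a password file and no username; as far as I know Keycloak only bootstraps the initial admin when both values are present and otherwise skips it quietly, leaving the instance without an admin. An evaluation-time check in the function body, `assert (initialAdminUsername == null) == (initialAdminFile == null);`, would surface that mismatch at build time instead. The enclosing `utils.systemd.mkService rec {` starts outside the hunk.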