hosting/selfhostblocks
1
0
Fork 0
Code Issues Activity

add keycloak-cli-config to setup keycloak with two users

Browse source
This commit is contained in:
ibizaman 2022-10-15 21:57:21 -07:00
parent 5b7e7cd6a8
commit 50bb2da5e7
7 changed files with 172 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
all-packages.nix
View file

@ -43,6 +43,11 @@ let
KeycloakService = callPackage ./keycloak/unit.nix {inherit utils;}; KeycloakService = callPackage ./keycloak/unit.nix {inherit utils;};
mkKeycloakService = callPackage ./keycloak/mkunit.nix {inherit KeycloakService;}; mkKeycloakService = callPackage ./keycloak/mkunit.nix {inherit KeycloakService;};
KeycloakCliConfig = callPackage ./keycloak-cli-config/config.nix {inherit utils;};
mkKeycloakCliConfig = callPackage ./keycloak-cli-config/mkconfig.nix {inherit KeycloakCliConfig;};
KeycloakCliService = callPackage ./keycloak-cli-config/unit.nix {inherit utils;};
mkKeycloakCliService = callPackage ./keycloak-cli-config/mkunit.nix {inherit KeycloakCliService;};
TtrssEnvironment = callPackage ./ttrss/environment.nix {}; TtrssEnvironment = callPackage ./ttrss/environment.nix {};
TtrssConfig = callPackage ./ttrss/config.nix {}; TtrssConfig = callPackage ./ttrss/config.nix {};
mkTtrssConfig = callPackage ./ttrss/mkconfig.nix {inherit TtrssConfig;}; mkTtrssConfig = callPackage ./ttrss/mkconfig.nix {inherit TtrssConfig;};

15
keycloak-cli-config/config.nix Normal file
View file

@ -0,0 +1,15 @@
{ stdenv
, pkgs
, lib
, utils
}:
{ configDir ? "/etc/keycloak-cli-config"
, configFile ? "config.json"
, config ? {}
}:
utils.mkConfigFile {
name = configFile;
dir = configDir;
content = builtins.toJSON config;
}

20
keycloak-cli-config/mkconfig.nix Normal file
View file

@ -0,0 +1,20 @@
{ KeycloakCliConfig
}:
{ name
, configDir ? "/etc/keycloak-cli-config"
, configFile ? "config.json"
, config ? ""
}:
{
inherit name configDir configFile;
pkg = KeycloakCliConfig {
inherit configDir configFile;
inherit config;
};
type = "fileset";
}

29
keycloak-cli-config/mkunit.nix Normal file
View file

@ -0,0 +1,29 @@
{ KeycloakCliService
}:
{ name
, configDir
, configFile
, keycloakServiceName
, keycloakSecretsDir
, keycloakAvailabilityTimeout ? "120s"
, keycloakUrl
, keycloakUser
, dependsOn ? {}
}:
{
inherit name configDir configFile;
pkg = KeycloakCliService {
inherit configDir configFile;
inherit keycloakServiceName;
inherit keycloakSecretsDir
keycloakAvailabilityTimeout
keycloakUrl keycloakUser;
};
inherit dependsOn;
type = "systemd-unit";
}

100
keycloak-cli-config/unit.nix Normal file
View file

@ -0,0 +1,100 @@
{ stdenv
, pkgs
, lib
, utils
}:
{ configDir ? "/etc/keycloak-cli-config"
, configFile ? null
, keycloakServiceName
, keycloakSecretsDir
, keycloakAvailabilityTimeout ? "120s"
, keycloakUrl
, keycloakUser
, debug ? false
}:
{...}:
# https://github.com/adorsys/keycloak-config-cli
# Password must be given through a file name "keycloak.password" under keycloakSecretsDir.
let
configFileLocation =
configDir + (if configFile != null then "/" + configFile else "");
envs = lib.concatMapStrings (x: "\nEnvironment=" + x) ([
"SPRING_CONFIG_IMPORT=configtree:${keycloakSecretsDir}/"
"KEYCLOAK_URL=${keycloakUrl}"
"KEYCLOAK_USER=${keycloakUser}"
"KEYCLOAK_AVAILABILITYCHECK_ENABLED=true"
"KEYCLOAK_AVAILABILITYCHECK_TIMEOUT=${keycloakAvailabilityTimeout}"
"IMPORT_FILES_LOCATIONS=${configFileLocation}"
] ++ (if !debug then [] else [
"DEBUG=true"
"LOGGING_LEVEL_ROOT=debug"
"LOGGING_LEVEL_HTTP=debug"
"LOGGING_LEVEL_REALMCONFIG=debug"
"LOGGING_LEVEL_KEYCLOAKCONFIGCLI=debug"
]));
keycloak-cli-config = pkgs.stdenv.mkDerivation rec {
pname = "keycloak-cli-config";
version = "5.3.1";
keycloakVersion = "18.0.2";
src = pkgs.fetchurl {
url = "https://github.com/adorsys/keycloak-config-cli/releases/download/v${version}/keycloak-config-cli-${keycloakVersion}.jar";
sha256 = "sha256-vC0d0g5TFddetpBwRDMokloTCr7ibFK//Yuvh+m77RA=";
};
buildInputs = [ pkgs.makeWrapper pkgs.jre ];
phases = [ "installPhase" ];
installPhase = ''
mkdir -p $out/bin
cp $src $out/bin/keycloak-cli-config.jar
'';
};
in
utils.systemd.mkService rec {
name = "keycloak-cli-config";
content = ''
[Unit]
Description=Keycloak Realm Config
After=${keycloakServiceName}
Wants=${keycloakServiceName}
[Service]
User=keycloakcli
Group=keycloakcli
Type=oneshot${envs}
ExecStart=${pkgs.jre}/bin/java -jar ${keycloak-cli-config}/bin/keycloak-cli-config.jar
RuntimeDirectory=keycloak-cli-config
PrivateDevices=true
LockPersonality=true
NoNewPrivileges=true
PrivateDevices=true
PrivateTmp=true
ProtectClock=true
ProtectControlGroups=true
ProtectHome=true
ProtectHostname=true
ProtectKernelLogs=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectSystem=full
RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX
RestrictNamespaces=true
RestrictRealtime=true
RestrictSUIDSGID=true
'';
}

2
keycloak/mkconfig.nix
View file

@ -19,6 +19,8 @@
{ {
inherit name configDir configFile; inherit name configDir configFile;
inherit hostname;
pkg = KeycloakConfig { pkg = KeycloakConfig {
inherit configDir configFile hostname; inherit configDir configFile hostname;
inherit logLevel metricsEnabled; inherit logLevel metricsEnabled;

2
keycloak/unit.nix
View file

@ -40,7 +40,7 @@ utils.systemd.mkService rec {
Group=${group} Group=${group}
EnvironmentFile=${dbPasswordFile} EnvironmentFile=${dbPasswordFile}
${if initialAdminFile != null then "Environment=KEYCLOAK_ADMIN="+initialAdminUsername else ""} ${if initialAdminUsername != null then "Environment=KEYCLOAK_ADMIN="+initialAdminUsername else ""}
${if initialAdminFile != null then "EnvironmentFile="+initialAdminFile else ""} ${if initialAdminFile != null then "EnvironmentFile="+initialAdminFile else ""}
Environment=PATH=${pkgs.coreutils}/bin Environment=PATH=${pkgs.coreutils}/bin
Environment=KC_HOME_DIR="/run/keycloak" Environment=KC_HOME_DIR="/run/keycloak"