
merge config with unit for keycloak

This commit is contained in:
ibizaman 2023-01-14 18:00:37 -08:00
parent a670d691bc
commit 61bad67112
6 changed files with 133 additions and 199 deletions


@ -34,10 +34,7 @@ let
PHPFPMSiteConfig = callPackage ./php-fpm/siteconfig.nix {inherit utils;}; PHPFPMSiteConfig = callPackage ./php-fpm/siteconfig.nix {inherit utils;};
mkPHPFPMSiteConfig = callPackage ./php-fpm/mksiteconfig.nix {inherit PHPFPMSiteConfig;}; mkPHPFPMSiteConfig = callPackage ./php-fpm/mksiteconfig.nix {inherit PHPFPMSiteConfig;};
KeycloakConfig = callPackage ./keycloak/config.nix {inherit utils;}; mkKeycloakService = callPackage ./keycloak/unit.nix {inherit utils;};
mkKeycloakConfig = callPackage ./keycloak/mkconfig.nix {inherit KeycloakConfig;};
KeycloakService = callPackage ./keycloak/unit.nix {inherit utils;};
mkKeycloakService = callPackage ./keycloak/mkunit.nix {inherit KeycloakService;};
mkKeycloakHaproxyService = callPackage ./keycloak-haproxy/unit.nix {inherit utils;}; mkKeycloakHaproxyService = callPackage ./keycloak-haproxy/unit.nix {inherit utils;};


@ -14,7 +14,8 @@
, keys , keys
, debug ? false , debug ? false
}: }:
{...}: { ...
}:
# https://github.com/adorsys/keycloak-config-cli # https://github.com/adorsys/keycloak-config-cli


@ -1,62 +0,0 @@
{ stdenv
, pkgs
, lib
, utils
}:
{ configDir ? "/etc/keycloak"
, configFile ? "keycloak.conf"
, logLevel ? "INFO"
, metricsEnabled ? false
, hostname
, dbType ? "postgres"
, dbUsername ? "keycloak"
, dbHost ? x: "localhost"
, dbPort ? "5432"
, dbDatabase ? "keycloak"
}:
{ KeycloakPostgresDB
}:
assert lib.assertOneOf "dbType" dbType ["postgres"];
utils.mkConfigFile {
name = configFile;
dir = configDir;
content = ''
# The password of the database user is given by an environment variable.
db=${dbType}
db-username=${dbUsername}
db-url-host=${dbHost {inherit KeycloakPostgresDB;}}
db-url-port=${dbPort}
db-url-database=${dbDatabase}
# db-url-properties= # Would be used for ssl, see https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/services/web-apps/keycloak.nix#L491
# Observability
# If the server should expose metrics and healthcheck endpoints.
metrics-enabled=${if metricsEnabled then "true" else "false"}
# HTTP
# The file path to a server certificate or certificate chain in PEM format.
#https-certificate-file=''${kc.home.dir}conf/server.crt.pem
# The file path to a private key in PEM format.
#https-certificate-key-file=''${kc.home.dir}conf/server.key.pem
# The proxy address forwarding mode if the server is behind a reverse proxy.
# https://www.keycloak.org/server/reverseproxy
proxy=edge
# Do not attach route to cookies and rely on the session affinity capabilities from reverse proxy
#spi-sticky-session-encoder-infinispan-should-attach-route=false
# Hostname for the Keycloak server.
hostname=${hostname}
spi-x509cert-lookup-provider=haproxy
log-level=${logLevel}
'';
}


@ -1,32 +0,0 @@
{ KeycloakConfig
}:
{ name
, configDir ? "/etc/keycloak"
, configFile ? "keycloak.conf"
, logLevel ? "INFO"
, metricsEnabled ? false
, hostname ? "keycloak.hostname.com"
, dbType ? "postgres"
, dbUsername ? "keycloak"
, dbHost ? x: "localhost"
, dbPort ? "5432"
, dbDatabase ? "keycloak"
, dependsOn ? {}
}:
{
inherit name configDir configFile;
inherit hostname;
pkg = KeycloakConfig {
inherit configDir configFile hostname;
inherit logLevel metricsEnabled;
inherit dbType dbUsername dbHost dbPort dbDatabase;
};
inherit dependsOn;
type = "fileset";
}


@ -1,30 +0,0 @@
{ KeycloakService
}:
{ name
, configDir
, configFile
, user
, group
, postgresServiceName
, initialAdminUsername ? "admin"
, keys
, dependsOn ? {}
}:
{
inherit name configDir configFile;
inherit initialAdminUsername;
pkg = KeycloakService {
inherit configDir configFile;
inherit user group;
inherit keys initialAdminUsername;
inherit postgresServiceName;
};
systemdUnitFile = "${name}.service";
inherit dependsOn;
type = "systemd-unit";
}


@ -3,16 +3,25 @@
, lib , lib
, utils , utils
}: }:
{ configDir ? "/etc/keycloak" { name
, configFile ? "keycloak.conf"
, user ? "keycloak" , user ? "keycloak"
, group ? "keycloak" , group ? "keycloak"
, dbType ? "postgres" , dbType ? "postgres"
, postgresServiceName , postgresServiceName
, initialAdminUsername ? null , initialAdminUsername ? null
, keys , keys
, logLevel ? "INFO"
, metricsEnabled ? false
, hostname
, dbUsername ? "keycloak"
, dbHost ? x: "localhost"
, dbPort ? "5432"
, dbDatabase ? "keycloak"
, KeycloakPostgresDB
}: }:
{ ... }:
assert lib.assertOneOf "dbType" dbType ["postgres"]; assert lib.assertOneOf "dbType" dbType ["postgres"];
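Review bot: `KeycloakPostgresDB` becomes a parameter of the outer function here (the `, KeycloakPostgresDB` line), yet the `pkg` attribute introduced in the next hunk re-binds the same name as its own argument (`pkg = { KeycloakPostgresDB }:`), so the `db-url-host` rendered inside the config template sees the inner binding while `dependsOn = { inherit KeycloakPostgresDB; }` at the end of the file uses the outer one. Nix accepts the shadowing silently, so if a caller ever passes a different value to `pkg` than to the unit, the host the service connects to and the dependency it declares would diverge with no error. If `pkg` must stay a function for the caller's protocol, `pkg = { ... }:` would let it rely on the outer binding; otherwise a one-line comment above `pkg` stating that the two are expected to be the same derivation would at least make the intent explicit. The function and the `let` block it opens continue outside this hunk.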
@ -25,8 +34,54 @@ let
}; };
in in
with lib.attrsets; {
utils.systemd.mkService rec { inherit name;
inherit initialAdminUsername;
systemdUnitFile = "${name}.service";
pkg = { KeycloakPostgresDB }:
let
configFile = pkgs.writeText "keycloak.conf" ''
# The password of the database user is given by an environment variable.
db=${dbType}
db-username=${dbUsername}
db-url-host=${dbHost {inherit KeycloakPostgresDB;}}
db-url-port=${dbPort}
db-url-database=${dbDatabase}
# db-url-properties= # Would be used for ssl, see https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/services/web-apps/keycloak.nix#L491
# Observability
# If the server should expose metrics and healthcheck endpoints.
metrics-enabled=${if metricsEnabled then "true" else "false"}
# HTTP
# The file path to a server certificate or certificate chain in PEM format.
#https-certificate-file=''${kc.home.dir}conf/server.crt.pem
# The file path to a private key in PEM format.
#https-certificate-key-file=''${kc.home.dir}conf/server.key.pem
# The proxy address forwarding mode if the server is behind a reverse proxy.
# https://www.keycloak.org/server/reverseproxy
proxy=edge
# Do not attach route to cookies and rely on the session affinity capabilities from reverse proxy
#spi-sticky-session-encoder-infinispan-should-attach-route=false
# Hostname for the Keycloak server.
hostname=${hostname}
spi-x509cert-lookup-provider=haproxy
log-level=${logLevel}
'';
in
with lib.attrsets;
utils.systemd.mkService rec {
name = "keycloak"; name = "keycloak";
content = '' content = ''
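Review bot: `configFile = pkgs.writeText "keycloak.conf" ''…''` places the rendered configuration in the Nix store, which is world-readable on the host, so the template's first line ("The password of the database user is given by an environment variable") has become a load-bearing invariant rather than a remark. A comment directly above the `writeText` call would make that explicit for the next person extending the template, e.g. `# Rendered into the world-readable Nix store: never interpolate secrets (db password, keys) here; they must reach the service via the environment.`. The template body itself is carried over from the deleted keycloak/config.nix unchanged apart from indentation, so the only new property to document is where the file now lives. The enclosing `utils.systemd.mkService rec { … }` call runs past the end of this hunk.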
@ -51,13 +106,12 @@ utils.systemd.mkService rec {
# the only solution for Quarkus modifying the serialized # the only solution for Quarkus modifying the serialized
# data under <keycloak-home>/lib/quarkus # data under <keycloak-home>/lib/quarkus
# Raised upstream as https://github.com/keycloak/keycloak/discussions/10323 # Raised upstream as https://github.com/keycloak/keycloak/discussions/10323
# ExecStartPre=!${keycloak}/bin/kc.sh -cf ${configDir}/${configFile} build # ExecStartPre=!${keycloak}/bin/kc.sh -cf ${configFile} build
ExecStart=${keycloak}/bin/kc.sh -cf ${configDir}/${configFile} start ExecStart=${keycloak}/bin/kc.sh -cf ${configFile} start
# ReadWritePaths=/var/lib/keycloak # ReadWritePaths=/var/lib/keycloak
# ReadWritePaths=/var/log/keycloak # ReadWritePaths=/var/log/keycloak
# ReadWritePaths=/usr/share/java/keycloak/lib/quarkus # ReadWritePaths=/usr/share/java/keycloak/lib/quarkus
# ReadOnlyPaths=${configDir}
RuntimeDirectory=keycloak RuntimeDirectory=keycloak
DynamicUser=true DynamicUser=true
@ -95,4 +149,10 @@ utils.systemd.mkService rec {
[Install] [Install]
WantedBy=multi-user.target WantedBy=multi-user.target
''; '';
};
dependsOn = {
inherit KeycloakPostgresDB;
};
type = "systemd-unit";
} }