merge config with unit for keycloak

2023-01-14 18:00:37 -08:00 · 2023-01-14 18:00:37 -08:00 · 61bad67112
commit 61bad67112
parent a670d691bc
6 changed files with 133 additions and 199 deletions
--- a/all-packages.nix
+++ b/all-packages.nix
@ -34,10 +34,7 @@ let
    PHPFPMSiteConfig = callPackage ./php-fpm/siteconfig.nix {inherit utils;};
    mkPHPFPMSiteConfig = callPackage ./php-fpm/mksiteconfig.nix {inherit PHPFPMSiteConfig;};

-    KeycloakConfig = callPackage ./keycloak/config.nix {inherit utils;};
-    mkKeycloakConfig = callPackage ./keycloak/mkconfig.nix {inherit KeycloakConfig;};
-    KeycloakService = callPackage ./keycloak/unit.nix {inherit utils;};
-    mkKeycloakService = callPackage ./keycloak/mkunit.nix {inherit KeycloakService;};
+    mkKeycloakService = callPackage ./keycloak/unit.nix {inherit utils;};

    mkKeycloakHaproxyService = callPackage ./keycloak-haproxy/unit.nix {inherit utils;};

--- a/keycloak-cli-config/unit.nix
+++ b/keycloak-cli-config/unit.nix
@ -14,7 +14,8 @@
 , keys
 , debug ? false
 }:
-{...}:
+{ ...
+}:

 # https://github.com/adorsys/keycloak-config-cli

--- a/keycloak/config.nix
+++ b/keycloak/config.nix
@ -1,62 +0,0 @@
-{ stdenv
-, pkgs
-, lib
-, utils
-}:
-{ configDir ? "/etc/keycloak"
-, configFile ? "keycloak.conf"
-, logLevel ? "INFO"
-, metricsEnabled ? false
-, hostname
-
-, dbType ? "postgres"
-, dbUsername ? "keycloak"
-, dbHost ? x: "localhost"
-, dbPort ? "5432"
-, dbDatabase ? "keycloak"
-}:
-{ KeycloakPostgresDB
-}:
-
-assert lib.assertOneOf "dbType" dbType ["postgres"];
-
-utils.mkConfigFile {
-  name = configFile;
-  dir = configDir;
-  content = ''
-  # The password of the database user is given by an environment variable.
-  db=${dbType}
-  db-username=${dbUsername}
-  db-url-host=${dbHost {inherit KeycloakPostgresDB;}}
-  db-url-port=${dbPort}
-  db-url-database=${dbDatabase}
-  # db-url-properties=  # Would be used for ssl, see https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/services/web-apps/keycloak.nix#L491
-  
-  # Observability
-  
-  # If the server should expose metrics and healthcheck endpoints.
-  metrics-enabled=${if metricsEnabled then "true" else "false"}
-  
-  # HTTP
-  
-  # The file path to a server certificate or certificate chain in PEM format.
-  #https-certificate-file=''${kc.home.dir}conf/server.crt.pem
-  
-  # The file path to a private key in PEM format.
-  #https-certificate-key-file=''${kc.home.dir}conf/server.key.pem
-  
-  # The proxy address forwarding mode if the server is behind a reverse proxy.
-  # https://www.keycloak.org/server/reverseproxy
-  proxy=edge
-  
-  # Do not attach route to cookies and rely on the session affinity capabilities from reverse proxy
-  #spi-sticky-session-encoder-infinispan-should-attach-route=false
-  
-  # Hostname for the Keycloak server.
-  hostname=${hostname}
-  
-  spi-x509cert-lookup-provider=haproxy
-  
-  log-level=${logLevel}
-  '';
-}
--- a/keycloak/mkconfig.nix
+++ b/keycloak/mkconfig.nix
@ -1,32 +0,0 @@
-{ KeycloakConfig
-}:
-{ name
-, configDir ? "/etc/keycloak"
-, configFile ? "keycloak.conf"
-, logLevel ? "INFO"
-, metricsEnabled ? false
-, hostname ? "keycloak.hostname.com"
-
-, dbType ? "postgres"
-, dbUsername ? "keycloak"
-, dbHost ? x: "localhost"
-, dbPort ? "5432"
-, dbDatabase ? "keycloak"
-
-, dependsOn ? {}
-}:
-
-{
-  inherit name configDir configFile;
-
-  inherit hostname;
-
-  pkg = KeycloakConfig {
-    inherit configDir configFile hostname;
-    inherit logLevel metricsEnabled;
-    inherit dbType dbUsername dbHost dbPort dbDatabase;
-  };
-
-  inherit dependsOn;
-  type = "fileset";
-}
--- a/keycloak/mkunit.nix
+++ b/keycloak/mkunit.nix
@ -1,30 +0,0 @@
-{ KeycloakService
-}:
-{ name
-, configDir
-, configFile
-, user
-, group
-, postgresServiceName
-, initialAdminUsername ? "admin"
-, keys
-
-, dependsOn ? {}
-}:
-{
-  inherit name configDir configFile;
-
-  inherit initialAdminUsername;
-
-  pkg = KeycloakService {
-    inherit configDir configFile;
-    inherit user group;
-    inherit keys initialAdminUsername;
-    inherit postgresServiceName;
-  };
-
-  systemdUnitFile = "${name}.service";
-
-  inherit dependsOn;
-  type = "systemd-unit";
-}
--- a/keycloak/unit.nix
+++ b/keycloak/unit.nix
@ -3,16 +3,25 @@
 , lib
 , utils
 }:
-{ configDir ? "/etc/keycloak"
-, configFile ? "keycloak.conf"
+{ name
 , user ? "keycloak"
 , group ? "keycloak"
 , dbType ? "postgres"
 , postgresServiceName
 , initialAdminUsername ? null
 , keys
+
+, logLevel ? "INFO"
+, metricsEnabled ? false
+, hostname
+
+, dbUsername ? "keycloak"
+, dbHost ? x: "localhost"
+, dbPort ? "5432"
+, dbDatabase ? "keycloak"
+
+, KeycloakPostgresDB
 }:
-{ ... }:

 assert lib.assertOneOf "dbType" dbType ["postgres"];

@ -25,8 +34,54 @@ let
  };
 in

-with lib.attrsets;
-utils.systemd.mkService rec {
+{
+  inherit name;
+
+  inherit initialAdminUsername;
+
+  systemdUnitFile = "${name}.service";
+
+  pkg = { KeycloakPostgresDB }:
+    let
+      configFile = pkgs.writeText "keycloak.conf" ''
+      # The password of the database user is given by an environment variable.
+      db=${dbType}
+      db-username=${dbUsername}
+      db-url-host=${dbHost {inherit KeycloakPostgresDB;}}
+      db-url-port=${dbPort}
+      db-url-database=${dbDatabase}
+      # db-url-properties=  # Would be used for ssl, see https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/services/web-apps/keycloak.nix#L491
+
+      # Observability
+
+      # If the server should expose metrics and healthcheck endpoints.
+      metrics-enabled=${if metricsEnabled then "true" else "false"}
+
+      # HTTP
+
+      # The file path to a server certificate or certificate chain in PEM format.
+      #https-certificate-file=''${kc.home.dir}conf/server.crt.pem
+
+      # The file path to a private key in PEM format.
+      #https-certificate-key-file=''${kc.home.dir}conf/server.key.pem
+
+      # The proxy address forwarding mode if the server is behind a reverse proxy.
+      # https://www.keycloak.org/server/reverseproxy
+      proxy=edge
+
+      # Do not attach route to cookies and rely on the session affinity capabilities from reverse proxy
+      #spi-sticky-session-encoder-infinispan-should-attach-route=false
+
+      # Hostname for the Keycloak server.
+      hostname=${hostname}
+
+      spi-x509cert-lookup-provider=haproxy
+
+      log-level=${logLevel}
+      '';
+    in
+    with lib.attrsets;
+    utils.systemd.mkService rec {
      name = "keycloak";

      content = ''
@ -51,13 +106,12 @@ utils.systemd.mkService rec {
      # the only solution for Quarkus modifying the serialized
      # data under <keycloak-home>/lib/quarkus
      # Raised upstream as https://github.com/keycloak/keycloak/discussions/10323
-  # ExecStartPre=!${keycloak}/bin/kc.sh -cf ${configDir}/${configFile} build
-  ExecStart=${keycloak}/bin/kc.sh -cf ${configDir}/${configFile} start
+      # ExecStartPre=!${keycloak}/bin/kc.sh -cf ${configFile} build
+      ExecStart=${keycloak}/bin/kc.sh -cf ${configFile} start

      # ReadWritePaths=/var/lib/keycloak
      # ReadWritePaths=/var/log/keycloak
      # ReadWritePaths=/usr/share/java/keycloak/lib/quarkus
-  # ReadOnlyPaths=${configDir}
      RuntimeDirectory=keycloak
      DynamicUser=true

@ -95,4 +149,10 @@ utils.systemd.mkService rec {
      [Install]
      WantedBy=multi-user.target
      '';
+    };
+
+  dependsOn = {
+    inherit KeycloakPostgresDB;
+  };
+  type = "systemd-unit";
 }