download keycloak public keys

2022-12-17 21:38:22 -08:00 · 2022-12-17 21:38:22 -08:00 · f92f2f6cb6
commit f92f2f6cb6
parent 4b0274153c
4 changed files with 102 additions and 2 deletions
--- a/all-packages.nix
+++ b/all-packages.nix
@ -42,6 +42,8 @@ let
    KeycloakService = callPackage ./keycloak/unit.nix {inherit utils;};
    mkKeycloakService = callPackage ./keycloak/mkunit.nix {inherit KeycloakService;};

+    mkKeycloakHaproxyService = callPackage ./keycloak-haproxy/unit.nix {inherit utils;};
+
    KeycloakCliConfig = callPackage ./keycloak-cli-config/config.nix {inherit utils;};
    mkKeycloakCliConfig = callPackage ./keycloak-cli-config/mkconfig.nix {inherit KeycloakCliConfig;};
    KeycloakCliService = callPackage ./keycloak-cli-config/unit.nix {inherit utils;};
--- a/keycloak-haproxy/unit.nix
+++ b/keycloak-haproxy/unit.nix
@ -0,0 +1,96 @@
+{ stdenv
+, pkgs
+, utils
+}:
+{ name ? "keycloak-haproxy"
+, domain
+, realms ? []
+, every ? "10m"
+
+, HaproxyService
+, KeycloakService
+}:
+
+rec {
+  inherit name;
+
+  stateDir = "keycloak-public-keys";
+  downloadDir = "/var/lib/keycloak-public-keys";
+  
+  pkg =
+    with pkgs.lib;
+    let
+      bin = pkgs.writeShellApplication {
+        name = "get-realms.sh";
+        runtimeInputs = [ pkgs.coreutils pkgs.curl pkgs.jq ];
+        text = ''
+          set -euxo pipefail
+
+          realms="$1"
+
+          for realm in $realms; do
+            curl "${domain}/realms/$realm" | jq --raw-output .public_key > "${downloadDir}/$realm.pem"
+          done
+          '';
+      } ;
+    in
+      { HaproxyService
+      , KeycloakService
+      }: utils.systemd.mkService rec {
+        name = "keycloak-haproxy";
+
+        content = ''
+        [Unit]
+        Description=Get Keycloak realms for Haproxy
+
+        [Service]
+        ExecStart=${bin}/bin/get-realms.sh ${concatStringsSep " " realms}
+        DynamicUser=true
+
+        CapabilityBoundingSet=
+        AmbientCapabilities=
+        StateDirectory=${stateDir}
+        PrivateUsers=yes
+        NoNewPrivileges=yes
+        ProtectSystem=strict
+        ProtectHome=yes
+        PrivateTmp=yes
+        PrivateDevices=yes
+        ProtectHostname=yes
+        ProtectClock=yes
+        ProtectKernelTunables=yes
+        ProtectKernelModules=yes
+        ProtectKernelLogs=yes
+        ProtectControlGroups=yes
+        RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+        RestrictNamespaces=yes
+        LockPersonality=yes
+        MemoryDenyWriteExecute=yes
+        RestrictRealtime=yes
+        RestrictSUIDSGID=yes
+        RemoveIPC=yes
+        
+        SystemCallFilter=@system-service
+        SystemCallFilter=~@privileged @resources
+        SystemCallArchitectures=native
+        '';
+
+        timer = ''
+        [Unit]
+        Description=Run ${name}
+        After=network.target ${KeycloakService.systemdUnitFile}
+
+        [Timer]
+        OnUnitActiveSec=${every}
+
+        [Install]
+        WantedBy=timers.target
+        ''; 
+      };
+
+  dependsOn = {
+    inherit HaproxyService;
+    inherit KeycloakService;
+  };
+  type = "systemd-unit";
+}
--- a/keycloak/mkunit.nix
+++ b/keycloak/mkunit.nix
@ -23,6 +23,8 @@
    inherit postgresServiceName;
  };

+  systemdUnitFile = "${name}.service";
+
  inherit dependsOn;
  type = "systemd-unit";
 }
--- a/vaultwarden/unit.nix
+++ b/vaultwarden/unit.nix
@ -56,8 +56,8 @@
    Environment=WEB_VAULT_FOLDER=${webvaultFolder}
    Environment=WEB_VAULT_ENABLED=${if webvaultEnabled then "true" else "false"}
  
-    Environment=SIGNUPS_ALLOWED=${signupsAllowed}
-    Environment=SIGNUPS_VERIFY=${signupsVerify}
+    Environment=SIGNUPS_ALLOWED=${if signupsAllowed then "true" else "false"}
+    Environment=SIGNUPS_VERIFY=${if signupsVerify then "true" else "false"}
    # Implies the /admin path is protected
    Environment=DISABLE_ADMIN_TOKEN=true
    Environment=INVITATIONS_ALLOWED=true