1
0
Fork 0
selfhostblocks/keycloak-cli-config/unit.nix

100 lines
2.4 KiB
Nix

{ stdenv
, pkgs
, lib
, utils
}:
{ configDir ? "/etc/keycloak-cli-config"
, configFile ? null
, keycloakServiceName
, keycloakSecretsDir
, keycloakAvailabilityTimeout ? "120s"
, keycloakUrl
, keycloakUser
, debug ? false
}:
{...}:
# https://github.com/adorsys/keycloak-config-cli
# Password must be given through a file name "keycloak.password" under keycloakSecretsDir.
let
configFileLocation =
configDir + (if configFile != null then "/" + configFile else "");
envs = lib.concatMapStrings (x: "\nEnvironment=" + x) ([
"SPRING_CONFIG_IMPORT=configtree:${keycloakSecretsDir}/"
"KEYCLOAK_URL=${keycloakUrl}"
"KEYCLOAK_USER=${keycloakUser}"
"KEYCLOAK_AVAILABILITYCHECK_ENABLED=true"
"KEYCLOAK_AVAILABILITYCHECK_TIMEOUT=${keycloakAvailabilityTimeout}"
"IMPORT_FILES_LOCATIONS=${configFileLocation}"
] ++ (if !debug then [] else [
"DEBUG=true"
"LOGGING_LEVEL_ROOT=debug"
"LOGGING_LEVEL_HTTP=debug"
"LOGGING_LEVEL_REALMCONFIG=debug"
"LOGGING_LEVEL_KEYCLOAKCONFIGCLI=debug"
]));
keycloak-cli-config = pkgs.stdenv.mkDerivation rec {
pname = "keycloak-cli-config";
version = "5.3.1";
keycloakVersion = "18.0.2";
src = pkgs.fetchurl {
url = "https://github.com/adorsys/keycloak-config-cli/releases/download/v${version}/keycloak-config-cli-${keycloakVersion}.jar";
sha256 = "sha256-vC0d0g5TFddetpBwRDMokloTCr7ibFK//Yuvh+m77RA=";
};
buildInputs = [ pkgs.makeWrapper pkgs.jre ];
phases = [ "installPhase" ];
installPhase = ''
mkdir -p $out/bin
cp $src $out/bin/keycloak-cli-config.jar
'';
};
in
utils.systemd.mkService rec {
name = "keycloak-cli-config";
content = ''
[Unit]
Description=Keycloak Realm Config
After=${keycloakServiceName}
Wants=${keycloakServiceName}
[Service]
User=keycloakcli
Group=keycloakcli
Type=oneshot${envs}
ExecStart=${pkgs.jre}/bin/java -jar ${keycloak-cli-config}/bin/keycloak-cli-config.jar
RuntimeDirectory=keycloak-cli-config
PrivateDevices=true
LockPersonality=true
NoNewPrivileges=true
PrivateDevices=true
PrivateTmp=true
ProtectClock=true
ProtectControlGroups=true
ProtectHome=true
ProtectHostname=true
ProtectKernelLogs=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectSystem=full
RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX
RestrictNamespaces=true
RestrictRealtime=true
RestrictSUIDSGID=true
'';
}