author | Maciej Krüger <mkg20001@gmail.com> | 2022-03-25 15:08:44 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2022-03-25 15:08:44 +0100 |
commit | 511e56d76cf528afcbff2e5c7930a791e5484eee (patch) | |
tree | 36d7554a5c94c6f17743ef707ec3417f135ffa63 /nixos | |
parent | d6e2e39a6e5998e4ad4cbd9d422835b365dfa763 (diff) | |
parent | 6f5636223cf615d2c304c8335ee072726d775191 (diff) | |
Merge pull request #140406 from mkg20001/mvn
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/modules/services/web-apps/keycloak.nix | 20 | ||||
-rw-r--r-- | nixos/tests/keycloak.nix | 22 |
2 files changed, 38 insertions, 4 deletions
diff --git a/nixos/modules/services/web-apps/keycloak.nix b/nixos/modules/services/web-apps/keycloak.nix index 22c16be76139..c4a2127663a9 100644 --- a/nixos/modules/services/web-apps/keycloak.nix +++ b/nixos/modules/services/web-apps/keycloak.nix @@ -129,6 +129,14 @@ in ''; }; + plugins = lib.mkOption { + type = lib.types.listOf lib.types.path; + default = []; + description = '' + Keycloak plugin jar, ear files or derivations with them + ''; + }; + database = { type = mkOption { type = enum [ "mysql" "postgresql" ]; @@ -787,6 +795,14 @@ in umask u=rwx,g=,o= + install_plugin() { + if [ -d "$1" ]; then + find "$1" -type f \( -iname \*.ear -o -iname \*.jar \) -exec install -m 0500 -o keycloak -g keycloak "{}" "/run/keycloak/deployments/" \; + else + install -m 0500 -o keycloak -g keycloak "$1" "/run/keycloak/deployments/" + fi + } + install -m 0600 ${cfg.package}/standalone/configuration/*.properties /run/keycloak/configuration install -T -m 0600 ${keycloakConfig} /run/keycloak/configuration/standalone.xml @@ -794,7 +810,9 @@ in export JAVA_OPTS=-Djboss.server.config.user.dir=/run/keycloak/configuration add-user-keycloak.sh -u admin -p '${cfg.initialAdminPassword}' - '' + optionalString (cfg.sslCertificate != null && cfg.sslCertificateKey != null) '' + '' + + lib.optionalString (cfg.plugins != []) (lib.concatStringsSep "\n" (map (pl: "install_plugin ${lib.escapeShellArg pl}") cfg.plugins)) + "\n" + + optionalString (cfg.sslCertificate != null && cfg.sslCertificateKey != null) '' pushd /run/keycloak/ssl/ cat "$CREDENTIALS_DIRECTORY/ssl_cert" <(echo) \ "$CREDENTIALS_DIRECTORY/ssl_key" <(echo) \ diff --git a/nixos/tests/keycloak.nix b/nixos/tests/keycloak.nix index 6367ed808e06..fce8df2b7e3a 100644 --- a/nixos/tests/keycloak.nix +++ b/nixos/tests/keycloak.nix @@ -16,8 +16,7 @@ let }; nodes = { - keycloak = { ... }: { - + keycloak = { config, ... }: { security.pki.certificateFiles = [ certs.ca.cert ]; 
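Review bot: The new `plugins` option's description does not say what the module does with the entries, which a user needs before pointing it at a derivation: each entry is copied into `/run/keycloak/deployments/` at service start, and a directory is searched recursively for `*.jar`/`*.ear` files while a plain file is installed as-is (see the `install_plugin` helper added further down in this file). Suggested description: `List of Keycloak plugins: jar/ear files, or derivations/directories containing them. Directories are searched recursively for *.jar and *.ear files; all matches are copied to /run/keycloak/deployments/ when the service starts.` As far as I know artifacts in the deployments directory are loaded into the Keycloak server process itself, so the description should also state that a plugin runs with the same access as Keycloak (its database credentials and realm data), making the trust placed in a plugin source an explicit decision rather than an implicit one.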
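Review bot: The two branches of `install_plugin` accept different things: the directory branch filters to `*.ear`/`*.jar`, but the file branch copies whatever path it is given into `/run/keycloak/deployments/`, so a mistaken `plugins` entry (a derivation's `bin/` file, a README) is deployed as if it were an artifact. A one-line guard in front of the `else` branch's `install` keeps both branches consistent and fails the unit start loudly: `case "$1" in *.jar|*.ear) ;; *) echo "install_plugin: $1 is not a .jar or .ear" >&2; exit 1;; esac`. Separately, `install` into the flat deployments directory keys only on basename, so two plugins shipping a jar with the same file name silently overwrite each other; at minimum a comment `# deployments/ is flat: same-named jars from different plugins overwrite each other` documents this, or check `[ -e "/run/keycloak/deployments/$(basename "$1")" ]` before the copy and exit non-zero. The preStart script this function lives in begins and ends outside the hunk.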
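Review bot: The added concatenation line uses `lib.optionalString`, `lib.concatStringsSep` and `lib.escapeShellArg` while the very next added line, and the surrounding code (`optionalString`, `mkOption`, `enum`), use unprefixed names, which suggests `lib` is already in scope via `with`; the new line should follow that convention. The trailing `+ "\n"` also sits outside the `optionalString` guard, so an empty `plugins` list still emits a stray blank line into the script — harmless, but it makes the guard pointless. Both are addressed by `+ optionalString (cfg.plugins != []) (concatMapStringsSep "\n" (pl: "install_plugin ${escapeShellArg pl}") cfg.plugins + "\n")`. The shell string being built starts and ends outside the hunk.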
@@ -36,6 +35,10 @@ let username = "bogus"; passwordFile = pkgs.writeText "dbPassword" "wzf6vOCbPp6cqTH"; }; + plugins = with config.services.keycloak.package.plugins; [ + keycloak-discord + keycloak-metrics-spi + ]; }; environment.systemPackages = with pkgs; [ @@ -102,8 +105,21 @@ let ### Realm Setup ### # Get an admin interface access token + keycloak.succeed(""" + curl -sSf -d 'client_id=admin-cli' \ + -d 'username=admin' \ + -d 'password=${initialAdminPassword}' \ + -d 'grant_type=password' \ + '${frontendUrl}/realms/master/protocol/openid-connect/token' \ + | jq -r '"Authorization: bearer " + .access_token' >admin_auth_header + """) + + # Register the metrics SPI keycloak.succeed( - "curl -sSf -d 'client_id=admin-cli' -d 'username=admin' -d 'password=${initialAdminPassword}' -d 'grant_type=password' '${frontendUrl}/realms/master/protocol/openid-connect/token' | jq -r '\"Authorization: bearer \" + .access_token' >admin_auth_header" + "${pkgs.jre}/bin/keytool -import -alias snakeoil -file ${certs.ca.cert} -storepass aaaaaa -keystore cacert.jks -noprompt", + "KC_OPTS='-Djavax.net.ssl.trustStore=cacert.jks -Djavax.net.ssl.trustStorePassword=aaaaaa' ${pkgs.keycloak}/bin/kcadm.sh config credentials --server '${frontendUrl}' --realm master --user admin --password '${initialAdminPassword}'", + "KC_OPTS='-Djavax.net.ssl.trustStore=cacert.jks -Djavax.net.ssl.trustStorePassword=aaaaaa' ${pkgs.keycloak}/bin/kcadm.sh update events/config -s 'eventsEnabled=true' -s 'adminEventsEnabled=true' -s 'eventsListeners+=metrics-listener'", + "curl -sSf '${frontendUrl}/realms/master/metrics' | grep '^keycloak_admin_event_UPDATE'" ) # Publish the realm, including a test OIDC client and user |
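Review bot: The last `keycloak.succeed` line fetches `${frontendUrl}/realms/master/metrics` with no `Authorization` header and expects `keycloak_admin_event_UPDATE` counters back, which pins down that the endpoint added by the metrics SPI is served unauthenticated and reports event counts for the master realm. That is fine for the test, but as this test is the only place the behaviour is spelled out, a comment above that line such as `# The metrics endpoint is served without authentication; real deployments should restrict it (e.g. at the reverse proxy)` would record it for readers who copy the plugin list into a real configuration. The `-storepass aaaaaa` keystore and the admin password on the `kcadm.sh` command lines are acceptable only because this runs in a throwaway test VM.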