Loading nixos/modules/services/web-apps/keycloak.nix +20 −29 Original line number Diff line number Diff line Loading @@ -249,12 +249,14 @@ in package = mkPackageOption pkgs "keycloak" { }; initialAdminPassword = mkOption { type = str; default = "changeme"; type = nullOr str; default = null; description = '' Initial password set for the `admin` user. The password is not stored safely and should be changed Initial password set for the temporary `admin` user. The password is not stored safely and should be changed immediately in the admin panel. See [Admin bootstrap and recovery](https://www.keycloak.org/server/bootstrap-admin-recovery) for details. ''; }; Loading Loading @@ -351,35 +353,12 @@ in for more information about hostname configuration. ''; }; proxy = mkOption { type = enum [ "edge" "reencrypt" "passthrough" "none" ]; default = "none"; example = "edge"; description = '' The proxy address forwarding mode if the server is behind a reverse proxy. - `edge`: Enables communication through HTTP between the proxy and Keycloak. - `reencrypt`: Requires communication through HTTPS between the proxy and Keycloak. - `passthrough`: Enables communication through HTTP or HTTPS between the proxy and Keycloak. See <https://www.keycloak.org/server/reverseproxy> for more information. ''; }; }; }; example = literalExpression '' { hostname = "keycloak.example.com"; proxy = "reencrypt"; https-key-store-file = "/path/to/file"; https-key-store-password = { _secret = "/run/keys/store_password"; }; } Loading Loading 
@@ -497,6 +476,16 @@ in See [New Hostname options](https://www.keycloak.org/docs/25.0.0/upgrading/#new-hostname-options) for details. ''; } { assertion = cfg.settings.proxy or null == null; message = '' The option `services.keycloak.settings.proxy' has been removed. Set `services.keycloak.settings.proxy-headers` in combination with other hostname options as needed instead. See [Proxy option removed](https://www.keycloak.org/docs/latest/upgrading/index.html#proxy-option-removed) for more information. ''; } ]; environment.systemPackages = [ keycloakBuild ]; Loading Loading @@ -633,6 +622,9 @@ in environment = { KC_HOME_DIR = "/run/keycloak"; KC_CONF_DIR = "/run/keycloak/conf"; } // lib.optionalAttrs (cfg.initialAdminPassword != null) { KC_BOOTSTRAP_ADMIN_USERNAME = "admin"; KC_BOOTSTRAP_ADMIN_PASSWORD = cfg.initialAdminPassword; }; serviceConfig = { LoadCredential = Loading @@ -658,6 +650,7 @@ in ln -s ${themesBundle} /run/keycloak/themes ln -s ${keycloakBuild}/providers /run/keycloak/ ln -s ${keycloakBuild}/lib /run/keycloak/ install -D -m 0600 ${confFile} /run/keycloak/conf/keycloak.conf Loading @@ -672,8 +665,6 @@ in mkdir -p /run/keycloak/ssl cp $CREDENTIALS_DIRECTORY/ssl_{cert,key} /run/keycloak/ssl/ '' + '' export KEYCLOAK_ADMIN=admin export KEYCLOAK_ADMIN_PASSWORD=${escapeShellArg cfg.initialAdminPassword} kc.sh --verbose start --optimized ''; }; Loading nixos/tests/keycloak.nix +5 −6 Original line number Diff line number Diff line Loading @@ -20,6 +20,8 @@ let nodes = { keycloak = { config, ... }: { virtualisation.memorySize = 2047; security.pki.certificateFiles = [ certs.ca.cert ]; Loading Loading @@ -48,8 +50,7 @@ let ]; }; environment.systemPackages = with pkgs; [ xmlstarlet html-tidy htmlq jq ]; }; Loading Loading 
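Review bot: The `example` block in the hunk at `@@ -351,35 +353,12 @@` still shows `proxy = "reencrypt";` while the new assertion in `@@ -497,6 +476,16 @@` rejects any `settings.proxy` value, so a user who copies the module's own example hits the assertion; if that example line is really unchanged (the rendered view does not mark it), drop it or replace it with the `proxy-headers` setting the assertion message points to. Moving the bootstrap credentials from the ExecStartPre script into the unit's `environment` keeps `KC_BOOTSTRAP_ADMIN_PASSWORD` in the world-readable Nix store as before and additionally exposes it to any local user via `systemctl show keycloak`, so the `initialAdminPassword` description should state that concretely, e.g. `The value is embedded in the service's systemd environment and therefore in the world-readable Nix store; set it only to bootstrap a fresh instance and replace the temporary admin at first login.` The assertion message `The option \`services.keycloak.settings.proxy' has been removed.` mixes a backtick with an apostrophe; use matching backticks. Changing the default from `"changeme"` to `null` means fresh deployments that never set the option no longer get an admin user at all, which deserves a line in the release notes or the option description. The enclosing `settings` submodule and the `systemd.services.keycloak` definition both start and end outside these hunks.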
@@ -151,16 +152,14 @@ let # post url. keycloak.succeed( "curl -sSf -c cookie '${frontendUrl}/realms/${realm.realm}/protocol/openid-connect/auth?client_id=${client.name}&redirect_uri=urn%3Aietf%3Awg%3Aoauth%3A2.0%3Aoob&scope=openid+email&response_type=code&response_mode=query&nonce=qw4o89g3qqm' >login_form", "tidy -asxml -q -m login_form || true", "xml sel -T -t -m \"_:html/_:body/_:div/_:div/_:div/_:div/_:div/_:div/_:form[@id='kc-form-login']\" -v @action login_form >form_post_url", "htmlq '#kc-form-login' --attribute action --filename login_form --output form_post_url" ) # Post the login form and save the response. Once again tidy up # the HTML, then extract the authorization code. keycloak.succeed( "curl -sSf -L -b cookie -d 'username=${user.username}' -d 'password=${password}' -d 'credentialId=' \"$(<form_post_url)\" >auth_code_html", "tidy -asxml -q -m auth_code_html || true", "xml sel -T -t -m \"_:html/_:body/_:div/_:div/_:div/_:div/_:div/_:input[@id='code']\" -v @value auth_code_html >auth_code", "htmlq '#code' --attribute value --filename auth_code_html --output auth_code" ) # Exchange the authorization code for an access token. Loading pkgs/servers/keycloak/default.nix +2 −2 Original line number Diff line number Diff line Loading @@ -18,11 +18,11 @@ let ''; in stdenv.mkDerivation rec { pname = "keycloak"; version = "25.0.6"; version = "26.0.0"; src = fetchzip { url = "https://github.com/keycloak/keycloak/releases/download/${version}/keycloak-${version}.zip"; hash = "sha256-1VHixRgErao/1ZEJv+rlnNmUd2NT35X89D8wuUhYF08="; hash = "sha256-BWkF5iiR4J7NskrJUFmlP0N+HEkyZLnLJbMmbXCROxo="; }; nativeBuildInputs = [ makeWrapper jre ]; Loading Loading
nixos/modules/services/web-apps/keycloak.nix +20 −29 Original line number Diff line number Diff line Loading @@ -249,12 +249,14 @@ in package = mkPackageOption pkgs "keycloak" { }; initialAdminPassword = mkOption { type = str; default = "changeme"; type = nullOr str; default = null; description = '' Initial password set for the `admin` user. The password is not stored safely and should be changed Initial password set for the temporary `admin` user. The password is not stored safely and should be changed immediately in the admin panel. See [Admin bootstrap and recovery](https://www.keycloak.org/server/bootstrap-admin-recovery) for details. ''; }; Loading Loading @@ -351,35 +353,12 @@ in for more information about hostname configuration. ''; }; proxy = mkOption { type = enum [ "edge" "reencrypt" "passthrough" "none" ]; default = "none"; example = "edge"; description = '' The proxy address forwarding mode if the server is behind a reverse proxy. - `edge`: Enables communication through HTTP between the proxy and Keycloak. - `reencrypt`: Requires communication through HTTPS between the proxy and Keycloak. - `passthrough`: Enables communication through HTTP or HTTPS between the proxy and Keycloak. See <https://www.keycloak.org/server/reverseproxy> for more information. ''; }; }; }; example = literalExpression '' { hostname = "keycloak.example.com"; proxy = "reencrypt"; https-key-store-file = "/path/to/file"; https-key-store-password = { _secret = "/run/keys/store_password"; }; } Loading Loading 
@@ -497,6 +476,16 @@ in See [New Hostname options](https://www.keycloak.org/docs/25.0.0/upgrading/#new-hostname-options) for details. ''; } { assertion = cfg.settings.proxy or null == null; message = '' The option `services.keycloak.settings.proxy' has been removed. Set `services.keycloak.settings.proxy-headers` in combination with other hostname options as needed instead. See [Proxy option removed](https://www.keycloak.org/docs/latest/upgrading/index.html#proxy-option-removed) for more information. ''; } ]; environment.systemPackages = [ keycloakBuild ]; Loading Loading @@ -633,6 +622,9 @@ in environment = { KC_HOME_DIR = "/run/keycloak"; KC_CONF_DIR = "/run/keycloak/conf"; } // lib.optionalAttrs (cfg.initialAdminPassword != null) { KC_BOOTSTRAP_ADMIN_USERNAME = "admin"; KC_BOOTSTRAP_ADMIN_PASSWORD = cfg.initialAdminPassword; }; serviceConfig = { LoadCredential = Loading @@ -658,6 +650,7 @@ in ln -s ${themesBundle} /run/keycloak/themes ln -s ${keycloakBuild}/providers /run/keycloak/ ln -s ${keycloakBuild}/lib /run/keycloak/ install -D -m 0600 ${confFile} /run/keycloak/conf/keycloak.conf Loading @@ -672,8 +665,6 @@ in mkdir -p /run/keycloak/ssl cp $CREDENTIALS_DIRECTORY/ssl_{cert,key} /run/keycloak/ssl/ '' + '' export KEYCLOAK_ADMIN=admin export KEYCLOAK_ADMIN_PASSWORD=${escapeShellArg cfg.initialAdminPassword} kc.sh --verbose start --optimized ''; }; Loading
nixos/tests/keycloak.nix +5 −6 Original line number Diff line number Diff line Loading @@ -20,6 +20,8 @@ let nodes = { keycloak = { config, ... }: { virtualisation.memorySize = 2047; security.pki.certificateFiles = [ certs.ca.cert ]; Loading Loading @@ -48,8 +50,7 @@ let ]; }; environment.systemPackages = with pkgs; [ xmlstarlet html-tidy htmlq jq ]; }; Loading Loading @@ -151,16 +152,14 @@ let # post url. keycloak.succeed( "curl -sSf -c cookie '${frontendUrl}/realms/${realm.realm}/protocol/openid-connect/auth?client_id=${client.name}&redirect_uri=urn%3Aietf%3Awg%3Aoauth%3A2.0%3Aoob&scope=openid+email&response_type=code&response_mode=query&nonce=qw4o89g3qqm' >login_form", "tidy -asxml -q -m login_form || true", "xml sel -T -t -m \"_:html/_:body/_:div/_:div/_:div/_:div/_:div/_:div/_:form[@id='kc-form-login']\" -v @action login_form >form_post_url", "htmlq '#kc-form-login' --attribute action --filename login_form --output form_post_url" ) # Post the login form and save the response. Once again tidy up # the HTML, then extract the authorization code. keycloak.succeed( "curl -sSf -L -b cookie -d 'username=${user.username}' -d 'password=${password}' -d 'credentialId=' \"$(<form_post_url)\" >auth_code_html", "tidy -asxml -q -m auth_code_html || true", "xml sel -T -t -m \"_:html/_:body/_:div/_:div/_:div/_:div/_:div/_:input[@id='code']\" -v @value auth_code_html >auth_code", "htmlq '#code' --attribute value --filename auth_code_html --output auth_code" ) # Exchange the authorization code for an access token. Loading
pkgs/servers/keycloak/default.nix +2 −2 Original line number Diff line number Diff line Loading @@ -18,11 +18,11 @@ let ''; in stdenv.mkDerivation rec { pname = "keycloak"; version = "25.0.6"; version = "26.0.0"; src = fetchzip { url = "https://github.com/keycloak/keycloak/releases/download/${version}/keycloak-${version}.zip"; hash = "sha256-1VHixRgErao/1ZEJv+rlnNmUd2NT35X89D8wuUhYF08="; hash = "sha256-BWkF5iiR4J7NskrJUFmlP0N+HEkyZLnLJbMmbXCROxo="; }; nativeBuildInputs = [ makeWrapper jre ]; Loading