Unverified Commit 82a382ed authored by Jonas Heinrich's avatar Jonas Heinrich Committed by GitHub

nixos/keycloak: add realmFiles option (#273833)

parents 5e666ef4 cd10f9a8
+2 −0
@@ -614,6 +614,8 @@

- `services.soft-serve` now restarts upon config change.

- `services.keycloak` now provides a `realmFiles` option that allows to import realms during startup. See https://www.keycloak.org/server/importExport

- `bind.cacheNetworks` now only controls access for recursive queries, where it previously controlled access for all queries.

- [`services.mongodb.enableAuth`](#opt-services.mongodb.enableAuth) now uses the newer [mongosh](https://github.com/mongodb-js/mongosh) shell instead of the legacy shell to configure the initial superuser. You can configure the mongosh package to use through the [`services.mongodb.mongoshPackage`](#opt-services.mongodb.mongoshPackage) option.
+39 −1
@@ -90,6 +90,7 @@ in
        enum
        package
        port
        listOf
        ;

      assertStringPath =
@@ -288,6 +289,25 @@ in
        '';
      };

      realmFiles = mkOption {
        type = listOf path;
        example = lib.literalExpression ''
          [
            ./some/realm.json
            ./another/realm.json
          ]
        '';
        default = [ ];
        description = ''
          Realm files that the server is going to import during startup.
          If a realm already exists in the server, the import operation is
          skipped. Importing the master realm is not supported. All files are
          expected to be in `json` format. See the
          [documentation](https://www.keycloak.org/server/importExport) for
          further information.
        '';
      };

      settings = mkOption {
        type = lib.types.submodule {
          freeformType = attrsOf (
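Review bot: The description of `realmFiles` should warn that `listOf path` copies every realm file into the Nix store, which is readable by every local user, because the `"${f}"` interpolation in the tmpfiles rule later in this change resolves each entry to its store path; Keycloak realm exports routinely carry client secrets, SMTP credentials and user password hashes. I would append to the description: `Note that the files are copied into the world-readable Nix store; do not use this option for realm exports that contain secrets such as client secrets, SMTP credentials or user password hashes.` It would also help to say explicitly that because existing realms are skipped, later edits to a listed file are not re-imported. The `settings` option at the end of the hunk continues outside it.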
@@ -644,6 +664,24 @@ in
        '';
      };

      systemd.tmpfiles.settings."10-keycloak" =
        let
          mkTarget =
            file:
            let
              baseName = builtins.baseNameOf file;
              name = if lib.hasSuffix ".json" baseName then baseName else "${baseName}.json";
            in
            "/run/keycloak/data/import/${name}";
          settingsList = map (f: {
            name = mkTarget f;
            value = {
              "L+".argument = "${f}";
            };
          }) cfg.realmFiles;
        in
        builtins.listToAttrs settingsList;

      systemd.services.keycloak =
        let
          databaseServices =
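Review bot: Two entries of `realmFiles` with the same base name (for example `./a/realm.json` and `./b/realm.json`, or `./realm` and `./realm.json` after the `.json` normalisation in `mkTarget`) map to the same key `/run/keycloak/data/import/<name>`, and `builtins.listToAttrs` keeps only the first of duplicate names, so one file is silently never imported. An assertion that rejects duplicate target names, using the same normalisation as `mkTarget`, would turn that into a build-time error; where the module keeps its `assertions` is outside this hunk, so the placement below is a sketch. The enclosing `config` block and the `systemd.services.keycloak` definition that starts at the end of the hunk continue outside it.
```nix
assertions = [
  {
    assertion =
      let
        # same normalisation as mkTarget: every link is named <basename>[.json]
        linkNames = map (
          f:
          let b = builtins.baseNameOf f;
          in if lib.hasSuffix ".json" b then b else "${b}.json"
        ) cfg.realmFiles;
      in
      lib.length (lib.unique linkNames) == lib.length linkNames;
    message = "services.keycloak.realmFiles: base names must be pairwise distinct, since every file is linked to /run/keycloak/data/import/<basename>.";
  }
];
# … unchanged: systemd.tmpfiles.settings."10-keycloak" …
```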
@@ -725,7 +763,7 @@ in
              cp $CREDENTIALS_DIRECTORY/ssl_{cert,key} /run/keycloak/ssl/
            ''
            + ''
              kc.sh --verbose start --optimized
              kc.sh --verbose start --optimized ${lib.optionalString (cfg.realmFiles != [ ]) "--import-realm"}
            '';
        };
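Review bot: Nothing at the new `kc.sh` line says where `--import-realm` finds its input; the flag only works because the tmpfiles rule earlier in the change links the files into the hard-coded `/run/keycloak/data/import`, so I would add above the line: `# cfg.realmFiles are linked into /run/keycloak/data/import by the tmpfiles rule above`. Since the tmpfiles rule only creates links and never removes them, a link for a file later dropped from `realmFiles` presumably survives until /run is cleared at reboot and would still be offered to Keycloak on the next restart — worth confirming and, if so, noting in the option description. The `script` this line belongs to starts outside the hunk.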