Loading nixos/modules/hardware/uinput.nix +4 −3 Original line number Diff line number Diff line { config, pkgs, lib, ... }: { config, lib, ... }: let cfg = config.hardware.uinput; in { in { options.hardware.uinput = { enable = lib.mkEnableOption "uinput support"; }; Loading @@ -10,7 +11,7 @@ in { config = lib.mkIf cfg.enable { boot.kernelModules = [ "uinput" ]; users.groups.uinput = {}; users.groups.uinput.gid = config.ids.gids.uinput; services.udev.extraRules = '' SUBSYSTEM=="misc", KERNEL=="uinput", MODE="0660", GROUP="uinput", OPTIONS+="static_node=uinput" Loading nixos/modules/misc/ids.nix +4 −4 Original line number Diff line number Diff line Loading @@ -35,7 +35,6 @@ in }; config = { ids.uids = { Loading Loading @@ -666,6 +665,7 @@ in rstudio-server = 324; localtimed = 325; automatic-timezoned = 326; uinput = 327; # When adding a gid, make sure it doesn't match an existing # uid. Users and groups with the same name should have equal Loading nixos/modules/services/networking/bind.nix +1 −1 Original line number Diff line number Diff line Loading @@ -45,7 +45,7 @@ let default = [ "any" ]; }; extraConfig = lib.mkOption { type = lib.types.str; type = lib.types.lines; description = "Extra zone config to be appended at the end of the zone section."; default = ""; }; Loading nixos/modules/services/web-apps/keycloak.nix +20 −29 Original line number Diff line number Diff line Loading @@ -249,12 +249,14 @@ in package = mkPackageOption pkgs "keycloak" { }; initialAdminPassword = mkOption { type = str; default = "changeme"; type = nullOr str; default = null; description = '' Initial password set for the `admin` user. The password is not stored safely and should be changed Initial password set for the temporary `admin` user. The password is not stored safely and should be changed immediately in the admin panel. See [Admin bootstrap and recovery](https://www.keycloak.org/server/bootstrap-admin-recovery) for details. ''; }; Loading Loading 
@@ -351,35 +353,12 @@ in for more information about hostname configuration. ''; }; proxy = mkOption { type = enum [ "edge" "reencrypt" "passthrough" "none" ]; default = "none"; example = "edge"; description = '' The proxy address forwarding mode if the server is behind a reverse proxy. - `edge`: Enables communication through HTTP between the proxy and Keycloak. - `reencrypt`: Requires communication through HTTPS between the proxy and Keycloak. - `passthrough`: Enables communication through HTTP or HTTPS between the proxy and Keycloak. See <https://www.keycloak.org/server/reverseproxy> for more information. ''; }; }; }; example = literalExpression '' { hostname = "keycloak.example.com"; proxy = "reencrypt"; https-key-store-file = "/path/to/file"; https-key-store-password = { _secret = "/run/keys/store_password"; }; } Loading Loading @@ -497,6 +476,16 @@ in See [New Hostname options](https://www.keycloak.org/docs/25.0.0/upgrading/#new-hostname-options) for details. ''; } { assertion = cfg.settings.proxy or null == null; message = '' The option `services.keycloak.settings.proxy' has been removed. Set `services.keycloak.settings.proxy-headers` in combination with other hostname options as needed instead. See [Proxy option removed](https://www.keycloak.org/docs/latest/upgrading/index.html#proxy-option-removed) for more information. ''; } ]; environment.systemPackages = [ keycloakBuild ]; Loading Loading @@ -633,6 +622,9 @@ in environment = { KC_HOME_DIR = "/run/keycloak"; KC_CONF_DIR = "/run/keycloak/conf"; } // lib.optionalAttrs (cfg.initialAdminPassword != null) { KC_BOOTSTRAP_ADMIN_USERNAME = "admin"; KC_BOOTSTRAP_ADMIN_PASSWORD = cfg.initialAdminPassword; }; serviceConfig = { LoadCredential = Loading @@ -658,6 +650,7 @@ in ln -s ${themesBundle} /run/keycloak/themes ln -s ${keycloakBuild}/providers /run/keycloak/ ln -s ${keycloakBuild}/lib /run/keycloak/ install -D -m 0600 ${confFile} /run/keycloak/conf/keycloak.conf Loading 
@@ -672,8 +665,6 @@ in mkdir -p /run/keycloak/ssl cp $CREDENTIALS_DIRECTORY/ssl_{cert,key} /run/keycloak/ssl/ '' + '' export KEYCLOAK_ADMIN=admin export KEYCLOAK_ADMIN_PASSWORD=${escapeShellArg cfg.initialAdminPassword} kc.sh --verbose start --optimized ''; }; Loading nixos/tests/keycloak.nix +5 −6 Original line number Diff line number Diff line Loading @@ -20,6 +20,8 @@ let nodes = { keycloak = { config, ... }: { virtualisation.memorySize = 2047; security.pki.certificateFiles = [ certs.ca.cert ]; Loading Loading @@ -48,8 +50,7 @@ let ]; }; environment.systemPackages = with pkgs; [ xmlstarlet html-tidy htmlq jq ]; }; Loading Loading @@ -151,16 +152,14 @@ let # post url. keycloak.succeed( "curl -sSf -c cookie '${frontendUrl}/realms/${realm.realm}/protocol/openid-connect/auth?client_id=${client.name}&redirect_uri=urn%3Aietf%3Awg%3Aoauth%3A2.0%3Aoob&scope=openid+email&response_type=code&response_mode=query&nonce=qw4o89g3qqm' >login_form", "tidy -asxml -q -m login_form || true", "xml sel -T -t -m \"_:html/_:body/_:div/_:div/_:div/_:div/_:div/_:div/_:form[@id='kc-form-login']\" -v @action login_form >form_post_url", "htmlq '#kc-form-login' --attribute action --filename login_form --output form_post_url" ) # Post the login form and save the response. Once again tidy up # the HTML, then extract the authorization code. keycloak.succeed( "curl -sSf -L -b cookie -d 'username=${user.username}' -d 'password=${password}' -d 'credentialId=' \"$(<form_post_url)\" >auth_code_html", "tidy -asxml -q -m auth_code_html || true", "xml sel -T -t -m \"_:html/_:body/_:div/_:div/_:div/_:div/_:div/_:input[@id='code']\" -v @value auth_code_html >auth_code", "htmlq '#code' --attribute value --filename auth_code_html --output auth_code" ) # Exchange the authorization code for an access token. Loading Loading
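Review bot: In the `@@ -633,6 +622,9 @@` hunk, `KC_BOOTSTRAP_ADMIN_PASSWORD = cfg.initialAdminPassword;` puts the bootstrap password into the unit's `Environment=`, so it lands in the generated unit file in the world-readable Nix store and is visible to any local user via `systemctl show keycloak`; the removed `export KEYCLOAK_ADMIN_PASSWORD=${escapeShellArg ...}` line had the same store exposure, so this is not a regression, but the service already uses `LoadCredential` (visible in the `serviceConfig` context line), so the option could accept the same `{ _secret = "/path"; }` form as the other settings and the variable be read from `$CREDENTIALS_DIRECTORY` in the start script instead. The option description in the `@@ -249,12 +249,14 @@` hunk should also say what the new `null` default means, since it replaces the previous `"changeme"` default; presumably no bootstrap admin is created then, so something like `When left at the default \`null\`, no bootstrap admin user is created; see the linked page for how to set one up.` would help migrating users. In the `@@ -497,6 +476,16 @@` hunk, `assertion = cfg.settings.proxy or null == null;` is correct because `or` binds tighter than `==`, but `assertion = (cfg.settings.proxy or null) == null;` reads unambiguously. The same file section is repeated later on this page and the remarks apply to that copy as well.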
nixos/modules/hardware/uinput.nix +4 −3 Original line number Diff line number Diff line { config, pkgs, lib, ... }: { config, lib, ... }: let cfg = config.hardware.uinput; in { in { options.hardware.uinput = { enable = lib.mkEnableOption "uinput support"; }; Loading @@ -10,7 +11,7 @@ in { config = lib.mkIf cfg.enable { boot.kernelModules = [ "uinput" ]; users.groups.uinput = {}; users.groups.uinput.gid = config.ids.gids.uinput; services.udev.extraRules = '' SUBSYSTEM=="misc", KERNEL=="uinput", MODE="0660", GROUP="uinput", OPTIONS+="static_node=uinput" Loading
nixos/modules/misc/ids.nix +4 −4 Original line number Diff line number Diff line Loading @@ -35,7 +35,6 @@ in }; config = { ids.uids = { Loading Loading @@ -666,6 +665,7 @@ in rstudio-server = 324; localtimed = 325; automatic-timezoned = 326; uinput = 327; # When adding a gid, make sure it doesn't match an existing # uid. Users and groups with the same name should have equal Loading
nixos/modules/services/networking/bind.nix +1 −1 Original line number Diff line number Diff line Loading @@ -45,7 +45,7 @@ let default = [ "any" ]; }; extraConfig = lib.mkOption { type = lib.types.str; type = lib.types.lines; description = "Extra zone config to be appended at the end of the zone section."; default = ""; }; Loading
nixos/modules/services/web-apps/keycloak.nix +20 −29 Original line number Diff line number Diff line Loading @@ -249,12 +249,14 @@ in package = mkPackageOption pkgs "keycloak" { }; initialAdminPassword = mkOption { type = str; default = "changeme"; type = nullOr str; default = null; description = '' Initial password set for the `admin` user. The password is not stored safely and should be changed Initial password set for the temporary `admin` user. The password is not stored safely and should be changed immediately in the admin panel. See [Admin bootstrap and recovery](https://www.keycloak.org/server/bootstrap-admin-recovery) for details. ''; }; Loading Loading @@ -351,35 +353,12 @@ in for more information about hostname configuration. ''; }; proxy = mkOption { type = enum [ "edge" "reencrypt" "passthrough" "none" ]; default = "none"; example = "edge"; description = '' The proxy address forwarding mode if the server is behind a reverse proxy. - `edge`: Enables communication through HTTP between the proxy and Keycloak. - `reencrypt`: Requires communication through HTTPS between the proxy and Keycloak. - `passthrough`: Enables communication through HTTP or HTTPS between the proxy and Keycloak. See <https://www.keycloak.org/server/reverseproxy> for more information. ''; }; }; }; example = literalExpression '' { hostname = "keycloak.example.com"; proxy = "reencrypt"; https-key-store-file = "/path/to/file"; https-key-store-password = { _secret = "/run/keys/store_password"; }; } Loading Loading 
@@ -497,6 +476,16 @@ in See [New Hostname options](https://www.keycloak.org/docs/25.0.0/upgrading/#new-hostname-options) for details. ''; } { assertion = cfg.settings.proxy or null == null; message = '' The option `services.keycloak.settings.proxy' has been removed. Set `services.keycloak.settings.proxy-headers` in combination with other hostname options as needed instead. See [Proxy option removed](https://www.keycloak.org/docs/latest/upgrading/index.html#proxy-option-removed) for more information. ''; } ]; environment.systemPackages = [ keycloakBuild ]; Loading Loading @@ -633,6 +622,9 @@ in environment = { KC_HOME_DIR = "/run/keycloak"; KC_CONF_DIR = "/run/keycloak/conf"; } // lib.optionalAttrs (cfg.initialAdminPassword != null) { KC_BOOTSTRAP_ADMIN_USERNAME = "admin"; KC_BOOTSTRAP_ADMIN_PASSWORD = cfg.initialAdminPassword; }; serviceConfig = { LoadCredential = Loading @@ -658,6 +650,7 @@ in ln -s ${themesBundle} /run/keycloak/themes ln -s ${keycloakBuild}/providers /run/keycloak/ ln -s ${keycloakBuild}/lib /run/keycloak/ install -D -m 0600 ${confFile} /run/keycloak/conf/keycloak.conf Loading @@ -672,8 +665,6 @@ in mkdir -p /run/keycloak/ssl cp $CREDENTIALS_DIRECTORY/ssl_{cert,key} /run/keycloak/ssl/ '' + '' export KEYCLOAK_ADMIN=admin export KEYCLOAK_ADMIN_PASSWORD=${escapeShellArg cfg.initialAdminPassword} kc.sh --verbose start --optimized ''; }; Loading
nixos/tests/keycloak.nix +5 −6 Original line number Diff line number Diff line Loading @@ -20,6 +20,8 @@ let nodes = { keycloak = { config, ... }: { virtualisation.memorySize = 2047; security.pki.certificateFiles = [ certs.ca.cert ]; Loading Loading @@ -48,8 +50,7 @@ let ]; }; environment.systemPackages = with pkgs; [ xmlstarlet html-tidy htmlq jq ]; }; Loading Loading @@ -151,16 +152,14 @@ let # post url. keycloak.succeed( "curl -sSf -c cookie '${frontendUrl}/realms/${realm.realm}/protocol/openid-connect/auth?client_id=${client.name}&redirect_uri=urn%3Aietf%3Awg%3Aoauth%3A2.0%3Aoob&scope=openid+email&response_type=code&response_mode=query&nonce=qw4o89g3qqm' >login_form", "tidy -asxml -q -m login_form || true", "xml sel -T -t -m \"_:html/_:body/_:div/_:div/_:div/_:div/_:div/_:div/_:form[@id='kc-form-login']\" -v @action login_form >form_post_url", "htmlq '#kc-form-login' --attribute action --filename login_form --output form_post_url" ) # Post the login form and save the response. Once again tidy up # the HTML, then extract the authorization code. keycloak.succeed( "curl -sSf -L -b cookie -d 'username=${user.username}' -d 'password=${password}' -d 'credentialId=' \"$(<form_post_url)\" >auth_code_html", "tidy -asxml -q -m auth_code_html || true", "xml sel -T -t -m \"_:html/_:body/_:div/_:div/_:div/_:div/_:div/_:input[@id='code']\" -v @value auth_code_html >auth_code", "htmlq '#code' --attribute value --filename auth_code_html --output auth_code" ) # Exchange the authorization code for an access token. Loading