···

       
482
       
 
       
            assertion = (cfg.database.useSSL && cfg.database.type == "postgresql") -> (cfg.database.caCert != null);

     

       
483
       
 
       
            message = "A CA certificate must be specified (in 'services.keycloak.database.caCert') when PostgreSQL is used with SSL";

     

       
484
       
 
       
          }

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
485
       
 
       
        ];

     

       
486
       
 
       


     

       
487
       
 
       
        environment.systemPackages = [ keycloakBuild ];

     
···

       
544
       
 
       
            create_role="$(mktemp)"

     

       
545
       
 
       
            trap 'rm -f "$create_role"' EXIT

     

       
546
       
 
       


     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
547
       
 
       
            db_password="$(<"$CREDENTIALS_DIRECTORY/db_password")"

     

       
0
       
 
       

     

       
0
       
 
       

     

       
548
       
 
       
            echo "CREATE ROLE keycloak WITH LOGIN PASSWORD '$db_password' CREATEDB" > "$create_role"

     

       
549
       
 
       
            psql -tAc "SELECT 1 FROM pg_roles WHERE rolname='keycloak'" | grep -q 1 || psql -tA --file="$create_role"

     

       
550
       
 
       
            psql -tAc "SELECT 1 FROM pg_database WHERE datname = 'keycloak'" | grep -q 1 || psql -tAc 'CREATE DATABASE "keycloak" OWNER "keycloak"'

     
···

       
566
       
 
       
          script = ''

     

       
567
       
 
       
            set -o errexit -o pipefail -o nounset -o errtrace

     

       
568
       
 
       
            shopt -s inherit_errexit

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
569
       
 
       
            db_password="$(<"$CREDENTIALS_DIRECTORY/db_password")"

     

       
570
       
-
       
            ( echo "CREATE USER IF NOT EXISTS 'keycloak'@'localhost' IDENTIFIED BY '$db_password';"

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
571
       
 
       
              echo "CREATE DATABASE IF NOT EXISTS keycloak CHARACTER SET utf8 COLLATE utf8_unicode_ci;"

     

       
572
       
 
       
              echo "GRANT ALL PRIVILEGES ON keycloak.* TO 'keycloak'@'localhost';"

     

       
573
       
 
       
            ) | mysql -N

     
···

       
632
       
 
       


     

       
633
       
 
       
              ${secretReplacements}

     

       
634
       
 
       


     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
635
       
 
       
            '' + optionalString (cfg.sslCertificate != null && cfg.sslCertificateKey != null) ''

     

       
636
       
 
       
              mkdir -p /run/keycloak/ssl

     

       
637
       
 
       
              cp $CREDENTIALS_DIRECTORY/ssl_{cert,key} /run/keycloak/ssl/

     

       
638
       
 
       
            '' + ''

     

       
639
       
 
       
              export KEYCLOAK_ADMIN=admin

     

       
640
       
-
       
              export KEYCLOAK_ADMIN_PASSWORD=${cfg.initialAdminPassword}

     

       
641
       
 
       
              kc.sh start --optimized

     

       
642
       
 
       
            '';

     

       
643
       
 
       
          };

     

···

       
482
       
 
       
            assertion = (cfg.database.useSSL && cfg.database.type == "postgresql") -> (cfg.database.caCert != null);

     

       
483
       
 
       
            message = "A CA certificate must be specified (in 'services.keycloak.database.caCert') when PostgreSQL is used with SSL";

     

       
484
       
 
       
          }

     

       
485
       
+
       
          {

     

       
486
       
+
       
            assertion = createLocalPostgreSQL -> config.services.postgresql.settings.standard_conforming_strings or true;

     

       
487
       
+
       
            message = "Setting up a local PostgreSQL db for Keycloak requires `standard_conforming_strings` turned on to work reliably";

     

       
488
       
+
       
          }

     

       
489
       
 
       
        ];

     

       
490
       
 
       


     

       
491
       
 
       
        environment.systemPackages = [ keycloakBuild ];

     
···

       
548
       
 
       
            create_role="$(mktemp)"

     

       
549
       
 
       
            trap 'rm -f "$create_role"' EXIT

     

       
550
       
 
       


     

       
551
       
+
       
            # Read the password from the credentials directory and

     

       
552
       
+
       
            # escape any single quotes by adding additional single

     

       
553
       
+
       
            # quotes after them, following the rules laid out here:

     

       
554
       
+
       
            # https://www.postgresql.org/docs/current/sql-syntax-lexical.html#SQL-SYNTAX-CONSTANTS

     

       
555
       
 
       
            db_password="$(<"$CREDENTIALS_DIRECTORY/db_password")"

     

       
556
       
+
       
            db_password="''${db_password//\'/\'\'}"

     

       
557
       
+
       


     

       
558
       
 
       
            echo "CREATE ROLE keycloak WITH LOGIN PASSWORD '$db_password' CREATEDB" > "$create_role"

     

       
559
       
 
       
            psql -tAc "SELECT 1 FROM pg_roles WHERE rolname='keycloak'" | grep -q 1 || psql -tA --file="$create_role"

     

       
560
       
 
       
            psql -tAc "SELECT 1 FROM pg_database WHERE datname = 'keycloak'" | grep -q 1 || psql -tAc 'CREATE DATABASE "keycloak" OWNER "keycloak"'

     
···

       
576
       
 
       
          script = ''

     

       
577
       
 
       
            set -o errexit -o pipefail -o nounset -o errtrace

     

       
578
       
 
       
            shopt -s inherit_errexit

     

       
579
       
+
       


     

       
580
       
+
       
            # Read the password from the credentials directory and

     

       
581
       
+
       
            # escape any single quotes by adding additional single

     

       
582
       
+
       
            # quotes after them, following the rules laid out here:

     

       
583
       
+
       
            # https://dev.mysql.com/doc/refman/8.0/en/string-literals.html

     

       
584
       
 
       
            db_password="$(<"$CREDENTIALS_DIRECTORY/db_password")"

     

       
585
       
+
       
            db_password="''${db_password//\'/\'\'}"

     

       
586
       
+
       


     

       
587
       
+
       
            ( echo "SET sql_mode = 'NO_BACKSLASH_ESCAPES';"

     

       
588
       
+
       
              echo "CREATE USER IF NOT EXISTS 'keycloak'@'localhost' IDENTIFIED BY '$db_password';"

     

       
589
       
 
       
              echo "CREATE DATABASE IF NOT EXISTS keycloak CHARACTER SET utf8 COLLATE utf8_unicode_ci;"

     

       
590
       
 
       
              echo "GRANT ALL PRIVILEGES ON keycloak.* TO 'keycloak'@'localhost';"

     

       
591
       
 
       
            ) | mysql -N

     
···

       
650
       
 
       


     

       
651
       
 
       
              ${secretReplacements}

     

       
652
       
 
       


     

       
653
       
+
       
              # Escape any backslashes in the db parameters, since

     

       
654
       
+
       
              # they're otherwise unexpectedly read as escape

     

       
655
       
+
       
              # sequences.

     

       
656
       
+
       
              sed -i '/db-/ s|\\|\\\\|g' /run/keycloak/conf/keycloak.conf

     

       
657
       
+
       


     

       
658
       
 
       
            '' + optionalString (cfg.sslCertificate != null && cfg.sslCertificateKey != null) ''

     

       
659
       
 
       
              mkdir -p /run/keycloak/ssl

     

       
660
       
 
       
              cp $CREDENTIALS_DIRECTORY/ssl_{cert,key} /run/keycloak/ssl/

     

       
661
       
 
       
            '' + ''

     

       
662
       
 
       
              export KEYCLOAK_ADMIN=admin

     

       
663
       
+
       
              export KEYCLOAK_ADMIN_PASSWORD=${escapeShellArg cfg.initialAdminPassword}

     

       
664
       
 
       
              kc.sh start --optimized

     

       
665
       
 
       
            '';

     

       
666
       
 
       
          };

     

···

       
5
       
 
       
let

     

       
6
       
 
       
  certs = import ./common/acme/server/snakeoil-certs.nix;

     

       
7
       
 
       
  frontendUrl = "https://${certs.domain}";

     

       
8
       
-
       
  initialAdminPassword = "h4IhoJFnt2iQIR9";

     

       
9
       
 
       


     

       
10
       
 
       
  keycloakTest = import ./make-test-python.nix (

     

       
11
       
 
       
    { pkgs, databaseType, ... }:

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
12
       
 
       
    {

     

       
13
       
 
       
      name = "keycloak";

     

       
14
       
 
       
      meta = with pkgs.lib.maintainers; {

     
···

       
37
       
 
       
              type = databaseType;

     

       
38
       
 
       
              username = "bogus";

     

       
39
       
 
       
              name = "also bogus";

     

       
40
       
-
       
              passwordFile = "${pkgs.writeText "dbPassword" "wzf6vOCbPp6cqTH"}";

     

       
41
       
 
       
            };

     

       
42
       
 
       
            plugins = with config.services.keycloak.package.plugins; [

     

       
43
       
 
       
              keycloak-discord

     
···

       
111
       
 
       
          keycloak.succeed("""

     

       
112
       
 
       
              curl -sSf -d 'client_id=admin-cli' \

     

       
113
       
 
       
                   -d 'username=admin' \

     

       
114
       
-
       
                   -d 'password=${initialAdminPassword}' \

     

       
115
       
 
       
                   -d 'grant_type=password' \

     

       
116
       
 
       
                   '${frontendUrl}/realms/master/protocol/openid-connect/token' \

     

       
117
       
 
       
                   | jq -r '"Authorization: bearer " + .access_token' >admin_auth_header

     
···

       
119
       
 
       


     

       
120
       
 
       
          # Register the metrics SPI

     

       
121
       
 
       
          keycloak.succeed(

     

       
122
       
-
       
              "${pkgs.jre}/bin/keytool -import -alias snakeoil -file ${certs.ca.cert} -storepass aaaaaa -keystore cacert.jks -noprompt",

     

       
123
       
-
       
              "KC_OPTS='-Djavax.net.ssl.trustStore=cacert.jks -Djavax.net.ssl.trustStorePassword=aaaaaa' kcadm.sh config credentials --server '${frontendUrl}' --realm master --user admin --password '${initialAdminPassword}'",

     

       
124
       
-
       
              "KC_OPTS='-Djavax.net.ssl.trustStore=cacert.jks -Djavax.net.ssl.trustStorePassword=aaaaaa' kcadm.sh update events/config -s 'eventsEnabled=true' -s 'adminEventsEnabled=true' -s 'eventsListeners+=metrics-listener'",

     

       
125
       
-
       
              "curl -sSf '${frontendUrl}/realms/master/metrics' | grep '^keycloak_admin_event_UPDATE'"

     

       
126
       
 
       
          )

     

       
127
       
 
       


     

       
128
       
 
       
          # Publish the realm, including a test OIDC client and user

     

···

       
5
       
 
       
let

     

       
6
       
 
       
  certs = import ./common/acme/server/snakeoil-certs.nix;

     

       
7
       
 
       
  frontendUrl = "https://${certs.domain}";

     

       
0
       
 
       

     

       
8
       
 
       


     

       
9
       
 
       
  keycloakTest = import ./make-test-python.nix (

     

       
10
       
 
       
    { pkgs, databaseType, ... }:

     

       
11
       
+
       
    let

     

       
12
       
+
       
      initialAdminPassword = "h4Iho\"JFn't2>iQIR9";

     

       
13
       
+
       
      adminPasswordFile = pkgs.writeText "admin-password" "${initialAdminPassword}";

     

       
14
       
+
       
    in

     

       
15
       
 
       
    {

     

       
16
       
 
       
      name = "keycloak";

     

       
17
       
 
       
      meta = with pkgs.lib.maintainers; {

     
···

       
40
       
 
       
              type = databaseType;

     

       
41
       
 
       
              username = "bogus";

     

       
42
       
 
       
              name = "also bogus";

     

       
43
       
+
       
              passwordFile = "${pkgs.writeText "dbPassword" ''wzf6\"vO"Cb\nP>p#6;c&o?eu=q'THE'''H''''E''}";

     

       
44
       
 
       
            };

     

       
45
       
 
       
            plugins = with config.services.keycloak.package.plugins; [

     

       
46
       
 
       
              keycloak-discord

     
···

       
114
       
 
       
          keycloak.succeed("""

     

       
115
       
 
       
              curl -sSf -d 'client_id=admin-cli' \

     

       
116
       
 
       
                   -d 'username=admin' \

     

       
117
       
+
       
                   -d "password=$(<${adminPasswordFile})" \

     

       
118
       
 
       
                   -d 'grant_type=password' \

     

       
119
       
 
       
                   '${frontendUrl}/realms/master/protocol/openid-connect/token' \

     

       
120
       
 
       
                   | jq -r '"Authorization: bearer " + .access_token' >admin_auth_header

     
···

       
122
       
 
       


     

       
123
       
 
       
          # Register the metrics SPI

     

       
124
       
 
       
          keycloak.succeed(

     

       
125
       
+
       
              """${pkgs.jre}/bin/keytool -import -alias snakeoil -file ${certs.ca.cert} -storepass aaaaaa -keystore cacert.jks -noprompt""",

     

       
126
       
+
       
              """KC_OPTS='-Djavax.net.ssl.trustStore=cacert.jks -Djavax.net.ssl.trustStorePassword=aaaaaa' kcadm.sh config credentials --server '${frontendUrl}' --realm master --user admin --password "$(<${adminPasswordFile})" """,

     

       
127
       
+
       
              """KC_OPTS='-Djavax.net.ssl.trustStore=cacert.jks -Djavax.net.ssl.trustStorePassword=aaaaaa' kcadm.sh update events/config -s 'eventsEnabled=true' -s 'adminEventsEnabled=true' -s 'eventsListeners+=metrics-listener'""",

     

       
128
       
+
       
              """curl -sSf '${frontendUrl}/realms/master/metrics' | grep '^keycloak_admin_event_UPDATE'"""

     

       
129
       
 
       
          )

     

       
130
       
 
       


     

       
131
       
 
       
          # Publish the realm, including a test OIDC client and user