keycloak: 25.0.6 -> 26.0.0 (#346439)

Nick Cao
2024-10-05 18:14:45 -04:00
committed by GitHub
3 changed files with 27 additions and 37 deletions


@@ -249,12 +249,14 @@ in
package = mkPackageOption pkgs "keycloak" { };
initialAdminPassword = mkOption {
type = str;
default = "changeme";
type = nullOr str;
default = null;
description = ''
Initial password set for the `admin`
user. The password is not stored safely and should be changed
Initial password set for the temporary `admin` user.
The password is not stored safely and should be changed
immediately in the admin panel.
See [Admin bootstrap and recovery](https://www.keycloak.org/server/bootstrap-admin-recovery) for details.
'';
};
@@ -351,35 +353,12 @@ in
for more information about hostname configuration.
'';
};
proxy = mkOption {
type = enum [ "edge" "reencrypt" "passthrough" "none" ];
default = "none";
example = "edge";
description = ''
The proxy address forwarding mode if the server is
behind a reverse proxy.
- `edge`:
Enables communication through HTTP between the
proxy and Keycloak.
- `reencrypt`:
Requires communication through HTTPS between the
proxy and Keycloak.
- `passthrough`:
Enables communication through HTTP or HTTPS between
the proxy and Keycloak.
See <https://www.keycloak.org/server/reverseproxy> for more information.
'';
};
};
};
example = literalExpression ''
{
hostname = "keycloak.example.com";
proxy = "reencrypt";
https-key-store-file = "/path/to/file";
https-key-store-password = { _secret = "/run/keys/store_password"; };
}
@@ -497,6 +476,16 @@ in
See [New Hostname options](https://www.keycloak.org/docs/25.0.0/upgrading/#new-hostname-options) for details.
'';
}
{
assertion = cfg.settings.proxy or null == null;
message = ''
The option `services.keycloak.settings.proxy' has been removed.
Set `services.keycloak.settings.proxy-headers` in combination
with other hostname options as needed instead.
See [Proxy option removed](https://www.keycloak.org/docs/latest/upgrading/index.html#proxy-option-removed)
for more information.
'';
}
];
environment.systemPackages = [ keycloakBuild ];
@@ -633,6 +622,9 @@ in
environment = {
KC_HOME_DIR = "/run/keycloak";
KC_CONF_DIR = "/run/keycloak/conf";
} // lib.optionalAttrs (cfg.initialAdminPassword != null) {
KC_BOOTSTRAP_ADMIN_USERNAME = "admin";
KC_BOOTSTRAP_ADMIN_PASSWORD = cfg.initialAdminPassword;
};
serviceConfig = {
LoadCredential =
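Review bot: The bootstrap password now reaches Keycloak through the unit's `environment` attribute (`KC_BOOTSTRAP_ADMIN_PASSWORD = cfg.initialAdminPassword;` in this hunk), which presumably renders into the generated unit file and is readable by any local user via `systemctl show keycloak -p Environment`; the removed `export KEYCLOAK_ADMIN_PASSWORD` in the start script had the same exposure through the world-readable Nix store, so this is not a regression, but the option's "not stored safely" wording could be made concrete, e.g. `The value is written to the Nix store and to the unit environment, so it is readable by any local user.` Since the unit already uses `LoadCredential` (the line closing this hunk), a follow-up could accept a file path for the bootstrap password and export the variable in the start script from `$CREDENTIALS_DIRECTORY` instead, keeping the secret out of the store and the unit environment. Note also that with a non-null value the bootstrap variables are set on every start, not only the first; whether Keycloak 26 tolerates that once the master realm already has an admin is not visible here and should be confirmed against the linked bootstrap documentation.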
@@ -658,6 +650,7 @@ in
ln -s ${themesBundle} /run/keycloak/themes
ln -s ${keycloakBuild}/providers /run/keycloak/
ln -s ${keycloakBuild}/lib /run/keycloak/
install -D -m 0600 ${confFile} /run/keycloak/conf/keycloak.conf
@@ -672,8 +665,6 @@ in
mkdir -p /run/keycloak/ssl
cp $CREDENTIALS_DIRECTORY/ssl_{cert,key} /run/keycloak/ssl/
'' + ''
export KEYCLOAK_ADMIN=admin
export KEYCLOAK_ADMIN_PASSWORD=${escapeShellArg cfg.initialAdminPassword}
kc.sh --verbose start --optimized
'';
};


@@ -20,6 +20,8 @@ let
nodes = {
keycloak = { config, ... }: {
virtualisation.memorySize = 2047;
security.pki.certificateFiles = [
certs.ca.cert
];
@@ -48,8 +50,7 @@ let
];
};
environment.systemPackages = with pkgs; [
xmlstarlet
html-tidy
htmlq
jq
];
};
@@ -151,16 +152,14 @@ let
# post url.
keycloak.succeed(
"curl -sSf -c cookie '${frontendUrl}/realms/${realm.realm}/protocol/openid-connect/auth?client_id=${client.name}&redirect_uri=urn%3Aietf%3Awg%3Aoauth%3A2.0%3Aoob&scope=openid+email&response_type=code&response_mode=query&nonce=qw4o89g3qqm' >login_form",
"tidy -asxml -q -m login_form || true",
"xml sel -T -t -m \"_:html/_:body/_:div/_:div/_:div/_:div/_:div/_:div/_:form[@id='kc-form-login']\" -v @action login_form >form_post_url",
"htmlq '#kc-form-login' --attribute action --filename login_form --output form_post_url"
)
# Post the login form and save the response. Once again tidy up
# the HTML, then extract the authorization code.
keycloak.succeed(
"curl -sSf -L -b cookie -d 'username=${user.username}' -d 'password=${password}' -d 'credentialId=' \"$(<form_post_url)\" >auth_code_html",
"tidy -asxml -q -m auth_code_html || true",
"xml sel -T -t -m \"_:html/_:body/_:div/_:div/_:div/_:div/_:div/_:input[@id='code']\" -v @value auth_code_html >auth_code",
"htmlq '#code' --attribute value --filename auth_code_html --output auth_code"
)
# Exchange the authorization code for an access token.


@@ -18,11 +18,11 @@ let
'';
in stdenv.mkDerivation rec {
pname = "keycloak";
version = "25.0.6";
version = "26.0.0";
src = fetchzip {
url = "https://github.com/keycloak/keycloak/releases/download/${version}/keycloak-${version}.zip";
hash = "sha256-1VHixRgErao/1ZEJv+rlnNmUd2NT35X89D8wuUhYF08=";
hash = "sha256-BWkF5iiR4J7NskrJUFmlP0N+HEkyZLnLJbMmbXCROxo=";
};
nativeBuildInputs = [ makeWrapper jre ];