From bbb6bc35945f4c88271538287160719c5275c2fc Mon Sep 17 00:00:00 2001
From: "R. Ryantm"
Date: Fri, 4 Oct 2024 14:09:21 +0000
Subject: [PATCH 1/7] keycloak: 25.0.6 -> 26.0.0
---
 pkgs/servers/keycloak/default.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/pkgs/servers/keycloak/default.nix b/pkgs/servers/keycloak/default.nix
index 2ef6b0fdf399..edf194300676 100644
--- a/pkgs/servers/keycloak/default.nix
+++ b/pkgs/servers/keycloak/default.nix
@@ -18,11 +18,11 @@ let
 '';
 in stdenv.mkDerivation rec {
 pname = "keycloak";
- version = "25.0.6";
+ version = "26.0.0";
 src = fetchzip {
 url = "https://github.com/keycloak/keycloak/releases/download/${version}/keycloak-${version}.zip";
- hash = "sha256-1VHixRgErao/1ZEJv+rlnNmUd2NT35X89D8wuUhYF08=";
+ hash = "sha256-BWkF5iiR4J7NskrJUFmlP0N+HEkyZLnLJbMmbXCROxo=";
 };
 nativeBuildInputs = [ makeWrapper jre ];
From d2ec2d3c29c5d9f8fa09d00e56e3105f464f8701 Mon Sep 17 00:00:00 2001
From: Nick Cao
Date: Fri, 4 Oct 2024 20:04:52 -0400
Subject: [PATCH 2/7] nixos/keycloak: link $out/lib to KC_HOME_DIR to fix loading optimized app image
Reference: https://www.keycloak.org/docs/latest/upgrading/index.html#additional-validations-on-the-optimized-startup-option
---
 nixos/modules/services/web-apps/keycloak.nix | 1 +
 1 file changed, 1 insertion(+)
diff --git a/nixos/modules/services/web-apps/keycloak.nix b/nixos/modules/services/web-apps/keycloak.nix
index 5d429675bafc..5324d0ed652a 100644
--- a/nixos/modules/services/web-apps/keycloak.nix
+++ b/nixos/modules/services/web-apps/keycloak.nix
@@ -658,6 +658,7 @@ in
 ln -s ${themesBundle} /run/keycloak/themes
 ln -s ${keycloakBuild}/providers /run/keycloak/
+ ln -s ${keycloakBuild}/lib /run/keycloak/
 install -D -m 0600 ${confFile} /run/keycloak/conf/keycloak.conf
From 16cd47369f1f90b994b2157fe7c87f972400d668 Mon Sep 17 00:00:00 2001
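Review bot: The added `ln -s ${keycloakBuild}/lib /run/keycloak/` in the keycloak.nix hunk (@@ -658) carries no in-file explanation of why the package's lib directory now has to appear under KC_HOME_DIR next to providers; the reason lives only in the commit message. A reader of the preStart script will presumably wonder why exactly these two directories are linked, so a why-comment above the line would help, e.g. `# Keycloak 26 expects the build's lib/ under KC_HOME_DIR when started with --optimized; see the "additional validations on the optimized startup option" section of the upgrading guide`. The script this line belongs to starts and ends outside the hunk. The preceding hunk is a plain version bump.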
From: Nick Cao
Date: Fri, 4 Oct 2024 20:08:06 -0400
Subject: [PATCH 3/7] nixos/keycloak: KEYCLOAK_ADMIN{,PASSWORD} -> KC_BOOTSTRAP_ADMIN_{USERNAME,PASSWORD}
Reference: https://www.keycloak.org/docs/latest/upgrading/index.html#admin-bootstrapping-and-recovery
---
 nixos/modules/services/web-apps/keycloak.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/nixos/modules/services/web-apps/keycloak.nix b/nixos/modules/services/web-apps/keycloak.nix
index 5324d0ed652a..26f249f26442 100644
--- a/nixos/modules/services/web-apps/keycloak.nix
+++ b/nixos/modules/services/web-apps/keycloak.nix
@@ -673,8 +673,8 @@ in
 mkdir -p /run/keycloak/ssl
 cp $CREDENTIALS_DIRECTORY/ssl_{cert,key} /run/keycloak/ssl/
 '' + ''
- export KEYCLOAK_ADMIN=admin
- export KEYCLOAK_ADMIN_PASSWORD=${escapeShellArg cfg.initialAdminPassword}
+ export KC_BOOTSTRAP_ADMIN_USERNAME=admin
+ export KC_BOOTSTRAP_ADMIN_PASSWORD=${escapeShellArg cfg.initialAdminPassword}
 kc.sh --verbose start --optimized
 '';
 };
From 0cdc3e2a0b6905607b30e4aba4ff8e5b7e0f3fdd Mon Sep 17 00:00:00 2001
From: Nick Cao
Date: Fri, 4 Oct 2024 20:20:46 -0400
Subject: [PATCH 4/7] nixos/keycloak: drop removed proxy option
Reference: https://www.keycloak.org/docs/latest/upgrading/index.html#proxy-option-removed
---
 nixos/modules/services/web-apps/keycloak.nix | 33 ++++++--------------
 1 file changed, 10 insertions(+), 23 deletions(-)
diff --git a/nixos/modules/services/web-apps/keycloak.nix b/nixos/modules/services/web-apps/keycloak.nix
index 26f249f26442..2d8d0f8923f9 100644
--- a/nixos/modules/services/web-apps/keycloak.nix
+++ b/nixos/modules/services/web-apps/keycloak.nix
@@ -351,35 +351,12 @@ in
 for more information about hostname configuration.
 '';
 };
-
- proxy = mkOption {
- type = enum [ "edge" "reencrypt" "passthrough" "none" ];
- default = "none";
- example = "edge";
- description = ''
- The proxy address forwarding mode if the server is
- behind a reverse proxy.
-
- - `edge`:
- Enables communication through HTTP between the
- proxy and Keycloak.
- - `reencrypt`:
- Requires communication through HTTPS between the
- proxy and Keycloak.
- - `passthrough`:
- Enables communication through HTTP or HTTPS between
- the proxy and Keycloak.
-
- See for more information.
- '';
- };
 };
 };
 example = literalExpression ''
 {
 hostname = "keycloak.example.com";
- proxy = "reencrypt";
 https-key-store-file = "/path/to/file";
 https-key-store-password = { _secret = "/run/keys/store_password"; };
 }
@@ -497,6 +474,16 @@ in
 See [New Hostname options](https://www.keycloak.org/docs/25.0.0/upgrading/#new-hostname-options) for details.
 '';
 }
+ {
+ assertion = cfg.settings.proxy or null == null;
+ message = ''
+ The option `services.keycloak.settings.proxy' has been removed.
+ Set `services.keycloak.settings.proxy-headers` in combination
+ with other hostname options as needed instead.
+ See [Proxy option removed](https://www.keycloak.org/docs/latest/upgrading/index.html#proxy-option-removed)
+ for more information.
+ '';
+ }
 ];
 environment.systemPackages = [ keycloakBuild ];
From 05caac302f10845f95dab68fbdb4e793da100d75 Mon Sep 17 00:00:00 2001
From: Nick Cao
Date: Fri, 4 Oct 2024 20:39:33 -0400
Subject: [PATCH 5/7] nixos/keycloak: fixup login test after ui change
---
 nixos/tests/keycloak.nix | 9 +++------
 1 file changed, 3 insertions(+), 6 deletions(-)
diff --git a/nixos/tests/keycloak.nix b/nixos/tests/keycloak.nix
index 67b412c80961..8fbab8ffae21 100644
--- a/nixos/tests/keycloak.nix
+++ b/nixos/tests/keycloak.nix
@@ -48,8 +48,7 @@ let
 ];
 };
 environment.systemPackages = with pkgs; [
- xmlstarlet
- html-tidy
+ htmlq
 jq
 ];
 };
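Review bot: In the second keycloak.nix hunk (@@ -497) the new assertion message closes the option name with an apostrophe, `services.keycloak.settings.proxy'`, while the next line closes `services.keycloak.settings.proxy-headers` with a backtick; the first should end with a backtick too so both render as code in the error output. The expression `cfg.settings.proxy or null == null` is correct only because `or` binds tighter than `==`, which is easy to misread at a glance; `assertion = (cfg.settings.proxy or null) == null;` says the same thing without relying on precedence. The `assertions` list this hunk extends starts before the hunk, and the first hunk only removes the option and its example line. The nixos/tests/keycloak.nix package swap that follows needs nothing on its own.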
@@ -151,16 +150,14 @@ let
 # post url.
 keycloak.succeed(
 "curl -sSf -c cookie '${frontendUrl}/realms/${realm.realm}/protocol/openid-connect/auth?client_id=${client.name}&redirect_uri=urn%3Aietf%3Awg%3Aoauth%3A2.0%3Aoob&scope=openid+email&response_type=code&response_mode=query&nonce=qw4o89g3qqm' >login_form",
- "tidy -asxml -q -m login_form || true",
- "xml sel -T -t -m \"_:html/_:body/_:div/_:div/_:div/_:div/_:div/_:div/_:form[@id='kc-form-login']\" -v @action login_form >form_post_url",
+ "htmlq '#kc-form-login' --attribute action --filename login_form --output form_post_url"
 )
 # Post the login form and save the response. Once again tidy up
 # the HTML, then extract the authorization code.
 keycloak.succeed(
 "curl -sSf -L -b cookie -d 'username=${user.username}' -d 'password=${password}' -d 'credentialId=' \"$(auth_code_html",
- "tidy -asxml -q -m auth_code_html || true",
- "xml sel -T -t -m \"_:html/_:body/_:div/_:div/_:div/_:div/_:div/_:input[@id='code']\" -v @value auth_code_html >auth_code",
+ "htmlq '#code' --attribute value --filename auth_code_html --output auth_code"
 )
 # Exchange the authorization code for an access token.
From 937d3964c905ce30cf227da1ccc826b6821214cc Mon Sep 17 00:00:00 2001
From: Nick Cao
Date: Fri, 4 Oct 2024 21:32:49 -0400
Subject: [PATCH 6/7] nixos/keycloak: raise memory size in tests to 2047M
---
 nixos/tests/keycloak.nix | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/nixos/tests/keycloak.nix b/nixos/tests/keycloak.nix
index 8fbab8ffae21..baed9419061d 100644
--- a/nixos/tests/keycloak.nix
+++ b/nixos/tests/keycloak.nix
@@ -20,6 +20,8 @@ let
 nodes = {
 keycloak = { config, ... }: {
+ virtualisation.memorySize = 2047;
+
 security.pki.certificateFiles = [ certs.ca.cert ];
From 6069dde181706e90e811d718715b89e33aa5d3b1 Mon Sep 17 00:00:00 2001
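Review bot: The context comment `# Post the login form and save the response. Once again tidy up` / `# the HTML, then extract the authorization code.` still describes the `tidy` step this hunk removes and is now stale; rewording it to `# Post the login form and save the response, then extract the` / `# authorization code from the returned HTML.` keeps it truthful. The comment that ends in `# post url.` above the first curl call begins outside the hunk and, given the "Once again" phrasing below it, likely mentions tidy as well. The line `\"$(auth_code_html",` reads as truncated in this rendering (no closing redirection), which is presumably an extraction artifact rather than the committed text, but is worth confirming against the actual file.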
From: Nick Cao
Date: Sat, 5 Oct 2024 08:37:41 -0400
Subject: [PATCH 7/7] nixos/keycloak: make initialAdminPassword optional
---
 nixos/modules/services/web-apps/keycloak.nix | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)
diff --git a/nixos/modules/services/web-apps/keycloak.nix b/nixos/modules/services/web-apps/keycloak.nix
index 2d8d0f8923f9..f7c7ea9ab1fb 100644
--- a/nixos/modules/services/web-apps/keycloak.nix
+++ b/nixos/modules/services/web-apps/keycloak.nix
@@ -249,12 +249,14 @@ in
 package = mkPackageOption pkgs "keycloak" { };
 initialAdminPassword = mkOption {
- type = str;
- default = "changeme";
+ type = nullOr str;
+ default = null;
 description = ''
- Initial password set for the `admin`
- user. The password is not stored safely and should be changed
+ Initial password set for the temporary `admin` user.
+ The password is not stored safely and should be changed
 immediately in the admin panel.
+
+ See [Admin bootstrap and recovery](https://www.keycloak.org/server/bootstrap-admin-recovery) for details.
 '';
 };
@@ -620,6 +622,9 @@ in
 environment = {
 KC_HOME_DIR = "/run/keycloak";
 KC_CONF_DIR = "/run/keycloak/conf";
+ } // lib.optionalAttrs (cfg.initialAdminPassword != null) {
+ KC_BOOTSTRAP_ADMIN_USERNAME = "admin";
+ KC_BOOTSTRAP_ADMIN_PASSWORD = cfg.initialAdminPassword;
 };
 serviceConfig = {
 LoadCredential =
@@ -660,8 +665,6 @@ in
 mkdir -p /run/keycloak/ssl
 cp $CREDENTIALS_DIRECTORY/ssl_{cert,key} /run/keycloak/ssl/
 '' + ''
- export KC_BOOTSTRAP_ADMIN_USERNAME=admin
- export KC_BOOTSTRAP_ADMIN_PASSWORD=${escapeShellArg cfg.initialAdminPassword}
 kc.sh --verbose start --optimized
 '';
 };
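Review bot: The rewritten description in the first hunk (@@ -249) does not say what happens when `initialAdminPassword` is left at its new default of `null`; judging by the `lib.optionalAttrs (cfg.initialAdminPassword != null)` guard in the second hunk, no `KC_BOOTSTRAP_ADMIN_*` variables are set in that case and no bootstrap admin is created, which is a behaviour change for fresh deployments that relied on the old `"changeme"` default. Suggest adding a sentence to the description stating that with the default `null` no bootstrap admin user is created at startup and that the linked guide's procedure must be used to create one. Moving the password from the start script into `environment` changes where it is written but not its exposure: either way it lands in the generated unit in the Nix store, as the "not stored safely" wording already warns; since the unit already uses `LoadCredential` for the TLS key (visible in the second hunk's context), a follow-up could accept a credential path for this value as well. The `environment` attrset and the preStart script both begin outside their hunks.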