pub-solar/infra
7
1
Fork 3
Code Issues 16 Pull requests 10 Actions Packages Projects 1 Releases Wiki Activity

chore: run nix fmt

Browse source
This commit is contained in:
b12f 2024-08-27 13:17:30 +02:00
parent d3f5308eaf
commit 3bc699fccf
Signed by: b12f
GPG key ID: 729956E1124F8F26
11 changed files with 410 additions and 301 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
flake.nix
View file

@ -111,7 +111,8 @@
devShells.ci = pkgs.mkShell { buildInputs = with pkgs; [ nodejs ]; };
};
flake = let
flake =
let
username = "barkeeper";
in
{

3
hosts/nachtigall/test-vm.nix
View file

@ -1,8 +1,7 @@
{ flake, lib, ... }:
{
imports =
[
imports = [
./backups.nix
./apps/nginx.nix

3
lib/default.nix
View file

@ -7,7 +7,8 @@
{
# Configuration common to all Linux systems
flake = {
lib = let
lib =
let
callLibs = file: import file { inherit lib; };
in
rec {

12
modules/backups/default.nix
View file

@ -4,11 +4,17 @@
lib,
pkgs,
...
}: let
utils = import "${flake.inputs.nixpkgs}/nixos/lib/utils.nix" { inherit lib; inherit config; inherit pkgs; };
}:
let
utils = import "${flake.inputs.nixpkgs}/nixos/lib/utils.nix" {
inherit lib;
inherit config;
inherit pkgs;
};
# Type for a valid systemd unit option. Needed for correctly passing "timerConfig" to "systemd.timers"
inherit (utils.systemdUtils.unitOptions) unitOption;
in {
in
{
options.pub-solar-os.backups = {
stores =
with lib;

4
modules/keycloak/default.nix
View file

@ -59,9 +59,7 @@
"pub.solar" =
flake.inputs.keycloak-theme-pub-solar.legacyPackages.${pkgs.system}.keycloak-theme-pub-solar;
};
plugins = [
flake.inputs.keycloak-event-listener.packages.${pkgs.system}.keycloak-event-listener
];
plugins = [ flake.inputs.keycloak-event-listener.packages.${pkgs.system}.keycloak-event-listener ];
};
pub-solar-os.backups.backups.keycloak = {

214
modules/keycloak/keycloak.nix
View file

@ -1,4 +1,10 @@
{ config, options, pkgs, lib, ... }:
{
config,
options,
pkgs,
lib,
...
}:
let
cfg = config.services.keycloak;
@ -40,34 +46,78 @@ let
prefixUnlessEmpty = prefix: string: optionalString (string != "") "${prefix}${string}";
in
{
imports =
imports = [
(mkRenamedOptionModule
[
"services"
"keycloak"
"bindAddress"
]
[
"services"
"keycloak"
"settings"
"http-host"
]
)
(mkRenamedOptionModule
[ "services" "keycloak" "bindAddress" ]
[ "services" "keycloak" "settings" "http-host" ])
(mkRenamedOptionModule
[ "services" "keycloak" "forceBackendUrlToFrontendUrl"]
[ "services" "keycloak" "settings" "hostname-strict-backchannel"])
[
"services"
"keycloak"
"forceBackendUrlToFrontendUrl"
]
[
"services"
"keycloak"
"settings"
"hostname-strict-backchannel"
]
)
(mkChangedOptionModule
[ "services" "keycloak" "httpPort" ]
[ "services" "keycloak" "settings" "http-port" ]
(config:
builtins.fromJSON config.services.keycloak.httpPort))
[
"services"
"keycloak"
"httpPort"
]
[
"services"
"keycloak"
"settings"
"http-port"
]
(config: builtins.fromJSON config.services.keycloak.httpPort)
)
(mkChangedOptionModule
[ "services" "keycloak" "httpsPort" ]
[ "services" "keycloak" "settings" "https-port" ]
(config:
builtins.fromJSON config.services.keycloak.httpsPort))
[
"services"
"keycloak"
"httpsPort"
]
[
"services"
"keycloak"
"settings"
"https-port"
]
(config: builtins.fromJSON config.services.keycloak.httpsPort)
)
(mkRemovedOptionModule
[ "services" "keycloak" "frontendUrl" ]
[
"services"
"keycloak"
"frontendUrl"
]
''
Set `services.keycloak.settings.hostname' and `services.keycloak.settings.http-relative-path' instead.
NOTE: You likely want to set 'http-relative-path' to '/auth' to keep compatibility with your clients.
See its description for more information.
'')
(mkRemovedOptionModule
[ "services" "keycloak" "extraConfig" ]
"Use `services.keycloak.settings' instead.")
''
)
(mkRemovedOptionModule [
"services"
"keycloak"
"extraConfig"
] "Use `services.keycloak.settings' instead.")
];
options.services.keycloak =
@ -82,9 +132,11 @@ in
path
enum
package
port;
port
;
assertStringPath = optionName: value:
assertStringPath =
optionName: value:
if isPath value then
throw ''
services.keycloak.${optionName}:
@ -92,7 +144,8 @@ in
is a Nix path, but should be a string, since Nix
paths are copied into the world-readable Nix store.
''
else value;
else
value;
in
{
enable = mkOption {
@ -139,7 +192,11 @@ in
database = {
type = mkOption {
type = enum [ "mysql" "mariadb" "postgresql" ];
type = enum [
"mysql"
"mariadb"
"postgresql"
];
default = "postgresql";
example = "mariadb";
description = ''
@ -286,7 +343,14 @@ in
settings = mkOption {
type = lib.types.submodule {
freeformType = attrsOf (nullOr (oneOf [ str int bool (attrsOf path) ]));
freeformType = attrsOf (
nullOr (oneOf [
str
int
bool
(attrsOf path)
])
);
options = {
http-host = mkOption {
@ -365,7 +429,12 @@ in
};
proxy = mkOption {
type = enum [ "edge" "reencrypt" "passthrough" "none" ];
type = enum [
"edge"
"reencrypt"
"passthrough"
"none"
];
default = "none";
example = "edge";
description = ''
@ -422,7 +491,12 @@ in
# connect to it.
databaseActuallyCreateLocally = cfg.database.createLocally && cfg.database.host == "localhost";
createLocalPostgreSQL = databaseActuallyCreateLocally && cfg.database.type == "postgresql";
createLocalMySQL = databaseActuallyCreateLocally && elem cfg.database.type [ "mysql" "mariadb" ];
createLocalMySQL =
databaseActuallyCreateLocally
&& elem cfg.database.type [
"mysql"
"mariadb"
];
mySqlCaKeystore = pkgs.runCommand "mysql-ca-keystore" { } ''
${pkgs.jre}/bin/keytool -importcert -trustcacerts -alias MySQLCACert -file ${cfg.database.caCert} -keystore $out -storepass notsosecretpassword -noprompt
@ -454,39 +528,60 @@ in
fi
done
${concatStringsSep "\n" (mapAttrsToList (name: theme: "linkTheme ${theme} ${escapeShellArg name}") cfg.themes)}
${concatStringsSep "\n" (
mapAttrsToList (name: theme: "linkTheme ${theme} ${escapeShellArg name}") cfg.themes
)}
'';
keycloakConfig = lib.generators.toKeyValue {
mkKeyValue = lib.flip lib.generators.mkKeyValueDefault "=" {
mkValueString = v:
if isInt v then toString v
else if isString v then v
else if true == v then "true"
else if false == v then "false"
else if isSecret v then hashString "sha256" v._secret
else throw "unsupported type ${typeOf v}: ${(lib.generators.toPretty {}) v}";
mkValueString =
v:
if isInt v then
toString v
else if isString v then
v
else if true == v then
"true"
else if false == v then
"false"
else if isSecret v then
hashString "sha256" v._secret
else
throw "unsupported type ${typeOf v}: ${(lib.generators.toPretty { }) v}";
};
};
isSecret = v: isAttrs v && v ? _secret && isString v._secret;
filteredConfig = lib.converge (lib.filterAttrsRecursive (_: v: ! elem v [{ } null])) cfg.settings;
filteredConfig = lib.converge (lib.filterAttrsRecursive (
_: v:
!elem v [
{ }
null
]
)) cfg.settings;
confFile = pkgs.writeText "keycloak.conf" (keycloakConfig filteredConfig);
keycloakBuild = cfg.package.override {
inherit confFile;
plugins = cfg.package.enabledPlugins ++ cfg.plugins ++
(with cfg.package.plugins; [quarkus-systemd-notify quarkus-systemd-notify-deployment]);
plugins =
cfg.package.enabledPlugins
++ cfg.plugins
++ (with cfg.package.plugins; [
quarkus-systemd-notify
quarkus-systemd-notify-deployment
]);
};
in
mkIf cfg.enable
{
mkIf cfg.enable {
assertions = [
{
assertion = (cfg.database.useSSL && cfg.database.type == "postgresql") -> (cfg.database.caCert != null);
assertion =
(cfg.database.useSSL && cfg.database.type == "postgresql") -> (cfg.database.caCert != null);
message = "A CA certificate must be specified (in 'services.keycloak.database.caCert') when PostgreSQL is used with SSL";
}
{
assertion = createLocalPostgreSQL -> config.services.postgresql.settings.standard_conforming_strings or true;
assertion =
createLocalPostgreSQL -> config.services.postgresql.settings.standard_conforming_strings or true;
message = "Setting up a local PostgreSQL db for Keycloak requires `standard_conforming_strings` turned on to work reliably";
}
{
@ -516,23 +611,24 @@ in
services.keycloak.settings =
let
postgresParams = concatStringsSep "&" (
optionals cfg.database.useSSL [
"ssl=true"
] ++ optionals (cfg.database.caCert != null) [
optionals cfg.database.useSSL [ "ssl=true" ]
++ optionals (cfg.database.caCert != null) [
"sslrootcert=${cfg.database.caCert}"
"sslmode=verify-ca"
]
);
mariadbParams = concatStringsSep "&" ([
"characterEncoding=UTF-8"
] ++ optionals cfg.database.useSSL [
mariadbParams = concatStringsSep "&" (
[ "characterEncoding=UTF-8" ]
++ optionals cfg.database.useSSL [
"useSSL=true"
"requireSSL=true"
"verifyServerCertificate=true"
] ++ optionals (cfg.database.caCert != null) [
]
++ optionals (cfg.database.caCert != null) [
"trustCertificateKeyStoreUrl=file:${mySqlCaKeystore}"
"trustCertificateKeyStorePassword=notsosecretpassword"
]);
]
);
dbProps = if cfg.database.type == "postgresql" then postgresParams else mariadbParams;
in
mkMerge [
@ -618,15 +714,18 @@ in
systemd.services.keycloak =
let
databaseServices =
if createLocalPostgreSQL then [
if createLocalPostgreSQL then
[
"keycloakPostgreSQLInit.service"
"postgresql.service"
]
else if createLocalMySQL then [
else if createLocalMySQL then
[
"keycloakMySQLInit.service"
"mysql.service"
]
else [ ];
else
[ ];
secretPaths = catAttrs "_secret" (collect isSecret cfg.settings);
mkSecretReplacement = file: ''
replace-secret ${hashString "sha256" file} $CREDENTIALS_DIRECTORY/${baseNameOf file} /run/keycloak/conf/keycloak.conf
@ -663,7 +762,8 @@ in
Type = "notify"; # Requires quarkus-systemd-notify plugin
NotifyAccess = "all";
};
script = ''
script =
''
set -o errexit -o pipefail -o nounset -o errtrace
shopt -s inherit_errexit
@ -681,10 +781,12 @@ in
# sequences.
sed -i '/db-/ s|\\|\\\\|g' /run/keycloak/conf/keycloak.conf
'' + optionalString (cfg.sslCertificate != null && cfg.sslCertificateKey != null) ''
''
+ optionalString (cfg.sslCertificate != null && cfg.sslCertificateKey != null) ''
mkdir -p /run/keycloak/ssl
cp $CREDENTIALS_DIRECTORY/ssl_{cert,key} /run/keycloak/ssl/
'' + ''
''
+ ''
export KEYCLOAK_ADMIN=admin
export KEYCLOAK_ADMIN_PASSWORD=${escapeShellArg cfg.initialAdminPassword}
kc.sh --verbose start --optimized ${extraStartupFlags}

21
tests/default.nix
View file

@ -5,15 +5,22 @@ args@{
pkgs,
inputs,
...
}: let
}:
let
nixos-lib = import (inputs.nixpkgs + "/nixos/lib") { };
loadTestFiles = with lib; dir: mapAttrs' (name: _: let
loadTestFiles =
with lib;
dir:
mapAttrs' (
name: _:
let
test = ((import (dir + "/${name}")) args);
in {
in
{
name = "test-" + (lib.strings.removeSuffix ".nix" name);
value = nixos-lib.runTest test;
})
(filterAttrs (name: _: (hasSuffix ".nix" name) && name != "default.nix")
(builtins.readDir dir));
in loadTestFiles ./.
}
) (filterAttrs (name: _: (hasSuffix ".nix" name) && name != "default.nix") (builtins.readDir dir));
in
loadTestFiles ./.

10
tests/support/client.nix
View file

@ -3,10 +3,12 @@
lib,
config,
...
}: let
}:
let
puppeteer-socket = (pkgs.callPackage (import ./puppeteer-socket/puppeteer-socket.nix) { });
puppeteer-run = (pkgs.callPackage (import ./puppeteer-socket/puppeteer-run.nix) { });
in {
in
{
imports = [ ./global.nix ];
security.polkit.enable = true;
@ -18,9 +20,7 @@ in {
services.getty.autologinUser = config.pub-solar-os.authentication.username;
virtualisation.qemu.options = [
"-vga std"
];
virtualisation.qemu.options = [ "-vga std" ];
home-manager.users.${config.pub-solar-os.authentication.username} = {
programs.bash.profileExtra = ''

6
tests/support/puppeteer-socket/puppeteer-run.nix
View file

@ -1,7 +1,5 @@
{
writeShellScriptBin,
curl
}: writeShellScriptBin "puppeteer-run" ''
{ writeShellScriptBin, curl }:
writeShellScriptBin "puppeteer-run" ''
set -e
exec ${curl}/bin/curl --fail-with-body -X POST -d "$@" --unix-socket "/tmp/puppeteer.sock" http://puppeteer-socket

5
tests/support/puppeteer-socket/puppeteer-socket.nix
View file

@ -1,7 +1,4 @@
{
buildNpmPackage,
nodejs,
}:
{ buildNpmPackage, nodejs }:
buildNpmPackage rec {
src = ./.;
name = "puppeteer-socket";