chore: run nix fmt
This commit is contained in:
parent
d3f5308eaf
commit
3bc699fccf
|
@ -111,7 +111,8 @@
|
|||
devShells.ci = pkgs.mkShell { buildInputs = with pkgs; [ nodejs ]; };
|
||||
};
|
||||
|
||||
flake = let
|
||||
flake =
|
||||
let
|
||||
username = "barkeeper";
|
||||
in
|
||||
{
|
||||
|
|
|
@ -1,8 +1,7 @@
|
|||
{ flake, lib, ... }:
|
||||
|
||||
{
|
||||
imports =
|
||||
[
|
||||
imports = [
|
||||
./backups.nix
|
||||
./apps/nginx.nix
|
||||
|
||||
|
|
|
@ -7,7 +7,8 @@
|
|||
{
|
||||
# Configuration common to all Linux systems
|
||||
flake = {
|
||||
lib = let
|
||||
lib =
|
||||
let
|
||||
callLibs = file: import file { inherit lib; };
|
||||
in
|
||||
rec {
|
||||
|
|
|
@ -4,11 +4,17 @@
|
|||
lib,
|
||||
pkgs,
|
||||
...
|
||||
}: let
|
||||
utils = import "${flake.inputs.nixpkgs}/nixos/lib/utils.nix" { inherit lib; inherit config; inherit pkgs; };
|
||||
}:
|
||||
let
|
||||
utils = import "${flake.inputs.nixpkgs}/nixos/lib/utils.nix" {
|
||||
inherit lib;
|
||||
inherit config;
|
||||
inherit pkgs;
|
||||
};
|
||||
# Type for a valid systemd unit option. Needed for correctly passing "timerConfig" to "systemd.timers"
|
||||
inherit (utils.systemdUtils.unitOptions) unitOption;
|
||||
in {
|
||||
in
|
||||
{
|
||||
options.pub-solar-os.backups = {
|
||||
stores =
|
||||
with lib;
|
||||
|
|
|
@ -59,9 +59,7 @@
|
|||
"pub.solar" =
|
||||
flake.inputs.keycloak-theme-pub-solar.legacyPackages.${pkgs.system}.keycloak-theme-pub-solar;
|
||||
};
|
||||
plugins = [
|
||||
flake.inputs.keycloak-event-listener.packages.${pkgs.system}.keycloak-event-listener
|
||||
];
|
||||
plugins = [ flake.inputs.keycloak-event-listener.packages.${pkgs.system}.keycloak-event-listener ];
|
||||
};
|
||||
|
||||
pub-solar-os.backups.backups.keycloak = {
|
||||
|
|
|
@ -1,4 +1,10 @@
|
|||
{ config, options, pkgs, lib, ... }:
|
||||
{
|
||||
config,
|
||||
options,
|
||||
pkgs,
|
||||
lib,
|
||||
...
|
||||
}:
|
||||
|
||||
let
|
||||
cfg = config.services.keycloak;
|
||||
|
@ -40,34 +46,78 @@ let
|
|||
prefixUnlessEmpty = prefix: string: optionalString (string != "") "${prefix}${string}";
|
||||
in
|
||||
{
|
||||
imports =
|
||||
imports = [
|
||||
(mkRenamedOptionModule
|
||||
[
|
||||
"services"
|
||||
"keycloak"
|
||||
"bindAddress"
|
||||
]
|
||||
[
|
||||
"services"
|
||||
"keycloak"
|
||||
"settings"
|
||||
"http-host"
|
||||
]
|
||||
)
|
||||
(mkRenamedOptionModule
|
||||
[ "services" "keycloak" "bindAddress" ]
|
||||
[ "services" "keycloak" "settings" "http-host" ])
|
||||
(mkRenamedOptionModule
|
||||
[ "services" "keycloak" "forceBackendUrlToFrontendUrl"]
|
||||
[ "services" "keycloak" "settings" "hostname-strict-backchannel"])
|
||||
[
|
||||
"services"
|
||||
"keycloak"
|
||||
"forceBackendUrlToFrontendUrl"
|
||||
]
|
||||
[
|
||||
"services"
|
||||
"keycloak"
|
||||
"settings"
|
||||
"hostname-strict-backchannel"
|
||||
]
|
||||
)
|
||||
(mkChangedOptionModule
|
||||
[ "services" "keycloak" "httpPort" ]
|
||||
[ "services" "keycloak" "settings" "http-port" ]
|
||||
(config:
|
||||
builtins.fromJSON config.services.keycloak.httpPort))
|
||||
[
|
||||
"services"
|
||||
"keycloak"
|
||||
"httpPort"
|
||||
]
|
||||
[
|
||||
"services"
|
||||
"keycloak"
|
||||
"settings"
|
||||
"http-port"
|
||||
]
|
||||
(config: builtins.fromJSON config.services.keycloak.httpPort)
|
||||
)
|
||||
(mkChangedOptionModule
|
||||
[ "services" "keycloak" "httpsPort" ]
|
||||
[ "services" "keycloak" "settings" "https-port" ]
|
||||
(config:
|
||||
builtins.fromJSON config.services.keycloak.httpsPort))
|
||||
[
|
||||
"services"
|
||||
"keycloak"
|
||||
"httpsPort"
|
||||
]
|
||||
[
|
||||
"services"
|
||||
"keycloak"
|
||||
"settings"
|
||||
"https-port"
|
||||
]
|
||||
(config: builtins.fromJSON config.services.keycloak.httpsPort)
|
||||
)
|
||||
(mkRemovedOptionModule
|
||||
[ "services" "keycloak" "frontendUrl" ]
|
||||
[
|
||||
"services"
|
||||
"keycloak"
|
||||
"frontendUrl"
|
||||
]
|
||||
''
|
||||
Set `services.keycloak.settings.hostname' and `services.keycloak.settings.http-relative-path' instead.
|
||||
NOTE: You likely want to set 'http-relative-path' to '/auth' to keep compatibility with your clients.
|
||||
See its description for more information.
|
||||
'')
|
||||
(mkRemovedOptionModule
|
||||
[ "services" "keycloak" "extraConfig" ]
|
||||
"Use `services.keycloak.settings' instead.")
|
||||
''
|
||||
)
|
||||
(mkRemovedOptionModule [
|
||||
"services"
|
||||
"keycloak"
|
||||
"extraConfig"
|
||||
] "Use `services.keycloak.settings' instead.")
|
||||
];
|
||||
|
||||
options.services.keycloak =
|
||||
|
@ -82,9 +132,11 @@ in
|
|||
path
|
||||
enum
|
||||
package
|
||||
port;
|
||||
port
|
||||
;
|
||||
|
||||
assertStringPath = optionName: value:
|
||||
assertStringPath =
|
||||
optionName: value:
|
||||
if isPath value then
|
||||
throw ''
|
||||
services.keycloak.${optionName}:
|
||||
|
@ -92,7 +144,8 @@ in
|
|||
is a Nix path, but should be a string, since Nix
|
||||
paths are copied into the world-readable Nix store.
|
||||
''
|
||||
else value;
|
||||
else
|
||||
value;
|
||||
in
|
||||
{
|
||||
enable = mkOption {
|
||||
|
@ -139,7 +192,11 @@ in
|
|||
|
||||
database = {
|
||||
type = mkOption {
|
||||
type = enum [ "mysql" "mariadb" "postgresql" ];
|
||||
type = enum [
|
||||
"mysql"
|
||||
"mariadb"
|
||||
"postgresql"
|
||||
];
|
||||
default = "postgresql";
|
||||
example = "mariadb";
|
||||
description = ''
|
||||
|
@ -286,7 +343,14 @@ in
|
|||
|
||||
settings = mkOption {
|
||||
type = lib.types.submodule {
|
||||
freeformType = attrsOf (nullOr (oneOf [ str int bool (attrsOf path) ]));
|
||||
freeformType = attrsOf (
|
||||
nullOr (oneOf [
|
||||
str
|
||||
int
|
||||
bool
|
||||
(attrsOf path)
|
||||
])
|
||||
);
|
||||
|
||||
options = {
|
||||
http-host = mkOption {
|
||||
|
@ -365,7 +429,12 @@ in
|
|||
};
|
||||
|
||||
proxy = mkOption {
|
||||
type = enum [ "edge" "reencrypt" "passthrough" "none" ];
|
||||
type = enum [
|
||||
"edge"
|
||||
"reencrypt"
|
||||
"passthrough"
|
||||
"none"
|
||||
];
|
||||
default = "none";
|
||||
example = "edge";
|
||||
description = ''
|
||||
|
@ -422,7 +491,12 @@ in
|
|||
# connect to it.
|
||||
databaseActuallyCreateLocally = cfg.database.createLocally && cfg.database.host == "localhost";
|
||||
createLocalPostgreSQL = databaseActuallyCreateLocally && cfg.database.type == "postgresql";
|
||||
createLocalMySQL = databaseActuallyCreateLocally && elem cfg.database.type [ "mysql" "mariadb" ];
|
||||
createLocalMySQL =
|
||||
databaseActuallyCreateLocally
|
||||
&& elem cfg.database.type [
|
||||
"mysql"
|
||||
"mariadb"
|
||||
];
|
||||
|
||||
mySqlCaKeystore = pkgs.runCommand "mysql-ca-keystore" { } ''
|
||||
${pkgs.jre}/bin/keytool -importcert -trustcacerts -alias MySQLCACert -file ${cfg.database.caCert} -keystore $out -storepass notsosecretpassword -noprompt
|
||||
|
@ -454,39 +528,60 @@ in
|
|||
fi
|
||||
done
|
||||
|
||||
${concatStringsSep "\n" (mapAttrsToList (name: theme: "linkTheme ${theme} ${escapeShellArg name}") cfg.themes)}
|
||||
${concatStringsSep "\n" (
|
||||
mapAttrsToList (name: theme: "linkTheme ${theme} ${escapeShellArg name}") cfg.themes
|
||||
)}
|
||||
'';
|
||||
|
||||
keycloakConfig = lib.generators.toKeyValue {
|
||||
mkKeyValue = lib.flip lib.generators.mkKeyValueDefault "=" {
|
||||
mkValueString = v:
|
||||
if isInt v then toString v
|
||||
else if isString v then v
|
||||
else if true == v then "true"
|
||||
else if false == v then "false"
|
||||
else if isSecret v then hashString "sha256" v._secret
|
||||
else throw "unsupported type ${typeOf v}: ${(lib.generators.toPretty {}) v}";
|
||||
mkValueString =
|
||||
v:
|
||||
if isInt v then
|
||||
toString v
|
||||
else if isString v then
|
||||
v
|
||||
else if true == v then
|
||||
"true"
|
||||
else if false == v then
|
||||
"false"
|
||||
else if isSecret v then
|
||||
hashString "sha256" v._secret
|
||||
else
|
||||
throw "unsupported type ${typeOf v}: ${(lib.generators.toPretty { }) v}";
|
||||
};
|
||||
};
|
||||
|
||||
isSecret = v: isAttrs v && v ? _secret && isString v._secret;
|
||||
filteredConfig = lib.converge (lib.filterAttrsRecursive (_: v: ! elem v [{ } null])) cfg.settings;
|
||||
filteredConfig = lib.converge (lib.filterAttrsRecursive (
|
||||
_: v:
|
||||
!elem v [
|
||||
{ }
|
||||
null
|
||||
]
|
||||
)) cfg.settings;
|
||||
confFile = pkgs.writeText "keycloak.conf" (keycloakConfig filteredConfig);
|
||||
keycloakBuild = cfg.package.override {
|
||||
inherit confFile;
|
||||
plugins = cfg.package.enabledPlugins ++ cfg.plugins ++
|
||||
(with cfg.package.plugins; [quarkus-systemd-notify quarkus-systemd-notify-deployment]);
|
||||
plugins =
|
||||
cfg.package.enabledPlugins
|
||||
++ cfg.plugins
|
||||
++ (with cfg.package.plugins; [
|
||||
quarkus-systemd-notify
|
||||
quarkus-systemd-notify-deployment
|
||||
]);
|
||||
};
|
||||
in
|
||||
mkIf cfg.enable
|
||||
{
|
||||
mkIf cfg.enable {
|
||||
assertions = [
|
||||
{
|
||||
assertion = (cfg.database.useSSL && cfg.database.type == "postgresql") -> (cfg.database.caCert != null);
|
||||
assertion =
|
||||
(cfg.database.useSSL && cfg.database.type == "postgresql") -> (cfg.database.caCert != null);
|
||||
message = "A CA certificate must be specified (in 'services.keycloak.database.caCert') when PostgreSQL is used with SSL";
|
||||
}
|
||||
{
|
||||
assertion = createLocalPostgreSQL -> config.services.postgresql.settings.standard_conforming_strings or true;
|
||||
assertion =
|
||||
createLocalPostgreSQL -> config.services.postgresql.settings.standard_conforming_strings or true;
|
||||
message = "Setting up a local PostgreSQL db for Keycloak requires `standard_conforming_strings` turned on to work reliably";
|
||||
}
|
||||
{
|
||||
|
@ -516,23 +611,24 @@ in
|
|||
services.keycloak.settings =
|
||||
let
|
||||
postgresParams = concatStringsSep "&" (
|
||||
optionals cfg.database.useSSL [
|
||||
"ssl=true"
|
||||
] ++ optionals (cfg.database.caCert != null) [
|
||||
optionals cfg.database.useSSL [ "ssl=true" ]
|
||||
++ optionals (cfg.database.caCert != null) [
|
||||
"sslrootcert=${cfg.database.caCert}"
|
||||
"sslmode=verify-ca"
|
||||
]
|
||||
);
|
||||
mariadbParams = concatStringsSep "&" ([
|
||||
"characterEncoding=UTF-8"
|
||||
] ++ optionals cfg.database.useSSL [
|
||||
mariadbParams = concatStringsSep "&" (
|
||||
[ "characterEncoding=UTF-8" ]
|
||||
++ optionals cfg.database.useSSL [
|
||||
"useSSL=true"
|
||||
"requireSSL=true"
|
||||
"verifyServerCertificate=true"
|
||||
] ++ optionals (cfg.database.caCert != null) [
|
||||
]
|
||||
++ optionals (cfg.database.caCert != null) [
|
||||
"trustCertificateKeyStoreUrl=file:${mySqlCaKeystore}"
|
||||
"trustCertificateKeyStorePassword=notsosecretpassword"
|
||||
]);
|
||||
]
|
||||
);
|
||||
dbProps = if cfg.database.type == "postgresql" then postgresParams else mariadbParams;
|
||||
in
|
||||
mkMerge [
|
||||
|
@ -618,15 +714,18 @@ in
|
|||
systemd.services.keycloak =
|
||||
let
|
||||
databaseServices =
|
||||
if createLocalPostgreSQL then [
|
||||
if createLocalPostgreSQL then
|
||||
[
|
||||
"keycloakPostgreSQLInit.service"
|
||||
"postgresql.service"
|
||||
]
|
||||
else if createLocalMySQL then [
|
||||
else if createLocalMySQL then
|
||||
[
|
||||
"keycloakMySQLInit.service"
|
||||
"mysql.service"
|
||||
]
|
||||
else [ ];
|
||||
else
|
||||
[ ];
|
||||
secretPaths = catAttrs "_secret" (collect isSecret cfg.settings);
|
||||
mkSecretReplacement = file: ''
|
||||
replace-secret ${hashString "sha256" file} $CREDENTIALS_DIRECTORY/${baseNameOf file} /run/keycloak/conf/keycloak.conf
|
||||
|
@ -663,7 +762,8 @@ in
|
|||
Type = "notify"; # Requires quarkus-systemd-notify plugin
|
||||
NotifyAccess = "all";
|
||||
};
|
||||
script = ''
|
||||
script =
|
||||
''
|
||||
set -o errexit -o pipefail -o nounset -o errtrace
|
||||
shopt -s inherit_errexit
|
||||
|
||||
|
@ -681,10 +781,12 @@ in
|
|||
# sequences.
|
||||
sed -i '/db-/ s|\\|\\\\|g' /run/keycloak/conf/keycloak.conf
|
||||
|
||||
'' + optionalString (cfg.sslCertificate != null && cfg.sslCertificateKey != null) ''
|
||||
''
|
||||
+ optionalString (cfg.sslCertificate != null && cfg.sslCertificateKey != null) ''
|
||||
mkdir -p /run/keycloak/ssl
|
||||
cp $CREDENTIALS_DIRECTORY/ssl_{cert,key} /run/keycloak/ssl/
|
||||
'' + ''
|
||||
''
|
||||
+ ''
|
||||
export KEYCLOAK_ADMIN=admin
|
||||
export KEYCLOAK_ADMIN_PASSWORD=${escapeShellArg cfg.initialAdminPassword}
|
||||
kc.sh --verbose start --optimized ${extraStartupFlags}
|
||||
|
|
|
@ -5,15 +5,22 @@ args@{
|
|||
pkgs,
|
||||
inputs,
|
||||
...
|
||||
}: let
|
||||
}:
|
||||
let
|
||||
nixos-lib = import (inputs.nixpkgs + "/nixos/lib") { };
|
||||
|
||||
loadTestFiles = with lib; dir: mapAttrs' (name: _: let
|
||||
loadTestFiles =
|
||||
with lib;
|
||||
dir:
|
||||
mapAttrs' (
|
||||
name: _:
|
||||
let
|
||||
test = ((import (dir + "/${name}")) args);
|
||||
in {
|
||||
in
|
||||
{
|
||||
name = "test-" + (lib.strings.removeSuffix ".nix" name);
|
||||
value = nixos-lib.runTest test;
|
||||
})
|
||||
(filterAttrs (name: _: (hasSuffix ".nix" name) && name != "default.nix")
|
||||
(builtins.readDir dir));
|
||||
in loadTestFiles ./.
|
||||
}
|
||||
) (filterAttrs (name: _: (hasSuffix ".nix" name) && name != "default.nix") (builtins.readDir dir));
|
||||
in
|
||||
loadTestFiles ./.
|
||||
|
|
|
@ -3,10 +3,12 @@
|
|||
lib,
|
||||
config,
|
||||
...
|
||||
}: let
|
||||
}:
|
||||
let
|
||||
puppeteer-socket = (pkgs.callPackage (import ./puppeteer-socket/puppeteer-socket.nix) { });
|
||||
puppeteer-run = (pkgs.callPackage (import ./puppeteer-socket/puppeteer-run.nix) { });
|
||||
in {
|
||||
in
|
||||
{
|
||||
imports = [ ./global.nix ];
|
||||
|
||||
security.polkit.enable = true;
|
||||
|
@ -18,9 +20,7 @@ in {
|
|||
|
||||
services.getty.autologinUser = config.pub-solar-os.authentication.username;
|
||||
|
||||
virtualisation.qemu.options = [
|
||||
"-vga std"
|
||||
];
|
||||
virtualisation.qemu.options = [ "-vga std" ];
|
||||
|
||||
home-manager.users.${config.pub-solar-os.authentication.username} = {
|
||||
programs.bash.profileExtra = ''
|
||||
|
|
|
@ -1,7 +1,5 @@
|
|||
{
|
||||
writeShellScriptBin,
|
||||
curl
|
||||
}: writeShellScriptBin "puppeteer-run" ''
|
||||
{ writeShellScriptBin, curl }:
|
||||
writeShellScriptBin "puppeteer-run" ''
|
||||
set -e
|
||||
|
||||
exec ${curl}/bin/curl --fail-with-body -X POST -d "$@" --unix-socket "/tmp/puppeteer.sock" http://puppeteer-socket
|
||||
|
|
|
@ -1,7 +1,4 @@
|
|||
{
|
||||
buildNpmPackage,
|
||||
nodejs,
|
||||
}:
|
||||
{ buildNpmPackage, nodejs }:
|
||||
buildNpmPackage rec {
|
||||
src = ./.;
|
||||
name = "puppeteer-socket";
|
||||
|
|
Loading…
Reference in a new issue