Merge pull request #250638 from benley/keycloak-systemd-notify

nixos/keycloak: Add systemd startup notification
2024-05-15 14:13:20 -07:00 · 2024-05-15 14:13:20 -07:00 · f05ecf16e6
commit f05ecf16e6
parent da2910473e b45bb628ea
3 changed files with 36 additions and 15 deletions
--- a/nixos/modules/services/security/oauth2-proxy.nix
+++ b/nixos/modules/services/security/oauth2-proxy.nix
@ -577,20 +577,22 @@ in

    users.groups.oauth2-proxy = {};

-    systemd.services.oauth2-proxy = {
-      description = "OAuth2 Proxy";
-      path = [ cfg.package ];
-      wantedBy = [ "multi-user.target" ];
-      wants = [ "network-online.target" ];
-      after = [ "network-online.target" ];
+    systemd.services.oauth2-proxy =
+      let needsKeycloak = lib.elem cfg.provider ["keycloak" "keycloak-oidc"]
+                          && config.services.keycloak.enable;
+      in {
+        description = "OAuth2 Proxy";
+        path = [ cfg.package ];
+        wantedBy = [ "multi-user.target" ];
+        wants = [ "network-online.target" ] ++ lib.optionals needsKeycloak [ "keycloak.service" ];
+        after = [ "network-online.target" ] ++ lib.optionals needsKeycloak [ "keycloak.service" ];

-      serviceConfig = {
-        User = "oauth2-proxy";
-        Restart = "always";
-        ExecStart = "${cfg.package}/bin/oauth2-proxy ${configString}";
-        EnvironmentFile = lib.mkIf (cfg.keyFile != null) cfg.keyFile;
+        serviceConfig = {
+          User = "oauth2-proxy";
+          Restart = "always";
+          ExecStart = "${cfg.package}/bin/oauth2-proxy ${configString}";
+          EnvironmentFile = lib.mkIf (cfg.keyFile != null) cfg.keyFile;
+        };
      };
-    };
-
  };
 }
--- a/nixos/modules/services/web-apps/keycloak.nix
+++ b/nixos/modules/services/web-apps/keycloak.nix
@ -466,7 +466,8 @@ in
      confFile = pkgs.writeText "keycloak.conf" (keycloakConfig filteredConfig);
      keycloakBuild = cfg.package.override {
        inherit confFile;
-        plugins = cfg.package.enabledPlugins ++ cfg.plugins;
+        plugins = cfg.package.enabledPlugins ++ cfg.plugins ++
+                  (with cfg.package.plugins; [quarkus-systemd-notify quarkus-systemd-notify-deployment]);
      };
    in
    mkIf cfg.enable
@ -638,6 +639,8 @@ in
              RuntimeDirectory = "keycloak";
              RuntimeDirectoryMode = "0700";
              AmbientCapabilities = "CAP_NET_BIND_SERVICE";
+              Type = "notify";  # Requires quarkus-systemd-notify plugin
+              NotifyAccess = "all";
            };
            script = ''
              set -o errexit -o pipefail -o nounset -o errtrace
--- a/pkgs/servers/keycloak/all-plugins.nix
+++ b/pkgs/servers/keycloak/all-plugins.nix
@ -1,4 +1,4 @@
-{ callPackage }:
+{ callPackage, fetchMavenArtifact }:

 {
  scim-for-keycloak = callPackage ./scim-for-keycloak {};
@ -6,4 +6,20 @@
  keycloak-discord = callPackage ./keycloak-discord {};
  keycloak-metrics-spi = callPackage ./keycloak-metrics-spi {};
  keycloak-restrict-client-auth = callPackage ./keycloak-restrict-client-auth {};
+
+  # These could theoretically be used by something other than Keycloak, but
+  # there are no other quarkus apps in nixpkgs (as of 2023-08-21)
+  quarkus-systemd-notify = (fetchMavenArtifact {
+    groupId = "io.quarkiverse.systemd.notify";
+    artifactId = "quarkus-systemd-notify";
+    version = "1.0.1";
+    hash = "sha256-3I4j22jyIpokU4kdobkt6cDsALtxYFclA+DV+BqtmLY=";
+  }).passthru.jar;
+
+  quarkus-systemd-notify-deployment = (fetchMavenArtifact {
+    groupId = "io.quarkiverse.systemd.notify";
+    artifactId = "quarkus-systemd-notify-deployment";
+    version = "1.0.1";
+    hash = "sha256-xHxzBxriSd/OU8gEcDG00VRkJYPYJDfAfPh/FkQe+zg=";
+  }).passthru.jar;
 }