diff --git a/nixos/modules/services/security/oauth2-proxy.nix b/nixos/modules/services/security/oauth2-proxy.nix
index 78a772845a35..3079a1d030c5 100644
--- a/nixos/modules/services/security/oauth2-proxy.nix
+++ b/nixos/modules/services/security/oauth2-proxy.nix
@@ -577,20 +577,22 @@ in
 users.groups.oauth2-proxy = {};
- systemd.services.oauth2-proxy = {
- description = "OAuth2 Proxy";
- path = [ cfg.package ];
- wantedBy = [ "multi-user.target" ];
- wants = [ "network-online.target" ];
- after = [ "network-online.target" ];
+ systemd.services.oauth2-proxy =
+ let needsKeycloak = lib.elem cfg.provider ["keycloak" "keycloak-oidc"]
+ && config.services.keycloak.enable;
+ in {
+ description = "OAuth2 Proxy";
+ path = [ cfg.package ];
+ wantedBy = [ "multi-user.target" ];
+ wants = [ "network-online.target" ] ++ lib.optionals needsKeycloak [ "keycloak.service" ];
+ after = [ "network-online.target" ] ++ lib.optionals needsKeycloak [ "keycloak.service" ];
- serviceConfig = {
- User = "oauth2-proxy";
- Restart = "always";
- ExecStart = "${cfg.package}/bin/oauth2-proxy ${configString}";
- EnvironmentFile = lib.mkIf (cfg.keyFile != null) cfg.keyFile;
+ serviceConfig = {
+ User = "oauth2-proxy";
+ Restart = "always";
+ ExecStart = "${cfg.package}/bin/oauth2-proxy ${configString}";
+ EnvironmentFile = lib.mkIf (cfg.keyFile != null) cfg.keyFile;
+ };
 };
- };
- };
 }
diff --git a/nixos/modules/services/web-apps/keycloak.nix b/nixos/modules/services/web-apps/keycloak.nix
index 201085daa74a..6d472cf48cd0 100644
--- a/nixos/modules/services/web-apps/keycloak.nix
+++ b/nixos/modules/services/web-apps/keycloak.nix
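Review bot: The new `needsKeycloak` binding has no comment explaining why the dependency is limited to a Keycloak enabled in the same configuration, or that `after = [ "keycloak.service" ]` only waits for Keycloak to be ready when keycloak.service is `Type = "notify"` (with a plain `simple` unit it merely orders the fork). Suggest above the `let`: `# Order after a local Keycloak so oauth2-proxy does not resolve the OIDC issuer while it is still booting; a remote issuer gets no dependency.` If this module also accepts the generic `oidc` provider with an issuer URL pointing at the local Keycloak, the provider-name check misses that case and the comment should say so. `wants` rather than `requires` is the right choice here, since a Keycloak failure should not stop the proxy itself, but combined with the kept `Restart = "always"` a proxy started against an unreachable issuer will restart-loop until Keycloak is up — worth a sentence in the comment too.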
@@ -466,7 +466,8 @@ in
 confFile = pkgs.writeText "keycloak.conf" (keycloakConfig filteredConfig);
 keycloakBuild = cfg.package.override {
 inherit confFile;
- plugins = cfg.package.enabledPlugins ++ cfg.plugins;
+ plugins = cfg.package.enabledPlugins ++ cfg.plugins ++
+ (with cfg.package.plugins; [quarkus-systemd-notify quarkus-systemd-notify-deployment]);
 };
 in
 mkIf cfg.enable
@@ -638,6 +639,8 @@ in
 RuntimeDirectory = "keycloak";
 RuntimeDirectoryMode = "0700";
 AmbientCapabilities = "CAP_NET_BIND_SERVICE";
+ Type = "notify"; # Requires quarkus-systemd-notify plugin
+ NotifyAccess = "all";
 };
 script = ''
 set -o errexit -o pipefail -o nounset -o errtrace
diff --git a/pkgs/servers/keycloak/all-plugins.nix b/pkgs/servers/keycloak/all-plugins.nix
index f2f1117f2d84..2e4c97ea1cec 100644
--- a/pkgs/servers/keycloak/all-plugins.nix
+++ b/pkgs/servers/keycloak/all-plugins.nix
@@ -1,4 +1,4 @@
-{ callPackage }:
+{ callPackage, fetchMavenArtifact }:
 {
 scim-for-keycloak = callPackage ./scim-for-keycloak {};
@@ -6,4 +6,20 @@
 keycloak-discord = callPackage ./keycloak-discord {};
 keycloak-metrics-spi = callPackage ./keycloak-metrics-spi {};
 keycloak-restrict-client-auth = callPackage ./keycloak-restrict-client-auth {};
+
+ # These could theoretically be used by something other than Keycloak, but
+ # there are no other quarkus apps in nixpkgs (as of 2023-08-21)
+ quarkus-systemd-notify = (fetchMavenArtifact {
+ groupId = "io.quarkiverse.systemd.notify";
+ artifactId = "quarkus-systemd-notify";
+ version = "1.0.1";
+ hash = "sha256-3I4j22jyIpokU4kdobkt6cDsALtxYFclA+DV+BqtmLY=";
+ }).passthru.jar;
+
+ quarkus-systemd-notify-deployment = (fetchMavenArtifact {
+ groupId = "io.quarkiverse.systemd.notify";
+ artifactId = "quarkus-systemd-notify-deployment";
+ version = "1.0.1";
+ hash = "sha256-xHxzBxriSd/OU8gEcDG00VRkJYPYJDfAfPh/FkQe+zg=";
+ }).passthru.jar;
 }
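Review bot: The two `quarkus-systemd-notify` jars are appended unconditionally, so a configuration that already lists them in `cfg.plugins` passes the same derivation twice to the override; depending on how the package copies plugins into place that is either a silent duplicate or a file-collision build failure, and `lib.unique (cfg.package.enabledPlugins ++ cfg.plugins ++ ...)` (or bare `unique` if the module already opens `lib`) avoids both. The `with cfg.package.plugins;` also shadows any same-named binding in the enclosing scope; `[ cfg.package.plugins.quarkus-systemd-notify cfg.package.plugins.quarkus-systemd-notify-deployment ]` is longer but unambiguous. Because the notify plugin is now required by the `Type = "notify"` unit definition further down in this file, a package substituted through `services.keycloak.package` whose `plugins` set lacks these attributes fails at evaluation with a bare attribute-missing error; an `assertions` entry naming the requirement would make that failure legible. The enclosing `let` starts outside the hunk.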
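Review bot: `NotifyAccess = "all"` lets every process in the unit's cgroup change unit state (READY=1, STOPPING=1, EXTEND_TIMEOUT_USEC), which is wider than the plugin needs if the JVM is the main PID; the inline comment should record why `main` (the default for `Type = "notify"`) was not enough — presumably because the start script does not `exec` into Java and the shell stays the main process, which is worth confirming — so it can be tightened later. `Type = "notify"` also changes failure semantics: if the plugin does not load or Keycloak needs longer than `TimeoutStartSec` (systemd's default is 90 s) to signal readiness, the unit is now killed instead of being reported as running, so a `TimeoutStartSec` sized for a JVM cold start belongs next to these two lines. Suggest replacing the comment with `# Readiness is signalled by the quarkus-systemd-notify plugin forced into the plugin list above; NotifyAccess=all because <reason>; see TimeoutStartSec for the startup budget.` with the reason filled in. The enclosing serviceConfig attrset starts outside the hunk.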
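Review bot: `version = "1.0.1"` is written out twice, although in Quarkus the `-deployment` artifact is the build-time half of the same extension and has to match the runtime artifact's version, so a bump that touches only one fetch evaluates fine and fails only when Quarkus loads the mismatched pair. Hoist it into one binding — wrap the attrset in `let quarkusSystemdNotifyVersion = "1.0.1"; in { ... }` and use `version = quarkusSystemdNotifyVersion;` in both fetches — or derive the deployment fetch from the runtime one's `version`. The pinned `hash` values make both fetches content-addressed, which is the right supply-chain posture for artifacts resolved from a Maven repository; a comment naming the upstream release the hashes were taken from would make re-verification easier.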