movefasta/nixpkgs
1
0
Fork 0
mirror of https://github.com/NixOS/nixpkgs.git synced 2025-06-10 03:23:29 +03:00
Code Issues Projects Releases Packages Wiki Activity

nixos/keycloak: enable strict shell checks in systemd units

Browse source
This commit is contained in:
Jean-François Roche 2025-05-20 13:36:16 +02:00
parent 8d4a156eb1
commit 6abb0d239d
1 changed files with 5 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

7
nixos/modules/services/web-apps/keycloak.nix
View file

@ -631,6 +631,7 @@ in
psql -tAc "SELECT 1 FROM pg_roles WHERE rolname='keycloak'" | grep -q 1 || psql -tA --file="$create_role"
psql -tAc "SELECT 1 FROM pg_database WHERE datname = 'keycloak'" | grep -q 1 || psql -tAc 'CREATE DATABASE "keycloak" OWNER "keycloak"'
'';
enableStrictShellChecks = true;
};
systemd.services.keycloakMySQLInit = mkIf createLocalMySQL {
@ -662,6 +663,7 @@ in
echo "GRANT ALL PRIVILEGES ON keycloak.* TO 'keycloak'@'localhost';"
) | mysql -N
'';
enableStrictShellChecks = true;
};
systemd.tmpfiles.settings."10-keycloak" =
@ -699,7 +701,7 @@ in
[ ];
secretPaths = catAttrs "_secret" (collect isSecret cfg.settings);
mkSecretReplacement = file: ''
replace-secret ${hashString "sha256" file} $CREDENTIALS_DIRECTORY/${baseNameOf file} /run/keycloak/conf/keycloak.conf
replace-secret ${hashString "sha256" file} "$CREDENTIALS_DIRECTORY/${baseNameOf file}" /run/keycloak/conf/keycloak.conf
'';
secretReplacements = lib.concatMapStrings mkSecretReplacement secretPaths;
in
@ -760,11 +762,12 @@ in
''
+ optionalString (cfg.sslCertificate != null && cfg.sslCertificateKey != null) ''
mkdir -p /run/keycloak/ssl
cp $CREDENTIALS_DIRECTORY/ssl_{cert,key} /run/keycloak/ssl/
cp "$CREDENTIALS_DIRECTORY"/ssl_{cert,key} /run/keycloak/ssl/
''
+ ''
kc.sh --verbose start --optimized ${lib.optionalString (cfg.realmFiles != [ ]) "--import-realm"}
'';
enableStrictShellChecks = true;
};
services.postgresql.enable = mkDefault createLocalPostgreSQL;