|
249 | 249 | package = mkPackageOption pkgs "keycloak" { }; |
250 | 250 |
|
251 | 251 | initialAdminPassword = mkOption { |
252 | | - type = str; |
253 | | - default = "changeme"; |
| 252 | + type = nullOr str; |
| 253 | + default = null; |
254 | 254 | description = '' |
255 | | - Initial password set for the `admin` |
256 | | - user. The password is not stored safely and should be changed |
| 255 | + Initial password set for the temporary `admin` user. |
| 256 | + The password is not stored safely and should be changed |
257 | 257 | immediately in the admin panel. |
| 258 | +
|
| 259 | + See [Admin bootstrap and recovery](https://www.keycloak.org/server/bootstrap-admin-recovery) for details. |
258 | 260 | ''; |
259 | 261 | }; |
260 | 262 |
|
|
351 | 353 | for more information about hostname configuration. |
352 | 354 | ''; |
353 | 355 | }; |
354 | | - |
355 | | - proxy = mkOption { |
356 | | - type = enum [ "edge" "reencrypt" "passthrough" "none" ]; |
357 | | - default = "none"; |
358 | | - example = "edge"; |
359 | | - description = '' |
360 | | - The proxy address forwarding mode if the server is |
361 | | - behind a reverse proxy. |
362 | | -
|
363 | | - - `edge`: |
364 | | - Enables communication through HTTP between the |
365 | | - proxy and Keycloak. |
366 | | - - `reencrypt`: |
367 | | - Requires communication through HTTPS between the |
368 | | - proxy and Keycloak. |
369 | | - - `passthrough`: |
370 | | - Enables communication through HTTP or HTTPS between |
371 | | - the proxy and Keycloak. |
372 | | -
|
373 | | - See <https://www.keycloak.org/server/reverseproxy> for more information. |
374 | | - ''; |
375 | | - }; |
376 | 356 | }; |
377 | 357 | }; |
378 | 358 |
|
379 | 359 | example = literalExpression '' |
380 | 360 | { |
381 | 361 | hostname = "keycloak.example.com"; |
382 | | - proxy = "reencrypt"; |
383 | 362 | https-key-store-file = "/path/to/file"; |
384 | 363 | https-key-store-password = { _secret = "/run/keys/store_password"; }; |
385 | 364 | } |
|
497 | 476 | See [New Hostname options](https://www.keycloak.org/docs/25.0.0/upgrading/#new-hostname-options) for details. |
498 | 477 | ''; |
499 | 478 | } |
| 479 | + { |
| 480 | + assertion = cfg.settings.proxy or null == null; |
| 481 | + message = '' |
| 482 | + The option `services.keycloak.settings.proxy' has been removed. |
| 483 | + Set `services.keycloak.settings.proxy-headers` in combination |
| 484 | + with other hostname options as needed instead. |
| 485 | + See [Proxy option removed](https://www.keycloak.org/docs/latest/upgrading/index.html#proxy-option-removed) |
| 486 | + for more information. |
| 487 | + ''; |
| 488 | + } |
500 | 489 | ]; |
501 | 490 |
|
502 | 491 | environment.systemPackages = [ keycloakBuild ]; |
|
633 | 622 | environment = { |
634 | 623 | KC_HOME_DIR = "/run/keycloak"; |
635 | 624 | KC_CONF_DIR = "/run/keycloak/conf"; |
| 625 | + } // lib.optionalAttrs (cfg.initialAdminPassword != null) { |
| 626 | + KC_BOOTSTRAP_ADMIN_USERNAME = "admin"; |
| 627 | + KC_BOOTSTRAP_ADMIN_PASSWORD = cfg.initialAdminPassword; |
636 | 628 | }; |
637 | 629 | serviceConfig = { |
638 | 630 | LoadCredential = |
|
658 | 650 |
|
659 | 651 | ln -s ${themesBundle} /run/keycloak/themes |
660 | 652 | ln -s ${keycloakBuild}/providers /run/keycloak/ |
| 653 | + ln -s ${keycloakBuild}/lib /run/keycloak/ |
661 | 654 |
|
662 | 655 | install -D -m 0600 ${confFile} /run/keycloak/conf/keycloak.conf |
663 | 656 |
|
|
672 | 665 | mkdir -p /run/keycloak/ssl |
673 | 666 | cp $CREDENTIALS_DIRECTORY/ssl_{cert,key} /run/keycloak/ssl/ |
674 | 667 | '' + '' |
675 | | - export KEYCLOAK_ADMIN=admin |
676 | | - export KEYCLOAK_ADMIN_PASSWORD=${escapeShellArg cfg.initialAdminPassword} |
677 | 668 | kc.sh --verbose start --optimized |
678 | 669 | ''; |
679 | 670 | }; |
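Review bot: `KC_BOOTSTRAP_ADMIN_PASSWORD = cfg.initialAdminPassword;` (new line 626, in the `environment` hunk) puts the bootstrap password into the unit's `Environment=`, which as far as I can tell is readable by any local user through the unit file in the store and `systemctl show`; the removed `export` in the start script had the same store exposure, so this is not a regression, but the visible option description still only says the password "is not stored safely". The service already declares `LoadCredential` and reads `$CREDENTIALS_DIRECTORY` in the start script, which is the module's own mechanism for keeping secrets out of the store, and the example block shows the `{ _secret = "/run/keys/..."; }` form for the key-store password; a follow-up could accept that form here too and export the variable from the credential file in the script. At minimum the description at new lines 255-259 could add `The value is placed in the service environment and is readable by local users; prefer a one-time password and change it immediately.` so the exposure path is explicit to the reader. The `proxy` assertion at new line 480 closes its message with a mismatched quote (`\`services.keycloak.settings.proxy'`); the `proxy-headers` reference on the next line uses matching backticks, so `\`services.keycloak.settings.proxy\`` would be consistent.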
|