From d5c396c6cef24522cbb23c3b3786a37a8ff81b9b Mon Sep 17 00:00:00 2001 From: Tobias Stenzel Date: Wed, 15 May 2024 11:51:59 +0200 Subject: [PATCH 1/2] Update nixpkgs (2024-05-15) Pull upstream NixOS changes, security fixes and package updates: - chromedriver: 124.0.6367.91 -> 124.0.6367.201 - chromium: 124.0.6367.118 -> 124.0.6367.201 - github-runner: 2.316.0 -> 2.316.1 - nss_latest: 3.99 -> 3.100 - php82: 8.2.18 -> 8.2.19 - php83: 8.3.6 -> 8.3.7 PL-132551 --- flake.lock | 12 ++++++------ release/package-versions.json | 28 ++++++++++++++-------------- release/versions.json | 4 ++-- 3 files changed, 22 insertions(+), 22 deletions(-) diff --git a/flake.lock b/flake.lock index a0dab0f83..83dfaeb8d 100644 --- a/flake.lock +++ b/flake.lock @@ -57,11 +57,11 @@ "pre-commit-hooks": "pre-commit-hooks" }, "locked": { - "lastModified": 1715162342, - "narHash": "sha256-EvmS45kBwvyPvjwcGdVlfJaAHnW3qAl2JkkbD/EuHXc=", + "lastModified": 1715593316, + "narHash": "sha256-S7XatU9uV3q9bVBcg/ER0VMQcnPZprrVlN209ne7LDw=", "owner": "cachix", "repo": "devenv", - "rev": "659f5fedef05407927ff760b5c2e5a8a93126bd8", + "rev": "725c90407ef53cc2a1b53701c6d2d0745cf2484f", "type": "github" }, "original": { @@ -411,11 +411,11 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1715185850, - "narHash": "sha256-5ETMfQmxrbG2PnaKDWEgbgfacjBOeO34h/Oljt9HmYc=", + "lastModified": 1715763972, + "narHash": "sha256-Xf/7fHwIykK+wdF8UjuA4hrzOrf4l3lvUvFVZTWmNyY=", "owner": "flyingcircusio", "repo": "nixpkgs", - "rev": "74af142a49fdd56119868d5d77cac55801b2953a", + "rev": "2b151fba3ac708c04ae98c0bd2e4efd18869e80d", "type": "github" }, "original": { diff --git a/release/package-versions.json b/release/package-versions.json index 36d722cd4..45f44f198 100644 --- a/release/package-versions.json +++ b/release/package-versions.json 
@@ -70,14 +70,14 @@
 "version": "18.2.0"
 },
 "chromedriver": {
- "name": "chromedriver-124.0.6367.91",
+ "name": "chromedriver-124.0.6367.201",
 "pname": "chromedriver",
- "version": "124.0.6367.91"
+ "version": "124.0.6367.201"
 },
 "chromium": {
- "name": "chromium-124.0.6367.118",
+ "name": "chromium-124.0.6367.201",
 "pname": "chromium",
- "version": "124.0.6367.118"
+ "version": "124.0.6367.201"
 },
 "cifs-utils": {
 "name": "cifs-utils-7.0",
@@ -155,9 +155,9 @@
 "version": "2.3.21"
 },
 "element-web": {
- "name": "element-web-1.11.65",
+ "name": "element-web-1.11.66",
 "pname": "element-web",
- "version": "1.11.65"
+ "version": "1.11.66"
 },
 "erlang": {
 "name": "erlang-25.3.2.7",
@@ -225,9 +225,9 @@
 "version": "16.10.5"
 },
 "github-runner": {
- "name": "github-runner-2.315.0",
+ "name": "github-runner-2.316.1",
 "pname": "github-runner",
- "version": "2.315.0"
+ "version": "2.316.1"
 },
 "gitlab": {
 "name": "gitlab-16.10.5",
@@ -555,9 +555,9 @@
 "version": "4.35"
 },
 "nss_latest": {
- "name": "nss-3.99",
+ "name": "nss-3.100",
 "pname": "nss",
- "version": "3.99"
+ "version": "3.100"
 },
 "openjdk": {
 "name": "openjdk-19.0.2+7",
@@ -676,14 +676,14 @@
 "version": "8.1.28"
 },
 "php82": {
- "name": "php-with-extensions-8.2.18",
+ "name": "php-with-extensions-8.2.19",
 "pname": "php-with-extensions",
- "version": "8.2.18"
+ "version": "8.2.19"
 },
 "php83": {
- "name": "php-with-extensions-8.3.6",
+ "name": "php-with-extensions-8.3.7",
 "pname": "php-with-extensions",
- "version": "8.3.6"
+ "version": "8.3.7"
 },
 "phpPackages.composer": {
 "name": "composer-2.7.6",
diff --git a/release/versions.json b/release/versions.json
index e1999a4c8..c895716de 100644
--- a/release/versions.json
+++ b/release/versions.json
@@ -8,9 +8,9 @@ "url": "https://gitlab.flyingcircus.io/flyingcircus/nixos-mailserver.git/" }, "nixpkgs": { - "hash": "sha256-5ETMfQmxrbG2PnaKDWEgbgfacjBOeO34h/Oljt9HmYc=", + "hash": "sha256-Xf/7fHwIykK+wdF8UjuA4hrzOrf4l3lvUvFVZTWmNyY=", "owner": "flyingcircusio", "repo": "nixpkgs", - "rev": "74af142a49fdd56119868d5d77cac55801b2953a" + "rev": "2b151fba3ac708c04ae98c0bd2e4efd18869e80d" } } From cb3c83a99f5586a5c72f329f150209e60fe0ee5f Mon Sep 17 00:00:00 2001 From: Oliver Schmidt Date: Thu, 16 May 2024 23:37:39 +0200 Subject: [PATCH 2/2] keycloak: 23.0.6 -> 24.0.4 temporarily vendored from nixpkgs unstable, as the 23.x branch present in release-23.11 is marked as insecure Note: The major release change contains a breaking change to the User Profile SPI API https://www.keycloak.org/docs/24.0.4/upgrading/#breaking-changes-to-the-user-profile-spi PL-132551 --- pkgs/keycloak/COPYING.md | 1 + pkgs/keycloak/all-plugins.nix | 25 ++++++ pkgs/keycloak/config_vars.patch | 15 ++++ pkgs/keycloak/default.nix | 90 +++++++++++++++++++ pkgs/keycloak/keycloak-discord/default.nix | 31 +++++++ .../keycloak/keycloak-metrics-spi/default.nix | 33 +++++++ .../keycloak-restrict-client-auth/default.nix | 28 ++++++ pkgs/keycloak/scim-for-keycloak/default.nix | 33 +++++++ .../default.nix | 32 +++++++ pkgs/overlay.nix | 1 + release/package-versions.json | 4 +- 11 files changed, 291 insertions(+), 2 deletions(-) create mode 100644 pkgs/keycloak/COPYING.md create mode 100644 pkgs/keycloak/all-plugins.nix create mode 100644 pkgs/keycloak/config_vars.patch create mode 100644 pkgs/keycloak/default.nix create mode 100644 pkgs/keycloak/keycloak-discord/default.nix create mode 100644 pkgs/keycloak/keycloak-metrics-spi/default.nix create mode 100644 pkgs/keycloak/keycloak-restrict-client-auth/default.nix create mode 100644 pkgs/keycloak/scim-for-keycloak/default.nix create mode 100644 pkgs/keycloak/scim-keycloak-user-storage-spi/default.nix 
diff --git a/pkgs/keycloak/COPYING.md b/pkgs/keycloak/COPYING.md new file mode 100644 index 000000000..2afbc4c42 --- /dev/null +++ b/pkgs/keycloak/COPYING.md @@ -0,0 +1 @@ +The files in this directory are based on [MIT-licensed](https://github.com/NixOS/nixpkgs/blob/7a338b0febc1994ed42ee1aed8c752674abf0632/COPYING) work done by other Nixpkgs/NixOS contributors, taken from revision 7a338b0febc1994ed42ee1aed8c752674abf0632 in the [nixpkgs](https://github.com/NixOS/nixpkgs/) repository under the path [pkgs/servers/keycloak](https://github.com/NixOS/nixpkgs/blob/7a338b0febc1994ed42ee1aed8c752674abf0632/pkgs/servers/keycloak). diff --git a/pkgs/keycloak/all-plugins.nix b/pkgs/keycloak/all-plugins.nix new file mode 100644 index 000000000..2e4c97ea1 --- /dev/null +++ b/pkgs/keycloak/all-plugins.nix @@ -0,0 +1,25 @@ +{ callPackage, fetchMavenArtifact }: + +{ + scim-for-keycloak = callPackage ./scim-for-keycloak {}; + scim-keycloak-user-storage-spi = callPackage ./scim-keycloak-user-storage-spi {}; + keycloak-discord = callPackage ./keycloak-discord {}; + keycloak-metrics-spi = callPackage ./keycloak-metrics-spi {}; + keycloak-restrict-client-auth = callPackage ./keycloak-restrict-client-auth {}; + + # These could theoretically be used by something other than Keycloak, but + # there are no other quarkus apps in nixpkgs (as of 2023-08-21) + quarkus-systemd-notify = (fetchMavenArtifact { + groupId = "io.quarkiverse.systemd.notify"; + artifactId = "quarkus-systemd-notify"; + version = "1.0.1"; + hash = "sha256-3I4j22jyIpokU4kdobkt6cDsALtxYFclA+DV+BqtmLY="; + }).passthru.jar; + + quarkus-systemd-notify-deployment = (fetchMavenArtifact { + groupId = "io.quarkiverse.systemd.notify"; + artifactId = "quarkus-systemd-notify-deployment"; + version = "1.0.1"; + hash = "sha256-xHxzBxriSd/OU8gEcDG00VRkJYPYJDfAfPh/FkQe+zg="; + }).passthru.jar; +} diff --git a/pkgs/keycloak/config_vars.patch b/pkgs/keycloak/config_vars.patch new file mode 100644 index 000000000..be2d54790 --- /dev/null 
+++ b/pkgs/keycloak/config_vars.patch @@ -0,0 +1,15 @@ +diff --git a/quarkus/dist/src/main/content/bin/kc.sh b/quarkus/dist/src/main/content/bin/kc.sh +index d7be862cde..16f9aa78e0 100644 +--- a/bin/kc.sh ++++ b/bin/kc.sh +@@ -32,8 +32,8 @@ abs_path () { + fi + } + +-SERVER_OPTS="-Dkc.home.dir='$(abs_path '..')'" +-SERVER_OPTS="$SERVER_OPTS -Djboss.server.config.dir='$(abs_path '../conf')'" ++SERVER_OPTS="-Dkc.home.dir=$KC_HOME_DIR" ++SERVER_OPTS="$SERVER_OPTS -Djboss.server.config.dir=$KC_CONF_DIR" + SERVER_OPTS="$SERVER_OPTS -Djava.util.logging.manager=org.jboss.logmanager.LogManager" + SERVER_OPTS="$SERVER_OPTS -Dquarkus-log-max-startup-records=10000" + CLASSPATH_OPTS="'$(abs_path "../lib/quarkus-run.jar"):$(abs_path "../lib/bootstrap/*")'" diff --git a/pkgs/keycloak/default.nix b/pkgs/keycloak/default.nix new file mode 100644 index 000000000..1792b51ab --- /dev/null +++ b/pkgs/keycloak/default.nix 
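Review bot: The rewritten lines `SERVER_OPTS="-Dkc.home.dir=$KC_HOME_DIR"` and `SERVER_OPTS="$SERVER_OPTS -Djboss.server.config.dir=$KC_CONF_DIR"` drop both the upstream fallback and the surrounding single quotes, so invoking any `$out/bin/kc.sh` subcommand without those two variables exported hands empty `-D` values to the JVM, and a path containing whitespace would presumably be word-split wherever SERVER_OPTS is later expanded. default.nix exports both during `kc.sh build`, and the NixOS module is presumably expected to do so at runtime, but nothing in this patch enforces or documents that contract. Keeping the upstream value as a default costs nothing: `SERVER_OPTS="-Dkc.home.dir='${KC_HOME_DIR:-$(abs_path '..')}'"` and `SERVER_OPTS="$SERVER_OPTS -Djboss.server.config.dir='${KC_CONF_DIR:-$(abs_path '../conf')}'"`. The part of kc.sh that consumes SERVER_OPTS lies outside this hunk.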
@@ -0,0 +1,90 @@ +{ stdenv +, lib +, fetchzip +, makeWrapper +, jre +, nixosTests +, callPackage +, confFile ? null +, plugins ? [ ] +, extraFeatures ? [ ] +, disabledFeatures ? [ ] +}: + +let + featuresSubcommand = '' + ${lib.optionalString (extraFeatures != [ ]) "--features=${lib.concatStringsSep "," extraFeatures}"} \ + ${lib.optionalString (disabledFeatures != [ ]) "--features-disabled=${lib.concatStringsSep "," disabledFeatures}"} + ''; +in stdenv.mkDerivation rec { + pname = "keycloak"; + version = "24.0.4"; + + src = fetchzip { + url = "https://github.com/keycloak/keycloak/releases/download/${version}/keycloak-${version}.zip"; + hash = "sha256-tqY3rYFRsRpbvms8DVtCp8nXl0hlX1CzuOVFCE+23o4="; + }; + + nativeBuildInputs = [ makeWrapper jre ]; + + patches = [ + # Make home.dir and config.dir configurable through the + # KC_HOME_DIR and KC_CONF_DIR environment variables. + ./config_vars.patch + ]; + + buildPhase = '' + runHook preBuild + '' + lib.optionalString (confFile != null) '' + install -m 0600 ${confFile} conf/keycloak.conf + '' + '' + install_plugin() { + if [ -d "$1" ]; then + find "$1" -type f \( -iname \*.ear -o -iname \*.jar \) -exec install -m 0500 "{}" "providers/" \; + else + install -m 0500 "$1" "providers/" + fi + } + ${lib.concatMapStringsSep "\n" (pl: "install_plugin ${lib.escapeShellArg pl}") plugins} + '' + '' + patchShebangs bin/kc.sh + export KC_HOME_DIR=$(pwd) + export KC_CONF_DIR=$(pwd)/conf + bin/kc.sh build ${featuresSubcommand} + + runHook postBuild + ''; + + installPhase = '' + runHook preInstall + + mkdir $out + cp -r * $out + + rm $out/bin/*.{ps1,bat} + + runHook postInstall + ''; + + postFixup = '' + for script in $(find $out/bin -type f -executable); do + wrapProgram "$script" --set JAVA_HOME ${jre} --prefix PATH : ${jre}/bin + done + ''; + + passthru = { + tests = nixosTests.keycloak; + plugins = callPackage ./all-plugins.nix { }; + enabledPlugins = plugins; + }; + + meta = with lib; { + homepage = "https://www.keycloak.org/"; + 
description = "Identity and access management for modern applications and services"; + sourceProvenance = with sourceTypes; [ binaryBytecode ]; + license = licenses.asl20; + platforms = jre.meta.platforms; + maintainers = with maintainers; [ ngerstle talyz nickcao ]; + }; + +} diff --git a/pkgs/keycloak/keycloak-discord/default.nix b/pkgs/keycloak/keycloak-discord/default.nix new file mode 100644 index 000000000..9f00a292a --- /dev/null +++ b/pkgs/keycloak/keycloak-discord/default.nix @@ -0,0 +1,31 @@ +{ stdenv +, lib +, fetchurl +}: + +stdenv.mkDerivation rec { + pname = "keycloak-discord"; + version = "0.5.0"; + + src = fetchurl { + url = "https://github.com/wadahiro/keycloak-discord/releases/download/v${version}/keycloak-discord-${version}.jar"; + hash = "sha256-radvUu2a6t0lbo5f/ADqy7+I/ONXB7/8pk2d1BtYzQA="; + }; + + dontUnpack = true; + dontBuild = true; + + installPhase = '' + runHook preInstall + install -Dm444 "$src" "$out/keycloak-discord-$version.jar" + runHook postInstall + ''; + + meta = with lib; { + homepage = "https://github.com/wadahiro/keycloak-discord"; + description = "Keycloak Social Login extension for Discord"; + license = licenses.asl20; + maintainers = with maintainers; [ mkg20001 ]; + sourceProvenance = with sourceTypes; [ binaryBytecode ]; + }; +} diff --git a/pkgs/keycloak/keycloak-metrics-spi/default.nix b/pkgs/keycloak/keycloak-metrics-spi/default.nix new file mode 100644 index 000000000..82e616349 --- /dev/null +++ b/pkgs/keycloak/keycloak-metrics-spi/default.nix 
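Review bot: `install -m 0600 ${confFile} conf/keycloak.conf` in buildPhase gives a false sense of protection: the file is then copied into `$out` by `cp -r * $out`, and the Nix store canonicalises permissions to world-readable, so any database password, vault or truststore secret placed in `confFile` becomes readable by every local user of the machine. The `install -m 0500` on plugins is harmless but equally cosmetic for the same reason. Add a comment above the install line such as `# confFile is copied into the (world-readable) store path; it must not carry secrets —` `# keep db-password, vault and truststore credentials in the runtime KC_CONF_DIR or a credential file`, so the next person wiring this into the NixOS module does not assume the mode bits mean anything. The `meta.maintainers` list still names the nixpkgs maintainers, which is misleading for a vendored copy that they will not see; consider replacing it with the team owning PL-132551.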
@@ -0,0 +1,33 @@ +{ maven, stdenv, lib, fetchFromGitHub }: + +maven.buildMavenPackage rec { + pname = "keycloak-metrics-spi"; + version = "5.0.0"; + + src = fetchFromGitHub { + owner = "aerogear"; + repo = pname; + rev = "refs/tags/${version}"; + hash = "sha256-iagXbsKsU4vNP9eg05bwXEo67iij3N2FF0BW50MjRGE="; + }; + + mvnHash = { + aarch64-linux = "sha256-zO79pRrY8TqrSK4bB8l4pl6834aFX2pidyk1j9Itz1E=`"; + x86_64-linux = "sha256-+ySBrQ9yQ5ZxuVUh/mnHNEmugru3n8x5VR/RYEDCLAo="; + }.${stdenv.hostPlatform.system} or (throw "Unsupported system ${stdenv.hostPlatform.system} for ${pname}"); + + + installPhase = '' + runHook preInstall + install -Dm444 -t "$out" target/keycloak-metrics-spi-*.jar + runHook postInstall + ''; + + meta = with lib; { + homepage = "https://github.com/aerogear/keycloak-metrics-spi"; + description = "Keycloak Service Provider that adds a metrics endpoint"; + license = licenses.asl20; + maintainers = with maintainers; [ benley ]; + platforms = [ "aarch64-linux" "x86_64-linux" ]; + }; +} diff --git a/pkgs/keycloak/keycloak-restrict-client-auth/default.nix b/pkgs/keycloak/keycloak-restrict-client-auth/default.nix new file mode 100644 index 000000000..16d376173 --- /dev/null +++ b/pkgs/keycloak/keycloak-restrict-client-auth/default.nix 
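Review bot: The `aarch64-linux` entry of `mvnHash` contains a stray backtick: the string ends in `=` followed by a literal backtick before the closing double quote, so it is not a valid SRI hash. Nix will reject it at evaluation (or the fixed-output fetch will mismatch) the moment this derivation is built on aarch64-linux, while x86_64-linux is unaffected, which is exactly the kind of platform-specific failure that surfaces late. Fix is one line: `aarch64-linux = "sha256-zO79pRrY8TqrSK4bB8l4pl6834aFX2pidyk1j9Itz1E=";`. Since the file is vendored from nixpkgs, check whether the upstream revision named in COPYING.md carries the same typo so the divergence is recorded.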
@@ -0,0 +1,28 @@ +{ maven, lib, fetchFromGitHub }: + +maven.buildMavenPackage rec { + pname = "keycloak-restrict-client-auth"; + version = "24.0.0"; + + src = fetchFromGitHub { + owner = "sventorben"; + repo = "keycloak-restrict-client-auth"; + rev = "v${version}"; + hash = "sha256-Pk0tj8cTHSBwVIzINE7GLA5b/eI97wuOTvO7UoXBStM="; + }; + + mvnHash = "sha256-Pk2yYuBqGs4k1KwaU06RQe1LpohZu0VI1pHEUBU3EUE="; + + installPhase = '' + runHook preInstall + install -Dm444 -t "$out" target/keycloak-restrict-client-auth.jar + runHook postInstall + ''; + + meta = with lib; { + homepage = "https://github.com/sventorben/keycloak-restrict-client-auth"; + description = "A Keycloak authenticator to restrict authorization on clients"; + license = licenses.mit; + maintainers = with maintainers; [ leona ]; + }; +} diff --git a/pkgs/keycloak/scim-for-keycloak/default.nix b/pkgs/keycloak/scim-for-keycloak/default.nix new file mode 100644 index 000000000..81686d2be --- /dev/null +++ b/pkgs/keycloak/scim-for-keycloak/default.nix @@ -0,0 +1,33 @@ +{ lib +, fetchFromGitHub +, maven +}: + +maven.buildMavenPackage rec { + pname = "scim-for-keycloak"; + version = "kc-20-b1"; # When updating also update mvnHash + + src = fetchFromGitHub { + owner = "Captain-P-Goldfish"; + repo = "scim-for-keycloak"; + rev = version; + hash = "sha256-kHjCVkcD8C0tIaMExDlyQmcWMhypisR1nyG93laB8WU="; + }; + + mvnHash = "sha256-cOuJSU57OuP+U7lI+pDD7g9HPIfZAoDPYLf+eO+XuF4="; + + installPhase = '' + install -D "scim-for-keycloak-server/target/scim-for-keycloak-${version}.jar" "$out/scim-for-keycloak-${version}.jar" + ''; + + meta = with lib; { + homepage = "https://github.com/Captain-P-Goldfish/scim-for-keycloak"; + description = "A third party module that extends Keycloak with SCIM functionality"; + sourceProvenance = with sourceTypes; [ + fromSource + binaryBytecode # dependencies + ]; + license = licenses.bsd3; + maintainers = with maintainers; [ mkg20001 ]; + }; +} 
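Review bot: `version = "kc-20-b1"` pins a scim-for-keycloak build made against Keycloak 20, yet the package it feeds into is now 24.0.4 and the commit message itself warns that 24 breaks the User Profile SPI; nothing here records whether the jar was verified to load under 24. Also `installPhase` omits `runHook preInstall` / `runHook postInstall`, unlike keycloak-discord, keycloak-metrics-spi and keycloak-restrict-client-auth in the same series. Suggest wrapping the `install -D` line with the two hooks and adding above `version`: `# built against Keycloak 20 — confirm it still loads on 24.0.4 (User Profile SPI changed in 24)`.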
diff --git a/pkgs/keycloak/scim-keycloak-user-storage-spi/default.nix b/pkgs/keycloak/scim-keycloak-user-storage-spi/default.nix new file mode 100644 index 000000000..6ecd3866b --- /dev/null +++ b/pkgs/keycloak/scim-keycloak-user-storage-spi/default.nix @@ -0,0 +1,32 @@ +{ lib +, fetchFromGitHub +, maven +}: + +maven.buildMavenPackage { + pname = "scim-keycloak-user-storage-spi"; + version = "unstable-2024-02-14"; + + src = fetchFromGitHub { + owner = "justin-stephenson"; + repo = "scim-keycloak-user-storage-spi"; + rev = "6c59915836d9a559983326bbb87f895324bb75e4"; + hash = "sha256-BSso9lU542Aroxu0RIX6NARc10lGZ04A/WIWOVtdxHw="; + }; + + mvnHash = "sha256-xbGlVZl3YtbF372kCDh+UdK5pLe6C6WnGgbEXahlyLw="; + + installPhase = '' + install -D "target/scim-user-spi-0.0.1-SNAPSHOT.jar" "$out/scim-user-spi-0.0.1-SNAPSHOT.jar" + ''; + + meta = with lib; { + homepage = "https://github.com/justin-stephenson/scim-keycloak-user-storage-spi"; + description = "A third party module that extends Keycloak, allow for user storage in an external scimv2 server"; + sourceProvenance = with sourceTypes; [ + fromSource + ]; + license = licenses.mit; + maintainers = with maintainers; [ s1341 ]; + }; +} diff --git a/pkgs/overlay.nix b/pkgs/overlay.nix index c9a73c467..79c057675 100644 --- a/pkgs/overlay.nix +++ b/pkgs/overlay.nix @@ -99,6 +99,7 @@ builtins.mapAttrs (_: patchPhps phpLogPermissionPatch) { ''; }); + keycloak = self.callPackage ./keycloak { }; # temporarily vendor from unstable, because 23.11 only has an insecure version kubernetes-dashboard = super.callPackage ./kubernetes-dashboard.nix { }; kubernetes-dashboard-metrics-scraper = super.callPackage ./kubernetes-dashboard-metrics-scraper.nix { }; diff --git a/release/package-versions.json b/release/package-versions.json index 45f44f198..7fef02da6 100644 --- a/release/package-versions.json +++ b/release/package-versions.json 
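Review bot: `sourceProvenance = [ fromSource ]` understates what this derivation ships: `maven.buildMavenPackage` pulls prebuilt dependency jars pinned by `mvnHash` into the result, which is why scim-for-keycloak in the same series lists `binaryBytecode # dependencies` alongside `fromSource`; the two vendored SCIM plugins should agree, so add `binaryBytecode` here. The `installPhase` also skips `runHook preInstall` / `runHook postInstall` like scim-for-keycloak does, while the other three plugins call them. Since the installed artifact is hard-coded as `target/scim-user-spi-0.0.1-SNAPSHOT.jar`, a comment `# artifact name comes from the upstream pom; re-check when bumping rev` would save the next updater a failed build.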
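Review bot: The inline comment on the new `keycloak = self.callPackage ./keycloak { };` line says the vendoring is temporary but gives no condition for removing it, so the copy will silently outlive the 23.11 base it was meant to patch around. Suggest `# TODO(PL-132551): vendored from nixpkgs unstable (keycloak 24.0.4) because release-23.11 only ships an insecure 23.x;` `# drop ./keycloak and this line once the base nixpkgs carries a non-insecure keycloak >= 24`. The line also uses `self.callPackage` where the neighbouring kubernetes-dashboard entries use `super.callPackage`; that is presumably intentional so the package resolves overlaid `jre`/`maven`, but a word in the comment would stop someone "harmonising" it later.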
@@ -370,9 +370,9 @@
 "version": "1.27.6+k3s1"
 },
 "keycloak": {
- "name": "keycloak-23.0.6",
+ "name": "keycloak-24.0.4",
 "pname": "keycloak",
- "version": "23.0.6"
+ "version": "24.0.4"
 },
 "kubernetes-helm": {
 "name": "kubernetes-helm-3.13.2",