Merge branch 'fc-23.11-dev' into fc-23.11-staging

pkgs/keycloak/COPYING.md

@@ -0,0 +1 @@
+The files in this directory are based on [MIT-licensed](https://github.com/NixOS/nixpkgs/blob/7a338b0febc1994ed42ee1aed8c752674abf0632/COPYING) work done by other Nixpkgs/NixOS contributors, taken from revision 7a338b0febc1994ed42ee1aed8c752674abf0632 in the [nixpkgs](https://github.com/NixOS/nixpkgs/) repository under the path [pkgs/servers/keycloak](https://github.com/NixOS/nixpkgs/blob/7a338b0febc1994ed42ee1aed8c752674abf0632/pkgs/servers/keycloak).

pkgs/keycloak/all-plugins.nix

@@ -0,0 +1,25 @@
+{ callPackage, fetchMavenArtifact }:
+
+{
+  scim-for-keycloak = callPackage ./scim-for-keycloak {};
+  scim-keycloak-user-storage-spi = callPackage ./scim-keycloak-user-storage-spi {};
+  keycloak-discord = callPackage ./keycloak-discord {};
+  keycloak-metrics-spi = callPackage ./keycloak-metrics-spi {};
+  keycloak-restrict-client-auth = callPackage ./keycloak-restrict-client-auth {};
+
+  # These could theoretically be used by something other than Keycloak, but
+  # there are no other quarkus apps in nixpkgs (as of 2023-08-21)
+  quarkus-systemd-notify = (fetchMavenArtifact {
+    groupId = "io.quarkiverse.systemd.notify";
+    artifactId = "quarkus-systemd-notify";
+    version = "1.0.1";
+    hash = "sha256-3I4j22jyIpokU4kdobkt6cDsALtxYFclA+DV+BqtmLY=";
+  }).passthru.jar;
+
+  quarkus-systemd-notify-deployment = (fetchMavenArtifact {
+    groupId = "io.quarkiverse.systemd.notify";
+    artifactId = "quarkus-systemd-notify-deployment";
+    version = "1.0.1";
+    hash = "sha256-xHxzBxriSd/OU8gEcDG00VRkJYPYJDfAfPh/FkQe+zg=";
+  }).passthru.jar;
+}

pkgs/keycloak/config_vars.patch

@@ -0,0 +1,15 @@
+diff --git a/quarkus/dist/src/main/content/bin/kc.sh b/quarkus/dist/src/main/content/bin/kc.sh
+index d7be862cde..16f9aa78e0 100644
+--- a/bin/kc.sh
++++ b/bin/kc.sh
+@@ -32,8 +32,8 @@ abs_path () {
+   fi
+ }
+
+-SERVER_OPTS="-Dkc.home.dir='$(abs_path '..')'"
+-SERVER_OPTS="$SERVER_OPTS -Djboss.server.config.dir='$(abs_path '../conf')'"
++SERVER_OPTS="-Dkc.home.dir=$KC_HOME_DIR"
++SERVER_OPTS="$SERVER_OPTS -Djboss.server.config.dir=$KC_CONF_DIR"
+ SERVER_OPTS="$SERVER_OPTS -Djava.util.logging.manager=org.jboss.logmanager.LogManager"
+ SERVER_OPTS="$SERVER_OPTS -Dquarkus-log-max-startup-records=10000"
+ CLASSPATH_OPTS="'$(abs_path "../lib/quarkus-run.jar"):$(abs_path "../lib/bootstrap/*")'"

pkgs/keycloak/default.nix

@@ -0,0 +1,90 @@
+{ stdenv
+, lib
+, fetchzip
+, makeWrapper
+, jre
+, nixosTests
+, callPackage
+, confFile ? null
+, plugins ? [ ]
+, extraFeatures ? [ ]
+, disabledFeatures ? [ ]
+}:
+
+let
+  featuresSubcommand = ''
+    ${lib.optionalString (extraFeatures != [ ]) "--features=${lib.concatStringsSep "," extraFeatures}"} \
+    ${lib.optionalString (disabledFeatures != [ ]) "--features-disabled=${lib.concatStringsSep "," disabledFeatures}"}
+  '';
+in stdenv.mkDerivation rec {
+  pname = "keycloak";
+  version = "24.0.4";
+
+  src = fetchzip {
+    url = "https://github.com/keycloak/keycloak/releases/download/${version}/keycloak-${version}.zip";
+    hash = "sha256-tqY3rYFRsRpbvms8DVtCp8nXl0hlX1CzuOVFCE+23o4=";
+  };
+
+  nativeBuildInputs = [ makeWrapper jre ];
+
+  patches = [
+    # Make home.dir and config.dir configurable through the
+    # KC_HOME_DIR and KC_CONF_DIR environment variables.
+    ./config_vars.patch
+  ];
+
+  buildPhase = ''
+    runHook preBuild
+  '' + lib.optionalString (confFile != null) ''
+    install -m 0600 ${confFile} conf/keycloak.conf
+  '' + ''
+    install_plugin() {
+      if [ -d "$1" ]; then
+        find "$1" -type f \( -iname \*.ear -o -iname \*.jar \) -exec install -m 0500 "{}" "providers/" \;
+      else
+        install -m 0500 "$1" "providers/"
+      fi
+    }
+    ${lib.concatMapStringsSep "\n" (pl: "install_plugin ${lib.escapeShellArg pl}") plugins}
+  '' + ''
+    patchShebangs bin/kc.sh
+    export KC_HOME_DIR=$(pwd)
+    export KC_CONF_DIR=$(pwd)/conf
+    bin/kc.sh build ${featuresSubcommand}
+
+    runHook postBuild
+  '';
+
+  installPhase = ''
+    runHook preInstall
+
+    mkdir $out
+    cp -r * $out
+
+    rm $out/bin/*.{ps1,bat}
+
+    runHook postInstall
+  '';
+
+  postFixup = ''
+    for script in $(find $out/bin -type f -executable); do
+      wrapProgram "$script" --set JAVA_HOME ${jre} --prefix PATH : ${jre}/bin
+    done
+  '';
+
+  passthru = {
+    tests = nixosTests.keycloak;
+    plugins = callPackage ./all-plugins.nix { };
+    enabledPlugins = plugins;
+  };
+
+  meta = with lib; {
+    homepage = "https://www.keycloak.org/";
+    description = "Identity and access management for modern applications and services";
+    sourceProvenance = with sourceTypes; [ binaryBytecode ];
+    license = licenses.asl20;
+    platforms = jre.meta.platforms;
+    maintainers = with maintainers; [ ngerstle talyz nickcao ];
+  };
+
+}

pkgs/keycloak/keycloak-discord/default.nix

@@ -0,0 +1,31 @@
+{ stdenv
+, lib
+, fetchurl
+}:
+
+stdenv.mkDerivation rec {
+  pname = "keycloak-discord";
+  version = "0.5.0";
+
+  src = fetchurl {
+    url = "https://github.com/wadahiro/keycloak-discord/releases/download/v${version}/keycloak-discord-${version}.jar";
+    hash = "sha256-radvUu2a6t0lbo5f/ADqy7+I/ONXB7/8pk2d1BtYzQA=";
+  };
+
+  dontUnpack = true;
+  dontBuild = true;
+
+  installPhase = ''
+    runHook preInstall
+    install -Dm444 "$src" "$out/keycloak-discord-$version.jar"
+    runHook postInstall
+  '';
+
+  meta = with lib; {
+    homepage = "https://github.com/wadahiro/keycloak-discord";
+    description = "Keycloak Social Login extension for Discord";
+    license = licenses.asl20;
+    maintainers = with maintainers; [ mkg20001 ];
+    sourceProvenance = with sourceTypes; [ binaryBytecode ];
+  };
+}

pkgs/keycloak/keycloak-metrics-spi/default.nix

@@ -0,0 +1,33 @@
+{ maven, stdenv, lib, fetchFromGitHub }:
+
+maven.buildMavenPackage rec {
+  pname = "keycloak-metrics-spi";
+  version = "5.0.0";
+
+  src = fetchFromGitHub {
+    owner = "aerogear";
+    repo = pname;
+    rev = "refs/tags/${version}";
+    hash = "sha256-iagXbsKsU4vNP9eg05bwXEo67iij3N2FF0BW50MjRGE=";
+  };
+
+  mvnHash = {
+    aarch64-linux = "sha256-zO79pRrY8TqrSK4bB8l4pl6834aFX2pidyk1j9Itz1E=`";
+    x86_64-linux = "sha256-+ySBrQ9yQ5ZxuVUh/mnHNEmugru3n8x5VR/RYEDCLAo=";
+  }.${stdenv.hostPlatform.system} or (throw "Unsupported system ${stdenv.hostPlatform.system} for ${pname}");
+
+
+  installPhase = ''
+    runHook preInstall
+    install -Dm444 -t "$out" target/keycloak-metrics-spi-*.jar
+    runHook postInstall
+  '';
+
+  meta = with lib; {
+    homepage = "https://github.com/aerogear/keycloak-metrics-spi";
+    description = "Keycloak Service Provider that adds a metrics endpoint";
+    license = licenses.asl20;
+    maintainers = with maintainers; [ benley ];
+    platforms = [ "aarch64-linux" "x86_64-linux" ];
+  };
+}

pkgs/keycloak/keycloak-restrict-client-auth/default.nix

@@ -0,0 +1,28 @@
+{ maven, lib, fetchFromGitHub }:
+
+maven.buildMavenPackage rec {
+  pname = "keycloak-restrict-client-auth";
+  version = "24.0.0";
+
+  src = fetchFromGitHub {
+    owner = "sventorben";
+    repo = "keycloak-restrict-client-auth";
+    rev = "v${version}";
+    hash = "sha256-Pk0tj8cTHSBwVIzINE7GLA5b/eI97wuOTvO7UoXBStM=";
+  };
+
+  mvnHash = "sha256-Pk2yYuBqGs4k1KwaU06RQe1LpohZu0VI1pHEUBU3EUE=";
+
+  installPhase = ''
+    runHook preInstall
+    install -Dm444 -t "$out" target/keycloak-restrict-client-auth.jar
+    runHook postInstall
+  '';
+
+  meta = with lib; {
+    homepage = "https://github.com/sventorben/keycloak-restrict-client-auth";
+    description = "A Keycloak authenticator to restrict authorization on clients";
+    license = licenses.mit;
+    maintainers = with maintainers; [ leona ];
+  };
+}

pkgs/keycloak/scim-for-keycloak/default.nix

@@ -0,0 +1,33 @@
+{ lib
+, fetchFromGitHub
+, maven
+}:
+
+maven.buildMavenPackage rec {
+  pname = "scim-for-keycloak";
+  version = "kc-20-b1"; # When updating also update mvnHash
+
+  src = fetchFromGitHub {
+    owner = "Captain-P-Goldfish";
+    repo = "scim-for-keycloak";
+    rev = version;
+    hash = "sha256-kHjCVkcD8C0tIaMExDlyQmcWMhypisR1nyG93laB8WU=";
+  };
+
+  mvnHash = "sha256-cOuJSU57OuP+U7lI+pDD7g9HPIfZAoDPYLf+eO+XuF4=";
+
+  installPhase = ''
+    install -D "scim-for-keycloak-server/target/scim-for-keycloak-${version}.jar" "$out/scim-for-keycloak-${version}.jar"
+  '';
+
+  meta = with lib; {
+    homepage = "https://github.com/Captain-P-Goldfish/scim-for-keycloak";
+    description = "A third party module that extends Keycloak with SCIM functionality";
+    sourceProvenance = with sourceTypes; [
+      fromSource
+      binaryBytecode  # dependencies
+    ];
+    license = licenses.bsd3;
+    maintainers = with maintainers; [ mkg20001 ];
+  };
+}

pkgs/keycloak/scim-keycloak-user-storage-spi/default.nix

@@ -0,0 +1,32 @@
+{ lib
+, fetchFromGitHub
+, maven
+}:
+
+maven.buildMavenPackage {
+  pname = "scim-keycloak-user-storage-spi";
+  version = "unstable-2024-02-14";
+
+  src = fetchFromGitHub {
+    owner = "justin-stephenson";
+    repo = "scim-keycloak-user-storage-spi";
+    rev = "6c59915836d9a559983326bbb87f895324bb75e4";
+    hash = "sha256-BSso9lU542Aroxu0RIX6NARc10lGZ04A/WIWOVtdxHw=";
+  };
+
+  mvnHash = "sha256-xbGlVZl3YtbF372kCDh+UdK5pLe6C6WnGgbEXahlyLw=";
+
+  installPhase = ''
+    install -D "target/scim-user-spi-0.0.1-SNAPSHOT.jar" "$out/scim-user-spi-0.0.1-SNAPSHOT.jar"
+  '';
+
+  meta = with lib; {
+    homepage = "https://github.com/justin-stephenson/scim-keycloak-user-storage-spi";
+    description = "A third party module that extends Keycloak, allow for user storage in an external scimv2 server";
+    sourceProvenance = with sourceTypes; [
+      fromSource
+    ];
+    license = licenses.mit;
+    maintainers = with maintainers; [ s1341 ];
+  };
+}

pkgs/overlay.nix

@@ -99,6 +99,7 @@ builtins.mapAttrs (_: patchPhps phpLogPermissionPatch) {
     '';
   });
 
+  keycloak = self.callPackage ./keycloak { };   # temporarily vendor from unstable, because 23.11 only has an insecure version
   kubernetes-dashboard = super.callPackage ./kubernetes-dashboard.nix { };
   kubernetes-dashboard-metrics-scraper = super.callPackage ./kubernetes-dashboard-metrics-scraper.nix { };