nixos/keycloak: add realmFiles option

rorosen · rorosen · commit 79862894befe · 2024-07-21T13:52:27.000+02:00
Add an option to import Keycloak realms during
startup from exported realm files.
diff --git a/nixos/doc/manual/release-notes/rl-2411.section.md b/nixos/doc/manual/release-notes/rl-2411.section.md
@@ -244,6 +244,8 @@
 
 - `nixosTests` now provide a working IPv6 setup for VLAN 1 by default.
 
+- The `keycloak` module provides now a `realmFiles` options that allows to import realms during startup.
+
 - To facilitate dependency injection, the `imgui` package now builds a static archive using vcpkg' CMake rules.
   The derivation now installs "impl" headers selectively instead of by a wildcard.
   Use `imgui.src` if you just want to access the unpacked sources.
diff --git a/nixos/modules/services/web-apps/keycloak.nix b/nixos/modules/services/web-apps/keycloak.nix
@@ -82,7 +82,8 @@ in
         path
         enum
         package
-        port;
+        port
+        listOf;
 
       assertStringPath = optionName: value:
         if isPath value then
@@ -272,6 +273,25 @@ in
         '';
       };
 
+      realmFiles = mkOption {
+        type = listOf path;
+        example = lib.literalExpression ''
+          [
+            ./some/realm.json
+            ./another/realm.json
+          ]
+        '';
+        default = [];
+        description = ''
+          Set of realm files that the server is going to try to import
+          during startup. If a realm already exists in the server, the import
+          operation is skipped. Importing the master realm is not supported.
+          All files are expected to be in `json` format. See the
+          [documentation](https://www.keycloak.org/server/importExport) for
+          further information.
+        '';
+      };
+
       settings = mkOption {
         type = lib.types.submodule {
           freeformType = attrsOf (nullOr (oneOf [ str int bool (attrsOf path) ]));
@@ -620,6 +640,12 @@ in
               replace-secret ${hashString "sha256" file} $CREDENTIALS_DIRECTORY/${baseNameOf file} /run/keycloak/conf/keycloak.conf
             '';
             secretReplacements = lib.concatMapStrings mkSecretReplacement secretPaths;
+            installRealmFile = file:
+              let
+                baseName = builtins.baseNameOf file;
+                target = if lib.hasSuffix ".json" baseName then baseName else "${baseName}.json";
+              in
+              "install -D -m 0600 ${file} /run/keycloak/data/import/${target}";
           in
           {
             after = databaseServices;
@@ -671,10 +697,12 @@ in
             '' + optionalString (cfg.sslCertificate != null && cfg.sslCertificateKey != null) ''
               mkdir -p /run/keycloak/ssl
               cp $CREDENTIALS_DIRECTORY/ssl_{cert,key} /run/keycloak/ssl/
+            '' + ''
+              ${concatStringsSep "\n" (map installRealmFile cfg.realmFiles)}
             '' + ''
               export KEYCLOAK_ADMIN=admin
               export KEYCLOAK_ADMIN_PASSWORD=${escapeShellArg cfg.initialAdminPassword}
-              kc.sh --verbose start --optimized
+              kc.sh --verbose start --optimized ${lib.optionalString (cfg.realmFiles != []) "--import-realm"}
             '';
           };
 
