nixos/keycloak: add realmFiles option (#273833)

2025-03-24 09:35:04 +01:00 · 2025-03-24 09:35:04 +01:00 · 82a382ed09
commit 82a382ed09
parent 5e666ef4d3 cd10f9a874
2 changed files with 41 additions and 1 deletions
--- a/nixos/doc/manual/release-notes/rl-2505.section.md
+++ b/nixos/doc/manual/release-notes/rl-2505.section.md
@ -614,6 +614,8 @@

 - `services.soft-serve` now restarts upon config change.

+- `services.keycloak` now provides a `realmFiles` option that allows to import realms during startup. See https://www.keycloak.org/server/importExport
+
 - `bind.cacheNetworks` now only controls access for recursive queries, where it previously controlled access for all queries.

 - [`services.mongodb.enableAuth`](#opt-services.mongodb.enableAuth) now uses the newer [mongosh](https://github.com/mongodb-js/mongosh) shell instead of the legacy shell to configure the initial superuser. You can configure the mongosh package to use through the [`services.mongodb.mongoshPackage`](#opt-services.mongodb.mongoshPackage) option.
--- a/nixos/modules/services/web-apps/keycloak.nix
+++ b/nixos/modules/services/web-apps/keycloak.nix
@ -90,6 +90,7 @@ in
        enum
        package
        port
+        listOf
        ;

      assertStringPath =
@ -288,6 +289,25 @@ in
        '';
      };

+      realmFiles = mkOption {
+        type = listOf path;
+        example = lib.literalExpression ''
+          [
+            ./some/realm.json
+            ./another/realm.json
+          ]
+        '';
+        default = [ ];
+        description = ''
+          Realm files that the server is going to import during startup.
+          If a realm already exists in the server, the import operation is
+          skipped. Importing the master realm is not supported. All files are
+          expected to be in `json` format. See the
+          [documentation](https://www.keycloak.org/server/importExport) for
+          further information.
+        '';
+      };
+
      settings = mkOption {
        type = lib.types.submodule {
          freeformType = attrsOf (
@ -644,6 +664,24 @@ in
        '';
      };

+      systemd.tmpfiles.settings."10-keycloak" =
+        let
+          mkTarget =
+            file:
+            let
+              baseName = builtins.baseNameOf file;
+              name = if lib.hasSuffix ".json" baseName then baseName else "${baseName}.json";
+            in
+            "/run/keycloak/data/import/${name}";
+          settingsList = map (f: {
+            name = mkTarget f;
+            value = {
+              "L+".argument = "${f}";
+            };
+          }) cfg.realmFiles;
+        in
+        builtins.listToAttrs settingsList;
+
      systemd.services.keycloak =
        let
          databaseServices =
@ -725,7 +763,7 @@ in
              cp $CREDENTIALS_DIRECTORY/ssl_{cert,key} /run/keycloak/ssl/
            ''
            + ''
-              kc.sh --verbose start --optimized
+              kc.sh --verbose start --optimized ${lib.optionalString (cfg.realmFiles != [ ]) "--import-realm"}
            '';
        };