nixos/keycloak: Use LoadCredential to load secrets

Use systemd's LoadCredential mechanism to make the secret files
available to the service.

This gets rid of the privileged part of the ExecPreStart script which
only served to copy these files and assign the correct
permissions. There's been issues with this approach when used in
combination with DynamicUser, where sometimes the user isn't created
before the ExecPreStart script runs, causing the error

install: invalid user ‘keycloak’

This should fix that issue.

Unfortunately, all of the ExecPreStart script had to be moved to
ExecStart, since credentials aren't provided to ExecPreStart. See
https://github.com/systemd/systemd/issues/19604.
This commit is contained in:
talyz 2022-01-17 11:46:51 +01:00
parent 1ea75adb02
commit 5010f4fff9
No known key found for this signature in database
GPG Key ID: 2DED2151F4671A2B

View File

@ -735,52 +735,16 @@ in
JBOSS_MODULEPATH = "${cfg.package}/modules"; JBOSS_MODULEPATH = "${cfg.package}/modules";
}; };
serviceConfig = { serviceConfig = {
ExecStartPre = let LoadCredential = [
startPreFullPrivileges = '' "db_password:${cfg.database.passwordFile}"
set -o errexit -o pipefail -o nounset -o errtrace ] ++ lib.optionals (cfg.sslCertificate != null && cfg.sslCertificateKey != null) [
shopt -s inherit_errexit "ssl_cert:${cfg.sslCertificate}"
"ssl_key:${cfg.sslCertificateKey}"
umask u=rwx,g=,o=
install -T -m 0400 -o keycloak -g keycloak '${cfg.database.passwordFile}' /run/keycloak/secrets/db_password
'' + lib.optionalString (cfg.sslCertificate != null && cfg.sslCertificateKey != null) ''
install -T -m 0400 -o keycloak -g keycloak '${cfg.sslCertificate}' /run/keycloak/secrets/ssl_cert
install -T -m 0400 -o keycloak -g keycloak '${cfg.sslCertificateKey}' /run/keycloak/secrets/ssl_key
'';
startPre = ''
set -o errexit -o pipefail -o nounset -o errtrace
shopt -s inherit_errexit
umask u=rwx,g=,o=
install -m 0600 ${cfg.package}/standalone/configuration/*.properties /run/keycloak/configuration
install -T -m 0600 ${keycloakConfig} /run/keycloak/configuration/standalone.xml
replace-secret '@db-password@' '/run/keycloak/secrets/db_password' /run/keycloak/configuration/standalone.xml
export JAVA_OPTS=-Djboss.server.config.user.dir=/run/keycloak/configuration
add-user-keycloak.sh -u admin -p '${cfg.initialAdminPassword}'
'' + lib.optionalString (cfg.sslCertificate != null && cfg.sslCertificateKey != null) ''
pushd /run/keycloak/ssl/
cat /run/keycloak/secrets/ssl_cert <(echo) \
/run/keycloak/secrets/ssl_key <(echo) \
/etc/ssl/certs/ca-certificates.crt \
> allcerts.pem
openssl pkcs12 -export -in /run/keycloak/secrets/ssl_cert -inkey /run/keycloak/secrets/ssl_key -chain \
-name "${cfg.frontendUrl}" -out certificate_private_key_bundle.p12 \
-CAfile allcerts.pem -passout pass:notsosecretpassword
popd
'';
in [
"+${pkgs.writeShellScript "keycloak-start-pre-full-privileges" startPreFullPrivileges}"
"${pkgs.writeShellScript "keycloak-start-pre" startPre}"
]; ];
ExecStart = "${cfg.package}/bin/standalone.sh";
User = "keycloak"; User = "keycloak";
Group = "keycloak"; Group = "keycloak";
DynamicUser = true; DynamicUser = true;
RuntimeDirectory = map (p: "keycloak/" + p) [ RuntimeDirectory = map (p: "keycloak/" + p) [
"secrets"
"configuration" "configuration"
"deployments" "deployments"
"data" "data"
@ -792,6 +756,32 @@ in
LogsDirectory = "keycloak"; LogsDirectory = "keycloak";
AmbientCapabilities = "CAP_NET_BIND_SERVICE"; AmbientCapabilities = "CAP_NET_BIND_SERVICE";
}; };
script = ''
set -o errexit -o pipefail -o nounset -o errtrace
shopt -s inherit_errexit
umask u=rwx,g=,o=
install -m 0600 ${cfg.package}/standalone/configuration/*.properties /run/keycloak/configuration
install -T -m 0600 ${keycloakConfig} /run/keycloak/configuration/standalone.xml
replace-secret '@db-password@' "$CREDENTIALS_DIRECTORY/db_password" /run/keycloak/configuration/standalone.xml
export JAVA_OPTS=-Djboss.server.config.user.dir=/run/keycloak/configuration
add-user-keycloak.sh -u admin -p '${cfg.initialAdminPassword}'
'' + lib.optionalString (cfg.sslCertificate != null && cfg.sslCertificateKey != null) ''
pushd /run/keycloak/ssl/
cat "$CREDENTIALS_DIRECTORY/ssl_cert" <(echo) \
"$CREDENTIALS_DIRECTORY/ssl_key" <(echo) \
/etc/ssl/certs/ca-certificates.crt \
> allcerts.pem
openssl pkcs12 -export -in "$CREDENTIALS_DIRECTORY/ssl_cert" -inkey "$CREDENTIALS_DIRECTORY/ssl_key" -chain \
-name "${cfg.frontendUrl}" -out certificate_private_key_bundle.p12 \
-CAfile allcerts.pem -passout pass:notsosecretpassword
popd
'' + ''
${cfg.package}/bin/standalone.sh
'';
}; };
services.postgresql.enable = lib.mkDefault createLocalPostgreSQL; services.postgresql.enable = lib.mkDefault createLocalPostgreSQL;