nixos/keycloak: Add systemd startup notification

This makes it possible for other systemd units to depend on
keycloak.service using `after` and `wants` relationships, and systemd
will actually wait for Keycloak to finish its initialization before
starting any dependent units.  This can be important for services like
oauth2-proxy, which (when configured to use Keycloak as its auth
provider) will fail to start until Keycloak's
`.well-known/openid-configuration` endpoint is available.
Benjamin Staffin 2023-08-21 18:16:06 -04:00 committed by Benjamin Staffin
parent 44615ede38
commit 64c94bd40a
2 changed files with 21 additions and 2 deletions


@ -466,7 +466,8 @@ in
confFile = pkgs.writeText "keycloak.conf" (keycloakConfig filteredConfig);
keycloakBuild = cfg.package.override {
inherit confFile;
plugins = cfg.package.enabledPlugins ++ cfg.plugins;
plugins = cfg.package.enabledPlugins ++ cfg.plugins ++
(with cfg.package.plugins; [quarkus-systemd-notify quarkus-systemd-notify-deployment]);
};
in
mkIf cfg.enable
@ -638,6 +639,8 @@ in
RuntimeDirectory = "keycloak";
RuntimeDirectoryMode = "0700";
AmbientCapabilities = "CAP_NET_BIND_SERVICE";
Type = "notify"; # Requires quarkus-systemd-notify plugin
NotifyAccess = "all";
};
script = ''
set -o errexit -o pipefail -o nounset -o errtrace
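Review bot: `NotifyAccess = "all"` in the serviceConfig hunk lets every process in the unit's control group send readiness and status messages, which is wider than a `Type = "notify"` unit normally needs. If the JVM ends up as the main PID, `NotifyAccess = "main"` would be enough; the `script` body continues outside this section, so whether it execs Keycloak is not visible here. If the shell wrapper stays as the main PID, keep `all` but record the reason, e.g. `NotifyAccess = "all"; # JVM is a child of the start script, so "main" would drop its READY=1`. Either way a reader should be able to tell that the wide setting is deliberate.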


@ -1,4 +1,4 @@
{ callPackage }:
{ callPackage, fetchMavenArtifact }:
{
scim-for-keycloak = callPackage ./scim-for-keycloak {};
@ -6,4 +6,20 @@
keycloak-discord = callPackage ./keycloak-discord {};
keycloak-metrics-spi = callPackage ./keycloak-metrics-spi {};
keycloak-restrict-client-auth = callPackage ./keycloak-restrict-client-auth {};
# These could theoretically be used by something other than Keycloak, but
# there are no other quarkus apps in nixpkgs (as of 2023-08-21)
quarkus-systemd-notify = (fetchMavenArtifact {
groupId = "io.quarkiverse.systemd.notify";
artifactId = "quarkus-systemd-notify";
version = "1.0.1";
hash = "sha256-3I4j22jyIpokU4kdobkt6cDsALtxYFclA+DV+BqtmLY=";
}).passthru.jar;
quarkus-systemd-notify-deployment = (fetchMavenArtifact {
groupId = "io.quarkiverse.systemd.notify";
artifactId = "quarkus-systemd-notify-deployment";
version = "1.0.1";
hash = "sha256-xHxzBxriSd/OU8gEcDG00VRkJYPYJDfAfPh/FkQe+zg=";
}).passthru.jar;
}
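Review bot: The two `fetchMavenArtifact` calls pin `version = "1.0.1"` independently, so a later bump can update one artifact and its hash while leaving the other behind. The runtime and `-deployment` artifacts look like a matched pair from the same release (inferred from the shared groupId and version). Binding the version once would keep them in step, e.g. a `let quarkusSystemdNotifyVersion = "1.0.1"; in` around the attribute set, with `version = quarkusSystemdNotifyVersion;` in both calls. The per-artifact `hash` values still have to be refreshed together on every bump.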