author | Nikolay Amiantov <ab@fmap.me> | 2022-01-10 00:43:45 +0300 |
---|---|---|
committer | Nikolay Amiantov <ab@fmap.me> | 2022-01-16 11:25:44 +0300 |
commit | 827267a27f300a8fe503986da2570bc3b9252e69 (patch) | |
tree | 2020cc2a5cba385d61f4fe8ca25437870903f6f7 | |
parent | 3c7e78cc6ab73ca9b0dbcb376122befa59098300 (diff) | |
keycloak service: update HTTPS configuration
Keycloak 16.1.0 uses a different way to configure HTTPS. This requires us to order the CLI commands correctly; otherwise objects that reference not-yet-created ones will fail.
-rw-r--r-- | nixos/modules/services/web-apps/keycloak.nix | 20 |
1 files changed, 16 insertions, 4 deletions
diff --git a/nixos/modules/services/web-apps/keycloak.nix b/nixos/modules/services/web-apps/keycloak.nix
index 12111633919..2dce4b242a3 100644
--- a/nixos/modules/services/web-apps/keycloak.nix
+++ b/nixos/modules/services/web-apps/keycloak.nix
@@ -348,11 +348,23 @@ in
})
(lib.optionalAttrs (cfg.sslCertificate != null && cfg.sslCertificateKey != null) {
"socket-binding-group=standard-sockets"."socket-binding=https".port = cfg.httpsPort;
- "core-service=management"."security-realm=UndertowRealm"."server-identity=ssl" = {
- keystore-path = "/run/keycloak/ssl/certificate_private_key_bundle.p12";
- keystore-password = "notsosecretpassword";
+ "subsystem=elytron" = lib.mkOrder 900 {
+ "key-store=httpsKS" = lib.mkOrder 900 {
+ path = "/run/keycloak/ssl/certificate_private_key_bundle.p12";
+ credential-reference.clear-text = "notsosecretpassword";
+ type = "JKS";
+ };
+ "key-manager=httpsKM" = lib.mkOrder 901 {
+ key-store = "httpsKS";
+ credential-reference.clear-text = "notsosecretpassword";
+ };
+ "server-ssl-context=httpsSSC" = lib.mkOrder 902 {
+ key-manager = "httpsKM";
+ };
+ };
+ "subsystem=undertow" = lib.mkOrder 901 {
+ "server=default-server"."https-listener=https".ssl-context = "httpsSSC";
};
- "subsystem=undertow"."server=default-server"."https-listener=https".security-realm = "UndertowRealm";
})
cfg.extraConfig
];
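Review bot: The new `subsystem=elytron` block writes `credential-reference.clear-text = "notsosecretpassword"` twice (once under `key-store=httpsKS`, once under `key-manager=httpsKM`), and since this attrset is rendered into the JBoss CLI script it will sit in the world-readable Nix store, so the literal has to be treated as non-secret and the two copies must never drift apart; bind it once, e.g. `keystorePassword = "notsosecretpassword";` in the module's `let`, reference it in both places, and put a comment on it such as `# Not a secret: it only satisfies the keystore API for the .p12 bundle generated at runtime under /run/keycloak/ssl; access control is that directory's permissions` so nobody later "hardens" the module by rotating the string. Separately, `type = "JKS"` is declared for a file named `certificate_private_key_bundle.p12`; if that bundle is PKCS#12 as the name suggests, loading it as JKS works only through the JDK's keystore-type compatibility mode, and `type = "PKCS12";` would state the intent and fail loudly on a format mismatch instead of silently sniffing. The code that generates the bundle and reads `cfg.sslCertificateKey` is outside this hunk, so I could not confirm which format it actually produces or the permissions it sets on `/run/keycloak/ssl`.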