author | midchildan <git@midchildan.org> | 2022-02-28 00:11:41 +0900 |
committer | midchildan <git@midchildan.org> | 2022-02-28 00:54:26 +0900 |
commit | dc5bd4b375fce716050adc8a3487227012dd8faa (patch) | |
tree | 0bc3f3496c9a8b58d01e034b8ef5e4ba7c38b7fe | |
parent | 07ea91713431e6614849f6ff5824f076fffe9e9c (diff) | |
nixos/keycloak: fix database provisioning issues
This fixes the following issues with the database provisioning script included in the services.keycloak module:
- It lacked permission to access the DB password file specified in the module option 'services.keycloak.database.passwordFile'.
- It prevented Keycloak from starting after the second time if the user chose MySQL for the database.
-rw-r--r-- | nixos/modules/services/web-apps/keycloak.nix | 10 |
1 files changed, 6 insertions, 4 deletions
diff --git a/nixos/modules/services/web-apps/keycloak.nix b/nixos/modules/services/web-apps/keycloak.nix
index a01f0049b2c..22c16be7613 100644
--- a/nixos/modules/services/web-apps/keycloak.nix
+++ b/nixos/modules/services/web-apps/keycloak.nix
@@ -693,6 +693,7 @@ in
 RemainAfterExit = true;
 User = "postgres";
 Group = "postgres";
+ LoadCredential = [ "db_password:${cfg.database.passwordFile}" ];
 };
 script = ''
 set -o errexit -o pipefail -o nounset -o errtrace
@@ -701,7 +702,8 @@ in
 create_role="$(mktemp)"
 trap 'rm -f "$create_role"' ERR EXIT
- echo "CREATE ROLE keycloak WITH LOGIN PASSWORD '$(<'${cfg.database.passwordFile}')' CREATEDB" > "$create_role"
+ db_password="$(<"$CREDENTIALS_DIRECTORY/db_password")"
+ echo "CREATE ROLE keycloak WITH LOGIN PASSWORD '$db_password' CREATEDB" > "$create_role"
 psql -tAc "SELECT 1 FROM pg_roles WHERE rolname='keycloak'" | grep -q 1 || psql -tA --file="$create_role"
 psql -tAc "SELECT 1 FROM pg_database WHERE datname = 'keycloak'" | grep -q 1 || psql -tAc 'CREATE DATABASE "keycloak" OWNER "keycloak"'
 '';
@@ -717,14 +719,14 @@ in
 RemainAfterExit = true;
 User = config.services.mysql.user;
 Group = config.services.mysql.group;
+ LoadCredential = [ "db_password:${cfg.database.passwordFile}" ];
 };
 script = ''
 set -o errexit -o pipefail -o nounset -o errtrace
 shopt -s inherit_errexit
-
- db_password="$(<'${cfg.database.passwordFile}')"
+ db_password="$(<"$CREDENTIALS_DIRECTORY/db_password")"
 (
 echo "CREATE USER IF NOT EXISTS 'keycloak'@'localhost' IDENTIFIED BY '$db_password';"
- echo "CREATE DATABASE keycloak CHARACTER SET utf8 COLLATE utf8_unicode_ci;"
+ echo "CREATE DATABASE IF NOT EXISTS keycloak CHARACTER SET utf8 COLLATE utf8_unicode_ci;"
 echo "GRANT ALL PRIVILEGES ON keycloak.* TO 'keycloak'@'localhost';"
 ) | mysql -N
 '';
|
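Review bot: The new `db_password` line in the PostgreSQL hunk is still spliced verbatim into the SQL text on the line after it, so a password containing a single quote breaks the `CREATE ROLE` statement, and because the file is then executed by psql, whatever follows the quote is run as SQL; moving the read to `$CREDENTIALS_DIRECTORY` does not change that. Since the statement already goes through `psql --file`, it can use psql variable quoting instead: write `echo "CREATE ROLE keycloak WITH LOGIN PASSWORD :'db_password' CREATEDB" > "$create_role"` and run it with `psql -tA -v db_password="$db_password" --file="$create_role"`, which lets psql quote the value itself. The MySQL hunk has the same problem in `IDENTIFIED BY '$db_password'`; the mysql client offers no variable substitution for piped input, so the script should escape backslashes and single quotes before the `echo`, e.g. `db_password=${db_password//\\/\\\\}` followed by `db_password=${db_password//\'/\\\'}`. Both scripts also leave an existing role or user untouched, so a later change to `passwordFile` has no effect on the database; that is pre-existing behaviour, but a comment above the existence checks saying so would save the next reader a surprise.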