diff --git a/nixos/modules/services/web-apps/keycloak.nix b/nixos/modules/services/web-apps/keycloak.nix
index 72ef715c847..f0b9e60116d 100644
--- a/nixos/modules/services/web-apps/keycloak.nix
+++ b/nixos/modules/services/web-apps/keycloak.nix
@@ -85,13 +85,26 @@ in
'';
};
- certificatePrivateKeyBundle = lib.mkOption {
+ sslCertificate = lib.mkOption {
type = lib.types.nullOr lib.types.path;
default = null;
example = "/run/keys/ssl_cert";
description = ''
- The path to a PEM formatted bundle of the private key and
- certificate to use for TLS connections.
+ The path to a PEM formatted certificate to use for TLS/SSL
+ connections.
+
+ This should be a string, not a Nix path, since Nix paths are
+ copied into the world-readable Nix store.
+ '';
+ };
+
+ sslCertificateKey = lib.mkOption {
+ type = lib.types.nullOr lib.types.path;
+ default = null;
+ example = "/run/keys/ssl_key";
+ description = ''
+ The path to a PEM formatted private key to use for TLS/SSL
+ connections.
This should be a string, not a Nix path, since Nix paths are
copied into the world-readable Nix store.
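Review bot: The description of `sslCertificate` does not say what the file may contain, yet the keystore built later in this module (`openssl pkcs12 -chain -CAfile allcerts.pem`) resolves the chain only from this file plus /etc/ssl/certs/ca-certificates.crt, so an intermediate that is in neither will presumably make the chain build fail. A sentence in the description would save users that surprise: `The file may contain the server certificate followed by any intermediate certificates; intermediates that are not in the system CA bundle must be included here, since the TLS keystore chain is built from this file and /etc/ssl/certs/ca-certificates.crt.` The option is declared with `lib.types.path`, which also accepts a Nix path literal; the warning in the description is the only thing steering users to a string, which is consistent with the existing options but worth keeping in mind.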
@@ -329,7 +342,7 @@ in
});
};
})
- (lib.optionalAttrs (cfg.certificatePrivateKeyBundle != null) {
+ (lib.optionalAttrs (cfg.sslCertificate != null && cfg.sslCertificateKey != null) {
"socket-binding-group=standard-sockets"."socket-binding=https".port = cfg.httpsPort;
"core-service=management"."security-realm=UndertowRealm"."server-identity=ssl" = {
keystore-path = "/run/keycloak/ssl/certificate_private_key_bundle.p12";
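Review bot: Setting only one of `sslCertificate` and `sslCertificateKey` silently leaves HTTPS unconfigured, because the `&&` guard on the optionalAttrs line (and the matching guards in preStart and startPre) simply skip the TLS setup instead of reporting the inconsistency. An evaluation-time assertion makes the mistake visible: `{ assertion = (cfg.sslCertificate == null) == (cfg.sslCertificateKey == null); message = "services.keycloak: sslCertificate and sslCertificateKey must be set together"; }` added to the module's `assertions` list (not visible in this hunk). The enclosing config attrset starts and ends outside this hunk.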
@@ -662,8 +675,9 @@ in
umask u=rwx,g=,o=
install -T -m 0400 -o keycloak -g keycloak '${cfg.database.passwordFile}' /run/keycloak/secrets/db_password
- '' + lib.optionalString (cfg.certificatePrivateKeyBundle != null) ''
- install -T -m 0400 -o keycloak -g keycloak '${cfg.certificatePrivateKeyBundle}' /run/keycloak/secrets/ssl_cert_pk_bundle
+ '' + lib.optionalString (cfg.sslCertificate != null && cfg.sslCertificateKey != null) ''
+ install -T -m 0400 -o keycloak -g keycloak '${cfg.sslCertificate}' /run/keycloak/secrets/ssl_cert
+ install -T -m 0400 -o keycloak -g keycloak '${cfg.sslCertificateKey}' /run/keycloak/secrets/ssl_key
'';
startPre = ''
set -o errexit -o pipefail -o nounset -o errtrace
@@ -678,10 +692,13 @@ in
export JAVA_OPTS=-Djboss.server.config.user.dir=/run/keycloak/configuration
add-user-keycloak.sh -u admin -p '${cfg.initialAdminPassword}'
- '' + lib.optionalString (cfg.certificatePrivateKeyBundle != null) ''
+ '' + lib.optionalString (cfg.sslCertificate != null && cfg.sslCertificateKey != null) ''
pushd /run/keycloak/ssl/
- cat /run/keycloak/secrets/ssl_cert_pk_bundle <(echo) /etc/ssl/certs/ca-certificates.crt > allcerts.pem
- openssl pkcs12 -export -in /run/keycloak/secrets/ssl_cert_pk_bundle -chain \
+ cat /run/keycloak/secrets/ssl_cert <(echo) \
+ /run/keycloak/secrets/ssl_key <(echo) \
+ /etc/ssl/certs/ca-certificates.crt \
+ > allcerts.pem
+ openssl pkcs12 -export -in /run/keycloak/secrets/ssl_cert -inkey /run/keycloak/secrets/ssl_key -chain \
-name "${cfg.frontendUrl}" -out certificate_private_key_bundle.p12 \
-CAfile allcerts.pem -passout pass:notsosecretpassword
popd
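Review bot: The new `cat` that builds allcerts.pem copies the private key into /run/keycloak/ssl/allcerts.pem, a file that is only ever passed as `-CAfile` and so only needs certificates; the key now lives in three places (secrets/ssl_key, allcerts.pem and the .p12). Dropping the key from the concatenation builds the same chain without spreading the key: `cat /run/keycloak/secrets/ssl_cert <(echo) /etc/ssl/certs/ca-certificates.crt > allcerts.pem`. The umask and directory permissions that govern /run/keycloak/ssl/ are not visible in this hunk, so fewer copies of the key is the safer default regardless. The fixed `-passout pass:notsosecretpassword` on the context line predates this change, meaning the .p12 is effectively protected by file permissions alone. The startPre script continues past the end of the hunk.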
diff --git a/nixos/modules/services/web-apps/keycloak.xml b/nixos/modules/services/web-apps/keycloak.xml
index b622735ca10..7ba656c20f1 100644
--- a/nixos/modules/services/web-apps/keycloak.xml
+++ b/nixos/modules/services/web-apps/keycloak.xml
@@ -115,17 +115,17 @@
- For HTTPS support, a TLS certificate and private key is
- required. They should be PEM
- formatted and concatenated into a single file. The path
- to this file should be configured in
- .
+ formatted. Their paths should be set through and .
- The path should be provided as a string, not a Nix path,
+ The paths should be provided as a strings, not a Nix paths,
since Nix paths are copied into the world readable Nix store.
@@ -195,7 +195,8 @@ services.keycloak = {
initialAdminPassword = "e6Wcm0RrtegMEHl"; # change on first login
frontendUrl = "https://keycloak.example.com/auth";
forceBackendUrlToFrontendUrl = true;
- certificatePrivateKeyBundle = "/run/keys/ssl_cert";
+ sslCertificate = "/run/keys/ssl_cert";
+ sslCertificateKey = "/run/keys/ssl_key";
database.passwordFile = "/run/keys/db_password";
};