NixOS / nixpkgs

Nix Packages collection & NixOS
MIT License

Module services.keycloak add support for plain database url connection. #323357

Open peigongdsd opened 4 months ago

peigongdsd commented 4 months ago

Issue description

The keycloak module in nixpkgs is lacking a way to directly appoint a db-url connection, namely

              "trustCertificateKeyStorePassword=notsosecretpassword"
            ]);
            dbProps = if cfg.database.type == "postgresql" then postgresParams else mariadbParams;
          in
          mkMerge [
            {
              db = if cfg.database.type == "postgresql" then "postgres" else cfg.database.type;
              db-username = if databaseActuallyCreateLocally then "keycloak" else cfg.database.username;
              db-password._secret = cfg.database.passwordFile;
              db-url-host = cfg.database.host;
              db-url-port = toString cfg.database.port;
              db-url-database = if databaseActuallyCreateLocally then "keycloak" else cfg.database.name;
              db-url-properties = prefixUnlessEmpty "?" dbProps;
              db-url = null;
            }
            (mkIf (cfg.sslCertificate != null && cfg.sslCertificateKey != null) {
              https-certificate-file = "/run/keycloak/ssl/ssl_cert";
              https-certificate-key-file = "/run/keycloak/ssl/ssl_key";
            })
          ];

which makes it very inconvenient to connect to a non-standard unix daemon socket for postgresql. This is common in containerized cases.

Maybe I should notify the maintainer @talyz
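To make the gap concrete, here is an added example (not code from nixpkgs or Keycloak) that models in Python how the module snippet above derives Keycloak's `db-*` settings from `services.keycloak.database.*`, including the `prefixUnlessEmpty "?"` handling of JDBC properties and the password-by-file indirection, and adds a hypothetical `database.url` option that passes a complete JDBC URL straight through. The option name `url`, the `properties` dict and the URL assembly in `effective_jdbc_url` are assumptions for illustration; the sample values are constructed.

```python
"""Model of how the nixpkgs keycloak module derives Keycloak's db-* settings.

Added example, not code from nixpkgs or Keycloak. It mirrors the composition
shown in the issue (db-url-host/port/database/properties, with
`prefixUnlessEmpty "?"` applied to the properties) and adds a hypothetical
`url` option so the two forms can be compared side by side.
"""
from urllib.parse import urlencode


def prefix_unless_empty(prefix: str, s: str) -> str:
    """Mirror of the module's prefixUnlessEmpty: prepend prefix only to non-empty strings."""
    return prefix + s if s else ""


def keycloak_db_settings(database: dict) -> dict:
    """Return the db-* settings Keycloak would receive.

    `database` uses the option names visible in the issue (type, host, port,
    name, username, passwordFile). `properties` (a dict of JDBC parameters)
    and `url` (a complete JDBC URL override) are hypothetical extra options
    that the module does not have today.
    """
    db_type = database["type"]
    props = urlencode(database.get("properties", {}))  # e.g. "sslmode=require"
    settings = {
        "db": "postgres" if db_type == "postgresql" else db_type,
        "db-username": database["username"],
        # Only the *path* to the secret is placed in the settings; the file is
        # read at runtime, so the password never lands in the world-readable
        # Nix store.
        "db-password": {"_secret": database["passwordFile"]},
    }
    url = database.get("url")
    if url is None:
        # Current behaviour: db-url is left null and Keycloak composes it
        # from the individual parts.
        settings.update({
            "db-url-host": database["host"],
            "db-url-port": str(database["port"]),
            "db-url-database": database["name"],
            "db-url-properties": prefix_unless_empty("?", props),
            "db-url": None,
        })
    else:
        # Hypothetical override requested in the issue: hand Keycloak a
        # complete JDBC URL, bypassing the parts-based composition.
        settings["db-url"] = url
    return settings


def effective_jdbc_url(settings: dict) -> str:
    """Assemble the JDBC URL implied by either form (assumed layout: jdbc:<scheme>://host:port/db?props)."""
    if settings.get("db-url"):
        return settings["db-url"]
    scheme = "postgresql" if settings["db"] == "postgres" else settings["db"]
    return (
        f"jdbc:{scheme}://{settings['db-url-host']}:{settings['db-url-port']}"
        f"/{settings['db-url-database']}{settings['db-url-properties']}"
    )


if __name__ == "__main__":
    # Constructed sample configuration, not a real deployment.
    cfg = {
        "type": "postgresql",
        "host": "127.0.0.1",
        "port": 5432,
        "name": "keycloak",
        "username": "keycloak",
        "passwordFile": "/run/secrets/keycloak-db-password",
        "properties": {"sslmode": "require"},
    }
    print(effective_jdbc_url(keycloak_db_settings(cfg)))
    print(effective_jdbc_url(keycloak_db_settings({**cfg, "url": "jdbc:postgresql://db.example.invalid:6432/keycloak"})))
```

Running the block prints the composed URL for the parts-based form and then the pass-through URL for the override form; the `db-password` entry carries only the secret's path in both cases.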

peigongdsd commented 4 months ago

Or at least, could we have a way to set additional JDBC URL parameters? Maybe an extraConfig or overrideConfig would also be good.

talyz commented 4 months ago

Last time I checked, db-url was simply composed from the other parameters, so they were basically interchangeable. I looked at using unix sockets with peer auth, but it wasn't supported then. If it is now, we should switch to it.

peigongdsd commented 4 months ago

Sorry, I didn't quite get it: do you mean that keycloak does not support unix socket connections to postgresql, or just that it doesn't support authentication in that case?

peigongdsd commented 4 months ago

I see that it's impossible to utilize a unix daemon socket connection due to a limitation of JDBC, but only on very early versions of JDBC. However, this is not the case now; see https://www.morling.dev/blog/talking-to-postgres-through-java-16-unix-domain-socket-channels/. So maybe keycloak can benefit from the improvement?