From 64c94bd40ad53df26d1c2b4b8e769262422e8e66 Mon Sep 17 00:00:00 2001
From: Benjamin Staffin
Date: Mon, 21 Aug 2023 18:16:06 -0400
Subject: nixos/keycloak: Add systemd startup notification

This makes it possible for other systemd units to depend on keycloak.service using `after` and `wants` relationships, and systemd will actually wait for Keycloak to finish its initialization before starting any dependent units. This can be important for services like oauth2-proxy, which (when configured to use Keycloak as its auth provider) will fail to start until Keycloak's `.well-known/openid-configuration` endpoint is available.
---
 nixos/modules/services/web-apps/keycloak.nix | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
(limited to 'nixos')
diff --git a/nixos/modules/services/web-apps/keycloak.nix b/nixos/modules/services/web-apps/keycloak.nix
index 201085daa74a8..6d472cf48cd01 100644
--- a/nixos/modules/services/web-apps/keycloak.nix
+++ b/nixos/modules/services/web-apps/keycloak.nix
@@ -466,7 +466,8 @@ in
 confFile = pkgs.writeText "keycloak.conf" (keycloakConfig filteredConfig);
 keycloakBuild = cfg.package.override {
 inherit confFile;
- plugins = cfg.package.enabledPlugins ++ cfg.plugins;
+ plugins = cfg.package.enabledPlugins ++ cfg.plugins ++
+ (with cfg.package.plugins; [quarkus-systemd-notify quarkus-systemd-notify-deployment]);
 };
 in
 mkIf cfg.enable
@@ -638,6 +639,8 @@ in
 RuntimeDirectory = "keycloak";
 RuntimeDirectoryMode = "0700";
 AmbientCapabilities = "CAP_NET_BIND_SERVICE";
+ Type = "notify"; # Requires quarkus-systemd-notify plugin
+ NotifyAccess = "all";
 };
 script = ''
 set -o errexit -o pipefail -o nounset -o errtrace
-- cgit 1.4.1
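Review bot: The two plugins appended on the `plugins = …` line of the first hunk now go into every Keycloak build with no way to leave them out, and nothing at that spot says why the identity provider's classpath gains two extra Quarkus extensions. I would put a comment above the added lines, for example `# Required by Type = "notify" on keycloak.service; without these the unit never reports READY=1`. The `with cfg.package.plugins;` lookup also presumes that whatever `cfg.package` is set to exposes both attributes, so a user-supplied package without them would presumably fail at evaluation; a sentence in the `package` option description would cover that. The enclosing `let` block starts outside the hunk.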
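Review bot: `NotifyAccess = "all"` in the second hunk accepts sd_notify messages from every process in the unit's control group, which is wider than the `main` that systemd implies for `Type = "notify"`. Any helper spawned by the start script or by a plugin could then report readiness early and release dependent units such as oauth2-proxy before Keycloak is serving. If the start script (its body continues outside the hunk) ends by `exec`ing Keycloak so that the JVM becomes the main PID, `NotifyAccess = "main"` should be enough. Otherwise keep `all` and record the reason, e.g. `NotifyAccess = "all"; # JVM is a child of the start script, so "main" would ignore its READY=1`. It is also worth confirming that the start timeout covers a first start with database migrations, since a unit that never sends READY=1 is now treated as failed.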