From f0b58119151752e31b5866f89070ba7eb01e5b23 Mon Sep 17 00:00:00 2001
From: arcnmx
Date: Fri, 22 Mar 2024 14:23:46 -0700
Subject: [PATCH] feat(keycloak): local sso
---
 nixos/keycloak.nix | 14 ++++++++++++--
 outputs.nix | 1 +
 packages/nixpkgs-keycloak-nullhostname.patch | 14 ++++++++++++++
 3 files changed, 27 insertions(+), 2 deletions(-)
 create mode 100644 packages/nixpkgs-keycloak-nullhostname.patch
diff --git a/nixos/keycloak.nix b/nixos/keycloak.nix
index 5c1a703c..f85b8e5a 100644
--- a/nixos/keycloak.nix
+++ b/nixos/keycloak.nix
@@ -1,5 +1,6 @@
-{config, lib, ...}: let
+{inputs, system, config, lib, ...}: let
 inherit (lib.modules) mkIf mkForce mkDefault;
+ inherit (lib.lists) optional;
 inherit (config.lib.access) mkSnakeOil;
 cfg = config.services.keycloak;
 cert = mkSnakeOil {
@@ -7,7 +8,14 @@
 domain = hostname;
 };
 hostname = "sso.${config.networking.domain}";
+ hostname-strict = false;
+ inherit (inputs.self.legacyPackages.${system.system}) patchedNixpkgs;
+ keycloakModulePath = "services/web-apps/keycloak.nix";
 in {
+ # upstream keycloak makes an incorrect assumption in its assertions, so we patch it
+ disabledModules = optional (!hostname-strict) keycloakModulePath;
+ imports = optional (!hostname-strict) (patchedNixpkgs + "/nixos/modules/${keycloakModulePath}");
+
 sops.secrets = let
 commonSecret = {
 sopsFile = ./secrets/keycloak.yaml;
@@ -41,8 +49,10 @@ in {
 };
 settings = {
- hostname = mkDefault hostname;
+ hostname = mkDefault (if hostname-strict then hostname else null);
 proxy = mkDefault (if cfg.sslCertificate != null then "reencrypt" else "edge");
+ hostname-strict = mkDefault hostname-strict;
+ hostname-strict-https = mkDefault hostname-strict;
 proxy-headers = mkDefault "xforwarded";
 };
diff --git a/outputs.nix b/outputs.nix
index 53553e68..ffa12197 100644
--- a/outputs.nix
+++ b/outputs.nix
@@ -19,6 +19,7 @@
 name = "nixpkgs";
 src = inputs.nixpkgs;
 patches = [
+ ./packages/nixpkgs-keycloak-nullhostname.patch
 ];
 };
 deploy-rs = let 
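Review bot: The comment on the new disabledModules/imports lines in the `@@ -7,7 +8,14 @@` hunk says upstream makes an "incorrect assumption" without naming it, so a reader has to open the patch file to learn that it is the assertion requiring services.keycloak.settings.hostname (or hostname-url) to be set. I would say so in place: `# upstream's module asserts that settings.hostname (or hostname-url) is set; with hostname-strict = false we deliberately leave hostname null, so swap in the patched copy that drops that assertion`. It is also worth one more line noting that the swap replaces the whole upstream module with the copy from patchedNixpkgs, so upstream changes only keep flowing in while the patch in outputs.nix still applies. The `let` binding list and the module body both continue outside the hunk.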
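Review bot: In the `@@ -41,8 +49,10 @@` hunk, forcing `hostname-strict` and `hostname-strict-https` to false while leaving `hostname` null makes Keycloak build its public URLs — the token issuer and the links it places in e-mails and redirects — from the Host and X-Forwarded-* headers of each request, which is exactly what the assertion removed by the new patch was guarding against; Keycloak's own documentation says hostname-strict should stay true in production unless the reverse proxy overwrites the Host header. Because `proxy-headers = "xforwarded"` tells Keycloak to trust forwarded headers, the proxy in front of this host must set X-Forwarded-Host and X-Forwarded-Proto itself rather than relay client-supplied values, or a spoofed Host header is reflected into issued tokens and links; that requirement belongs in a comment next to these settings. The two flags are also tied to one local although they answer different questions — `hostname-strict-https = mkDefault true;` would keep generated URLs on https even in the relaxed mode, unless the local access this commit enables is genuinely plain HTTP. The settings attrset and its enclosing block continue outside the hunk.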
diff --git a/packages/nixpkgs-keycloak-nullhostname.patch b/packages/nixpkgs-keycloak-nullhostname.patch
new file mode 100644
index 00000000..94c281f2
--- /dev/null
+++ b/packages/nixpkgs-keycloak-nullhostname.patch
@@ -0,0 +1,14 @@
+diff --git a/nixos/modules/services/web-apps/keycloak.nix b/nixos/modules/services/web-apps/keycloak.nix
+--- a/nixos/modules/services/web-apps/keycloak.nix
++++ b/nixos/modules/services/web-apps/keycloak.nix
+@@ -480,10 +480,6 @@ in
+ assertion = createLocalPostgreSQL -> config.services.postgresql.settings.standard_conforming_strings or true;
+ message = "Setting up a local PostgreSQL db for Keycloak requires `standard_conforming_strings` turned on to work reliably";
+ }
+- {
+- assertion = cfg.settings.hostname != null || cfg.settings.hostname-url or null != null;
+- message = "Setting the Keycloak hostname is required, see `services.keycloak.settings.hostname`";
+- }
+ {
+ assertion = !(cfg.settings.hostname != null && cfg.settings.hostname-url or null != null);
+ message = "`services.keycloak.settings.hostname` and `services.keycloak.settings.hostname-url` are mutually exclusive";
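Review bot: The patch deletes the "Setting the Keycloak hostname is required" assertion for every configuration, but the only case this commit needs is hostname-strict = false; with strict mode on, an unset hostname is still a misconfiguration that, as far as I can tell, Keycloak would otherwise only reject at service start rather than at evaluation time. A narrower patch would keep the check and add the opt-out, e.g. `assertion = cfg.settings.hostname != null || cfg.settings.hostname-url or null != null || !(cfg.settings.hostname-strict or true);` with the message extended to mention hostname-strict, so the upstream guard still covers hosts that do not take this module's relaxed path. The assertions list continues before and after the hunk.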