Keycloak

services.keycloak.database.caCert

The SSL / TLS CA certificate that verifies the identity of the database server.

Required when PostgreSQL is used and SSL is turned on.

For MySQL, if left at null, the default Java keystore is used, which should suffice if the server certificate is issued by an official CA.

Type: null or path

Default

null

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/web-apps/keycloak.nix

services.keycloak.database.createLocally

Whether a database should be automatically created on the local host. Set this to false if you plan on provisioning a local database yourself. This has no effect if services.keycloak.database.host is customized.

Type: boolean

Default

true

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/web-apps/keycloak.nix

services.keycloak.database.host

Hostname of the database to connect to.

Type: string

Default

"localhost"

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/web-apps/keycloak.nix

services.keycloak.database.name

Database name to use when connecting to an external or manually provisioned database; has no effect when a local database is automatically provisioned.

To use this with a local database, set services.keycloak.database.createLocally to false and create the database and user manually.

Type: string

Default

"keycloak"

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/web-apps/keycloak.nix

services.keycloak.database.passwordFile

The path to a file containing the database password.

Type: path

Example

"/run/keys/db_password"

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/web-apps/keycloak.nix

services.keycloak.database.port

Port of the database to connect to.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default

default port of selected database

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/web-apps/keycloak.nix

services.keycloak.database.type

The type of database Keycloak should connect to.

Type: one of "mysql", "mariadb", "postgresql"

Default

"postgresql"

Example

"mariadb"

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/web-apps/keycloak.nix

services.keycloak.database.useSSL

Whether the database connection should be secured by SSL / TLS.

Type: boolean

Default

config.services.keycloak.database.host != "localhost"

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/web-apps/keycloak.nix

services.keycloak.database.username

Username to use when connecting to an external or manually provisioned database; has no effect when a local database is automatically provisioned.

To use this with a local database, set services.keycloak.database.createLocally to false and create the database and user manually.

Type: string

Default

"keycloak"

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/web-apps/keycloak.nix

services.keycloak.enable

Whether to enable the Keycloak identity and access management server.

Type: boolean

Default

false

Example

true

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/web-apps/keycloak.nix

services.keycloak.initialAdminPassword

Initial password set for the admin user. The password is not stored safely and should be changed immediately in the admin panel.

Type: string

Default

"changeme"

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/web-apps/keycloak.nix

services.keycloak.package

The keycloak package to use.

Type: package

Default

pkgs.keycloak

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/web-apps/keycloak.nix

services.keycloak.plugins

Keycloak plugin jar or ear files, or derivations containing them. Packaged plugins are available through pkgs.keycloak.plugins.

Type: list of path

Default

[ ]

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/web-apps/keycloak.nix

services.keycloak.settings

Configuration options corresponding to parameters set in conf/keycloak.conf.

Most available options are documented at https://www.keycloak.org/server/all-config.

Options containing secret data should be set to an attribute set containing the attribute _secret, a string pointing to a file containing the value the option should be set to. See the example to get a better picture of this: in the resulting conf/keycloak.conf file, the https-key-store-password key will be set to the contents of the /run/keys/store_password file.

Type: attribute set of (null or string or signed integer or boolean or attribute set of path)

Example

{
  hostname = "keycloak.example.com";
  proxy = "reencrypt";
  https-key-store-file = "/path/to/file";
  https-key-store-password = { _secret = "/run/keys/store_password"; };
}

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/web-apps/keycloak.nix
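The following is an added, complete configuration example (not taken from the nixpkgs module or its documentation) showing how the _secret mechanism fits together with the database and TLS options listed on this page. The hostnames, key store path and key file paths are assumed placeholders; only the option names come from the module.

```nix
# Added example configuration, not part of the nixpkgs keycloak module.
# Hostnames and /run/keys paths are assumed placeholders.
{ config, pkgs, ... }:
{
  services.keycloak = {
    enable = true;

    database = {
      type = "postgresql";
      # A non-local host, so services.keycloak.database.useSSL defaults to true.
      host = "db.internal.example.com";
      # The remote database is provisioned by hand, so nothing is created locally.
      createLocally = false;
      name = "keycloak";
      username = "keycloak";
      # Password read from a file at runtime rather than embedded in the Nix store.
      passwordFile = "/run/keys/db_password";
      # Required because PostgreSQL is used with SSL turned on: the CA that
      # signed the database server certificate, so the server identity is verified.
      caCert = "/run/keys/db_ca.pem";
    };

    settings = {
      hostname = "keycloak.example.com";
      # The reverse proxy re-encrypts, so traffic to Keycloak must itself be HTTPS.
      proxy = "reencrypt";
      https-port = 8443;
      https-key-store-file = "/run/keys/keycloak.p12";
      # Secret value: in the generated conf/keycloak.conf this key is set to the
      # contents of the named file, so the password never appears in the Nix
      # expression or the world-readable store.
      https-key-store-password = { _secret = "/run/keys/store_password"; };
    };
  };
}
```

Plain string values in settings end up verbatim in the Nix store, which is world-readable on the host; anything that is a credential should therefore use the _secret form or one of the dedicated *File options, and the files under /run/keys should be readable only by the service user.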

services.keycloak.settings.hostname

The hostname part of the public URL used as base for all frontend requests.

See https://www.keycloak.org/server/hostname for more information about hostname configuration.

Type: null or string

Example

"keycloak.example.com"

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/web-apps/keycloak.nix

services.keycloak.settings.hostname-backchannel-dynamic

Enables dynamic resolving of backchannel URLs, including hostname, scheme, port and context path.

See https://www.keycloak.org/server/hostname for more information about hostname configuration.

Type: boolean

Default

false

Example

true

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/web-apps/keycloak.nix

services.keycloak.settings.http-host

On which address Keycloak should accept new connections.

Type: string

Default

"0.0.0.0"

Example

"127.0.0.1"

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/web-apps/keycloak.nix

services.keycloak.settings.http-port

On which port Keycloak should listen for new HTTP connections.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default

80

Example

8080

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/web-apps/keycloak.nix

services.keycloak.settings.http-relative-path

The path relative to / for serving resources.

Note: in versions of Keycloak using Wildfly (<17), this defaulted to /auth. If upgrading from the Wildfly version of Keycloak, i.e. a NixOS version before 22.05, you'll likely want to set this to /auth to keep compatibility with your clients.

See https://www.keycloak.org/migration/migrating-to-quarkus for more information on migrating from Wildfly to Quarkus.

Type: string

Default

"/"

Example

"/auth"

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/web-apps/keycloak.nix

services.keycloak.settings.https-port

On which port Keycloak should listen for new HTTPS connections.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default

443

Example

8443

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/web-apps/keycloak.nix

services.keycloak.settings.proxy

The proxy address forwarding mode if the server is behind a reverse proxy.

  • edge: Enables communication through HTTP between the proxy and Keycloak.
  • reencrypt: Requires communication through HTTPS between the proxy and Keycloak.
  • passthrough: Enables communication through HTTP or HTTPS between the proxy and Keycloak.

See https://www.keycloak.org/server/reverseproxy for more information.

Type: one of "edge", "reencrypt", "passthrough", "none"

Default

"none"

Example

"edge"

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/web-apps/keycloak.nix

services.keycloak.sslCertificate

The path to a PEM formatted certificate to use for TLS/SSL connections.

Type: null or path

Default

null

Example

"/run/keys/ssl_cert"

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/web-apps/keycloak.nix

services.keycloak.sslCertificateKey

The path to a PEM formatted private key to use for TLS/SSL connections.

Type: null or path

Default

null

Example

"/run/keys/ssl_key"

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/web-apps/keycloak.nix

services.keycloak.themes

Additional theme packages for Keycloak. Each theme is linked into a subdirectory named after its attribute name.

Theme packages consist of several subdirectories which provide different theme types, for example account, login etc. After adding a theme to this option you can select it by its name in the Keycloak administration console.

Type: attribute set of package

Default

{ }

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/web-apps/keycloak.nix