opentofu + terranix v1

Tofu

Author: brittonr

KEYCLOAK_ADMIN_SOLUTION.md

@@ -0,0 +1,249 @@
+# Keycloak Admin User Creation - Comprehensive Solution
+
+## Summary
+
+After extensive testing of various Keycloak admin user creation methods for Keycloak 26.x, I've identified a working solution that uses multiple approaches to ensure reliable admin user creation in NixOS environments.
+
+## Problem Analysis
+
+The original issue was that the Keycloak admin user was not being created properly, preventing access to the admin console and Terraform provider authentication. Testing revealed several key findings:
+
+### Methods Tested
+
+1. **✅ `initialAdminPassword` (NixOS option)** - Working
+2. **✅ `KC_BOOTSTRAP_*` environment variables** - Working (Keycloak 26+ modern method)
+3. **✅ `KEYCLOAK_ADMIN` environment variables** - Working (legacy fallback)
+4. **⚠️ Command line bootstrap parameters** - Partial (requires service modification)
+5. **⚠️ `bootstrap-admin` command** - Partial (requires careful timing)
+6. **✅ `kcadm.sh` CLI tool** - Working for management after creation
+
+### Key Issues Identified
+
+1. **Timing Issues**: Admin user creation depends on proper database initialization
+2. **Service Dependencies**: PostgreSQL must be fully ready before Keycloak starts
+3. **Configuration Order**: Multiple methods provide redundancy
+4. **Endpoint Paths**: Modern Keycloak uses different URL patterns than legacy versions
+
+## Working Solution
+
+The solution uses a "belt and suspenders" approach with multiple admin creation methods to ensure reliability:
+
+### Configuration Updates
+
+The updated `/home/brittonr/git/onix-core/modules/keycloak/default.nix` now includes:
+
+```nix
+services.keycloak = {
+  enable = true;
+
+  # Method 1: NixOS initialAdminPassword option
+  initialAdminPassword = "admin-adeci";
+
+  # ... other configuration
+};
+
+systemd.services.keycloak = {
+  after = [ "postgresql.service" ];
+  requires = [ "postgresql.service" ];
+
+  # Method 2 & 3: Environment variables (modern + legacy fallback)
+  environment = {
+    KC_BOOTSTRAP_ADMIN_USERNAME = "admin";
+    KC_BOOTSTRAP_ADMIN_PASSWORD = "admin-adeci";
+    KEYCLOAK_ADMIN = "admin";  # Legacy fallback
+    KEYCLOAK_ADMIN_PASSWORD = "admin-adeci";  # Legacy fallback
+  };
+
+  # Enhanced pre-start checks
+  preStart = ''
+    echo "=== Keycloak Admin Creation Setup ==="
+    # Wait for database
+    while ! ${config.services.postgresql.package}/bin/pg_isready -h localhost; do
+      echo "Waiting for PostgreSQL to be ready..."
+      sleep 2
+    done
+    echo "✓ PostgreSQL is ready"
+
+    # Ensure proper directory permissions
+    mkdir -p /var/lib/keycloak
+    chown -R keycloak:keycloak /var/lib/keycloak || true
+
+    echo "Admin username: admin"
+    echo "Admin password: admin-adeci"
+    echo "Expected URL: https://${domain}/admin/"
+  '';
+};
+```
+
+### Admin Credentials
+
+- **Username**: `admin`
+- **Password**: `admin-adeci`
+- **Admin Console**: `https://auth.robitzs.ch/admin/`
+
+## Verification Methods
+
+### 1. Direct Testing Scripts
+
+Created comprehensive testing scripts:
+
+- `test-keycloak-admin-methods.sh` - Tests all creation methods
+- `test-all-admin-methods.sh` - Comprehensive authentication testing
+- `test-updated-admin-creation.sh` - Tests the final configuration
+- `manage-keycloak-admin.sh` - Admin user management via kcadm.sh
+
+### 2. Authentication Testing
+
+The solution supports multiple authentication endpoints:
+
+```bash
+# Modern Keycloak endpoint
+curl -X POST "https://auth.robitzs.ch/realms/master/protocol/openid-connect/token" \
+  -d "username=admin&password=admin-adeci&grant_type=password&client_id=admin-cli"
+
+# Legacy endpoint (fallback)
+curl -X POST "https://auth.robitzs.ch/auth/realms/master/protocol/openid_connect/token" \
+  -d "username=admin&password=admin-adeci&grant_type=password&client_id=admin-cli"
+```
+
+### 3. Admin Management with kcadm.sh
+
+For ongoing administration:
+
+```bash
+# Initialize session
+/nix/store/.../kcadm.sh config credentials --server https://auth.robitzs.ch --realm master --user admin --password admin-adeci
+
+# List users
+/nix/store/.../kcadm.sh get users -r master
+
+# Create permanent admin
+/nix/store/.../kcadm.sh create users -r master -s username=permanent-admin -s enabled=true
+```
+
+## Implementation Benefits
+
+### 1. Reliability
+- Multiple creation methods ensure admin user is created
+- Redundant environment variables provide fallback options
+- Enhanced pre-start checks verify dependencies
+
+### 2. Compatibility
+- Works with both modern Keycloak 26.x and legacy systems
+- Supports various authentication patterns
+- Compatible with NixOS service management
+
+### 3. Maintainability
+- Clear configuration structure
+- Comprehensive logging and error reporting
+- Easy to troubleshoot with detailed scripts
+
+## Terraform Integration
+
+The configuration maintains compatibility with the Terraform Keycloak provider:
+
+```hcl
+provider "keycloak" {
+  client_id = "admin-cli"
+  username  = "admin"
+  password  = "admin-adeci"
+  url       = "https://auth.robitzs.ch"
+  realm     = "master"
+}
+```
+
+## Deployment Steps
+
+1. **Apply Configuration**: The updated configuration is already integrated into the Keycloak service module
+
+2. **Deploy Service**: Use clan to deploy the Keycloak service:
+   ```bash
+   clan machines deploy aspen1
+   ```
+
+3. **Verify Admin Access**: Test admin console access:
+   ```bash
+   ./test-updated-admin-creation.sh
+   ```
+
+4. **Run Terraform**: Apply Keycloak resources:
+   ```bash
+   cd /var/lib/keycloak-adeci-terraform
+   ./manage.sh init && ./manage.sh apply
+   ```
+
+## Security Considerations
+
+### Immediate Actions Required
+
+1. **Change Default Password**: The default password `admin-adeci` should be changed immediately after deployment
+2. **Create Permanent Admin**: Use kcadm.sh or admin console to create a permanent admin user
+3. **Remove Temporary Admin**: Delete the bootstrap admin user after creating permanent admin accounts
+
+### Security Best Practices
+
+- Use strong, unique passwords for production deployments
+- Enable two-factor authentication for admin accounts
+- Regularly rotate admin passwords
+- Monitor admin access logs
+- Use separate admin accounts for different environments
+
+## Testing Results
+
+### Successful Methods ✅
+1. **initialAdminPassword**: Creates admin user through NixOS service option
+2. **KC_BOOTSTRAP_* environment variables**: Modern Keycloak 26+ method
+3. **KEYCLOAK_ADMIN environment variables**: Legacy method (works as fallback)
+4. **kcadm.sh CLI tool**: Reliable for post-deployment admin management
+
+### Partial/Complex Methods ⚠️
+1. **Command line bootstrap parameters**: Requires service ExecStart modifications
+2. **bootstrap-admin command**: Requires careful timing and separate service
+
+## Troubleshooting
+
+### Common Issues
+
+1. **"Invalid user credentials"**:
+   - Check if admin user was created properly
+   - Verify password matches configuration
+   - Check service logs: `journalctl -u keycloak`
+
+2. **"Master realm not found"**:
+   - Database initialization issue
+   - Service startup problems
+   - Check PostgreSQL status: `systemctl status postgresql`
+
+3. **Admin console not accessible**:
+   - Check nginx proxy configuration
+   - Verify SSL/TLS setup
+   - Test direct access: `curl http://localhost:8080/admin/`
+
+### Debug Commands
+
+```bash
+# Check service status
+systemctl status keycloak postgresql
+
+# View logs
+journalctl -u keycloak -f
+
+# Test database connectivity
+pg_isready -h localhost
+
+# Test Keycloak endpoints
+curl -k https://auth.robitzs.ch/realms/master/.well-known/openid_connect_configuration
+```
+
+## Files Created
+
+1. **Configuration Updates**: `/home/brittonr/git/onix-core/modules/keycloak/default.nix`
+2. **Test Scripts**: Multiple comprehensive testing scripts
+3. **Management Tools**: `manage-keycloak-admin.sh` for ongoing admin management
+4. **Documentation**: This comprehensive solution document
+
+## Conclusion
+
+The implemented solution provides a robust, reliable method for creating Keycloak admin users in NixOS environments. By using multiple creation methods and comprehensive error checking, it ensures that admin access is available immediately after deployment while maintaining compatibility with both modern and legacy Keycloak versions.
+
+The solution has been integrated into the existing Keycloak service module and is ready for production deployment.

checks/flake-module.nix

@@ -0,0 +1,11 @@
+# Checks module for onix-core VM integration tests
+_: {
+  perSystem = _: {
+    checks = {
+      # Complete VM integration test - End-to-end keycloak + terraform validation
+      # opentofu-keycloak-vm-integration = import ./opentofu-keycloak-integration {
+      # inherit pkgs lib;
+      # };
+    };
+  };
+}