1 { config, lib, pkgs, ... }:
7 cfg = config.services.crowd;
9 pkg = cfg.package.override {
11 port = cfg.listenPort;
12 openidPassword = cfg.openidPassword;
13 } // (optionalAttrs cfg.proxy.enable {
14 proxyUrl = "${cfg.proxy.scheme}://${cfg.proxy.name}:${toString cfg.proxy.port}";
17 crowdPropertiesFile = pkgs.writeText "crowd.properties" ''
18 application.name crowd-openid-server
19 application.password @NIXOS_CROWD_OPENID_PW@
20 application.base.url http://localhost:${toString cfg.listenPort}/openidserver
21 application.login.url http://localhost:${toString cfg.listenPort}/openidserver
22 application.login.url.template http://localhost:${toString cfg.listenPort}/openidserver?returnToUrl=''${RETURN_TO_URL}
24 crowd.server.url http://localhost:${toString cfg.listenPort}/crowd/services/
26 session.isauthenticated session.isauthenticated
27 session.tokenkey session.tokenkey
28 session.validationinterval 0
29 session.lastvalidation session.lastvalidation
37 enable = mkEnableOption "Atlassian Crowd service";
42 description = "User which runs Crowd.";
48 description = "Group which runs Crowd.";
53 default = "/var/lib/crowd";
54 description = "Home directory of the Crowd instance.";
57 listenAddress = mkOption {
59 default = "127.0.0.1";
60 description = "Address to listen on.";
63 listenPort = mkOption {
66 description = "Port to listen on.";
69 openidPassword = mkOption {
71 default = "WILL_NEVER_BE_SET";
72 description = "Application password for OpenID server.";
75 openidPasswordFile = mkOption {
76 type = types.nullOr types.str;
78 description = "Path to the file containing the application password for OpenID server.";
81 catalinaOptions = mkOption {
82 type = types.listOf types.str;
84 example = [ "-Xms1024m" "-Xmx2048m" ];
85 description = "Java options to pass to catalina/tomcat.";
89 enable = mkEnableOption "reverse proxy support";
93 example = "crowd.example.com";
94 description = "Virtual hostname at the proxy";
101 description = "Port used at the proxy";
108 description = "Protocol used at the proxy.";
114 description = "Whether the connections to the proxy should be considered secure.";
118 package = mkPackageOption pkgs "atlassian-crowd" { };
120 jrePackage = mkPackageOption pkgs "oraclejre8" {
121 extraDescription = ''
123 Atlassian only supports the Oracle JRE (JRASERVER-46152).
130 config = mkIf cfg.enable {
131 users.users.${cfg.user} = {
136 users.groups.${cfg.group} = {};
138 systemd.tmpfiles.rules = [
139 "d '${cfg.home}' - ${cfg.user} ${cfg.group} - -"
140 "d /run/atlassian-crowd - - - - -"
142 "L+ /run/atlassian-crowd/database - - - - ${cfg.home}/database"
143 "L+ /run/atlassian-crowd/logs - - - - ${cfg.home}/logs"
144 "L+ /run/atlassian-crowd/work - - - - ${cfg.home}/work"
145 "L+ /run/atlassian-crowd/server.xml - - - - ${cfg.home}/server.xml"
148 systemd.services.atlassian-crowd = {
149 description = "Atlassian Crowd";
151 wantedBy = [ "multi-user.target" ];
152 requires = [ "postgresql.service" ];
153 after = [ "postgresql.service" ];
155 path = [ cfg.jrePackage ];
158 JAVA_HOME = "${cfg.jrePackage}";
159 CATALINA_OPTS = concatStringsSep " " cfg.catalinaOptions;
160 CATALINA_TMPDIR = "/tmp";
161 JAVA_OPTS = mkIf (cfg.openidPasswordFile != null) "-Dcrowd.properties=${cfg.home}/crowd.properties";
165 rm -rf ${cfg.home}/work
166 mkdir -p ${cfg.home}/{logs,database,work}
168 sed -e 's,port="8095",port="${toString cfg.listenPort}" address="${cfg.listenAddress}",' \
169 '' + (lib.optionalString cfg.proxy.enable ''
170 -e 's,compression="on",compression="off" protocol="HTTP/1.1" proxyName="${cfg.proxy.name}" proxyPort="${toString cfg.proxy.port}" scheme="${cfg.proxy.scheme}" secure="${boolToString cfg.proxy.secure}",' \
172 ${pkg}/apache-tomcat/conf/server.xml.dist > ${cfg.home}/server.xml
174 ${optionalString (cfg.openidPasswordFile != null) ''
175 install -m660 ${crowdPropertiesFile} ${cfg.home}/crowd.properties
176 ${pkgs.replace-secret}/bin/replace-secret \
177 '@NIXOS_CROWD_OPENID_PW@' \
178 ${cfg.openidPasswordFile} \
179 ${cfg.home}/crowd.properties
187 Restart = "on-failure";
189 ExecStart = "${pkg}/start_crowd.sh -fg";