docs(services/keycloak,modules/lib): simpler comment wording

  Trim and simplify the inline comments throughout the keycloak pairing
  and modules/lib/default.nix. Plain words over jargon: "wait for"
  instead of "gate on", "reuse a client" instead of "tolerate ... from
  a partial earlier bootstrap", "shared" instead of "provider-agnostic",
  drop the multi-paragraph file-header preamble in modules/lib, shorten
  every option description that ran to two or more sentences.

  Includes one small correctness fix: ldap_user_federations.blockAttrs
  now lists `kerberos` and `cache` so the nested sub-blocks emit as
  `[{ ... }]` -- previously the option type accepted them but the
  rendered JSON would have used the plain-object form. No fixture
  exercises this today, so the existing tests are byte-identical.

Author: kmein

modules/lib/default.nix

@@ -1,48 +1,42 @@
-# Shared, provider-agnostic helpers for the declarative-service pairings: the
-# .tf.json label/file helpers and the run-once OpenTofu reconciler unit.
-#
-# Provider-specific pieces — the provider-wrapped executor, the .tf.json
-# provider/resource generation, the token variable name — live in each pairing's
-# services/<svc>/lib.nix and are injected into the helpers below.
+# shared helpers for the pairings: tf-label/file helpers and the run-once
+# reconciler unit. provider-specific bits live in services/<svc>/lib.nix.
 { pkgs }:
 let
   inherit (pkgs) lib;
 in
 rec {
-  # Sanitize an arbitrary string into a valid Terraform block label
-  # ([A-Za-z_][A-Za-z0-9_-]*). Always prefixed, so the result starts with a
-  # letter regardless of the input.
+  # turn an arbitrary string into a valid Terraform block label. always
+  # prefixed so the result starts with a letter.
   tfLabel =
     prefix: name:
     "${prefix}_"
     + lib.stringAsChars (c: if builtins.match "[A-Za-z0-9_-]" c != null then c else "_") name;
 
-  # Render a config attrset to a .tf.json store file. Safe by construction: the
-  # config must carry no secrets (anything in the store is world-readable).
+  # write the config as a .tf.json file in the nix store. must contain no
+  # secrets -- the store is world-readable.
   tfJsonFile = name: config: pkgs.writeText "${name}.tf.json" (builtins.toJSON config);
 
-  # Build the run-once reconciler systemd service definition.
+  # build the run-once reconciler systemd service.
   #
-  #   name       unit + generated-config name (e.g. "declarative-forgejo")
-  #   tfConfig   the provider-specific config attrset to apply
-  #   afterUnits units to order/require after (the service's primary unit)
-  #   healthUrl  URL polled until the service answers, before applying
-  #   tokenFile  runtime path to the admin token, exposed via LoadCredential
-  #   executor   OpenTofu wrapped with the pairing's provider (offline mirror)
-  #   tokenVar   Terraform input variable carrying the token; also the
-  #              LoadCredential id, so `TF_VAR_<tokenVar>` is fed from it
-  #   credentials extra TF_VAR_<id> -> host file path pairs (per-resource
-  #              secrets); each is LoadCredential'd and exported like the token
-  #   user/group the base service's user/group the reconciler runs as
-  #   stateDir   the base service's primary state dir; Terraform state lives in
-  #              a `declarative-terraform` subdir of it, co-located with the service
-  #   dynamicUser  set when the base service runs as systemd DynamicUser (so
-  #                the `User=` name only exists per-unit). The reconciler then
-  #                runs with `DynamicUser=true` too, so systemd allocates the
-  #                same hashed UID as the primary unit, and the work dir is
-  #                created via `StateDirectory=` (derived from `stateDir`)
-  #                rather than `mkdir`. Requires `stateDir` to live under
-  #                `/var/lib`; enforced at eval time.
+  #   name        unit + generated-config name (e.g. "declarative-forgejo")
+  #   tfConfig    the .tf.json config to apply
+  #   afterUnits  units to order/require after (the service's main unit)
+  #   healthUrl   url polled until the service answers, before applying
+  #   tokenFile   path to the admin token on the host, read via LoadCredential
+  #   executor    OpenTofu wrapped with the pairing's provider (offline)
+  #   tokenVar    name of the sensitive tf variable carrying the token; also
+  #               the LoadCredential id -- exported as TF_VAR_<tokenVar>
+  #   credentials extra TF_VAR_<id> -> host path pairs for per-resource
+  #               secrets, handled the same way as tokenFile
+  #   user/group  the service's user/group; the reconciler runs as them
+  #   stateDir    base dir for the reconciler; tfstate lives in a
+  #               `declarative-terraform` subdir of it
+  #   dynamicUser set when the base service uses systemd DynamicUser=true
+  #               (the `User=` name only exists per-unit). the reconciler
+  #               then runs with DynamicUser=true too, so it picks up the
+  #               same hashed UID as the main unit, and systemd creates
+  #               the work dir via StateDirectory= (derived from stateDir).
+  #               requires stateDir to live under /var/lib.
   mkReconcileService =
     {
       name,
@@ -60,19 +54,17 @@ rec {
     }:
     let
       confFile = tfJsonFile name tfConfig;
-      # Admin token + any per-resource secret files, each kept out of the store
-      # and exposed to tofu as TF_VAR_<id> via systemd LoadCredential=.
+      # admin token + per-resource secrets, all read via LoadCredential
+      # so they never land in the world-readable store.
       allCredentials = {
         ${tokenVar} = tokenFile;
       }
       // credentials;
-      # Terraform state is co-located with the base service: a subdir of its
-      # primary state directory, created and owned by the service user.
+      # tfstate lives in this subdir of stateDir.
       workDir = "${stateDir}/declarative-terraform";
-      # Under DynamicUser= the absolute work dir is also expressed as a
-      # relative `StateDirectory=` so systemd creates and owns it. Deriving
-      # both from `stateDir` is the single source of truth: the path the
-      # script `cd`s into and the path the unit declares can never drift.
+      # under DynamicUser= systemd creates the dir via StateDirectory=
+      # (relative to /var/lib). derive both from stateDir so the script
+      # path and the unit declaration cannot drift.
       stateDirectoryRelative = lib.removePrefix "/var/lib/" workDir;
     in
     assert lib.assertMsg (!dynamicUser || lib.hasPrefix "/var/lib/" stateDir)
@@ -82,7 +74,7 @@ rec {
       after = afterUnits;
       requires = afterUnits;
       wantedBy = [ "multi-user.target" ];
-      # Re-apply whenever the generated configuration changes.
+      # re-apply when the generated config changes.
       restartTriggers = [ confFile ];
       path = [
         executor
@@ -96,17 +88,16 @@ rec {
       serviceConfig = {
         Type = "oneshot";
         RemainAfterExit = true;
-        # Run as the base service's user so Terraform state can live in (and be
-        # backed up alongside) that service's primary state directory.
+        # run as the service's own user so tfstate sits next to its data.
         User = user;
         Group = group;
-        # Secrets stay out of the store: read from the credentials dir at runtime.
+        # secrets stay out of the store; loaded into $CREDENTIALS_DIRECTORY at runtime.
         LoadCredential = lib.mapAttrsToList (id: path: "${id}:${path}") allCredentials;
       }
       // lib.optionalAttrs dynamicUser {
-        # Bases like Keycloak ship no persistent state dir and run as
-        # systemd DynamicUser=true; the `User=` name is hashed to a stable UID
-        # that's reused across units, and systemd creates/owns the state dir.
+        # services like Keycloak use DynamicUser=true and have no
+        # persistent state dir. systemd hashes the User= name to a
+        # stable UID that's shared across units and owns the state dir.
         DynamicUser = true;
         StateDirectory = stateDirectoryRelative;
         StateDirectoryMode = "0700";
@@ -115,23 +106,23 @@ rec {
         set -euo pipefail
         umask 077
 
-        # Work in a Terraform state dir under the base service's primary state
-        # directory, created 0700 on first run and owned by the service user.
+        # work in a subdir of the service's state dir; created 0700 on
+        # first run, owned by the service user.
         mkdir -p ${lib.escapeShellArg workDir}
         cd ${lib.escapeShellArg workDir}
 
-        # Refresh the generated config (state persists across runs).
+        # refresh the generated config (tfstate persists across runs).
         install -m 0600 ${confFile} ./main.tf.json
 
-        # Gate on the service actually answering before applying.
+        # wait for the service to actually answer before applying.
         for _ in $(seq 1 60); do
           if curl -fsS -o /dev/null "${healthUrl}"; then
             break
           fi
           sleep 2
         done
 
-        # Feed every credential to tofu as TF_VAR_<id>, read from the creds dir.
+        # pass each credential to tofu as TF_VAR_<id>.
         for id in ${lib.escapeShellArgs (lib.attrNames allCredentials)}; do
           export "TF_VAR_$id=$(cat "$CREDENTIALS_DIRECTORY/$id")"
         done

services/keycloak/checks.nix

@@ -1,13 +1,12 @@
-# Per-resource-family keycloak tests. The `keycloak` test is a full VM
-# (specialisations only work in QEMU nodes); the rest are nspawn containers
-# for faster boot and tighter focus.
+# keycloak tests, one per resource family. the `keycloak` test boots a
+# full VM (specialisations need QEMU). the rest run as nspawn containers.
 { pkgs, self }:
 let
   inherit (pkgs) lib;
   keycloakAdminPassword = "hackme";
 
-  # Python helpers; each takes the machine reference (`machine` for VMs,
-  # `keycloak` for containers) so the body is identical across both shapes.
+  # python helpers; each takes the machine reference (`machine` in the VM
+  # test, `keycloak` in the container tests) so bodies match.
   pyHelpers = ''
     import json
     def admin_token(m):
@@ -28,8 +27,8 @@ let
         return admin_get(m, realm)
   '';
 
-  # Common keycloak service config every test reuses. `runtime` carries
-  # the per-test resource fixture; `extraEtc` mocks operator secret files.
+  # shared keycloak host config. `runtime` is the per-test fixture;
+  # `extraEtc` mocks operator-supplied secret files.
   mkHost =
     {
       runtime,
@@ -58,7 +57,7 @@ let
         settings = {
           hostname = "keycloak";
           http-port = 8080;
-          http-enabled = true; # HTTP-only test deployment
+          http-enabled = true; # http-only test deployment
           hostname-strict = false;
         };
 
@@ -72,8 +71,8 @@ let
     };
 in
 {
-  # Core test: full VM proving the boot -> bootstrap -> reconcile chain
-  # plus config-change reconciliation via a specialisation.
+  # core test: full vm covering boot -> bootstrap -> reconcile, plus a
+  # specialisation switch that adds a second realm.
   keycloak = pkgs.testers.runNixOSTest {
     name = "declarative-keycloak";
 
@@ -87,7 +86,7 @@ in
           };
         } args)
         {
-          # keycloak is thicc -- only VMs accept memorySize.
+          # keycloak is thicc; only VMs accept memorySize.
           virtualisation.memorySize = 3072;
           specialisation.addRealm.configuration.services.keycloak.runtime.realms.delta = {
             display_name = "Delta Realm";
@@ -98,7 +97,7 @@ in
       ${pyHelpers}
       machine.start()
 
-      # whole chain (keycloak -> bootstrap -> reconciler) must converge.
+      # wait for the chain: keycloak -> bootstrap -> reconciler.
       machine.wait_for_unit("declarative-keycloak.service")
 
       with subtest("declared realm exists with display_name applied"):
@@ -138,7 +137,7 @@ in
     '';
   };
 
-  # RBAC: roles, groups, users + bindings via managed-key list refs.
+  # roles, groups, users + bindings via managed-key list refs.
   keycloak-rbac = pkgs.testers.runNixOSTest {
     name = "declarative-keycloak-rbac";
 
@@ -243,7 +242,7 @@ in
     '';
   };
 
-  # OpenID clients + scopes + a protocol mapper + default-scope binding.
+  # openid clients + scopes + protocol mapper + default-scope binding.
   keycloak-clients = pkgs.testers.runNixOSTest {
     name = "declarative-keycloak-clients";
 
@@ -284,7 +283,7 @@ in
           ];
         };
 
-        # Protocol mapper attached to the managed scope via its key.
+        # protocol mapper attached to the managed scope by key.
         openid_user_attribute_protocol_mappers.team_claim = {
           realm = "acme";
           client_scope = "acme_profile";
@@ -322,7 +321,7 @@ in
               f"acme-profile not bound as default scope: {names}"
 
       with subtest("protocol mapper attached to client scope"):
-          # protocolMappers travel with the client-scope representation.
+          # protocolMappers ride along on the client-scope representation.
           scopes = admin_get(keycloak, "acme/client-scopes")
           s = next((x for x in scopes if x["name"] == "acme-profile"), None)
           assert s, f"acme-profile scope missing: {[x['name'] for x in scopes]}"
@@ -339,9 +338,9 @@ in
     '';
   };
 
-  # Realm extras: extended realm attrs, nested-secret smtp, security
-  # defenses (nested-in-nested), otp_policy, realm_user_profile (nested
-  # in list elements), a keystore, required_action, localization.
+  # realm extras: extended realm attrs, smtp with nested-secret,
+  # security_defenses (nested-in-nested), otp_policy, realm_user_profile
+  # (nested-in-list), a keystore, required_action, localization.
   keycloak-realm-extras = pkgs.testers.runNixOSTest {
     name = "declarative-keycloak-realm-extras";
 
@@ -351,7 +350,7 @@ in
         realms.acme = {
           display_name = "ACME Corp.";
           display_name_html = "<b>ACME</b> Corp.";
-          # extended attrs
+          # cross-section of the extended realm attrs.
           registration_allowed = true;
           login_theme = "keycloak";
           ssl_required = "external";
@@ -365,7 +364,7 @@ in
             ];
             default_locale = "en";
           };
-          # smtp_server with nested-secret indirection.
+          # smtp with a nested-secret indirection (auth.passwordFile).
           smtp_server = {
             host = "smtp.example.com";
             from = "noreply@example.com";
@@ -376,8 +375,8 @@ in
               passwordFile = "/etc/acme-smtp-password";
             };
           };
-          # nested-in-nested block-list wrap (security_defenses.headers,
-          # security_defenses.brute_force_detection).
+          # nested-in-nested block wrap (headers + brute_force_detection
+          # inside security_defenses).
           security_defenses = {
             headers = {
               x_frame_options = "DENY";
@@ -419,9 +418,9 @@ in
           texts.loginAccountTitle = "ACME";
         };
 
-        # realm_user_profile exercises a MaxItems:1 nested block inside a
-        # list element (attribute[].permissions). Keycloak refuses to drop
-        # the built-in attrs; declare them alongside the custom one.
+        # realm_user_profile exercises a nested MaxItems:1 block inside a
+        # list element (attribute[].permissions). keycloak refuses to drop
+        # the built-in attrs, so declare them alongside the custom one.
         realm_user_profiles.acme = {
           realm = "acme";
           unmanaged_attribute_policy = "ENABLED";
@@ -582,7 +581,7 @@ in
     '';
   };
 
-  # Identity providers + IdP mappers + an authentication flow.
+  # identity providers + IdP mappers + an authentication flow.
   keycloak-idp = pkgs.testers.runNixOSTest {
     name = "declarative-keycloak-idp";
 
@@ -591,14 +590,14 @@ in
       runtime = {
         realms.acme.display_name = "ACME";
 
-        # google IdP exercises realmAliasRef and secret-file indirection.
+        # google IdP exercises realm-alias resolution + secret-file indirection.
         oidc_google_identity_providers.acme_google = {
           realm = "acme";
           client_id = "fake-client-id";
           client_secretFile = "/etc/acme-google-secret";
         };
 
-        # IdP mapper exercises idpAliasRequiredRef across IdP collections.
+        # IdP mapper exercises the multi-target idp-alias ref.
         attribute_importer_identity_provider_mappers.google_email = {
           realm = "acme";
           identity_provider = "acme_google";
@@ -621,8 +620,8 @@ in
       keycloak.wait_for_unit("declarative-keycloak.service")
 
       with subtest("google IdP exists, client_secret kept out of .tf.json"):
-          # alias defaults to the collection key (`acme_google`) via nameAttr;
-          # the provider sets providerId="google".
+          # alias defaults to the collection key (`acme_google`);
+          # providerId is fixed to "google" by the resource type.
           idp = admin_get(keycloak, "acme/identity-provider/instances/acme_google")
           assert idp.get("providerId") == "google", f"idp: {idp}"
           assert idp.get("alias") == "acme_google"