diff --git a/configurations/camelot/default.nix b/configurations/camelot/default.nix
index c4b6e69..973c3cf 100644
--- a/configurations/camelot/default.nix
+++ b/configurations/camelot/default.nix
@@ -46,10 +46,16 @@
 owner = config.users.users.gotosocial.name;
 group = config.users.users.gotosocial.group;
 };
+
+ keycloakDbPassword.file = ../../secrets/keycloak-db.age;
 };
 my.server.blog.enable = true;
 my.server.papermc.enable = true;
+ my.server.sso = {
+ enable = true;
+ dbPasswordFile = config.age.secrets.keycloakDbPassword.path;
+ };
 my.users = {
 dala = {
diff --git a/flake.lock b/flake.lock
index 6f9fd48..37203a7 100644
--- a/flake.lock
+++ b/flake.lock
@@ -79,11 +79,11 @@
 },
 "extra-config": {
 "locked": {
- "lastModified": 1733060531,
- "narHash": "sha256-lUPSW3t46rJQThatY2nP/JoKZ9SSfeaIGfBh8srh4MU=",
+ "lastModified": 1733857702,
+ "narHash": "sha256-Bo8w+Pi7tS5z3yAuaTkW9+Eh7+0YiSV+HuCAf2m2w1I=",
 "ref": "refs/heads/main",
- "rev": "58022348c9436d1e0aa611a67b1efd1f092cab2a",
- "revCount": 8,
+ "rev": "f6fed9c40dbea65d6aa80b53fc3c1be62c1d8ac2",
+ "revCount": 9,
 "type": "git",
 "url": "ssh://forgejo@git.dalaran.fr/dala/nixos-config-extra.git"
 },
diff --git a/modules/server/default.nix b/modules/server/default.nix
index 277f76e..0d65666 100644
--- a/modules/server/default.nix
+++ b/modules/server/default.nix
@@ -5,5 +5,6 @@
 ./nginx.nix
 ./blog.nix
 ./minecraft.nix
+ ./keycloak.nix
 ];
 }
diff --git a/modules/server/keycloak.nix b/modules/server/keycloak.nix
new file mode 100644
index 0000000..aa14c4c
--- /dev/null
+++ b/modules/server/keycloak.nix
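Review bot: `keycloakDbPassword` sets only `file`, while the neighbouring gotosocial secret pins `owner`/`group`, so the new secret keeps agenix's default of root-owned, mode 0400. That is only correct if the file is consumed by root — as far as I recall the nixpkgs keycloak module hands `database.passwordFile` to the unit through a systemd credential rather than opening it as the service user — and nothing in the hunk records that assumption. I would add `# root:0400 is intentional: the keycloak module loads this via a systemd credential, not as the service user` above the line so the next reader does not copy the gotosocial owner/group by reflex, or, if the module turns out to read the file directly, set `owner` like the sibling secret. The enclosing `age.secrets` attribute set starts before the hunk.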
@@ -0,0 +1,51 @@
+{
+ lib,
+ config,
+ extraInfo,
+ ...
+}:
+let
+ cfg = config.my.server.sso;
+in
+with lib;
+{
+ options = {
+ my.server.sso = {
+ enable = mkEnableOption "SSO using Keycloak";
+ dbPasswordFile = mkOption {
+ type = types.str;
+ description = "Path to the file containing the database password";
+ };
+ };
+ };
+
+ config = mkIf cfg.enable {
+ services.keycloak = {
+ enable = true;
+ database = {
+ type = "postgresql";
+ createLocally = true;
+
+ passwordFile = cfg.dbPasswordFile;
+ };
+
+ settings = {
+ hostname = "https://${extraInfo.keycloakURI}";
+ hostname-admin-url = "https://${extraInfo.keycloakURI}";
+ http-port = 8081;
+ proxy-headers = "forwarded";
+ http-enabled = true;
+ };
+ };
+
+ services.nginx.virtualHosts.${extraInfo.keycloakURI} = mkIf config.services.nginx.enable {
+ forceSSL = true;
+ enableACME = true;
+
+ locations."/" = {
+ recommendedProxySettings = true;
+ proxyPass = "http://localhost:${toString config.services.keycloak.settings.http-port}";
+ };
+ };
+ };
+}
diff --git a/secrets/keycloak-db.age b/secrets/keycloak-db.age
new file mode 100644
index 0000000..a8eafa8
--- /dev/null
+++ b/secrets/keycloak-db.age
@@ -0,0 +1,5 @@
+age-encryption.org/v1
+-> ssh-ed25519 1urzmQ Kh6LceNk07sV7+nLKOZbVpMQfBmqmzLRwNgjfxvYaB0
+J7M/Z3Vh7LGDBfMk4HiCycJ0dDth0/0LA3WKBg0/USs
+--- //E0cCHqAOwKYfKjm0lq73LQexIn+pxL14kyj/p3P1k
+Mpë {n]-lxRWK )e1\_(tƜ(5wA
\ No newline at end of file
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index d3733c8..5508188 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -21,6 +21,10 @@ in
 camelot
 ];
+
+ "keycloak-db.age".publicKeys = [
+ camelot
+ ];
+
+ "okeanos-wg0.age".publicKeys = [
 okeanos
 ];
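Review bot: `proxy-headers = "forwarded"` tells Keycloak to trust the RFC 7239 `Forwarded` header, but the nginx vhost below relies only on `recommendedProxySettings`, which in nixpkgs sets `Host`, `X-Real-IP` and the `X-Forwarded-*` family and never emits `Forwarded`; the effect is that nginx's own headers are ignored while a client-supplied `Forwarded: for=…` passes through the proxy untouched and is accepted as the client address, which defeats brute-force detection and falsifies the audit log. Change the setting to `proxy-headers = "xforwarded";` and, because the recommended config uses `$proxy_add_x_forwarded_for` (it appends to whatever the client sent), add `extraConfig = "proxy_set_header X-Forwarded-For $remote_addr;";` to the location so only the proxy's view is forwarded (verify in the rendered config that this location-level directive wins over the included defaults). Separately, Keycloak's `http-host` defaults to 0.0.0.0, so the plaintext `http-port = 8081` listener is bound on every interface although only the loopback proxy needs it; add `http-host = "127.0.0.1";` beside it. With `hostname-admin-url` pointing at the same public vhost the admin console under `/admin/` is reachable from the internet alongside the realm endpoints, so consider restricting that path at nginx to trusted addresses.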