camelot: add keycloak

Victor Mignot 2024-12-10 20:04:20 +01:00
parent 1007ad99f4
commit c7e4e6b4a0
Signed by: dala
SSH key fingerprint: SHA256:+3O9MhlDc2tJL0n+E+Myr7nL+74DP9AXdIXHmIqZTkY
6 changed files with 71 additions and 4 deletions


@ -46,10 +46,16 @@
owner = config.users.users.gotosocial.name; owner = config.users.users.gotosocial.name;
group = config.users.users.gotosocial.group; group = config.users.users.gotosocial.group;
}; };
keycloakDbPassword.file = ../../secrets/keycloak-db.age;
}; };
my.server.blog.enable = true; my.server.blog.enable = true;
my.server.papermc.enable = true; my.server.papermc.enable = true;
my.server.sso = {
enable = true;
dbPasswordFile = config.age.secrets.keycloakDbPassword.path;
};
my.users = { my.users = {
dala = { dala = {


@ -79,11 +79,11 @@
}, },
"extra-config": { "extra-config": {
"locked": { "locked": {
"lastModified": 1733060531, "lastModified": 1733857702,
"narHash": "sha256-lUPSW3t46rJQThatY2nP/JoKZ9SSfeaIGfBh8srh4MU=", "narHash": "sha256-Bo8w+Pi7tS5z3yAuaTkW9+Eh7+0YiSV+HuCAf2m2w1I=",
"ref": "refs/heads/main", "ref": "refs/heads/main",
"rev": "58022348c9436d1e0aa611a67b1efd1f092cab2a", "rev": "f6fed9c40dbea65d6aa80b53fc3c1be62c1d8ac2",
"revCount": 8, "revCount": 9,
"type": "git", "type": "git",
"url": "ssh://forgejo@git.dalaran.fr/dala/nixos-config-extra.git" "url": "ssh://forgejo@git.dalaran.fr/dala/nixos-config-extra.git"
}, },


@ -5,5 +5,6 @@
./nginx.nix ./nginx.nix
./blog.nix ./blog.nix
./minecraft.nix ./minecraft.nix
./keycloak.nix
]; ];
} }


@ -0,0 +1,51 @@
{
lib,
config,
extraInfo,
...
}:
let
cfg = config.my.server.sso;
in
with lib;
{
options = {
my.server.sso = {
enable = mkEnableOption "SSO using Keycloak";
dbPasswordFile = mkOption {
type = types.str;
description = "Path to the file containing the database password";
};
};
};
config = mkIf cfg.enable {
services.keycloak = {
enable = true;
database = {
type = "postgresql";
createLocally = true;
passwordFile = cfg.dbPasswordFile;
};
settings = {
hostname = "https://${extraInfo.keycloakURI}";
hostname-admin-url = "https://${extraInfo.keycloakURI}";
http-port = 8081;
proxy-headers = "forwarded";
http-enabled = true;
};
};
services.nginx.virtualHosts.${extraInfo.keycloakURI} = mkIf config.services.nginx.enable {
forceSSL = true;
enableACME = true;
locations."/" = {
recommendedProxySettings = true;
proxyPass = "http://localhost:${toString config.services.keycloak.settings.http-port}";
};
};
};
}
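Review bot: `proxy-headers = "forwarded"` in the settings block tells Keycloak to trust only an RFC 7239 `Forwarded` header, but the nginx vhost below relies on `recommendedProxySettings`, which as far as I can see emits the `X-Forwarded-For`/`X-Forwarded-Proto`/`X-Forwarded-Host` family and no `Forwarded` header, so Keycloak will treat every request as plain HTTP from 127.0.0.1. That makes login events and failure records carry the proxy address instead of the real client, which defeats any IP-based auditing or rate limiting in front of it; `proxy-headers = "xforwarded";` matches what nginx actually sends. Separately, `http-enabled = true` with no `http-host` leaves the plaintext 8081 listener on Keycloak's default wildcard bind, so only the host firewall stops clients from bypassing the TLS vhost; adding `http-host = "127.0.0.1";` next to `http-port` pins it to loopback, which is all the `proxyPass` to localhost needs.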

secrets/keycloak-db.age Normal file

@ -0,0 +1,5 @@
age-encryption.org/v1
-> ssh-ed25519 1urzmQ Kh6LceNk07sV7+nLKOZbVpMQfBmqmzLRwNgjfxvYaB0
J7M/Z3Vh7LGDBfMk4HiCycJ0dDth0/0LA3WKBg0/USs
--- //E0cCHqAOwKYfKjm0lq73LQexIn+pxL14kyj/p3P1k
öÛMŽpñ눈å <0C>{½n„]­Æ-Õø¨lxšRWK ¾)öeŸ1\_(tÆœ(½5w§A¹¹ñ


@ -21,6 +21,10 @@ in
camelot camelot
]; ];
"keycloak-db.age".publicKeys = [
camelot
];
"okeanos-wg0.age".publicKeys = [ "okeanos-wg0.age".publicKeys = [
okeanos okeanos
]; ];