camelot: add keycloak

configurations/camelot/default.nix

@@ -46,10 +46,16 @@
       owner = config.users.users.gotosocial.name;
       group = config.users.users.gotosocial.group;
     };
+
+    keycloakDbPassword.file = ../../secrets/keycloak-db.age;
   };
 
   my.server.blog.enable = true;
   my.server.papermc.enable = true;
+  my.server.sso = {
+    enable = true;
+    dbPasswordFile = config.age.secrets.keycloakDbPassword.path;
+  };
 
   my.users = {
     dala = {

flake.lock

@@ -79,11 +79,11 @@
     },
     "extra-config": {
       "locked": {
-        "lastModified": 1733060531,
-        "narHash": "sha256-lUPSW3t46rJQThatY2nP/JoKZ9SSfeaIGfBh8srh4MU=",
+        "lastModified": 1733857702,
+        "narHash": "sha256-Bo8w+Pi7tS5z3yAuaTkW9+Eh7+0YiSV+HuCAf2m2w1I=",
         "ref": "refs/heads/main",
-        "rev": "58022348c9436d1e0aa611a67b1efd1f092cab2a",
-        "revCount": 8,
+        "rev": "f6fed9c40dbea65d6aa80b53fc3c1be62c1d8ac2",
+        "revCount": 9,
         "type": "git",
         "url": "ssh://forgejo@git.dalaran.fr/dala/nixos-config-extra.git"
       },

modules/server/default.nix

@@ -5,5 +5,6 @@
     ./nginx.nix
     ./blog.nix
     ./minecraft.nix
+    ./keycloak.nix
   ];
 }

modules/server/keycloak.nix

@@ -0,0 +1,51 @@
+{
+  lib,
+  config,
+  extraInfo,
+  ...
+}:
+let
+  cfg = config.my.server.sso;
+in
+with lib;
+{
+  options = {
+    my.server.sso = {
+      enable = mkEnableOption "SSO using Keycloak";
+      dbPasswordFile = mkOption {
+        type = types.str;
+        description = "Path to the file containing the database password";
+      };
+    };
+  };
+
+  config = mkIf cfg.enable {
+    services.keycloak = {
+      enable = true;
+      database = {
+        type = "postgresql";
+        createLocally = true;
+
+        passwordFile = cfg.dbPasswordFile;
+      };
+
+      settings = {
+        hostname = "https://${extraInfo.keycloakURI}";
+        hostname-admin-url = "https://${extraInfo.keycloakURI}";
+        http-port = 8081;
+        proxy-headers = "forwarded";
+        http-enabled = true;
+      };
+    };
+
+    services.nginx.virtualHosts.${extraInfo.keycloakURI} = mkIf config.services.nginx.enable {
+      forceSSL = true;
+      enableACME = true;
+
+      locations."/" = {
+        recommendedProxySettings = true;
+        proxyPass = "http://localhost:${toString config.services.keycloak.settings.http-port}";
+      };
+    };
+  };
+}

secrets/keycloak-db.age

@@ -0,0 +1,5 @@
+age-encryption.org/v1
+-> ssh-ed25519 1urzmQ Kh6LceNk07sV7+nLKOZbVpMQfBmqmzLRwNgjfxvYaB0
+J7M/Z3Vh7LGDBfMk4HiCycJ0dDth0/0LA3WKBg0/USs
+--- //E0cCHqAOwKYfKjm0lq73LQexIn+pxL14kyj/p3P1k
+öÛMŽpñ눈å<0C>{½n„]­Æ-Õø¨lxšRWK¾)öeŸ1\_(tÆœ(½5w§A¹¹ñ

secrets/secrets.nix

@@ -21,6 +21,10 @@ in
     camelot
   ];
 
+  "keycloak-db.age".publicKeys = [
+    camelot
+  ];
+
   "okeanos-wg0.age".publicKeys = [
     okeanos
   ];