From 525b92a65d5849eea98ceb620f3c8e0ff25784aa Mon Sep 17 00:00:00 2001
From: Rouven Seifert
Date: Sat, 9 Mar 2024 12:39:16 +0100
Subject: [PATCH] nuc: add keycloak
---
 hosts/nuc/default.nix | 5 ++-
 hosts/nuc/modules/keycloak/default.nix | 43 +++++++++++++++++++++++++
 secrets.nix | 1 +
 secrets/nuc/keycloak/db.age | Bin 0 -> 339 bytes
 4 files changed, 46 insertions(+), 3 deletions(-)
 create mode 100644 hosts/nuc/modules/keycloak/default.nix
 create mode 100644 secrets/nuc/keycloak/db.age
diff --git a/hosts/nuc/default.nix b/hosts/nuc/default.nix
index 670f0ea..14f4e11 100644
--- a/hosts/nuc/default.nix
+++ b/hosts/nuc/default.nix
@@ -8,7 +8,8 @@
 ./modules/backup
 ./modules/cache
 # ./modules/grafana
- ./modules/hydra
+ # ./modules/hydra
+ ./modules/keycloak
 # ./modules/prometheus
 ./modules/matrix
 ./modules/mautrix-telegram
@@ -69,8 +70,6 @@
 programs.mosh.enable = true;
- # firmware updates
- services.fwupd.enable = true;
 users.users.root.initialHashedPassword = "$y$j9T$hYM7FT2hn3O7OWBn9uz8e0$XquxONcPSke6YjdRGwOzGxC0/92hgP7PIB0y0K.Qdr/";
 users.users.root.openssh.authorizedKeys.keyFiles = [
 ../../keys/ssh/rouven-thinkpad
diff --git a/hosts/nuc/modules/keycloak/default.nix b/hosts/nuc/modules/keycloak/default.nix
new file mode 100644
index 0000000..0ace24b
--- /dev/null
+++ b/hosts/nuc/modules/keycloak/default.nix
@@ -0,0 +1,43 @@
+{ config, ... }:
+let
+ domain = "auth.${config.networking.domain}";
+in
+{
+ age.secrets.keycloak = {
+ file = ../../../../secrets/nuc/keycloak/db.age;
+ };
+ services.keycloak = {
+ enable = true;
+ settings = {
+ http-port = 8084;
+ https-port = 19000;
+ hostname = domain;
+ # proxy-headers = "forwarded";
+ proxy = "edge";
+ };
+ database = {
+ # host = "/var/run/postgresql/.s.PGSQL.5432";
+ # useSSL = false;
+ # createLocally = false;
+ passwordFile = config.age.secrets.keycloak.path;
+ };
+ initialAdminPassword = "plschangeme";
+ };
+ # services.postgresql = {
+ # enable = true;
+ # ensureUsers = [
+ # {
+ # name = "keycloak";
+ # ensureDBOwnership = true;
+ # }
+ # ];
+ # ensureDatabases = [ "keycloak" ];
+ # };
+ services.nginx.virtualHosts."${domain}" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:${toString config.services.keycloak.settings.http-port}";
+ };
+ };
+}
diff --git a/secrets.nix b/secrets.nix
index afcde6c..f73f67b 100644
--- a/secrets.nix
+++ b/secrets.nix
@@ -20,6 +20,7 @@ in
 "secrets/nuc/matrix/sync.age".publicKeys = [ rouven nuc ];
 "secrets/nuc/mautrix-telegram/env.age".publicKeys = [ rouven nuc ];
 "secrets/nuc/vaultwarden.age".publicKeys = [ rouven nuc ];
+ "secrets/nuc/keycloak/db.age".publicKeys = [ rouven nuc ];
 "secrets/nuc/cache.age".publicKeys = [ rouven nuc ];
 "secrets/nuc/borg/passphrase.age".publicKeys = [ rouven nuc ];
 "secrets/nuc/borg/key.age".publicKeys = [ rouven nuc ];
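Review bot: `initialAdminPassword = "plschangeme"` in the `services.keycloak` block is a guessable bootstrap credential committed to the repo, and the same hunk exposes the instance publicly on `auth.${config.networking.domain}` with ACME and `forceSSL` before that password has been rotated, so whoever reaches the admin console first during that window can take over the deployment. As far as I can tell the option is a plain string that lands in the world-readable Nix store whatever value is set, so the realistic mitigation is a random one-off value, rotating it at first login, keeping the vhost (or the firewall) closed until then, and a comment such as `# bootstrap-only: used when no admin user exists yet; rotate at first login and keep the vhost private until done`. Separately, `proxy = "edge"` makes Keycloak honor X-Forwarded-* headers from any peer that can reach port 8084, and nothing in the hunk pins the HTTP listener to loopback; adding `http-host = "127.0.0.1";` under `settings` limits it to the local nginx proxy, and the vhost should actually send those headers (e.g. `recommendedProxySettings = true;`), which this hunk does not show. The commented `proxy-headers = "forwarded"` line suggests the newer option was considered; recent Keycloak releases deprecate `proxy` in favour of `proxy-headers`, which is worth confirming against the version nixpkgs ships.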
diff --git a/secrets/nuc/keycloak/db.age b/secrets/nuc/keycloak/db.age new file mode 100644 index 0000000000000000000000000000000000000000..1093a5bf5f6ea03cbdbdb1d3b8ec99964fadf213 GIT binary patch literal 339 zcmZ9_yH0~p002-o6E+j$%;Z9_P@tvJnB4YKD1BIGnZw2pHeg-229H%gYEPsuF1ppn}Y1hzvKrVSL0%nd(L zq7gf!hBL#PH>lhw2OAinVO>Ef)7e6|Rj?G4K2O+zAvIk%PoNE&rU67V?Si#5)7nPl2P>HMmTXUwnOP_>tVNtNg5Ssn%6!6hyhSj((Cv}Inr${u5+FFEYBW@W& z;JIl_b9)`stz@b#bkKy+xAD?*@_3Vtk;ZWPyt|@2=WnBF(qvL+5EwOfCE&HoHAh7< zr&WnQuGh9DVUIski@D;&u|&|p2jUM-ZlAtbyw5*_*SDR$>lVIy|GED@53}RXhuy=V O#5cXi7mzT@)$A7^VsX3x literal 0 HcmV?d00001