From afc0ea55bef99df28010da91c4fb6731ddcff7ca Mon Sep 17 00:00:00 2001
From: Rouven Seifert
Date: Fri, 26 Apr 2024 10:39:49 +0200
Subject: [PATCH] keycloak: re-init
---
 hosts/nuc/default.nix | 1 +
 hosts/nuc/modules/keycloak/default.nix | 43 +++++++++++++++++++++++++
 secrets.nix | 1 +
 secrets/nuc/keycloak/db.age | Bin 0 -> 339 bytes
 4 files changed, 45 insertions(+)
 create mode 100644 hosts/nuc/modules/keycloak/default.nix
 create mode 100644 secrets/nuc/keycloak/db.age
diff --git a/hosts/nuc/default.nix b/hosts/nuc/default.nix
index 624fd75..3de6f87 100644
--- a/hosts/nuc/default.nix
+++ b/hosts/nuc/default.nix
@@ -7,6 +7,7 @@
 ./modules/networks
 ./modules/adguard
 ./modules/backup
+ ./modules/keycloak
 ./modules/cache
 ./modules/matrix
 ./modules/mautrix-telegram
diff --git a/hosts/nuc/modules/keycloak/default.nix b/hosts/nuc/modules/keycloak/default.nix
new file mode 100644
index 0000000..0ace24b
--- /dev/null
+++ b/hosts/nuc/modules/keycloak/default.nix
@@ -0,0 +1,43 @@
+{ config, ... }:
+let
+ domain = "auth.${config.networking.domain}";
+in
+{
+ age.secrets.keycloak = {
+ file = ../../../../secrets/nuc/keycloak/db.age;
+ };
+ services.keycloak = {
+ enable = true;
+ settings = {
+ http-port = 8084;
+ https-port = 19000;
+ hostname = domain;
+ # proxy-headers = "forwarded";
+ proxy = "edge";
+ };
+ database = {
+ # host = "/var/run/postgresql/.s.PGSQL.5432";
+ # useSSL = false;
+ # createLocally = false;
+ passwordFile = config.age.secrets.keycloak.path;
+ };
+ initialAdminPassword = "plschangeme";
+ };
+ # services.postgresql = {
+ # enable = true;
+ # ensureUsers = [
+ # {
+ # name = "keycloak";
+ # ensureDBOwnership = true;
+ # }
+ # ];
+ # ensureDatabases = [ "keycloak" ];
+ # };
+ services.nginx.virtualHosts."${domain}" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:${toString config.services.keycloak.settings.http-port}";
+ };
+ };
+}
diff --git a/secrets.nix b/secrets.nix
index afcde6c..f73f67b 100644
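Review bot: `initialAdminPassword = "plschangeme";` in hosts/nuc/modules/keycloak/default.nix commits a guessable bootstrap credential as a plain option value, while the same hunk publishes the instance through the `services.nginx.virtualHosts."${domain}"` block, so the admin console is reachable with a known password from first start until it is rotated. The database password already goes through `age.secrets.keycloak`; if the module version in use has no file-based option for the admin password (not visible here), at least document the expectation with a comment such as `# bootstrap only: rotate in the admin console right after first start` and make the rotation part of the deploy. Separately, `proxy = "edge"` makes Keycloak honour forwarded headers and nothing in the hunk limits the HTTP listener to loopback; adding `http-host = "127.0.0.1";` under `settings` would keep port 8084 reachable only through nginx, unless a firewall rule elsewhere already covers it.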
--- a/secrets.nix
+++ b/secrets.nix
@@ -20,6 +20,7 @@ in
 "secrets/nuc/matrix/sync.age".publicKeys = [ rouven nuc ];
 "secrets/nuc/mautrix-telegram/env.age".publicKeys = [ rouven nuc ];
 "secrets/nuc/vaultwarden.age".publicKeys = [ rouven nuc ];
+ "secrets/nuc/keycloak/db.age".publicKeys = [ rouven nuc ];
 "secrets/nuc/cache.age".publicKeys = [ rouven nuc ];
 "secrets/nuc/borg/passphrase.age".publicKeys = [ rouven nuc ];
 "secrets/nuc/borg/key.age".publicKeys = [ rouven nuc ];
diff --git a/secrets/nuc/keycloak/db.age b/secrets/nuc/keycloak/db.age
new file mode 100644
index 0000000000000000000000000000000000000000..1093a5bf5f6ea03cbdbdb1d3b8ec99964fadf213
GIT binary patch literal 339 zcmZ9_yH0~p002-o6E+j$%;Z9_P@tvJnB4YKD1BIGnZw2pHeg-229H%gYEPsuF1ppn}Y1hzvKrVSL0%nd(L zq7gf!hBL#PH>lhw2OAinVO>Ef)7e6|Rj?G4K2O+zAvIk%PoNE&rU67V?Si#5)7nPl2P>HMmTXUwnOP_>tVNtNg5Ssn%6!6hyhSj((Cv}Inr${u5+FFEYBW@W& z;JIl_b9)`stz@b#bkKy+xAD?*@_3Vtk;ZWPyt|@2=WnBF(qvL+5EwOfCE&HoHAh7< zr&WnQuGh9DVUIski@D;&u|&|p2jUM-ZlAtbyw5*_*SDR$>lVIy|GED@53}RXhuy=V O#5cXi7mzT@)$A7^VsX3x literal 0 HcmV?d00001