From 5294cd68f86369fa07ee260afc1c8e74b9938a3a Mon Sep 17 00:00:00 2001
From: Rouven Seifert
Date: Thu, 2 May 2024 13:21:16 +0200
Subject: [PATCH] keycloak: init
---
modules/keycloak.nix | 27 +++++++++++++++++++++++++++
secrets/quitte.yaml | 8 +++++---
2 files changed, 32 insertions(+), 3 deletions(-)
create mode 100644 modules/keycloak.nix
diff --git a/modules/keycloak.nix b/modules/keycloak.nix
new file mode 100644
index 0000000..9073914
--- /dev/null
+++ b/modules/keycloak.nix
@@ -0,0 +1,27 @@
+{ config, ... }:
+let
+ domain = "sso.${config.networking.domain}";
+in
+{
+ sops.secrets."keykloak/db" = { };
+ services.keycloak = {
+ enable = true;
+ settings = {
+ http-port = 8086;
+ https-port = 19000;
+ hostname = domain;
+ proxy = "edge";
+ };
+ # The module requires a password for the DB and works best with its own DB config
+ # Does an automatic Postgresql configuration
+ database = {
+ passwordFile = config.sops.secrets."keycloak/db".path;
+ };
+ initialAdminPassword = "plschangeme";
+ };
+ services.nginx.virtualHosts."${domain}" = {
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:${toString config.services.keycloak.settings.http-port}";
+ };
+ };
+}
diff --git a/secrets/quitte.yaml b/secrets/quitte.yaml
index f8b8d4d..de196f8 100644
--- a/secrets/quitte.yaml
+++ b/secrets/quitte.yaml
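Review bot: In modules/keycloak.nix the secret is declared as `sops.secrets."keykloak/db"`, but `database.passwordFile` reads `config.sops.secrets."keycloak/db".path` and secrets/quitte.yaml adds the key as `keycloak: db:`; the declaration looks like a typo and should be `sops.secrets."keycloak/db" = { };`, otherwise the attribute that passwordFile references is never defined. `initialAdminPassword = "plschangeme";` puts the bootstrap admin credential in clear text in the repository (and, presumably, the Nix store) while the same file publishes the service through nginx at `sso.${config.networking.domain}`, so the credential is known to every reader of the repository until it is changed; at minimum add a comment such as `# bootstrap only: this value is public, change it in the admin console immediately after first start`. The virtual host sets no TLS options in this hunk although `proxy = "edge"` expects TLS to terminate at the proxy, so confirm that `forceSSL` and certificate settings are applied to this host elsewhere in the configuration.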
@@ -1,7 +1,9 @@ nextcloud_adminpass: ENC[AES256_GCM,data:v6FYsO/RklPSz5uf6aYQDhdudHb0962I1WxJM3VGc0af6s/fEz2j+UTu,iv:WzS+jU7qmNQbd1RWDempdu4nv0ytWeybF/PKoc4mvTc=,tag:1CF3ZnQNDLv11j7UoyYsjg==,type:str] -hedgedoc_session_secret: ENC[AES256_GCM,data:WFbqr6VX12rpiPuIPlQnwOMdHM1B0yk2PYuuanbqREE=,iv:Iih4/GNs9qN+AM6fdaTJLmmPQIzxIwXHUZttP1Up6qs=,tag:IVZQId4yxbePVQqJB9+3iw==,type:str] +hedgedoc_session_secret: ENC[AES256_GCM,data:WO3j/Sp0LHyNC51jdzChKB46KLU7l57TBVNL3v92sjs=,iv:HVizKMCd+d9cTQEzRncRpv9scldg5Nn2fBRz0D58OOg=,tag:8HZttVgZs4Ah8JWTDaTySA==,type:str] nix-serve: key: ENC[AES256_GCM,data:GptsUgeXOOrwJctoMZ+mWXcw9DwJ0f0LOlLyMlH/877N4uA5/NtNKIaFHl3z2GWPRBnDLBzDEO1Q6EDuWbakr+Uq4zTJm2MOV6Qf4kM0BlNpXGIdjvh7tD2La7GV4ID+CT8U6p0E,iv:3A/Yy4PHsq9VdhW4SKIYdpd1enQ5cDiKLk5S9VrH0b4=,tag:WZzbct7LZmOhEvx9KVQ8WA==,type:str] +keycloak: + db: ENC[AES256_GCM,data:DVf/pVCHHUed2cQleECk0paBTZ/6Q3NE,iv:j3sWWNL0dqPJBLUx10+jJ7QvdAHvGM55KKDwG2aQEs0=,tag:6VTeE+Prsm+LPemzbEtVYg==,type:str] dex: environment: ENC[AES256_GCM,data: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,iv:/it0Kg0+2BpdiJFI2GBiC2VJgeHC/GbjniDKVqL1xSo=,tag:Y06ICn5wHGV3jUZTRt1k4w==,type:str] portunus: 
@@ -48,8 +50,8 @@ sops: c2lzVGV6WnVQT1pOTTVwRUxlMWZobWsK0CrDl2ELoYOTrMt3uN3mgBSyaYqOQY4I vBK12PV9FR9GFpKN4kGB03PZ0gV0N1zlcCHpnPCUuHwbCvvF2+vCag== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-05-05T07:39:57Z" - mac: ENC[AES256_GCM,data:N4xRSkLgkdGRqHQVALMPM1n7P0je6l32ek7h0hYDanNQL9lurjA3SNCb0HUl/nWBSWdYqWgSYosnuzLuaq/6zDaE7T+3gUazXZ8A2qeBuzLUbGiH53lql3OwKZPtme1+ZMtM1EG+2wgGOdT2CXjlVWEY+9a3GaL/d0lHyJWwHjE=,iv:LCd1Xi8AE+7LVkBP9W+mfp4nfbsQ3fH4dsWKN3qw7uk=,tag:yVE1nCjvboApqDoMboRHng==,type:str] + lastmodified: "2024-05-06T09:24:11Z" + mac: ENC[AES256_GCM,data:yfIPRbPOMLbO70u4+/BENICJL2w1PSfWTEwYx4d807ZoKJFp/urHetRgSpkZuRy+MgooetNaHqQdR9y7+hv2L4rUqn8BXRvZCLSbrsUhoeszyYUgzbWFprDDJGpkpOc5RfBjOKCFckr05gc0Gdfh0Fg77dzOOzJ15B3TflGiLqY=,iv:J5q2kGzAQoHc0fcJgyeBY+LXudW9HS5Kc59IVf1w7As=,tag:aVFQxKXi6sdwmw+P3qvY+A==,type:str] pgp: - created_at: "2024-02-29T15:23:23Z" enc: |-