some minor keycloak changes

This commit is contained in:
root 2022-09-06 14:00:29 +02:00
parent 99c461e3dd
commit 8649d4812d
4 changed files with 53 additions and 12 deletions

View file

@ -59,6 +59,7 @@
./modules/base.nix
./modules/sops.nix
./modules/keycloak.nix
./modules/nginx.nix
{
sops.defaultSopsFile = ./secrets/durian.yaml;
}

View file

@ -106,7 +106,7 @@
services.openssh.permitRootLogin = "yes";
# Open ports in the firewall.
# networking.firewall.allowedTCPPorts = [ ... ];
networking.firewall.allowedTCPPorts = [ 443 80 ];
# networking.firewall.allowedUDPPorts = [ ... ];
# Or disable the firewall altogether.
# networking.firewall.enable = false;

View file

@ -1,13 +1,31 @@
{pkgs, config, lib, ...}: {
sops.secrets.postgres_keycloak.owner = config.systemd.services.postgres_keycloak.serviceConfig.User;
sops.secrets.postgres_keycloak = {
owner = config.systemd.services.keycloak.serviceConfig.User;
group = "keycloak";
};
users.users.keycloak = {
name = "keycloak";
isSystemUser = true;
group = "keycloak";
};
users.groups.keycloak = {
name = "keycloak";
members = [ "keycloak" ];
};
services = {
keycloak = {
enable = true;
settings = {
hostname = "keycloak.durian.tassilo-tanneberger.de";
hostname = "keycloak.quitte.tassilo-tanneberger.de";
http-host = "127.0.0.1";
http-port = 8000;
https-port = 8001;
proxy = "edge";
};
database = {
@ -16,19 +34,30 @@
passwordFile = config.sops.secrets.postgres_keycloak.path;
name = "keycloak";
host = "localhost";
createLocally = true;
};
};
postgresql = {
enable = true;
ensureUsers = [
{
name = "keycloak";
ensurePermissions = {
"DATABASE keycloak" = "ALL PRIVILEGES";
};
}
];
ensureDatabases = [ "keycloak" ];
};
nginx = {
enable = true;
recommendedProxySettings = true;
virtualHosts = {
"${config.services.keycloak.settings.hostname}" = {
enableACME = true;
forceSSL = true;
http2 = true;
locations = {
"/" =
let
cfg = config.services.keycloak.settings;
in {
proxyPass = "http://${cfg.http-host}:${toString cfg.http-port}";
};
};
};
};
};
};
}

11
modules/nginx.nix Normal file
View file

@ -0,0 +1,11 @@
{ config, pkgs, ... }:
{
services.nginx.enable = true;
security.acme = {
acceptTerms = true;
defaults = {
#server = "https://acme-staging-v02.api.letsencrypt.org/directory";
email = "root@ifsr.de";
};
};
}