From 8649d4812dc401694ef11863ee36af983e5a1f57 Mon Sep 17 00:00:00 2001
From: root
Date: Tue, 6 Sep 2022 14:00:29 +0200
Subject: [PATCH] some minor keycloak changes
---
 flake.nix | 1 +
 hosts/durian/configuration.nix | 2 +-
 modules/keycloak.nix | 51 ++++++++++++++++++++++++++--------
 modules/nginx.nix | 11 ++++++++
 4 files changed, 53 insertions(+), 12 deletions(-)
 create mode 100644 modules/nginx.nix
diff --git a/flake.nix b/flake.nix
index 4879f2a..15da2a6 100755
--- a/flake.nix
+++ b/flake.nix
@@ -59,6 +59,7 @@
 ./modules/base.nix
 ./modules/sops.nix
 ./modules/keycloak.nix
+./modules/nginx.nix
 {
 sops.defaultSopsFile = ./secrets/durian.yaml;
 }
diff --git a/hosts/durian/configuration.nix b/hosts/durian/configuration.nix
index c66efd8..d0bbe07 100644
--- a/hosts/durian/configuration.nix
+++ b/hosts/durian/configuration.nix
@@ -106,7 +106,7 @@
 services.openssh.permitRootLogin = "yes";
 # Open ports in the firewall.
-# networking.firewall.allowedTCPPorts = [ ... ];
+networking.firewall.allowedTCPPorts = [ 443 80 ];
 # networking.firewall.allowedUDPPorts = [ ... ];
 # Or disable the firewall altogether.
 # networking.firewall.enable = false;
diff --git a/modules/keycloak.nix b/modules/keycloak.nix
index fcc59e8..617ce2d 100644
--- a/modules/keycloak.nix
+++ b/modules/keycloak.nix
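Review bot: The firewall opening on the added line in hosts/durian/configuration.nix is separated from the service that needs it; the listener on 80 and 443 is the nginx module this same commit introduces. Moving `networking.firewall.allowedTCPPorts = [ 80 443 ];` into modules/nginx.nix ties the exposure to the service, so dropping the module also closes the ports instead of leaving them open with nothing behind them. The surrounding firewall block is untouched template commentary.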
@@ -1,13 +1,31 @@
 {pkgs, config, lib, ...}: {
-sops.secrets.postgres_keycloak.owner = config.systemd.services.postgres_keycloak.serviceConfig.User;
+sops.secrets.postgres_keycloak = {
+owner = config.systemd.services.keycloak.serviceConfig.User;
+group = "keycloak";
+};
+
+users.users.keycloak = {
+name = "keycloak";
+isSystemUser = true;
+group = "keycloak";
+};
+
+users.groups.keycloak = {
+name = "keycloak";
+members = [ "keycloak" ];
+};
 services = {
 keycloak = {
 enable = true;
 settings = {
-hostname = "keycloak.durian.tassilo-tanneberger.de";
+hostname = "keycloak.quitte.tassilo-tanneberger.de";
+http-host = "127.0.0.1";
+http-port = 8000;
+https-port = 8001;
+proxy = "edge";
 };
 database = {
@@ -16,19 +34,30 @@
 passwordFile = config.sops.secrets.postgres_keycloak.path;
 name = "keycloak";
 host = "localhost";
+createLocally = true;
 };
 };
 postgresql = {
 enable = true;
-ensureUsers = [
-{
-name = "keycloak";
-ensurePermissions = {
-"DATABASE keycloak" = "ALL PRIVILEGES";
-};
-}
-];
-ensureDatabases = [ "keycloak" ];
+};
+nginx = {
+enable = true;
+recommendedProxySettings = true;
+virtualHosts = {
+"${config.services.keycloak.settings.hostname}" = {
+enableACME = true;
+forceSSL = true;
+http2 = true;
+locations = {
+"/" =
+let
+cfg = config.services.keycloak.settings;
+in {
+proxyPass = "http://${cfg.http-host}:${toString cfg.http-port}";
+};
+};
+};
+};
 };
 };
 }
diff --git a/modules/nginx.nix b/modules/nginx.nix
new file mode 100644
index 0000000..c97c327
--- /dev/null
+++ b/modules/nginx.nix
@@ -0,0 +1,11 @@
+{ config, pkgs, ... }:
+{
+services.nginx.enable = true;
+security.acme = {
+acceptTerms = true;
+defaults = {
+#server = "https://acme-staging-v02.api.letsencrypt.org/directory";
+email = "root@ifsr.de";
+};
+};
+}
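Review bot: `proxy = "edge"` makes Keycloak take the client address and scheme from X-Forwarded-* headers, so it is only safe because `http-host = "127.0.0.1"` keeps port 8000 off the network; the two settings should be tied together with a comment such as `# proxy = "edge" trusts forwarded headers; keep http-host on loopback so only the local nginx can set them`. `https-port = 8001` looks unused once TLS terminates at nginx — if nothing is meant to listen there, drop it or say why it stays. The static `users.users.keycloak` / `users.groups.keycloak` pair deserves a one-line comment on why it is defined next to the NixOS keycloak service (presumably so the sops secret can be owned by that user at activation; confirm), and `members = [ "keycloak" ]` duplicates the user's own `group = "keycloak"`. With sops-nix's default secret mode the added `group` on the secret has no effect unless `mode` is widened as well.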
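Review bot: The new virtualHost proxies `/` wholesale, which also publishes the Keycloak admin console and admin REST API under `/admin` on the public hostname; if those are meant for operators only, add a dedicated location with an allow list, which also means hoisting the `let` so both locations share the upstream. `recommendedProxySettings = true` is what supplies the X-Forwarded-* headers that the `proxy = "edge"` setting in the first hunk relies on — worth a comment so the two are not changed independently. Two style points: `"${config.services.keycloak.settings.hostname}"` can be written unquoted as `virtualHosts.${config.services.keycloak.settings.hostname}`, and `nginx.enable = true` here repeats the same setting in modules/nginx.nix added by this commit.
```nix
locations =
  let
    cfg = config.services.keycloak.settings;
    upstream = "http://${cfg.http-host}:${toString cfg.http-port}";
  in {
    "/" = { proxyPass = upstream; };
    # Admin console and admin API: reachable only from operator networks.
    "/admin" = {
      proxyPass = upstream;
      extraConfig = ''
        allow <ADMIN_CIDR>;
        deny all;
      '';
    };
  };
# … unchanged: enableACME / forceSSL / http2 on the virtualHost …
```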
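Review bot: modules/nginx.nix enables nginx for a `forceSSL` host but leaves the TLS parameters at the package defaults; adding `services.nginx.recommendedTlsSettings = true;` next to `services.nginx.enable = true;` gives the vhost a current protocol and cipher configuration without further per-host work. The commented-out `#server = ...` staging line should either go or become a comment explaining that it is the Let's Encrypt staging endpoint to switch to while testing issuance, so it does not read as dead config. The `config` and `pkgs` arguments are unused in this module and can be dropped from the argument set.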