some minor keycloak changes

2022-09-06 14:00:29 +02:00 · 2022-09-06 14:00:29 +02:00 · 8649d4812d
parent 99c461e3dd
commit 8649d4812d
4 changed files with 53 additions and 12 deletions
--- a/flake.nix
+++ b/flake.nix
@ -59,6 +59,7 @@
          ./modules/base.nix
          ./modules/sops.nix
          ./modules/keycloak.nix
+  	  ./modules/nginx.nix
          {
            sops.defaultSopsFile = ./secrets/durian.yaml;
          }
--- a/hosts/durian/configuration.nix
+++ b/hosts/durian/configuration.nix
@ -106,7 +106,7 @@
  services.openssh.permitRootLogin = "yes";
  
  # Open ports in the firewall.
-  # networking.firewall.allowedTCPPorts = [ ... ];
+  networking.firewall.allowedTCPPorts = [ 443 80 ];
  # networking.firewall.allowedUDPPorts = [ ... ];
  # Or disable the firewall altogether.
  # networking.firewall.enable = false;
--- a/modules/keycloak.nix
+++ b/modules/keycloak.nix
@ -1,13 +1,31 @@
 {pkgs, config, lib, ...}: {
  
-  sops.secrets.postgres_keycloak.owner = config.systemd.services.postgres_keycloak.serviceConfig.User;
+  sops.secrets.postgres_keycloak = {
+    owner = config.systemd.services.keycloak.serviceConfig.User;
+    group = "keycloak";
+  };
+
+  users.users.keycloak = {
+    name = "keycloak";
+    isSystemUser = true;
+    group = "keycloak";
+  };
+
+  users.groups.keycloak = {
+    name = "keycloak";
+    members = [ "keycloak" ];
+  };

  services = {
    keycloak = {
      enable = true;

      settings = {
-        hostname = "keycloak.durian.tassilo-tanneberger.de";
+        hostname = "keycloak.quitte.tassilo-tanneberger.de";
+        http-host = "127.0.0.1";
+        http-port = 8000;
+	https-port = 8001;
+	proxy = "edge";
      };

      database = {
@ -16,19 +34,30 @@
        passwordFile = config.sops.secrets.postgres_keycloak.path;
        name = "keycloak";
        host = "localhost";
+	createLocally = true;
      };
    };
    postgresql = {
      enable = true;
-      ensureUsers = [
-        {
-          name = "keycloak";
-          ensurePermissions = {
-            "DATABASE keycloak" = "ALL PRIVILEGES";
    };
-        }
-      ];
-      ensureDatabases = [ "keycloak" ];
+    nginx = {
+	enable = true;
+      	recommendedProxySettings = true;
+      	virtualHosts = {
+	  "${config.services.keycloak.settings.hostname}" = {
+	    enableACME = true;
+	    forceSSL = true;
+	    http2 = true;
+	    locations = {
+	      "/" = 
+		let
+		  cfg = config.services.keycloak.settings;	
+		in {
+ 		proxyPass = "http://${cfg.http-host}:${toString cfg.http-port}";
+	      };
+	    };
+	 };
+       };
    };
  };
 }
--- a/modules/nginx.nix
+++ b/modules/nginx.nix
@ -0,0 +1,11 @@
+{ config, pkgs, ... }:
+{
+  services.nginx.enable = true;
+  security.acme = {
+    acceptTerms = true;
+    defaults = {
+      #server = "https://acme-staging-v02.api.letsencrypt.org/directory";
+      email = "root@ifsr.de";
+    };
+  };
+}