gensokyo-zone/infrastructure
1
0
Fork 0
mirror of https://github.com/gensokyo-zone/infrastructure.git synced 2026-02-09 04:19:19 -08:00
Code Issues Projects Releases Packages Wiki Activity Actions

chore(keycloak): cloudflared and vouch

Browse source
This commit is contained in:
arcnmx 2024-03-18 19:10:43 -07:00
parent b8714cc674
commit 2eef6e5508
15 changed files with 303 additions and 229 deletions
Download patch file Download diff file Expand all files Collapse all files

31
nixos/keycloak.nix
View file

@ -1,5 +1,12 @@
{config, lib, ...}: let
inherit (lib.modules) mkForce;
inherit (lib.modules) mkIf mkForce mkDefault;
inherit (config.lib.access) mkSnakeOil;
cfg = config.services.keycloak;
cert = mkSnakeOil {
name = "keycloak-selfsigned";
domain = hostname;
};
hostname = "sso.${config.networking.domain}";
in {
sops.secrets = let
commonSecret = {
@ -9,13 +16,18 @@ in {
in {
keycloak_db_password = commonSecret;
};
users.users.keycloak = {
isSystemUser = true;
group = "keycloak";
users = mkIf cfg.enable {
users.keycloak = {
isSystemUser = true;
group = "keycloak";
};
groups.keycloak = {
};
};
networking.firewall.interfaces.local.allowedTCPPorts = [ 80 ];
users.groups.keycloak = {};
networking.firewall.interfaces.local.allowedTCPPorts = mkIf cfg.enable [
(if cfg.sslCertificate != null then 443 else 80)
];
systemd.services.keycloak.serviceConfig.DynamicUser = mkForce false;
services.keycloak = {
@ -29,8 +41,11 @@ in {
};
settings = {
hostname = "sso.${config.networking.domain}";
proxy = "edge";
hostname = mkDefault hostname;
proxy = mkDefault (if cfg.sslCertificate != null then "reencrypt" else "edge");
};
sslCertificate = mkDefault "${cert}/fullchain.pem";
sslCertificateKey = mkDefault "${cert}/key.pem";
};
}