chore(keycloak): cloudflared and vouch

2026-02-10 04:49:19 -08:00 · 2024-03-18 19:10:43 -07:00 · 2024-03-18 19:10:43 -07:00 · 2eef6e5508
commit 2eef6e5508
parent b8714cc674
15 changed files with 303 additions and 229 deletions
--- a/systems/keycloak/lxc.json
+++ b/systems/keycloak/lxc.json
@ -0,0 +1,19 @@
+{
+	"lxc": {
+		"lxc.mount.entry": [
+			"/dev/net/tun dev/net/tun none bind,optional,create=file"
+		],
+		"lxc.idmap": [
+			"u 0 100000 8000",
+			"g 0 100000 8000",
+			"u 8000 8000 128",
+			"g 8000 8000 256",
+			"u 8128 108128 57406",
+			"g 8256 108256 57278",
+			"u 65534 65534 1",
+			"g 65534 65534 1",
+			"u 65535 165535 1",
+			"g 65535 165535 1"
+		]
+	}
+}
--- a/systems/keycloak/nixos.nix
+++ b/systems/keycloak/nixos.nix
@ -1,4 +1,4 @@
-{meta, ...}: {
+{meta, config, ...}: {
  imports = let
    inherit (meta) nixos;
  in [
@ -6,8 +6,33 @@
    nixos.base
    nixos.reisen-ct
    nixos.keycloak
+    nixos.cloudflared
+    nixos.vouch
  ];

+  services.cloudflared = let
+    tunnelId = "c9a4b8c9-42d9-4566-8cff-eb63ca26809d";
+    inherit (config.services) keycloak vouch-proxy;
+  in {
+    tunnels.${tunnelId} = {
+      default = "http_status:404";
+      credentialsFile = config.sops.secrets.cloudflared-tunnel-keycloak.path;
+      ingress = {
+        ${keycloak.settings.hostname} = assert keycloak.enable; let
+          scheme = if keycloak.sslCertificate != null then "https" else "http";
+          port = keycloak.settings."${scheme}-port";
+        in {
+          service = "${scheme}://localhost:${toString port}";
+          originRequest.${if scheme == "https" then "noTLSVerify" else null} = true;
+        };
+        ${vouch-proxy.domain}.service = assert vouch-proxy.enable; "http://localhost:${toString vouch-proxy.settings.vouch.port}";
+      };
+    };
+  };
+  sops.secrets.cloudflared-tunnel-keycloak = {
+    owner = config.services.cloudflared.user;
+  };
+
  sops.defaultSopsFile = ./secrets.yaml;

  systemd.network.networks.eth0 = {
--- a/systems/keycloak/secrets.yaml
+++ b/systems/keycloak/secrets.yaml
@ -1,4 +1,4 @@
-hello: ENC[AES256_GCM,data:RUCrfjPq790szP+p/etEBYjsJbVq+wGaquYc5EBEEeGH6lrxo7mQwmgtDtxEOQ==,iv:aNOzr8HjPVTADpWZS1J7LlSGM5cWW2dgYUPvsrQuOvM=,tag:aQoPsIqUmVaa6pEBAdxxxw==,type:str]
+cloudflared-tunnel-keycloak: ENC[AES256_GCM,data:nXqz6gys7c9UsOy1oiFGFIl/ra/Cf2hb+LLjXI4agEy9mXCAJlKKg7YzuNaHGAXkTKlrpp2lC0P7qNmI3zryTQKBa+LHTq5Lcj9ZSbSW9zhVVS6e155RcdDv/7j1lcZnVmynX+Dz5m8bz490IEuVme985+L9W/5/ksCnjNzUFiCkaxKwe/w2gGv6GdBVYqCFv1j4XBTNAA9D62uZLM5IATtbaam3yZvygWcDLZLpnI+D1Cd5UvOMpgEvdyvKxfaZEzbgkX6BP2mcw+jC9XM=,iv:1rJgyfj+0vIO9hi5U1IarWlaK/tlpAFHn/q7bhtqogg=,tag:fCCY9lxnFt/ImqDeBH0hvw==,type:str]
 sops:
    shamir_threshold: 1
    kms: []
@ -15,8 +15,8 @@ sops:
            WkhIeEh1amh5K0hIb2FKZ0ppSGpBZlEKjF9ysJCX40H5vH4UuZSXryAThk3ipdlP
            RML2if3bz+uMXgw+zdEx8Ac6IcOM25K0gco6g/6r20WYbKz9og5JuA==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-03-13T22:39:15Z"
-    mac: ENC[AES256_GCM,data:14X+ClZ3Rsvi9aETzjSvjIiKKq6cPOe7t3LrB+ln3FTB4Wf7Fsbhd8aOdYff3yKqTfcnZU2VzEAEFJGNNlkCLQe9PgbKwzfKMH2i5dc9WpgJ6wY2btAUMRp3ocLwGwiRj0Nx8XsvTBL/8qzccHZL0A7I/MmwMiqsIyVWycj679c=,iv:zL8/3+XdVbvWrC5ODKurwtVoY921kQqwocc/hPgDLWI=,tag:HSDA4nCyoKaYBdNNg0+9bA==,type:str]
+    lastmodified: "2024-03-19T02:38:20Z"
+    mac: ENC[AES256_GCM,data:OqqsVE2xKsCpIZqszpdBWl9jEToImVW/Vdb5p0HyqjUOL1NSdyRThxx7fft7RlL9Iqd340WrQ/F4kmQHr+4pIEBsKkwrWUh0sbVNz1uLXFasr1nXuhB32zCu6/gxW9fofT11aHBjnH6rLy6KTnXK56jiyaXKPc25EgzKC9aomR4=,iv:hmADJiouxO4dznlSbKXJcAJgRJKtiR5QlypWt3/I7o0=,tag:HBP0G5o30rZsj+2YpM5gkw==,type:str]
    pgp:
        - created_at: "2024-03-13T22:39:09Z"
          enc: |-