diff --git a/docs/network.adoc b/docs/network.adoc
index 88e596eb..1412a039 100644
--- a/docs/network.adoc
+++ b/docs/network.adoc
@@ -28,6 +28,7 @@ mediabox:: `10.1.1.44`
 reimu:: `10.1.1.45`
 idp:: `10.1.1.46`
 aya:: `10.1.1.47`
+keycloak:: `10.1.1.48`
 nue:: `10.1.1.62`
 koishi:: `10.1.1.63`
 
diff --git a/nixos/keycloak.nix b/nixos/keycloak.nix
new file mode 100644
index 00000000..1fa17b32
--- /dev/null
+++ b/nixos/keycloak.nix
@@ -0,0 +1,25 @@
+{config, ...}: {
+  sops.secrets = let
+    commonSecret = {
+      sopsFile = ./secrets/keycloak.yaml;
+      owner = "keycloak";
+    };
+  in {
+    keycloak_db_password = commonSecret;
+  };
+
+  services.keycloak = {
+    enable = true;
+
+    database = {
+      host = "postgresql.local.${config.networking.domain}";
+      passwordFile = config.sops.secrets.keycloak_db_password.path;
+      createLocally = false;
+    };
+
+    settings = {
+      hostname = "sso.gensokyo.zone";
+      proxy = "edge";
+    };
+  };
+}
diff --git a/nixos/secrets/keycloak.yaml b/nixos/secrets/keycloak.yaml
new file mode 100644
index 00000000..a92cfc5c
--- /dev/null
+++ b/nixos/secrets/keycloak.yaml
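Review bot: `proxy = "edge"` in services.keycloak.settings makes Keycloak trust the X-Forwarded-* headers of whatever reaches its plain-HTTP listener directly, and nothing in this module binds that listener to the reverse-proxy side or firewalls it, so a peer on 10.1.1.0/24 or the tailnet that can reach the port could present an arbitrary client address and scheme to Keycloak. Consider restricting the listener, e.g. `settings.http-host = "<proxy-facing-address>";` (placeholder) or an equivalent `networking.firewall` rule for the HTTP port. Keycloak 24 also deprecates `proxy` in favour of `proxy-headers`, so check which Keycloak the pinned nixpkgs ships before relying on this option. `database.host` interpolates `config.networking.domain`, which defaults to null and is not set anywhere in this commit; if no other module sets it, evaluation of that string fails.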
@@ -0,0 +1,102 @@
+keycloak_db_password: ENC[AES256_GCM,data:NXYdwfMVzTTJukul3/g4LmddTQwAEBkSNHtMBElNIzE=,iv:MOTA4B7DH/WVVRVTTSGmLnYvqXXtZ7NkvgewJdsIzNs=,tag:XwVWTUU/IXuymSMr7r9ZuA==,type:str]
+sops:
+    shamir_threshold: 1
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age12ze362pu5mza6ef9akrptr7hfe4auaqul4rkta7kyy2tnrstqensgmujeq
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3YjhmK0s5dGwzNklSL240
+            aDBJejRSbStMSmR2WUhRY3VWR1czNGZhTGdnCnNMQnFnY1BQSXVBeUxRUHpYZ040
+            Q0xRd1lWNURhbXkyeC93aGhtdFpNQkEKLS0tIFpKQ0VDZUVpQVZ2SGh5aG1HQmY2
+            NkJKMWx5UW9XcEdCS1VWMHVjOUN3UHMKPGiOa99tAp9cL+lxPwxz3M8fQXEw+pBi
+            5t6eSA8l+m23M0A6Vo5YVANuCr1+eqiTIlTOUN4eAlnPml0DQAafoQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age176uyyyk7veqnzmm8xzwfhf0u23m6hm02cldlfkldunqe6std0gcq6lg057
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTdE9IZXRacEo1UDFTVU9I
+            Vk9Lekd2dzNQSVJEdGJ1N3ByZ1R5Y1dOS2prCkNsbUJaUXNhaXhnM0h2RjdrV21Z
+            aHdkdUNyY2dpREZ5cFd2eC81RlA4VWMKLS0tIHdHT3NlU0R0VVpCVUZESE42b0lG
+            bVExOHVnUVpYV3NEdjB3b2wvc3BiR00KyuIiR1dt/sQQBzBJgDj0+4KX9iRL2T/g
+            8sO62nqhJF15/Db9zfY+vxMfhUNIDpZZI0n5cwUaXmW33bfuNk8QmQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age10t6kc5069cyky929vvxk8aznqyxpkx3k5h5rmlyz83xtjmr22ahqe8mzes
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKd1VDYW1QWHZ4MVI0aUpN
+            NVh0MTk4TzRGZzNsa096NFRXYXdFQzBURHdBCng4d1dsaFBWbml6djFsbEtTVkRI
+            enlLa01aTFE1MUNuMlVwMFllakVqc2sKLS0tIDFDSldKQ05TR2lUbVJtQTd1Q055
+            Vnltak1STTh3dXhkdTdTTE9zWGlhakUK3tJvWGVu5oJNMkFK/jx9lVNu46Kcl/RO
+            3MYsDowGsSP3v5A1HSnezyXCK1aH35H/8LpIdgBCBkygiW9yekRiIA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1a2quf2ekkj94ygu7wgvhrvh44fwn32c0l2cwvgvjh23wst90s54szdsvgr
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvYmhKQnpFTHdqNTBRcVkz
+            OEVVOU9VbFNzK011NXhza2pQNjg4WWVFTlc4Cnc0b3E5TmJmSkVpY0hWR255SGs4
+            SjVWZFBTUEY2WlR4N2VNRXRncEcrNzgKLS0tIGhuVlBha1pRZUc0UkZmUlVybjd6
+            OFFqVU1UNytZRDFjQlZINkdmSW5UOWsKL+FNUPVTkYoacYlphA69dcI7GY2wjau6
+            1RwM/TaKbRr1SGHShAVLumOfYUfafq9POXaFWe9TXKRdODb94E5szA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age16klpkaut5759dut8mdm3jn0rnp8w6kxyvs9n6ntqrdsayjtd7upqlvw489
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVZWxzWkwrMkpXTDVBVXd0
+            bWN4NWVhdHFoaWp1SDF0eXRZWnNBMlEvQnhVCjQwbE4yblovSW1jR1NJMUI5cDRk
+            Y3N3WWV3RnJFUk5lREF3enhvNDNLaG8KLS0tICtzMWFyeW91b0duMStMcUptOUEy
+            OS9vazcwc1AxcFRKcVVxb2ZyQmtNZ3cKD25yeHHtUS5bkgdyakr/EwC7jynoQO98
+            sggQFnKDoP3RtyH7D5NRKvlEr3keqGwabrJSakNjgR5+goZxOP/NDQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age13qgddr326g5je0fpq2r3k940vsr3fh9nlvl9xtcxk3xg2x0k3vsq7pvzaj
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjc3F4NDJUSk03bXo1RkZG
+            TWs5WVJBL1JoNjhtOWoxNzAwLzl0Sk9RaEJ3CkE5WWZJNE42aHJQaEgvWnQ1Qm9x
+            bXpDM1hMbG9XbFJuNGxRVjBwNWtEVnMKLS0tIGJuVmxnR2x5YUFQWEpoY2YyNjA1
+            Mjk4WDJtKzNZSERXY1BQa29EN3ZXZzQKY9oVaH3r3bKN5XPa2+7nRwXawqKJ764r
+            445sPSy+qJ8259hEbPsB2JmsLnGMX5FznTV2jLDgLmnAoINO5Z4Jeg==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-03-13T22:02:55Z"
+    mac: ENC[AES256_GCM,data:q1h4LUioWwInrLw5bc3GyYxdAbiUgtm/mBE+rcdSSw+XOEPq5lrhJjlXFzS3CxsTxphhbNpYJZEsgiEI6uJ25mvW1s0jqCACvIyW6KcitME63m7WEctUWzJCFghY5xRIpnUg0Z6l6H+g1lZNfNCgbiHSXYbp1UvlFkA8gd+kWvI=,iv:clSMHC+h/BebuEtbaciqOUrSVKjkY8tIuhwRr9kvXwU=,tag:Mre6I4gH1NBkFvIUfArLYg==,type:str]
+    pgp:
+        - created_at: "2024-03-13T21:57:29Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA82M54yws73UAQ/+LmF+Uwy+i4i6EYoPAOqsoEnRre2aww4GafP6hDqU1o+f
+            XI45/GGsP8RZqpo8GuGDQnJaUHxxZQnpkoQzVSzg648GptuvTpCqcneR9ucVKgtt
+            rIWi6YaR9ju/kSRN1woxQkerE5C/OfRUMdgC1pAkULzQBd5j9/3zaY3BJX+UpfZ/
+            EFTCmlG33xBGo60WuB1L0wRCaQvJ908pp7AsKnZ/czI+mmn/FeqT0W3e/cJ8RDIc
+            nfVfXIsmjbfxedpSMzkZu0YqFj2TDEyS+b8Bw7MIojb6xLHT6cvX8rk3WSSswXwM
+            /fdiHI2DWicIiuDdFotqAR2saBKHULq+lf81G97V64fzR4SfcWLQEtUMQAr3A1qX
+            TM18MvRgBAdp4LbJ6llve53hosqKTu7DSmoIneTROrygE92JQeIV8o3Qhykb5Z09
+            4nm3m0x78wTWyhwHFBBt+Gy6oXfjC3IzMQdT+3yconqBkP5UFFqEljt2KQ8zIQwZ
+            7GkujP8NfOikThmPnnG5oDQ6O9uoKiS6zzL8SYgOb39aR9akmTKzGBeTtydD53dq
+            3vgb59xiLzeUfBy/bY2F+CJ4J1nICPeKa91J7UmtlCTASwK2FUes3HvdozXUCcQm
+            QBCh/u99lW4uD8AO8TUtag5OSh3mTE+qmkMAOkiHxQQkntwcBYFzsDoYMOKNZqXS
+            XAFgRThoOhK8z5BxH8Xvn34PcgUvRv17a3HGwI/5+TOgV048AV7P1I42pzeuFjBd
+            fd7/ybp6M3+/FXCin27s3XGV5mBFEwxYSeCjLSYvWpNCKsjAWihFFnUAytU4
+            =LsWx
+            -----END PGP MESSAGE-----
+          fp: CD8CE78CB0B3BDD4
+        - created_at: "2024-03-13T21:57:29Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQEMA2W9MER3HLb7AQgA3GJSAxJZvZf7ymoszCEW13Pmx+Y0tfiaV2IyCN2b3GFl
+            dRplZHAx8eudQva558YJeDpepDIVAsfLzrUXjQznKiJo11svg5+SI0ZVVGl8qj/r
+            vGgvqYpnoFSQw+GI7H22dclbfWlLY18JZ8vYU1y9Kf0fxNqTQa9ubbeX05k1+t0N
+            Bfle8SQdaZzHg0qUSU8E6UxRatJ1MuDvhFgjeOFGuZvogQXDZ5tN6itl+zBIc4CO
+            dQSZ7PRu7sniNn5kngGWOad9FB51vOn/O0DXOX6n3smg4FdMETj7RHPuI88hpe/a
+            Uws5ekbgskMhMyKXvWMsnZkQEmdKPpFxNtpsmCzxTtJcAYI5yxjfbrobgs+BZNbH
+            G41v+UDfi/9p8rdg1UZFN49wLZ3t7zTg3J1uxgUu+eVn31NWcKHkTQJZAHfHGKLX
+            JNDtiPGdz9SV0VmN+dnV03gKjC3KovnT4rG6vpo=
+            =kp1X
+            -----END PGP MESSAGE-----
+          fp: 65BD3044771CB6FB
+    unencrypted_suffix: _unencrypted
+    version: 3.8.1
diff --git a/systems/keycloak/default.nix b/systems/keycloak/default.nix
new file mode 100644
index 00000000..78928c62
--- /dev/null
+++ b/systems/keycloak/default.nix
@@ -0,0 +1,8 @@
+_: {
+  arch = "x86_64";
+  type = "NixOS";
+  modules = [
+    ./nixos.nix
+  ];
+  access.tailscale.enable = true;
+}
diff --git a/systems/keycloak/nixos.nix b/systems/keycloak/nixos.nix
new file mode 100644
index 00000000..03a1853a
--- /dev/null
+++ b/systems/keycloak/nixos.nix
@@ -0,0 +1,25 @@
+{meta, ...}: {
+  imports = let
+    inherit (meta) nixos;
+  in [
+    #nixos.sops
+    nixos.base
+    nixos.reisen-ct
+    nixos.keycloak
+  ];
+
+  #sops.defaultSopsFile = ./secrets.yaml;
+
+  systemd.network.networks.eth0 = {
+    name = "eth0";
+    matchConfig = {
+      MACAddress = "BC:24:11:C4:66:AC";
+      Type = "ether";
+    };
+    address = ["10.1.1.48/24"];
+    gateway = ["10.1.1.1"];
+    DHCP = "no";
+  };
+
+  system.stateVersion = "23.11";
+}
diff --git a/tf/proxmox_vms.tf b/tf/proxmox_vms.tf
index dcfcc507..abe7e1e2 100644
--- a/tf/proxmox_vms.tf
+++ b/tf/proxmox_vms.tf
@@ -4,6 +4,7 @@ variable "proxmox_container_template" {
 }
 
 locals {
+  proxmox_keycloak_vm_id = 107
   proxmox_litterbox_vm_id = 106
   proxmox_litterbox_config = jsondecode(file("${path.root}/../systems/litterbox/lxc.json"))
   proxmox_aya_vm_id = 105
@@ -511,3 +512,64 @@ EOT
     ignore_changes = [started, description, operating_system[0], cdrom[0].enabled, cdrom[0].file_id]
   }
 }
+
+resource "proxmox_virtual_environment_container" "keycloak" {
+  node_name = "reisen"
+  vm_id = local.proxmox_keycloak_vm_id
+  tags = ["tf"]
+  description = <
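Review bot: The `#nixos.sops` import is commented out in the imports list, while nixos/keycloak.nix (added in this same commit) declares `sops.secrets.keycloak_db_password` and reads `config.sops.secrets.keycloak_db_password.path`; unless `nixos.base` already pulls in the sops-nix module, evaluation fails on an undefined `sops` option rather than on a missing secret at runtime. If base does not provide it, restore the import, `nixos.sops`, or add a comment stating why it is intentionally disabled for this host. The commented `#sops.defaultSopsFile` is harmless here because keycloak.nix sets `sopsFile` explicitly, but a one-line comment saying so would spare the next reader the check.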