feat(keycloak): add, broken

docs/network.adoc

@@ -28,6 +28,7 @@ mediabox:: `10.1.1.44`
 reimu:: `10.1.1.45`
 idp:: `10.1.1.46`
 aya:: `10.1.1.47`
+keycloak:: `10.1.1.48`
 
 nue:: `10.1.1.62`
 koishi:: `10.1.1.63`

nixos/keycloak.nix

@@ -0,0 +1,25 @@
+{config, ...}: {
+  sops.secrets = let
+    commonSecret = {
+      sopsFile = ./secrets/keycloak.yaml;
+      owner = "keycloak";
+    };
+  in {
+    keycloak_db_password = commonSecret;
+  };
+
+  services.keycloak = {
+    enable = true;
+
+    database = {
+      host = "postgresql.local.${config.networking.domain}";
+      passwordFile = config.sops.secrets.keycloak_db_password.path;
+      createLocally = false;
+    };
+
+    settings = {
+        hostname = "sso.gensokyo.zone";
+        proxy = "edge";
+    };
+  };
+}

nixos/secrets/keycloak.yaml

@@ -0,0 +1,102 @@
+keycloak_db_password: ENC[AES256_GCM,data:NXYdwfMVzTTJukul3/g4LmddTQwAEBkSNHtMBElNIzE=,iv:MOTA4B7DH/WVVRVTTSGmLnYvqXXtZ7NkvgewJdsIzNs=,tag:XwVWTUU/IXuymSMr7r9ZuA==,type:str]
+sops:
+    shamir_threshold: 1
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age12ze362pu5mza6ef9akrptr7hfe4auaqul4rkta7kyy2tnrstqensgmujeq
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3YjhmK0s5dGwzNklSL240
+            aDBJejRSbStMSmR2WUhRY3VWR1czNGZhTGdnCnNMQnFnY1BQSXVBeUxRUHpYZ040
+            Q0xRd1lWNURhbXkyeC93aGhtdFpNQkEKLS0tIFpKQ0VDZUVpQVZ2SGh5aG1HQmY2
+            NkJKMWx5UW9XcEdCS1VWMHVjOUN3UHMKPGiOa99tAp9cL+lxPwxz3M8fQXEw+pBi
+            5t6eSA8l+m23M0A6Vo5YVANuCr1+eqiTIlTOUN4eAlnPml0DQAafoQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age176uyyyk7veqnzmm8xzwfhf0u23m6hm02cldlfkldunqe6std0gcq6lg057
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTdE9IZXRacEo1UDFTVU9I
+            Vk9Lekd2dzNQSVJEdGJ1N3ByZ1R5Y1dOS2prCkNsbUJaUXNhaXhnM0h2RjdrV21Z
+            aHdkdUNyY2dpREZ5cFd2eC81RlA4VWMKLS0tIHdHT3NlU0R0VVpCVUZESE42b0lG
+            bVExOHVnUVpYV3NEdjB3b2wvc3BiR00KyuIiR1dt/sQQBzBJgDj0+4KX9iRL2T/g
+            8sO62nqhJF15/Db9zfY+vxMfhUNIDpZZI0n5cwUaXmW33bfuNk8QmQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age10t6kc5069cyky929vvxk8aznqyxpkx3k5h5rmlyz83xtjmr22ahqe8mzes
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKd1VDYW1QWHZ4MVI0aUpN
+            NVh0MTk4TzRGZzNsa096NFRXYXdFQzBURHdBCng4d1dsaFBWbml6djFsbEtTVkRI
+            enlLa01aTFE1MUNuMlVwMFllakVqc2sKLS0tIDFDSldKQ05TR2lUbVJtQTd1Q055
+            Vnltak1STTh3dXhkdTdTTE9zWGlhakUK3tJvWGVu5oJNMkFK/jx9lVNu46Kcl/RO
+            3MYsDowGsSP3v5A1HSnezyXCK1aH35H/8LpIdgBCBkygiW9yekRiIA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1a2quf2ekkj94ygu7wgvhrvh44fwn32c0l2cwvgvjh23wst90s54szdsvgr
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvYmhKQnpFTHdqNTBRcVkz
+            OEVVOU9VbFNzK011NXhza2pQNjg4WWVFTlc4Cnc0b3E5TmJmSkVpY0hWR255SGs4
+            SjVWZFBTUEY2WlR4N2VNRXRncEcrNzgKLS0tIGhuVlBha1pRZUc0UkZmUlVybjd6
+            OFFqVU1UNytZRDFjQlZINkdmSW5UOWsKL+FNUPVTkYoacYlphA69dcI7GY2wjau6
+            1RwM/TaKbRr1SGHShAVLumOfYUfafq9POXaFWe9TXKRdODb94E5szA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age16klpkaut5759dut8mdm3jn0rnp8w6kxyvs9n6ntqrdsayjtd7upqlvw489
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVZWxzWkwrMkpXTDVBVXd0
+            bWN4NWVhdHFoaWp1SDF0eXRZWnNBMlEvQnhVCjQwbE4yblovSW1jR1NJMUI5cDRk
+            Y3N3WWV3RnJFUk5lREF3enhvNDNLaG8KLS0tICtzMWFyeW91b0duMStMcUptOUEy
+            OS9vazcwc1AxcFRKcVVxb2ZyQmtNZ3cKD25yeHHtUS5bkgdyakr/EwC7jynoQO98
+            sggQFnKDoP3RtyH7D5NRKvlEr3keqGwabrJSakNjgR5+goZxOP/NDQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age13qgddr326g5je0fpq2r3k940vsr3fh9nlvl9xtcxk3xg2x0k3vsq7pvzaj
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjc3F4NDJUSk03bXo1RkZG
+            TWs5WVJBL1JoNjhtOWoxNzAwLzl0Sk9RaEJ3CkE5WWZJNE42aHJQaEgvWnQ1Qm9x
+            bXpDM1hMbG9XbFJuNGxRVjBwNWtEVnMKLS0tIGJuVmxnR2x5YUFQWEpoY2YyNjA1
+            Mjk4WDJtKzNZSERXY1BQa29EN3ZXZzQKY9oVaH3r3bKN5XPa2+7nRwXawqKJ764r
+            445sPSy+qJ8259hEbPsB2JmsLnGMX5FznTV2jLDgLmnAoINO5Z4Jeg==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-03-13T22:02:55Z"
+    mac: ENC[AES256_GCM,data:q1h4LUioWwInrLw5bc3GyYxdAbiUgtm/mBE+rcdSSw+XOEPq5lrhJjlXFzS3CxsTxphhbNpYJZEsgiEI6uJ25mvW1s0jqCACvIyW6KcitME63m7WEctUWzJCFghY5xRIpnUg0Z6l6H+g1lZNfNCgbiHSXYbp1UvlFkA8gd+kWvI=,iv:clSMHC+h/BebuEtbaciqOUrSVKjkY8tIuhwRr9kvXwU=,tag:Mre6I4gH1NBkFvIUfArLYg==,type:str]
+    pgp:
+        - created_at: "2024-03-13T21:57:29Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA82M54yws73UAQ/+LmF+Uwy+i4i6EYoPAOqsoEnRre2aww4GafP6hDqU1o+f
+            XI45/GGsP8RZqpo8GuGDQnJaUHxxZQnpkoQzVSzg648GptuvTpCqcneR9ucVKgtt
+            rIWi6YaR9ju/kSRN1woxQkerE5C/OfRUMdgC1pAkULzQBd5j9/3zaY3BJX+UpfZ/
+            EFTCmlG33xBGo60WuB1L0wRCaQvJ908pp7AsKnZ/czI+mmn/FeqT0W3e/cJ8RDIc
+            nfVfXIsmjbfxedpSMzkZu0YqFj2TDEyS+b8Bw7MIojb6xLHT6cvX8rk3WSSswXwM
+            /fdiHI2DWicIiuDdFotqAR2saBKHULq+lf81G97V64fzR4SfcWLQEtUMQAr3A1qX
+            TM18MvRgBAdp4LbJ6llve53hosqKTu7DSmoIneTROrygE92JQeIV8o3Qhykb5Z09
+            4nm3m0x78wTWyhwHFBBt+Gy6oXfjC3IzMQdT+3yconqBkP5UFFqEljt2KQ8zIQwZ
+            7GkujP8NfOikThmPnnG5oDQ6O9uoKiS6zzL8SYgOb39aR9akmTKzGBeTtydD53dq
+            3vgb59xiLzeUfBy/bY2F+CJ4J1nICPeKa91J7UmtlCTASwK2FUes3HvdozXUCcQm
+            QBCh/u99lW4uD8AO8TUtag5OSh3mTE+qmkMAOkiHxQQkntwcBYFzsDoYMOKNZqXS
+            XAFgRThoOhK8z5BxH8Xvn34PcgUvRv17a3HGwI/5+TOgV048AV7P1I42pzeuFjBd
+            fd7/ybp6M3+/FXCin27s3XGV5mBFEwxYSeCjLSYvWpNCKsjAWihFFnUAytU4
+            =LsWx
+            -----END PGP MESSAGE-----
+          fp: CD8CE78CB0B3BDD4
+        - created_at: "2024-03-13T21:57:29Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQEMA2W9MER3HLb7AQgA3GJSAxJZvZf7ymoszCEW13Pmx+Y0tfiaV2IyCN2b3GFl
+            dRplZHAx8eudQva558YJeDpepDIVAsfLzrUXjQznKiJo11svg5+SI0ZVVGl8qj/r
+            vGgvqYpnoFSQw+GI7H22dclbfWlLY18JZ8vYU1y9Kf0fxNqTQa9ubbeX05k1+t0N
+            Bfle8SQdaZzHg0qUSU8E6UxRatJ1MuDvhFgjeOFGuZvogQXDZ5tN6itl+zBIc4CO
+            dQSZ7PRu7sniNn5kngGWOad9FB51vOn/O0DXOX6n3smg4FdMETj7RHPuI88hpe/a
+            Uws5ekbgskMhMyKXvWMsnZkQEmdKPpFxNtpsmCzxTtJcAYI5yxjfbrobgs+BZNbH
+            G41v+UDfi/9p8rdg1UZFN49wLZ3t7zTg3J1uxgUu+eVn31NWcKHkTQJZAHfHGKLX
+            JNDtiPGdz9SV0VmN+dnV03gKjC3KovnT4rG6vpo=
+            =kp1X
+            -----END PGP MESSAGE-----
+          fp: 65BD3044771CB6FB
+    unencrypted_suffix: _unencrypted
+    version: 3.8.1

systems/keycloak/default.nix

@@ -0,0 +1,8 @@
+_: {
+  arch = "x86_64";
+  type = "NixOS";
+  modules = [
+    ./nixos.nix
+  ];
+  access.tailscale.enable = true;
+}

systems/keycloak/nixos.nix

@@ -0,0 +1,25 @@
+{meta, ...}: {
+  imports = let
+    inherit (meta) nixos;
+  in [
+    #nixos.sops
+    nixos.base
+    nixos.reisen-ct
+    nixos.keycloak
+  ];
+
+  #sops.defaultSopsFile = ./secrets.yaml;
+
+  systemd.network.networks.eth0 = {
+    name = "eth0";
+    matchConfig = {
+      MACAddress = "BC:24:11:C4:66:AC";
+      Type = "ether";
+    };
+    address = ["10.1.1.48/24"];
+    gateway = ["10.1.1.1"];
+    DHCP = "no";
+  };
+
+  system.stateVersion = "23.11";
+}

tf/proxmox_vms.tf

@@ -4,6 +4,7 @@ variable "proxmox_container_template" {
 }
 
 locals {
+  proxmox_keycloak_vm_id = 107
   proxmox_litterbox_vm_id        = 106
   proxmox_litterbox_config       = jsondecode(file("${path.root}/../systems/litterbox/lxc.json"))
   proxmox_aya_vm_id        = 105
@@ -511,3 +512,64 @@ EOT
     ignore_changes = [started, description, operating_system[0], cdrom[0].enabled, cdrom[0].file_id]
   }
 }
+
+resource "proxmox_virtual_environment_container" "keycloak" {
+  node_name   = "reisen"
+  vm_id       = local.proxmox_keycloak_vm_id
+  tags        = ["tf"]
+  description = <<EOT
+keycloak
+EOT
+
+  memory {
+    dedicated = 512
+    swap      = 512
+  }
+
+  disk {
+    datastore_id = "local-zfs"
+    size         = 64
+  }
+
+  initialization {
+    hostname = "keycloak"
+    ip_config {
+      ipv6 {
+        address = "auto"
+      }
+      ipv4 {
+        address = "dhcp"
+      }
+    }
+  }
+
+  startup {
+    order      = 4
+    up_delay   = 0
+    down_delay = 0
+  }
+
+  network_interface {
+    name        = "eth0"
+    mac_address = "BC:24:11:C4:66:AC"
+  }
+
+  operating_system {
+    template_file_id = var.proxmox_container_template
+    type             = "nixos"
+  }
+
+  unprivileged = true
+  features {
+    nesting = true
+  }
+
+  console {
+    type = "console"
+  }
+  started = false
+
+  lifecycle {
+    ignore_changes = [started, unprivileged, initialization[0].dns, operating_system[0].template_file_id]
+  }
+}