gensokyo-zone/infrastructure
1
0
Fork 0
mirror of https://github.com/gensokyo-zone/infrastructure.git synced 2026-02-09 12:29:19 -08:00
Code Issues Projects Releases Packages Wiki Activity Actions

feat(keycloak): local sso

Browse source
This commit is contained in:
arcnmx 2024-03-22 14:23:46 -07:00
parent b16d6faee7
commit f0b5811915
3 changed files with 27 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

14
nixos/keycloak.nix
View file

@ -1,5 +1,6 @@
{config, lib, ...}: let
{inputs, system, config, lib, ...}: let
inherit (lib.modules) mkIf mkForce mkDefault;
inherit (lib.lists) optional;
inherit (config.lib.access) mkSnakeOil;
cfg = config.services.keycloak;
cert = mkSnakeOil {
@ -7,7 +8,14 @@
domain = hostname;
};
hostname = "sso.${config.networking.domain}";
hostname-strict = false;
inherit (inputs.self.legacyPackages.${system.system}) patchedNixpkgs;
keycloakModulePath = "services/web-apps/keycloak.nix";
in {
# upstream keycloak makes an incorrect assumption in its assertions, so we patch it
disabledModules = optional (!hostname-strict) keycloakModulePath;
imports = optional (!hostname-strict) (patchedNixpkgs + "/nixos/modules/${keycloakModulePath}");
sops.secrets = let
commonSecret = {
sopsFile = ./secrets/keycloak.yaml;
@ -41,8 +49,10 @@ in {
};
settings = {
hostname = mkDefault hostname;
hostname = mkDefault (if hostname-strict then hostname else null);
proxy = mkDefault (if cfg.sslCertificate != null then "reencrypt" else "edge");
hostname-strict = mkDefault hostname-strict;
hostname-strict-https = mkDefault hostname-strict;
proxy-headers = mkDefault "xforwarded";
};