feat(keycloak): local sso

arcnmx 2024-03-22 14:23:46 -07:00
parent b16d6faee7
commit f0b5811915
3 changed files with 27 additions and 2 deletions


@ -1,5 +1,6 @@
{config, lib, ...}: let {inputs, system, config, lib, ...}: let
inherit (lib.modules) mkIf mkForce mkDefault; inherit (lib.modules) mkIf mkForce mkDefault;
inherit (lib.lists) optional;
inherit (config.lib.access) mkSnakeOil; inherit (config.lib.access) mkSnakeOil;
cfg = config.services.keycloak; cfg = config.services.keycloak;
cert = mkSnakeOil { cert = mkSnakeOil {
@ -7,7 +8,14 @@
domain = hostname; domain = hostname;
}; };
hostname = "sso.${config.networking.domain}"; hostname = "sso.${config.networking.domain}";
hostname-strict = false;
inherit (inputs.self.legacyPackages.${system.system}) patchedNixpkgs;
keycloakModulePath = "services/web-apps/keycloak.nix";
in { in {
# upstream keycloak makes an incorrect assumption in its assertions, so we patch it
disabledModules = optional (!hostname-strict) keycloakModulePath;
imports = optional (!hostname-strict) (patchedNixpkgs + "/nixos/modules/${keycloakModulePath}");
sops.secrets = let sops.secrets = let
commonSecret = { commonSecret = {
sopsFile = ./secrets/keycloak.yaml; sopsFile = ./secrets/keycloak.yaml;
@ -41,8 +49,10 @@ in {
}; };
settings = { settings = {
hostname = mkDefault hostname; hostname = mkDefault (if hostname-strict then hostname else null);
proxy = mkDefault (if cfg.sslCertificate != null then "reencrypt" else "edge"); proxy = mkDefault (if cfg.sslCertificate != null then "reencrypt" else "edge");
hostname-strict = mkDefault hostname-strict;
hostname-strict-https = mkDefault hostname-strict;
proxy-headers = mkDefault "xforwarded"; proxy-headers = mkDefault "xforwarded";
}; };
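Review bot: `hostname-strict = false;` in the let block is a hard-coded constant rather than anything derived from the deployment, so every host that imports this module runs Keycloak with `hostname-strict` and `hostname-strict-https` disabled and `settings.hostname = null`, not only the local SSO setup the commit title describes. With hostname-strict off Keycloak, as far as I recall its hostname documentation, derives its issuer and redirect base URL from the incoming request (the Host / X-Forwarded-Host headers that `proxy-headers = "xforwarded"` tells it to honour), and hostname-strict-https off lets that URL be plain http; that is only acceptable when the reverse proxy in front of it overwrites those headers, which nothing in these hunks shows. Consider deriving the flag from a module option instead, or at least documenting the tradeoff at the binding, e.g. `# local/dev only: with hostname-strict off Keycloak takes its public URL from the forwarded Host header, so the proxy must set it`. The enclosing attribute set and the `settings` block both continue outside the hunks shown here.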


@ -19,6 +19,7 @@
name = "nixpkgs"; name = "nixpkgs";
src = inputs.nixpkgs; src = inputs.nixpkgs;
patches = [ patches = [
./packages/nixpkgs-keycloak-nullhostname.patch
]; ];
}; };
deploy-rs = let deploy-rs = let


@ -0,0 +1,14 @@
diff --git a/nixos/modules/services/web-apps/keycloak.nix b/nixos/modules/services/web-apps/keycloak.nix
--- a/nixos/modules/services/web-apps/keycloak.nix
+++ b/nixos/modules/services/web-apps/keycloak.nix
@@ -480,10 +480,6 @@ in
assertion = createLocalPostgreSQL -> config.services.postgresql.settings.standard_conforming_strings or true;
message = "Setting up a local PostgreSQL db for Keycloak requires `standard_conforming_strings` turned on to work reliably";
}
- {
- assertion = cfg.settings.hostname != null || cfg.settings.hostname-url or null != null;
- message = "Setting the Keycloak hostname is required, see `services.keycloak.settings.hostname`";
- }
{
assertion = !(cfg.settings.hostname != null && cfg.settings.hostname-url or null != null);
message = "`services.keycloak.settings.hostname` and `services.keycloak.settings.hostname-url` are mutually exclusive";
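Review bot: The patch deletes the hostname assertion outright instead of relaxing it, so a host that keeps Keycloak's upstream default of strict hostname checking and forgets `settings.hostname` now passes evaluation and only fails when Keycloak starts. Since this commit sets `hostname-strict` explicitly, the guard could be kept and scoped to the strict case, e.g. `assertion = !(cfg.settings.hostname-strict or true) || cfg.settings.hostname != null || cfg.settings.hostname-url or null != null;` with the message unchanged. That preserves the eval-time check for the upstream default while still allowing the null hostname this commit needs. The assertion list continues outside the hunk on both sides.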