gensokyo-zone/infrastructure
1
0
Fork 0
mirror of https://github.com/gensokyo-zone/infrastructure.git synced 2026-02-09 12:29:19 -08:00
Code Issues Projects Releases Packages Wiki Activity Actions
infrastructure/config/services/keycloak.nix
kat witch 5b1e34f01a
Fix building in CI
2022-07-10 13:58:08 -07:00

74 lines
2.2 KiB
Nix
Raw Blame History

{ config, pkgs, lib, tf, ... }: with lib; let
keystore-pass = "zZX3eS";
in {
services.keycloak = {
enable = builtins.getEnv "CI_PLATFORM" == "impure";
bindAddress = "127.0.0.1";
httpPort = "8089";
httpsPort = "8445";
initialAdminPassword = "mewpymewlymewlies";
forceBackendUrlToFrontendUrl = true;
frontendUrl = "https://auth.${config.network.dns.domain}/auth";
database.passwordFile = config.secrets.files.keycloak-postgres-file.path;
extraConfig = {
"subsystem=undertow" = {
"server=default-server" = {
"http-listener=default" = {
"proxy-address-forwarding" = true;
};
};
};
"subsystem=keycloak-server" = {
"spi=truststore" = {
"provider=file" = {
enabled = true;
properties.password = keystore-pass;
properties.file = "/var/lib/acme/domain-auth/trust-store.jks";
properties.hostname-verification-policy = "WILDCARD";
properties.disabled = false;
};
};
};
};
};
network.extraCerts.domain-auth = "auth.${config.network.dns.domain}";
users.groups.domain-auth.members = [ "nginx" "openldap" "keycloak" ];
security.acme.certs.domain-auth = {
group = "domain-auth";
postRun = ''
${pkgs.adoptopenjdk-jre-bin}/bin/keytool -import -alias auth.${config.network.dns.domain} -noprompt -keystore trust-store.jks -keypass ${keystore-pass} -storepass ${keystore-pass} -file cert.pem
chown acme:domain-auth ./trust-store.jks
'';
};
users.groups.keycloak = { };
users.users.keycloak = {
isSystemUser = true;
group = "keycloak";
};
kw.secrets.variables.keycloak-postgres = {
path = "services/keycloak";
field = "postgres";
};
secrets.files.keycloak-postgres-file = {
text = "${tf.variables.keycloak-postgres.ref}";
owner = "postgres";
group = "keycloak";
};
services.nginx.virtualHosts."auth.${config.network.dns.domain}" = {
useACMEHost = "domain-auth";
forceSSL = true;
locations = { "/".proxyPass = "http://127.0.0.1:8089"; };
};
deploy.tf.dns.records.services_keycloak = {
inherit (config.network.dns) zone;
domain = "auth";
cname = { inherit (config.network.addresses.public) target; };
};
}
Reference in a new issue View git blame Copy permalink