mirror of
https://github.com/gensokyo-zone/infrastructure.git
synced 2026-02-09 20:39:18 -08:00
73 lines
2 KiB
Nix
73 lines
2 KiB
Nix
{ config, pkgs, lib, tf, ... }: with lib; let
|
|
keystore-pass = "zZX3eS";
|
|
in {
|
|
services.keycloak = {
|
|
enable = builtins.getEnv "CI_PLATFORM" == "impure";
|
|
package = (pkgs.keycloak.override {
|
|
jre = pkgs.openjdk11;
|
|
});
|
|
initialAdminPassword = "mewpymewlymewlies";
|
|
database.passwordFile = config.secrets.files.keycloak-postgres-file.path;
|
|
settings = {
|
|
http-enabled = true;
|
|
http-host = "127.0.0.1";
|
|
http-port = 8089;
|
|
https-port = 8445;
|
|
proxy = "edge";
|
|
hostname = "auth.kittywit.ch";
|
|
hostname-strict = false;
|
|
http-relative-path = "/auth";
|
|
hostname-strict-backchannel = true;
|
|
https-key-store-file = "/var/lib/acme/auth.kittywit.ch/trust-store.jks";
|
|
https-key-store-password = keystore-pass;
|
|
};
|
|
};
|
|
|
|
|
|
users.groups.domain-auth = {
|
|
gid = 10600;
|
|
members = [ "keycloak" ];
|
|
};
|
|
/*
|
|
security.acme.certs."auth.kittywit.ch" = {
|
|
group = "domain-auth";
|
|
postRun = ''
|
|
${pkgs.adoptopenjdk-jre-bin}/bin/keytool -delete -alias auth.kittywit.ch -keypass ${keystore-pass} -storepass ${keystore-pass} -keystore ./trust-store.jks
|
|
${pkgs.adoptopenjdk-jre-bin}/bin/keytool -import -alias auth.kittywit.ch -noprompt -keystore trust-store.jks -keypass ${keystore-pass} -storepass ${keystore-pass} -file cert.pem
|
|
chown acme:domain-auth ./trust-store.jks
|
|
'';
|
|
};*/
|
|
|
|
users.groups.keycloak = { };
|
|
users.users.keycloak = {
|
|
isSystemUser = true;
|
|
group = "keycloak";
|
|
};
|
|
|
|
kw.secrets.variables.keycloak-postgres = {
|
|
path = "services/keycloak";
|
|
field = "postgres";
|
|
};
|
|
|
|
secrets.files.keycloak-postgres-file = {
|
|
text = "${tf.variables.keycloak-postgres.ref}";
|
|
owner = "postgres";
|
|
group = "keycloak";
|
|
};
|
|
|
|
services.nginx.virtualHosts."auth.kittywit.ch" = {
|
|
forceSSL = true;
|
|
locations = {
|
|
"/".extraConfig = ''
|
|
return 301 /auth;
|
|
'';
|
|
"/auth".proxyPass = "http://127.0.0.1:8089/auth";
|
|
};
|
|
};
|
|
|
|
domains.kittywitch-keycloak = {
|
|
network = "internet";
|
|
type = "cname";
|
|
domain = "auth";
|
|
};
|
|
}
|