mirror of
https://github.com/gensokyo-zone/infrastructure.git
synced 2026-02-09 20:39:18 -08:00
72 lines
1.7 KiB
Nix
72 lines
1.7 KiB
Nix
{
|
|
access,
|
|
config,
|
|
lib,
|
|
...
|
|
}: let
|
|
inherit (lib.modules) mkIf mkForce mkDefault;
|
|
cfg = config.services.keycloak;
|
|
cert = access.mkSnakeOil {
|
|
name = "keycloak-selfsigned";
|
|
domain = hostname;
|
|
};
|
|
hostname = "sso.${config.networking.domain}";
|
|
in {
|
|
sops.secrets = let
|
|
commonSecret = {
|
|
sopsFile = ./secrets/keycloak.yaml;
|
|
owner = "keycloak";
|
|
};
|
|
in
|
|
mkIf cfg.enable {
|
|
keycloak_db_password = commonSecret;
|
|
};
|
|
users = mkIf cfg.enable {
|
|
users.keycloak = {
|
|
isSystemUser = true;
|
|
group = "keycloak";
|
|
};
|
|
groups.keycloak = {
|
|
};
|
|
};
|
|
|
|
networking.firewall.interfaces.lan.allowedTCPPorts = mkIf cfg.enable [
|
|
cfg.port
|
|
];
|
|
systemd.services.keycloak = mkIf cfg.enable {
|
|
serviceConfig.DynamicUser = mkForce false;
|
|
};
|
|
|
|
services.keycloak = {
|
|
enable = true;
|
|
|
|
database = let
|
|
system = access.systemForService "postgresql";
|
|
inherit (system.exports.services) postgresql;
|
|
in {
|
|
host = access.getAddressFor system.name "lan";
|
|
port = postgresql.ports.default.port;
|
|
passwordFile = config.sops.secrets.keycloak_db_password.path;
|
|
createLocally = false;
|
|
useSSL = postgresql.ports.default.ssl;
|
|
};
|
|
|
|
settings = let
|
|
hostname-strict = false;
|
|
in {
|
|
hostname = mkDefault (
|
|
if cfg.settings.hostname-strict
|
|
then hostname
|
|
else null
|
|
);
|
|
hostname-strict = mkDefault hostname-strict;
|
|
hostname-strict-https = mkDefault hostname-strict;
|
|
proxy-headers = mkDefault "xforwarded";
|
|
http-port = mkDefault 8080;
|
|
https-port = mkDefault 8443;
|
|
};
|
|
|
|
sslCertificate = mkDefault "${cert}/fullchain.pem";
|
|
sslCertificateKey = mkDefault "${cert}/key.pem";
|
|
};
|
|
}
|