mirror of
https://github.com/kittywitch/nixfiles.git
synced 2026-02-09 20:39:18 -08:00
65 lines
2.1 KiB
Nix
65 lines
2.1 KiB
Nix
{ config, pkgs, lib, tf, ... }: with lib; let
|
|
keystore-pass = "zZX3eS";
|
|
in {
|
|
services.keycloak = {
|
|
enable = builtins.getEnv "CI_PLATFORM" == "impure";
|
|
package = (pkgs.keycloak.override {
|
|
jre = pkgs.openjdk11;
|
|
});
|
|
initialAdminPassword = "mewpymewlymewlies";
|
|
database.passwordFile = config.secrets.files.keycloak-postgres-file.path;
|
|
settings = {
|
|
http-enabled = true;
|
|
http-host = "127.0.0.1";
|
|
http-port = 8089;
|
|
https-port = 8445;
|
|
proxy = "edge";
|
|
hostname = "auth.kittywit.ch";
|
|
http-relative-path = "/auth";
|
|
hostname-strict-backchannel = true;
|
|
https-key-store-file = "/var/lib/acme/domain-auth/trust-store.jks";
|
|
https-key-store-password = keystore-pass;
|
|
};
|
|
};
|
|
|
|
|
|
network.extraCerts.domain-auth = "auth.${config.network.dns.domain}";
|
|
users.groups.domain-auth.members = [ "nginx" "openldap" "keycloak" ];
|
|
security.acme.certs.domain-auth = {
|
|
group = "domain-auth";
|
|
postRun = ''
|
|
${pkgs.adoptopenjdk-jre-bin}/bin/keytool -delete -alias auth.kittywit.ch -keypass ${keystore-pass} -storepass ${keystore-pass} -keystore ./trust-store.jks
|
|
${pkgs.adoptopenjdk-jre-bin}/bin/keytool -import -alias auth.${config.network.dns.domain} -noprompt -keystore trust-store.jks -keypass ${keystore-pass} -storepass ${keystore-pass} -file cert.pem
|
|
chown acme:domain-auth ./trust-store.jks
|
|
'';
|
|
};
|
|
|
|
users.groups.keycloak = { };
|
|
users.users.keycloak = {
|
|
isSystemUser = true;
|
|
group = "keycloak";
|
|
};
|
|
|
|
kw.secrets.variables.keycloak-postgres = {
|
|
path = "services/keycloak";
|
|
field = "postgres";
|
|
};
|
|
|
|
secrets.files.keycloak-postgres-file = {
|
|
text = "${tf.variables.keycloak-postgres.ref}";
|
|
owner = "postgres";
|
|
group = "keycloak";
|
|
};
|
|
|
|
services.nginx.virtualHosts."auth.${config.network.dns.domain}" = {
|
|
useACMEHost = "domain-auth";
|
|
forceSSL = true;
|
|
locations = { "/".proxyPass = "http://127.0.0.1:8089"; };
|
|
};
|
|
|
|
deploy.tf.dns.records.services_keycloak = {
|
|
inherit (config.network.dns) zone;
|
|
domain = "auth";
|
|
cname = { inherit (config.network.addresses.public) target; };
|
|
};
|
|
}
|