hosts/plover: add Keycloak service

2025-01-31 04:58:01 +00:00 · 2022-12-12 20:32:21 +08:00 · 2022-12-12 20:32:21 +08:00 · 6c02598f35
commit 6c02598f35
parent 502fd34ead
2 changed files with 40 additions and 2 deletions
--- a/hosts/plover/default.nix
+++ b/hosts/plover/default.nix
@ -5,6 +5,7 @@ let
  domain = config.networking.domain;
  passwordManagerDomain = "pass.${domain}";
  codeForgeDomain = "code.${domain}";
+  identityDomain = "identity.${domain}";
  dbDomain = "db.${domain}";

  # This should be set from service module from nixpkgs.
@ -66,6 +67,7 @@ in
        "vaultwarden/env".owner = vaultwardenUserGroup;
        "borg/patterns/keys" = { };
        "borg/password" = { };
+        "keycloak/db/password" = { };
      }
    );

@ -150,6 +152,15 @@ in
          proxyPass = "http://localhost:${toString config.services.gitea.httpPort}";
        };
      };
+
+      # Keycloak instance.
+      "${identityDomain}" = {
+        forceSSL = true;
+        enableACME = true;
+        locations."/" = {
+          proxyPass = "http://localhost:${toString config.services.keycloak.settings.https-port}";
+        };
+      };
    };

    streamConfig = ''
@ -230,6 +241,30 @@ in
    ];
  };

+  # Hey, the hub for your application sign-in.
+  services.keycloak = {
+    enable = true;
+
+    # Pls change at first login.
+    initialAdminPassword = "wow what is this thing";
+
+    database = {
+      type = "postgresql";
+      createLocally = true;
+      passwordFile = config.sops.secrets."plover/keycloak/db/password".path;
+      caCert = "${config.security.acme.certs."${dbDomain}".directory}/chain.pem";
+    };
+
+    settings = {
+      hostname = identityDomain;
+      hostname-strict-backchannel = true;
+      proxy = "reencrypt";
+    };
+
+    sslCertificate = "${config.security.acme.certs."${identityDomain}".directory}/fullchain.pem";
+    sslCertificateKey = "${config.security.acme.certs."${identityDomain}".directory}/key.pem";
+  };
+
  # With a database comes a dumping.
  services.postgresqlBackup = {
    enable = true;
--- a/hosts/plover/secrets/secrets.yaml
+++ b/hosts/plover/secrets/secrets.yaml
@ -19,6 +19,9 @@ borg:
    password: ENC[AES256_GCM,data:Fxz36DGpjl5brWRPlzkqmhgwuDAw4BrqlHazjFkV,iv:qiII9yWbUfQggeO3KdPwNXAQBwVmx6YEa5YIID3AUIs=,tag:74IJEGAQ+PiHsw1RKb+iJg==,type:str]
    patterns:
        keys: ENC[AES256_GCM,data:rv1I75M+3Y4vR65aloXyPgD594n2U9zcOFg4853yeA/+jUpDUC+Is9SaKVo1AB90LgnPl5yhGNzQbM5q9INaq9SL,iv:xj/owX79CeWV2ztQ0DP5bQRBwLPZiCpHB/JAK5tCfH8=,tag:sgkrWI/PtxZjw70lQfD8Jg==,type:str]
+keycloak:
+    db:
+        password: ENC[AES256_GCM,data:oTqbholsgs6mcxNPTgq6Flk1yRlYHaHkiw3VtCcAAw==,iv:5f8nXJYylG4Px5YuFXFYbNpW4GzOK58TYxLTEuzfMuQ=,tag:/1ydKBAklDRIrqtKs2hOqw==,type:str]
 sops:
    kms: []
    gcp_kms: []
@ -34,8 +37,8 @@ sops:
            ZCtNbnFqdzNkVlBtNjVCdE4yNHMrRjQKfFV4GaReO0UO81xsTB0EuN5ibVsafXJY
            miBgZAZWbJjSBcM4X+Fym/DlxHRoB1a6iFEFN9yg+Z9WI8PfjKnbsA==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2022-12-11T00:10:04Z"
-    mac: ENC[AES256_GCM,data:QWn93hgGSmsapwQjd0yLz/b572NcHs78UJ8hCUKbuJl1tsHslQ2/lwTuBJafN05ZtsVcFoscDYmJcrezHwfDMDy1/swH/7PXRPDkIsOkq3ibIJXLA+MpA/zAN9h4m93zDrEP8ee14ulQCIx4Z+0Sx6dfPdakln/augOLuPXI0wc=,iv:SkwDx//eKPeYnDXX+POS72BgIfp1JgDEtZAz8B9+++E=,tag:uZznBjp5sL85m2WZ1lGGIQ==,type:str]
+    lastmodified: "2022-12-12T09:57:34Z"
+    mac: ENC[AES256_GCM,data:O8RVX5ibpttPlVbZ8DDFMXbGIGU1p5R30uOn5bNVtYoVJvTCmMUKYgbsddM5IJH7dDm7JIAROYkI2p+V0F0GwdKL95hFxbKDIjNmHzeWNVGXhpp960sDP3QZ2UdrhZr+njlaVR1NLaT3w9xvZ49XYIDrRDHSythVceJdymkIGzg=,iv:E9jvkXXw/ctvbiGPEvho0kuMrYkOPKnaCfkObBIy8vQ=,tag:v85Rlx7+8xH4tN88y27OYw==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.7.3