foodogsquared/nixos-config
1
0
Fork 0
mirror of https://github.com/foo-dogsquared/nixos-config.git synced 2025-02-12 06:19:00 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

hosts/plover: add Keycloak service

Browse Source
This commit is contained in:
Gabriel Arazas 2022-12-12 20:32:21 +08:00
parent 502fd34ead
commit 6c02598f35
2 changed files with 40 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

35
hosts/plover/default.nix
View File

@ -5,6 +5,7 @@ let
domain = config.networking.domain; domain = config.networking.domain;
passwordManagerDomain = "pass.${domain}"; passwordManagerDomain = "pass.${domain}";
codeForgeDomain = "code.${domain}"; codeForgeDomain = "code.${domain}";
identityDomain = "identity.${domain}";
dbDomain = "db.${domain}"; dbDomain = "db.${domain}";
# This should be set from service module from nixpkgs. # This should be set from service module from nixpkgs.
@ -66,6 +67,7 @@ in
"vaultwarden/env".owner = vaultwardenUserGroup; "vaultwarden/env".owner = vaultwardenUserGroup;
"borg/patterns/keys" = { }; "borg/patterns/keys" = { };
"borg/password" = { }; "borg/password" = { };
"keycloak/db/password" = { };
} }
); );
@ -150,6 +152,15 @@ in
proxyPass = "http://localhost:${toString config.services.gitea.httpPort}"; proxyPass = "http://localhost:${toString config.services.gitea.httpPort}";
}; };
}; };
# Keycloak instance.
"${identityDomain}" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://localhost:${toString config.services.keycloak.settings.https-port}";
};
};
}; };
streamConfig = '' streamConfig = ''
@ -230,6 +241,30 @@ in
]; ];
}; };
# Hey, the hub for your application sign-in.
services.keycloak = {
enable = true;
# Pls change at first login.
initialAdminPassword = "wow what is this thing";
database = {
type = "postgresql";
createLocally = true;
passwordFile = config.sops.secrets."plover/keycloak/db/password".path;
caCert = "${config.security.acme.certs."${dbDomain}".directory}/chain.pem";
};
settings = {
hostname = identityDomain;
hostname-strict-backchannel = true;
proxy = "reencrypt";
};
sslCertificate = "${config.security.acme.certs."${identityDomain}".directory}/fullchain.pem";
sslCertificateKey = "${config.security.acme.certs."${identityDomain}".directory}/key.pem";
};
# With a database comes a dumping. # With a database comes a dumping.
services.postgresqlBackup = { services.postgresqlBackup = {
enable = true; enable = true;

7
hosts/plover/secrets/secrets.yaml
View File

@ -19,6 +19,9 @@ borg:
password: ENC[AES256_GCM,data:Fxz36DGpjl5brWRPlzkqmhgwuDAw4BrqlHazjFkV,iv:qiII9yWbUfQggeO3KdPwNXAQBwVmx6YEa5YIID3AUIs=,tag:74IJEGAQ+PiHsw1RKb+iJg==,type:str] password: ENC[AES256_GCM,data:Fxz36DGpjl5brWRPlzkqmhgwuDAw4BrqlHazjFkV,iv:qiII9yWbUfQggeO3KdPwNXAQBwVmx6YEa5YIID3AUIs=,tag:74IJEGAQ+PiHsw1RKb+iJg==,type:str]
patterns: patterns:
keys: ENC[AES256_GCM,data:rv1I75M+3Y4vR65aloXyPgD594n2U9zcOFg4853yeA/+jUpDUC+Is9SaKVo1AB90LgnPl5yhGNzQbM5q9INaq9SL,iv:xj/owX79CeWV2ztQ0DP5bQRBwLPZiCpHB/JAK5tCfH8=,tag:sgkrWI/PtxZjw70lQfD8Jg==,type:str] keys: ENC[AES256_GCM,data:rv1I75M+3Y4vR65aloXyPgD594n2U9zcOFg4853yeA/+jUpDUC+Is9SaKVo1AB90LgnPl5yhGNzQbM5q9INaq9SL,iv:xj/owX79CeWV2ztQ0DP5bQRBwLPZiCpHB/JAK5tCfH8=,tag:sgkrWI/PtxZjw70lQfD8Jg==,type:str]
keycloak:
db:
password: ENC[AES256_GCM,data:oTqbholsgs6mcxNPTgq6Flk1yRlYHaHkiw3VtCcAAw==,iv:5f8nXJYylG4Px5YuFXFYbNpW4GzOK58TYxLTEuzfMuQ=,tag:/1ydKBAklDRIrqtKs2hOqw==,type:str]
sops: sops:
kms: [] kms: []
gcp_kms: [] gcp_kms: []
@ -34,8 +37,8 @@ sops:
ZCtNbnFqdzNkVlBtNjVCdE4yNHMrRjQKfFV4GaReO0UO81xsTB0EuN5ibVsafXJY ZCtNbnFqdzNkVlBtNjVCdE4yNHMrRjQKfFV4GaReO0UO81xsTB0EuN5ibVsafXJY
miBgZAZWbJjSBcM4X+Fym/DlxHRoB1a6iFEFN9yg+Z9WI8PfjKnbsA== miBgZAZWbJjSBcM4X+Fym/DlxHRoB1a6iFEFN9yg+Z9WI8PfjKnbsA==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2022-12-11T00:10:04Z" lastmodified: "2022-12-12T09:57:34Z"
mac: ENC[AES256_GCM,data:QWn93hgGSmsapwQjd0yLz/b572NcHs78UJ8hCUKbuJl1tsHslQ2/lwTuBJafN05ZtsVcFoscDYmJcrezHwfDMDy1/swH/7PXRPDkIsOkq3ibIJXLA+MpA/zAN9h4m93zDrEP8ee14ulQCIx4Z+0Sx6dfPdakln/augOLuPXI0wc=,iv:SkwDx//eKPeYnDXX+POS72BgIfp1JgDEtZAz8B9+++E=,tag:uZznBjp5sL85m2WZ1lGGIQ==,type:str] mac: ENC[AES256_GCM,data:O8RVX5ibpttPlVbZ8DDFMXbGIGU1p5R30uOn5bNVtYoVJvTCmMUKYgbsddM5IJH7dDm7JIAROYkI2p+V0F0GwdKL95hFxbKDIjNmHzeWNVGXhpp960sDP3QZ2UdrhZr+njlaVR1NLaT3w9xvZ49XYIDrRDHSythVceJdymkIGzg=,iv:E9jvkXXw/ctvbiGPEvho0kuMrYkOPKnaCfkObBIy8vQ=,tag:v85Rlx7+8xH4tN88y27OYw==,type:str]
pgp: [] pgp: []
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.7.3 version: 3.7.3