nixos-config/modules/keycloak/default.nix

{ pkgs, config, lib, ... }:
with lib;
let
  cfg = config.eboskma.keycloak;

  keywindTheme = pkgs.stdenv.mkDerivation {
    pname = "keycloak-theme-keywind";
    version = "unstable-2023-12-13";

    src = pkgs.fetchFromGitHub {
      owner = "lukin";
      repo = "keywind";
      rev = "bdf966fdae0071ccd46dab4efdc38458a643b409";
      hash = "sha256-8N+OQ6Yg9RKxqGd8kgsbvrYuVgol49bo/iJeIJXr3Sg=";
    };

    doConfigure = false;
    doBuild = false;
    doCheck = false;

    installPhase = ''
      mkdir $out
      cp -r $src/theme/keywind/* $out/
    '';

  };
in
{
  options.eboskma.keycloak = { enable = mkEnableOption "keycloak"; };

  config = mkIf cfg.enable {
    services.keycloak = {
      enable = true;
      database.passwordFile = config.sops.secrets.keycloak-db-password.path;

      settings = {
        hostname = "id.datarift.nl";
        http-host = "127.0.0.1";
        http-port = 8081;
        proxy = "edge";
        features = "docker";
      };

      themes = {
        keywind = keywindTheme;
      };

      plugins = [
        (pkgs.callPackage ./keycloak-orgs.nix {
          inherit (pkgs) fetchFromGitHub;
          inherit (pkgs.maven) buildMavenPackage;
        })
        (pkgs.callPackage ./keycloak-admin-ui.nix {
          inherit (pkgs) fetchFromGitHub;
          inherit (pkgs.maven) buildMavenPackage;
          keycloak = config.services.keycloak.package;
        })
        (pkgs.callPackage ./phasetwo-admin-ui.nix {
          inherit (pkgs) stdenv fetchFromGitHub;
        })
      ];
    };

    services. caddy = {
      enable = true;

      email = "erwin@datarift.nl";

      virtualHosts = {
        "${config.services.keycloak.settings.hostname}" = {
          extraConfig = ''
            @public_or_allowed_remote {
              expression path('/realms/*', '/resources/*', '/js/*', '/robots.txt') || remote_ip('86.85.243.40/32', '2a02:a441:c959:1::/64', '100.64.0.0/10', 'fd7a:115c:a1e0:ab12:4843:cd96:6240:0000/106')
            }

            route {
                  reverse_proxy @public_or_allowed_remote ${config.services.keycloak.settings.http-host}:${toString config.services.keycloak.settings.http-port}

                  error "Nope." 401
            }
          '';
        };
      };
    };

    security.acme.acceptTerms = true;

    networking.firewall.allowedTCPPorts = [ 80 443 ];
  };
}
keycloak: Add keywind theme 2023-10-30 09:36:08 +01:00			`{ pkgs, config, lib, ... }:`
heimdall: Add Keycloak 2023-06-01 16:59:19 +02:00			`with lib;`
			`let`
			`cfg = config.eboskma.keycloak;`
keycloak: Add keywind theme 2023-10-30 09:36:08 +01:00
			`keywindTheme = pkgs.stdenv.mkDerivation {`
			`pname = "keycloak-theme-keywind";`
keycloak: Update plugins 2024-01-03 01:15:44 +01:00			`version = "unstable-2023-12-13";`
keycloak: Add keywind theme 2023-10-30 09:36:08 +01:00
			`src = pkgs.fetchFromGitHub {`
			`owner = "lukin";`
			`repo = "keywind";`
keycloak: Update plugins 2024-01-03 01:15:44 +01:00			`rev = "bdf966fdae0071ccd46dab4efdc38458a643b409";`
			`hash = "sha256-8N+OQ6Yg9RKxqGd8kgsbvrYuVgol49bo/iJeIJXr3Sg=";`
keycloak: Add keywind theme 2023-10-30 09:36:08 +01:00			`};`

			`doConfigure = false;`
			`doBuild = false;`
			`doCheck = false;`

			`installPhase = ''`
			`mkdir $out`
			`cp -r $src/theme/keywind/* $out/`
			`'';`

			`};`
heimdall: Add Keycloak 2023-06-01 16:59:19 +02:00			`in`
			`{`
			`options.eboskma.keycloak = { enable = mkEnableOption "keycloak"; };`

			`config = mkIf cfg.enable {`
			`services.keycloak = {`
			`enable = true;`
			`database.passwordFile = config.sops.secrets.keycloak-db-password.path;`

			`settings = {`
			`hostname = "id.datarift.nl";`
			`http-host = "127.0.0.1";`
			`http-port = 8081;`
			`proxy = "edge";`
keycloak: Add docker token auth 2023-11-01 09:31:30 +01:00			`features = "docker";`
heimdall: Add Keycloak 2023-06-01 16:59:19 +02:00			`};`
keycloak: Add keywind theme 2023-10-30 09:36:08 +01:00
			`themes = {`
			`keywind = keywindTheme;`
			`};`

keycloak: Add organizations plugin 2023-11-03 16:29:31 +01:00			`plugins = [`
			`(pkgs.callPackage ./keycloak-orgs.nix {`
			`inherit (pkgs) fetchFromGitHub;`
			`inherit (pkgs.maven) buildMavenPackage;`
			`})`
			`(pkgs.callPackage ./keycloak-admin-ui.nix {`
			`inherit (pkgs) fetchFromGitHub;`
			`inherit (pkgs.maven) buildMavenPackage;`
			`keycloak = config.services.keycloak.package;`
			`})`
keycloak: Add Phase Two admin ui 2023-11-08 09:30:22 +01:00			`(pkgs.callPackage ./phasetwo-admin-ui.nix {`
			`inherit (pkgs) stdenv fetchFromGitHub;`
			`})`
keycloak: Add organizations plugin 2023-11-03 16:29:31 +01:00			`];`
heimdall: Add Keycloak 2023-06-01 16:59:19 +02:00			`};`

keycloak: Add organizations plugin 2023-11-03 16:29:31 +01:00			`services. caddy = {`
heimdall: Add Keycloak 2023-06-01 16:59:19 +02:00			`enable = true;`

			`email = "erwin@datarift.nl";`

			`virtualHosts = {`
			`"${config.services.keycloak.settings.hostname}" = {`
			`extraConfig = ''`
keycloak: Limit access to management console 2023-06-08 10:03:58 +02:00			`@public_or_allowed_remote {`
keycloak: Fix IP filter for admin interface 2023-10-23 08:09:38 +02:00			`expression path('/realms/', '/resources/', '/js/*', '/robots.txt') \|\| remote_ip('86.85.243.40/32', '2a02:a441:c959:1::/64', '100.64.0.0/10', 'fd7a:115c:a1e0:ab12:4843:cd96:6240:0000/106')`
keycloak: Limit access to management console 2023-06-08 10:03:58 +02:00			`}`

Tweak some stuff, clean up some other stuff 2023-07-04 20:29:59 +02:00			`route {`
			`reverse_proxy @public_or_allowed_remote ${config.services.keycloak.settings.http-host}:${toString config.services.keycloak.settings.http-port}`

			`error "Nope." 401`
			`}`
heimdall: Add Keycloak 2023-06-01 16:59:19 +02:00			`'';`
			`};`
			`};`
			`};`

			`security.acme.acceptTerms = true;`

			`networking.firewall.allowedTCPPorts = [ 80 443 ];`
			`};`
			`}`