nixos-config/modules/keycloak/default.nix

48 lines
1.1 KiB
Nix
Raw Normal View History

2023-06-01 16:59:19 +02:00
{ config, lib, ... }:
with lib;
let
cfg = config.eboskma.keycloak;
in
{
options.eboskma.keycloak = { enable = mkEnableOption "keycloak"; };
config = mkIf cfg.enable {
services.keycloak = {
enable = true;
database.passwordFile = config.sops.secrets.keycloak-db-password.path;
settings = {
hostname = "id.datarift.nl";
http-host = "127.0.0.1";
http-port = 8081;
proxy = "edge";
};
};
services.caddy = {
enable = true;
email = "erwin@datarift.nl";
virtualHosts = {
"${config.services.keycloak.settings.hostname}" = {
extraConfig = ''
@public_or_allowed_remote {
not {
not path /realms/* /resources/* /js/* /robots.txt
not remote_ip 100.64.0.0/10 86.85.243.40/32
}
}
reverse_proxy @public_or_allowed_remote ${config.services.keycloak.settings.http-host}:${toString config.services.keycloak.settings.http-port}
2023-06-01 16:59:19 +02:00
'';
};
};
};
security.acme.acceptTerms = true;
networking.firewall.allowedTCPPorts = [ 80 443 ];
};
}