nixos-config/modules/keycloak/default.nix

{ config, lib, ... }:
with lib;
let
  cfg = config.eboskma.keycloak;
in
{
  options.eboskma.keycloak = { enable = mkEnableOption "keycloak"; };

  config = mkIf cfg.enable {
    services.keycloak = {
      enable = true;
      database.passwordFile = config.sops.secrets.keycloak-db-password.path;

      settings = {
        hostname = "id.datarift.nl";
        http-host = "127.0.0.1";
        http-port = 8081;
        proxy = "edge";
      };
    };

    services.caddy = {
      enable = true;

      email = "erwin@datarift.nl";

      virtualHosts = {
        "${config.services.keycloak.settings.hostname}" = {
          extraConfig = ''
            @public_or_allowed_remote {
              expression path('/realms/*', '/resources/*', '/js/*', '/robots.txt') || remote_ip('10.64.0.0/10', '86.85.243.40/32', '2a02:a441:c959:1::/64')
            }

            route {
                  reverse_proxy @public_or_allowed_remote ${config.services.keycloak.settings.http-host}:${toString config.services.keycloak.settings.http-port}

                  error "Nope." 401
            }
          '';
        };
      };
    };

    security.acme.acceptTerms = true;

    networking.firewall.allowedTCPPorts = [ 80 443 ];
  };
}
heimdall: Add Keycloak 2023-06-01 16:59:19 +02:00			`{ config, lib, ... }:`
			`with lib;`
			`let`
			`cfg = config.eboskma.keycloak;`
			`in`
			`{`
			`options.eboskma.keycloak = { enable = mkEnableOption "keycloak"; };`

			`config = mkIf cfg.enable {`
			`services.keycloak = {`
			`enable = true;`
			`database.passwordFile = config.sops.secrets.keycloak-db-password.path;`

			`settings = {`
			`hostname = "id.datarift.nl";`
			`http-host = "127.0.0.1";`
			`http-port = 8081;`
			`proxy = "edge";`
			`};`
			`};`

			`services.caddy = {`
			`enable = true;`

			`email = "erwin@datarift.nl";`

			`virtualHosts = {`
			`"${config.services.keycloak.settings.hostname}" = {`
			`extraConfig = ''`
keycloak: Limit access to management console 2023-06-08 10:03:58 +02:00			`@public_or_allowed_remote {`
Tweak some stuff, clean up some other stuff 2023-07-04 20:29:59 +02:00			`expression path('/realms/', '/resources/', '/js/*', '/robots.txt') \|\| remote_ip('10.64.0.0/10', '86.85.243.40/32', '2a02:a441:c959:1::/64')`
keycloak: Limit access to management console 2023-06-08 10:03:58 +02:00			`}`

Tweak some stuff, clean up some other stuff 2023-07-04 20:29:59 +02:00			`route {`
			`reverse_proxy @public_or_allowed_remote ${config.services.keycloak.settings.http-host}:${toString config.services.keycloak.settings.http-port}`

			`error "Nope." 401`
			`}`
heimdall: Add Keycloak 2023-06-01 16:59:19 +02:00			`'';`
			`};`
			`};`
			`};`

			`security.acme.acceptTerms = true;`

			`networking.firewall.allowedTCPPorts = [ 80 443 ];`
			`};`
			`}`