2023-06-01 16:59:19 +02:00
|
|
|
{ config, lib, ... }:
|
|
|
|
with lib;
|
|
|
|
let
|
|
|
|
cfg = config.eboskma.keycloak;
|
|
|
|
in
|
|
|
|
{
|
|
|
|
options.eboskma.keycloak = { enable = mkEnableOption "keycloak"; };
|
|
|
|
|
|
|
|
config = mkIf cfg.enable {
|
|
|
|
services.keycloak = {
|
|
|
|
enable = true;
|
|
|
|
database.passwordFile = config.sops.secrets.keycloak-db-password.path;
|
|
|
|
|
|
|
|
settings = {
|
|
|
|
hostname = "id.datarift.nl";
|
|
|
|
http-host = "127.0.0.1";
|
|
|
|
http-port = 8081;
|
|
|
|
proxy = "edge";
|
|
|
|
};
|
|
|
|
};
|
|
|
|
|
|
|
|
services.caddy = {
|
|
|
|
enable = true;
|
|
|
|
|
|
|
|
email = "erwin@datarift.nl";
|
|
|
|
|
|
|
|
virtualHosts = {
|
|
|
|
"${config.services.keycloak.settings.hostname}" = {
|
|
|
|
extraConfig = ''
|
2023-06-08 10:03:58 +02:00
|
|
|
@public_or_allowed_remote {
|
2023-10-23 08:09:38 +02:00
|
|
|
expression path('/realms/*', '/resources/*', '/js/*', '/robots.txt') || remote_ip('86.85.243.40/32', '2a02:a441:c959:1::/64', '100.64.0.0/10', 'fd7a:115c:a1e0:ab12:4843:cd96:6240:0000/106')
|
2023-06-08 10:03:58 +02:00
|
|
|
}
|
|
|
|
|
2023-07-04 20:29:59 +02:00
|
|
|
route {
|
|
|
|
reverse_proxy @public_or_allowed_remote ${config.services.keycloak.settings.http-host}:${toString config.services.keycloak.settings.http-port}
|
|
|
|
|
|
|
|
error "Nope." 401
|
|
|
|
}
|
2023-06-01 16:59:19 +02:00
|
|
|
'';
|
|
|
|
};
|
|
|
|
};
|
|
|
|
};
|
|
|
|
|
|
|
|
security.acme.acceptTerms = true;
|
|
|
|
|
|
|
|
networking.firewall.allowedTCPPorts = [ 80 443 ];
|
|
|
|
};
|
|
|
|
}
|