nixos-config/modules/keycloak/default.nix

{
pkgs,
config,
lib,
...
}:
with lib;
let
cfg = config.eboskma.keycloak;
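# Keywind login theme, built from a pinned upstream commit. The fetchFromGitHub
# `hash` is the supply-chain control here: if the fetched tree ever differs
# from what was reviewed, the build fails instead of silently shipping
# different HTML/JS into the login pages.
keywindTheme = pkgs.stdenv.mkDerivation {
  pname = "keycloak-theme-keywind";
  version = "unstable-2023-12-13";

  src = pkgs.fetchFromGitHub {
    owner = "lukin";
    repo = "keywind";
    rev = "bdf966fdae0071ccd46dab4efdc38458a643b409";
    hash = "sha256-8N+OQ6Yg9RKxqGd8kgsbvrYuVgol49bo/iJeIJXr3Sg=";
  };

  # The upstream repo ships the theme ready-made under theme/keywind, so this
  # derivation only copies files. stdenv skips phases through the `dont*`
  # flags; the previous `doConfigure = false; doBuild = false;` are not
  # stdenv attributes and were silently ignored (configure/build still ran).
  dontConfigure = true;
  dontBuild = true;
  doCheck = false;

  # $out becomes themes/keywind inside the Keycloak installation via
  # services.keycloak.themes below.
  installPhase = ''
    runHook preInstall
    mkdir -p $out
    cp -r $src/theme/keywind/* $out/
    runHook postInstall
  '';
};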
in
{
# Module switch. Written out in full rather than via mkEnableOption so the
# defaults are visible: off unless set, and everything in `config` below is
# gated on it.
options.eboskma.keycloak = {
  enable = mkOption {
    type = types.bool;
    default = false;
    example = true;
    description = "Whether to enable keycloak.";
  };
};
config = mkIf cfg.enable {
# Keycloak itself. It listens on loopback only; Caddy (configured further
# down) is what the network talks to and applies the source-IP allowlist.
services.keycloak =
  let
    # The two Maven-built plugins take the same builder inputs;
    # buildMavenPackage is not top-level in pkgs, hence the explicit inherit.
    mavenInputs = {
      inherit (pkgs) fetchFromGitHub;
      inherit (pkgs.maven) buildMavenPackage;
    };
  in
  {
    enable = true;

    # DB credential is read at runtime from a sops-managed file, so it never
    # lands in the world-readable Nix store.
    database = {
      passwordFile = config.sops.secrets.keycloak-db-password.path;
    };

    settings = {
      hostname = "id.datarift.nl";
      # Loopback bind + `proxy = "edge"`: Keycloak trusts X-Forwarded-* from
      # the reverse proxy on this host. NOTE(review): the Caddy allowlist only
      # protects network clients — any process on this machine can reach
      # 127.0.0.1:8081 directly (admin console included) and set those
      # headers itself; treat local shell access as admin-equivalent.
      http-host = "127.0.0.1";
      http-port = 8081;
      # NOTE(review): the `proxy` setting is deprecated in newer Keycloak
      # releases in favour of proxy-headers — confirm against the packaged
      # version before upgrading.
      proxy = "edge";
      # Turns on the Docker Registry v2 auth protocol (not enabled by default).
      features = "docker";
    };

    themes = {
      keywind = keywindTheme;
    };

    # All extensions are built from source under this module's directory;
    # nothing is downloaded as a prebuilt JAR at deploy time.
    plugins = [
      (pkgs.callPackage ./keycloak-orgs.nix mavenInputs)
      (pkgs.callPackage ./keycloak-admin-ui.nix (mavenInputs // {
        keycloak = config.services.keycloak.package;
      }))
      (pkgs.callPackage ./phasetwo-admin-ui.nix { inherit (pkgs) stdenv fetchFromGitHub; })
    ];
  };
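# Public edge. Caddy owns 80/443 and is the only network path into Keycloak.
# Access control is a single matcher:
#   - paths end users and OIDC clients need (realm endpoints, static
#     resources, robots.txt) are reachable from anywhere;
#   - everything else — in particular /admin/* and the admin console — only
#     from the allow-listed sources: one public host plus ranges that look
#     like CGNAT/ULA overlay-network space (presumably a Tailscale net —
#     confirm).
# `remote_ip` matches the real TCP peer because Caddy is the edge here. If a
# CDN or another proxy is ever put in front, do not switch the matcher to
# forwarded-header mode without configuring trusted_proxies, otherwise the
# allowlist becomes spoofable via X-Forwarded-For.
# `route` keeps directive order, so `error` only fires for requests the
# matcher did not send to reverse_proxy. Refusal is a 403: the request is
# rejected by source address, not for missing credentials, and a 401 without
# WWW-Authenticate is malformed per RFC 9110.
services.caddy = {
  enable = true;
  email = "erwin@datarift.nl";
  virtualHosts = {
    "${config.services.keycloak.settings.hostname}" = {
      extraConfig = ''
        @public_or_allowed_remote {
          expression path('/realms/*', '/resources/*', '/js/*', '/robots.txt') || remote_ip('86.85.243.40/32', '2a02:a441:c959:1::/64', '100.64.0.0/10', 'fd7a:115c:a1e0:ab12:4843:cd96:6240:0000/106')
        }
        route {
          reverse_proxy @public_or_allowed_remote ${config.services.keycloak.settings.http-host}:${toString config.services.keycloak.settings.http-port}
          error "Nope." 403
        }
      '';
    };
  };
};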
# Explicit acceptance of the ACME CA's terms of service, required before
# any certificate may be requested on this host.
security.acme = {
  acceptTerms = true;
};
# Only the web edge is exposed: 80 (presumably Caddy's HTTP->HTTPS redirect
# and ACME HTTP-01) and 443. Keycloak's own port 8081 is deliberately absent;
# it stays reachable on loopback only.
networking.firewall = {
  allowedTCPPorts = [ 80 443 ];
};
};
}