From 46919ae9527c6248c994b68b99eb7a6d7eea30a4 Mon Sep 17 00:00:00 2001
From: Erwin Boskma
Date: Thu, 8 Jun 2023 10:03:58 +0200
Subject: [PATCH] keycloak: Limit access to management console
---
 modules/keycloak/default.nix | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/modules/keycloak/default.nix b/modules/keycloak/default.nix
index 49dcdb1..121bd13 100644
--- a/modules/keycloak/default.nix
+++ b/modules/keycloak/default.nix
@@ -27,7 +27,14 @@ in
 virtualHosts = {
 "${config.services.keycloak.settings.hostname}" = {
 extraConfig = ''
- reverse_proxy ${config.services.keycloak.settings.http-host}:${toString config.services.keycloak.settings.http-port}
+ @public_or_allowed_remote {
+ not {
+ not path /realms/* /resources/* /js/* /robots.txt
+ not remote_ip 100.64.0.0/10 86.85.243.40/32
+ }
+ }
+
+ reverse_proxy @public_or_allowed_remote ${config.services.keycloak.settings.http-host}:${toString config.services.keycloak.settings.http-port}
 '';
 };
 };
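Review bot: Requests that fail `@public_or_allowed_remote` are never denied explicitly in the new `extraConfig`: no handler matches them, and Caddy's default for an unhandled request is (as far as I know) an empty 200, so blocked admin-console requests look like successes in access logs and monitoring. Wrapping the proxy in `handle @public_or_allowed_remote` with a fallback `handle` that answers 403 makes the deny visible, as sketched below. The double negation evaluates to "public path OR allow-listed peer" and would benefit from a one-line comment such as `# proxied when the path is public OR the peer IP is allow-listed`. Two things to confirm: `/realms/*` still exposes the master realm's login and token endpoints publicly, and `100.64.0.0/10` is shared CGNAT space, so the host should only be able to receive that range over the intended private network. The attribute set enclosing `virtualHosts` begins above the hunk, so any other handlers for this site are not visible here.

```nix
extraConfig = ''
  # … unchanged: @public_or_allowed_remote matcher …

  handle @public_or_allowed_remote {
    reverse_proxy ${config.services.keycloak.settings.http-host}:${toString config.services.keycloak.settings.http-port}
  }

  handle {
    respond 403
  }
'';
```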