keycloak: Limit access to management console

modules/keycloak/default.nix

@@ -27,7 +27,14 @@ in
       virtualHosts = {
         "${config.services.keycloak.settings.hostname}" = {
           extraConfig = ''
-            reverse_proxy ${config.services.keycloak.settings.http-host}:${toString config.services.keycloak.settings.http-port}
+            @public_or_allowed_remote {
+              not {
+                not path /realms/* /resources/* /js/* /robots.txt
+                not remote_ip 100.64.0.0/10 86.85.243.40/32
+              }
+            }
+
+            reverse_proxy @public_or_allowed_remote ${config.services.keycloak.settings.http-host}:${toString config.services.keycloak.settings.http-port}
           '';
         };
       };