diff --git a/machines/heimdall/configuration.nix b/machines/heimdall/configuration.nix
index d85209a..221d006 100644
--- a/machines/heimdall/configuration.nix
+++ b/machines/heimdall/configuration.nix
@@ -21,6 +21,7 @@
 baseDomain = "asgard.datarift.nl";
 serverUrl = "https://heimdall.datarift.nl";
 };
+ keycloak.enable = true;
 nix-common = {
 enable = true;
 };
@@ -90,10 +91,10 @@
 };
 security.protectKernelImage = true;
- # sops.defaultSopsFile = ./secrets.yaml;
- # sops.secrets = {
- # wireguard_key = { };
- # };
+ sops.defaultSopsFile = ./secrets.yaml;
+ sops.secrets = {
+ keycloak-db-password = { };
+ };
 system.stateVersion = "23.05";
 }
diff --git a/machines/heimdall/secrets.yaml b/machines/heimdall/secrets.yaml
index b78b3cd..c410899 100644
--- a/machines/heimdall/secrets.yaml
+++ b/machines/heimdall/secrets.yaml
@@ -1,4 +1,4 @@
-wireguard_key: ENC[AES256_GCM,data:A+m/91mC/FbU4k7RgElU5A2ykumoc7lXUjjkJPtX58hJoAUG644gM/91uVY=,iv:t9Bn2DCtfXXRflTHgCBVSwOKbdedGKYlDBSk1+KDChc=,tag:OweM84Wz+qXKH8tuu3iuJg==,type:str]
+keycloak-db-password: ENC[AES256_GCM,data:F7kYKVyra5dKixtxMhhyCKDr50BEK6OhICRCKSmpCe25bB3xXpXW4sZS+9y8LIwBpCDXeQmghOXskRRQvslHKmQpj5AxNXNDLBG4Coj+ilfoh7BUbLtDJTCNum0mHGw3haCUh1rn0PGNW7A6aI+BrlsDuiwhnJ9m2q57ggAo1Gs=,iv:hQpuzx9Q40caXXX+9XuiwqpMSeBJr9DWaQmCyZUw8X8=,tag:s4vFvz41i9wyzkBuCT9k1A==,type:str]
 sops:
 kms: []
 gcp_kms: []
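Review bot: `keycloak-db-password = { };` in the second configuration.nix hunk takes sops-nix's defaults (root-owned, mode 0400), which is only sufficient if the keycloak module hands `database.passwordFile` to the unit as root, for example through a systemd credential, rather than having the service user open it; confirm that against the keycloak module of the nixpkgs revision in use and, if the unit opens the file itself, set `owner`/`mode` on the secret. The same hunk drops the commented-out `wireguard_key` reference, and the secrets.yaml hunk removes its ciphertext; the old entry still exists in git history, so if that key was ever deployed it should be rotated rather than merely removed from the file.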
@@ -32,8 +32,8 @@ sops:
 cHJwVnhySC81SEF1OU1mRDhqaHVDMVkKYHqrt7CPVW3x12Ayo4PIZIhLpjaj28tK
 ON+NGAOxvZbpB+FYCNVdyFD/geHnkR4yDfBnR9nAlILsptFZuaNVmg==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2022-09-07T21:12:26Z"
- mac: ENC[AES256_GCM,data:BNDGUuWDLG48nph3HUKizMR0D0KJTYTpkv15Rs/3ljc3BQYdKbeLIh+zKPvKv93VOvweUXCX/7pwxv9ENdVhF9BYqwoF6gpbaM10iSOvlaEwoYMuSB+pwcDRg6/jCJoJOxJwKXggfcAU4x25Y81oJxb/xfe/KvuLougq/F4z96g=,iv:HXmtyv3ZdofjDtEHBWGOdNeDqGXO/VI1EqXzhpcmHTc=,tag:4LF5HNTG65uGpoJqQgh1cQ==,type:str]
+ lastmodified: "2023-06-01T14:11:42Z"
+ mac: ENC[AES256_GCM,data:Um2wARWNib6/9Ajo2ukXPe3duUgRsKEJqwauVNfKzHlv69TjJcb4lywmWQeyyKaRuPltkj1h9nCQBxR3GRwURG5bbMUCwBetvpWtiD3Gvj4FD2jetLbemiTUACvplajyHIa0lbV5HTtlSLb9hUpvoz33BPHuvMLeUCivHH7w5bo=,iv:iH/0jCAEi2gT4+NtndmVAk9kKuNCU3FsHA1sYEN0xS4=,tag:4zMeq7ESZ08r2kTkI7Wuuw==,type:str]
 pgp: []
 unencrypted_suffix: _unencrypted
 version: 3.7.3
diff --git a/modules/keycloak/default.nix b/modules/keycloak/default.nix
new file mode 100644
index 0000000..49dcdb1
--- /dev/null
+++ b/modules/keycloak/default.nix
@@ -0,0 +1,40 @@
+{ config, lib, ... }:
+with lib;
+let
+ cfg = config.eboskma.keycloak;
+in
+{
+ options.eboskma.keycloak = { enable = mkEnableOption "keycloak"; };
+
+ config = mkIf cfg.enable {
+ services.keycloak = {
+ enable = true;
+ database.passwordFile = config.sops.secrets.keycloak-db-password.path;
+
+ settings = {
+ hostname = "id.datarift.nl";
+ http-host = "127.0.0.1";
+ http-port = 8081;
+ proxy = "edge";
+ };
+ };
+
+ services.caddy = {
+ enable = true;
+
+ email = "erwin@datarift.nl";
+
+ virtualHosts = {
+ "${config.services.keycloak.settings.hostname}" = {
+ extraConfig = ''
+ reverse_proxy ${config.services.keycloak.settings.http-host}:${toString config.services.keycloak.settings.http-port}
+ '';
+ };
+ };
+ };
+
+ security.acme.acceptTerms = true;
+
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
+ };
+}
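Review bot: The new module reads `config.sops.secrets.keycloak-db-password.path` for `database.passwordFile` but never declares that secret, so enabling `eboskma.keycloak` on a host that does not define it in its own `sops.secrets` fails evaluation with a missing-attribute error instead of a clear message; declaring it next to its consumer, `sops.secrets.keycloak-db-password = { };` inside the `mkIf cfg.enable` block, keeps the dependency self-contained while the host's `defaultSopsFile` still supplies the ciphertext. The Caddy vhost proxies the whole hostname, which by default includes Keycloak's admin console under `/admin`; if only a known network should reach it, a Caddy path matcher limiting that prefix is worth considering. `security.acme.acceptTerms` governs the NixOS `security.acme` certificate module, not Caddy's built-in ACME client, so it appears unneeded here unless `security.acme.certs` are configured elsewhere. `with lib;` at file scope is discouraged in nixpkgs style; `inherit (lib) mkEnableOption mkIf;` in the `let` makes the two names actually used explicit.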