heimdall: Add Keycloak

This commit is contained in:
Erwin Boskma 2023-06-01 16:59:19 +02:00
parent 192e722e75
commit c348b4f5eb
Signed by: erwin
SSH key fingerprint: SHA256:3F6Cm6I3erRqlBwEghZWAQl6eS5WrGTX1Vs/Evec1lQ
3 changed files with 48 additions and 7 deletions


@ -21,6 +21,7 @@
baseDomain = "asgard.datarift.nl"; baseDomain = "asgard.datarift.nl";
serverUrl = "https://heimdall.datarift.nl"; serverUrl = "https://heimdall.datarift.nl";
}; };
keycloak.enable = true;
nix-common = { nix-common = {
enable = true; enable = true;
}; };
@ -90,10 +91,10 @@
}; };
security.protectKernelImage = true; security.protectKernelImage = true;
# sops.defaultSopsFile = ./secrets.yaml; sops.defaultSopsFile = ./secrets.yaml;
# sops.secrets = { sops.secrets = {
# wireguard_key = { }; keycloak-db-password = { };
# }; };
system.stateVersion = "23.05"; system.stateVersion = "23.05";
} }
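Review bot: `keycloak-db-password = { };` in the second hunk declares the secret with sops-nix defaults (root-owned and not world-readable), which only works if the NixOS keycloak module hands `database.passwordFile` to the unit through systemd credentials rather than opening it as the service account; if it is the latter, the declaration needs `owner`/`group` set to that account, so this is worth confirming against the module before the first deploy rather than at the first failed activation. Since the previous sops block was commented out, uncommenting `sops.defaultSopsFile = ./secrets.yaml;` is the first time sops-nix runs on this host, so the age key placement on the machine is also part of what this change depends on. The enclosing attribute set begins outside the hunk.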


@ -1,4 +1,4 @@
wireguard_key: ENC[AES256_GCM,data:A+m/91mC/FbU4k7RgElU5A2ykumoc7lXUjjkJPtX58hJoAUG644gM/91uVY=,iv:t9Bn2DCtfXXRflTHgCBVSwOKbdedGKYlDBSk1+KDChc=,tag:OweM84Wz+qXKH8tuu3iuJg==,type:str] keycloak-db-password: ENC[AES256_GCM,data:F7kYKVyra5dKixtxMhhyCKDr50BEK6OhICRCKSmpCe25bB3xXpXW4sZS+9y8LIwBpCDXeQmghOXskRRQvslHKmQpj5AxNXNDLBG4Coj+ilfoh7BUbLtDJTCNum0mHGw3haCUh1rn0PGNW7A6aI+BrlsDuiwhnJ9m2q57ggAo1Gs=,iv:hQpuzx9Q40caXXX+9XuiwqpMSeBJr9DWaQmCyZUw8X8=,tag:s4vFvz41i9wyzkBuCT9k1A==,type:str]
sops: sops:
kms: [] kms: []
gcp_kms: [] gcp_kms: []
@ -32,8 +32,8 @@ sops:
cHJwVnhySC81SEF1OU1mRDhqaHVDMVkKYHqrt7CPVW3x12Ayo4PIZIhLpjaj28tK cHJwVnhySC81SEF1OU1mRDhqaHVDMVkKYHqrt7CPVW3x12Ayo4PIZIhLpjaj28tK
ON+NGAOxvZbpB+FYCNVdyFD/geHnkR4yDfBnR9nAlILsptFZuaNVmg== ON+NGAOxvZbpB+FYCNVdyFD/geHnkR4yDfBnR9nAlILsptFZuaNVmg==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2022-09-07T21:12:26Z" lastmodified: "2023-06-01T14:11:42Z"
mac: ENC[AES256_GCM,data:BNDGUuWDLG48nph3HUKizMR0D0KJTYTpkv15Rs/3ljc3BQYdKbeLIh+zKPvKv93VOvweUXCX/7pwxv9ENdVhF9BYqwoF6gpbaM10iSOvlaEwoYMuSB+pwcDRg6/jCJoJOxJwKXggfcAU4x25Y81oJxb/xfe/KvuLougq/F4z96g=,iv:HXmtyv3ZdofjDtEHBWGOdNeDqGXO/VI1EqXzhpcmHTc=,tag:4LF5HNTG65uGpoJqQgh1cQ==,type:str] mac: ENC[AES256_GCM,data:Um2wARWNib6/9Ajo2ukXPe3duUgRsKEJqwauVNfKzHlv69TjJcb4lywmWQeyyKaRuPltkj1h9nCQBxR3GRwURG5bbMUCwBetvpWtiD3Gvj4FD2jetLbemiTUACvplajyHIa0lbV5HTtlSLb9hUpvoz33BPHuvMLeUCivHH7w5bo=,iv:iH/0jCAEi2gT4+NtndmVAk9kKuNCU3FsHA1sYEN0xS4=,tag:4zMeq7ESZ08r2kTkI7Wuuw==,type:str]
pgp: [] pgp: []
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.7.3 version: 3.7.3


@ -0,0 +1,40 @@
{ config, lib, ... }:
with lib;
let
cfg = config.eboskma.keycloak;
in
{
options.eboskma.keycloak = { enable = mkEnableOption "keycloak"; };
config = mkIf cfg.enable {
services.keycloak = {
enable = true;
database.passwordFile = config.sops.secrets.keycloak-db-password.path;
settings = {
hostname = "id.datarift.nl";
http-host = "127.0.0.1";
http-port = 8081;
proxy = "edge";
};
};
services.caddy = {
enable = true;
email = "erwin@datarift.nl";
virtualHosts = {
"${config.services.keycloak.settings.hostname}" = {
extraConfig = ''
reverse_proxy ${config.services.keycloak.settings.http-host}:${toString config.services.keycloak.settings.http-port}
'';
};
};
};
security.acme.acceptTerms = true;
networking.firewall.allowedTCPPorts = [ 80 443 ];
};
}
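Review bot: The Caddy vhost at lines 73-77 proxies every path to Keycloak, so the admin console under `/admin/` is reachable from the Internet on id.datarift.nl with only the Keycloak admin login in front of it; consider restricting that path in Caddy to a trusted source range (`@admin path /admin*` combined with a `remote_ip` matcher and `respond @admin 403`), or moving the console to a separate name via Keycloak's `hostname-admin` setting. `database.passwordFile` reads `config.sops.secrets.keycloak-db-password.path` but the module never declares that secret, so enabling it on a host that lacks the declaration fails at evaluation with a missing-attribute error rather than a clear message; adding `sops.secrets.keycloak-db-password = { };` inside the `mkIf cfg.enable` block should make the module self-contained, as sops-nix's `secrets` option is an attribute set that merges a duplicate declaration from the host. Setting `security.acme.acceptTerms`, `services.caddy.email` and the firewall ports as a side effect of `eboskma.keycloak.enable` is a scope point worth a comment, e.g. `# Caddy, ACME and firewall are configured here because this host has no standalone web-server module`, or moving those lines to the host config.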