heimdall: Add Keycloak
parent
192e722e75
commit
c348b4f5eb
3 changed files with 48 additions and 7 deletions
|
@ -21,6 +21,7 @@
|
|||
baseDomain = "asgard.datarift.nl";
|
||||
serverUrl = "https://heimdall.datarift.nl";
|
||||
};
|
||||
keycloak.enable = true;
|
||||
nix-common = {
|
||||
enable = true;
|
||||
};
|
||||
|
@ -90,10 +91,10 @@
|
|||
};
|
||||
security.protectKernelImage = true;
|
||||
|
||||
# sops.defaultSopsFile = ./secrets.yaml;
|
||||
# sops.secrets = {
|
||||
# wireguard_key = { };
|
||||
# };
|
||||
sops.defaultSopsFile = ./secrets.yaml;
|
||||
sops.secrets = {
|
||||
keycloak-db-password = { };
|
||||
};
|
||||
|
||||
system.stateVersion = "23.05";
|
||||
}
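Review bot: `sops.secrets.keycloak-db-password` is declared here in the host configuration, but its only visible consumer is `database.passwordFile` in modules/keycloak/default.nix, so enabling `eboskma.keycloak` on a host that lacks this declaration fails at evaluation. Moving `sops.secrets.keycloak-db-password = { };` into the module's `mkIf cfg.enable` block would keep the secret and its consumer together. A comment such as `# root-owned by default; the keycloak unit is expected to read it via systemd credentials` would record why no `owner` is set; that is an assumption to confirm against the nixpkgs module. The enclosing attribute set starts outside this hunk.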
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
wireguard_key: ENC[AES256_GCM,data:A+m/91mC/FbU4k7RgElU5A2ykumoc7lXUjjkJPtX58hJoAUG644gM/91uVY=,iv:t9Bn2DCtfXXRflTHgCBVSwOKbdedGKYlDBSk1+KDChc=,tag:OweM84Wz+qXKH8tuu3iuJg==,type:str]
|
||||
keycloak-db-password: ENC[AES256_GCM,data:F7kYKVyra5dKixtxMhhyCKDr50BEK6OhICRCKSmpCe25bB3xXpXW4sZS+9y8LIwBpCDXeQmghOXskRRQvslHKmQpj5AxNXNDLBG4Coj+ilfoh7BUbLtDJTCNum0mHGw3haCUh1rn0PGNW7A6aI+BrlsDuiwhnJ9m2q57ggAo1Gs=,iv:hQpuzx9Q40caXXX+9XuiwqpMSeBJr9DWaQmCyZUw8X8=,tag:s4vFvz41i9wyzkBuCT9k1A==,type:str]
|
||||
sops:
|
||||
kms: []
|
||||
gcp_kms: []
|
||||
|
@ -32,8 +32,8 @@ sops:
|
|||
cHJwVnhySC81SEF1OU1mRDhqaHVDMVkKYHqrt7CPVW3x12Ayo4PIZIhLpjaj28tK
|
||||
ON+NGAOxvZbpB+FYCNVdyFD/geHnkR4yDfBnR9nAlILsptFZuaNVmg==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2022-09-07T21:12:26Z"
|
||||
mac: ENC[AES256_GCM,data:BNDGUuWDLG48nph3HUKizMR0D0KJTYTpkv15Rs/3ljc3BQYdKbeLIh+zKPvKv93VOvweUXCX/7pwxv9ENdVhF9BYqwoF6gpbaM10iSOvlaEwoYMuSB+pwcDRg6/jCJoJOxJwKXggfcAU4x25Y81oJxb/xfe/KvuLougq/F4z96g=,iv:HXmtyv3ZdofjDtEHBWGOdNeDqGXO/VI1EqXzhpcmHTc=,tag:4LF5HNTG65uGpoJqQgh1cQ==,type:str]
|
||||
lastmodified: "2023-06-01T14:11:42Z"
|
||||
mac: ENC[AES256_GCM,data:Um2wARWNib6/9Ajo2ukXPe3duUgRsKEJqwauVNfKzHlv69TjJcb4lywmWQeyyKaRuPltkj1h9nCQBxR3GRwURG5bbMUCwBetvpWtiD3Gvj4FD2jetLbemiTUACvplajyHIa0lbV5HTtlSLb9hUpvoz33BPHuvMLeUCivHH7w5bo=,iv:iH/0jCAEi2gT4+NtndmVAk9kKuNCU3FsHA1sYEN0xS4=,tag:4zMeq7ESZ08r2kTkI7Wuuw==,type:str]
|
||||
pgp: []
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.7.3
|
||||
|
|
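--- /dev/null
+++ b/modules/keycloak/default.nix
@@ -0,0 +1,40 @@
+{ config, lib, ... }:
+with lib;
+let
+cfg = config.eboskma.keycloak;
+in
+{
+options.eboskma.keycloak = { enable = mkEnableOption "keycloak"; };
+
+config = mkIf cfg.enable {
+services.keycloak = {
+enable = true;
+database.passwordFile = config.sops.secrets.keycloak-db-password.path;
+
+settings = {
+hostname = "id.datarift.nl";
+http-host = "127.0.0.1";
+http-port = 8081;
+proxy = "edge";
+};
+};
+
+services.caddy = {
+enable = true;
+
+email = "erwin@datarift.nl";
+
+virtualHosts = {
+"${config.services.keycloak.settings.hostname}" = {
+extraConfig = ''
+reverse_proxy ${config.services.keycloak.settings.http-host}:${toString config.services.keycloak.settings.http-port}
+'';
+};
+};
+};
+
+security.acme.acceptTerms = true;
+
+networking.firewall.allowedTCPPorts = [ 80 443 ];
+};
+}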
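Review bot: Nothing in this module sets or rotates the bootstrap admin account, and the Caddy vhost forwards every path of `id.datarift.nl`, including the admin console, to Keycloak while ports 80 and 443 are opened. If this nixpkgs release ships `services.keycloak.initialAdminPassword` with its documented default (worth confirming for 23.05), the console is reachable from the internet with a known credential until it is changed by hand. I would limit the admin paths at the proxy, for example `@admin path /admin*` with `respond @admin 403` next to the `reverse_proxy` line, or a `remote_ip` matcher for a management range. The admin password should also be rotated before the host is exposed. `security.acme.acceptTerms` looks unused here, since Caddy obtains certificates with its own ACME client unless `useACMEHost` is set.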