
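# Keycloak behind Caddy.  Keycloak itself only listens on loopback; Caddy
# terminates TLS and forwards the public OIDC/account paths to everyone, while
# everything else (notably the admin console) is reachable only from the
# allow-listed source networks.  The options carry the previously hard-coded
# values as defaults, so existing hosts evaluate to the same configuration.
{
  config,
  lib,
  ...
}:
let
  cfg = config.eboskma.keycloak;
  kc = config.services.keycloak.settings;

  # host:port Caddy proxies to, derived from the Keycloak settings so the two
  # cannot drift apart.
  upstream = "${kc.http-host}:${toString kc.http-port}";

  # Render a list of strings as the argument list of a Caddy expression
  # function: [ "a" "b" ] -> "'a', 'b'".
  caddyArgs = lib.concatMapStringsSep ", " (s: "'${s}'");
in
{
  options.eboskma.keycloak = {
    enable = lib.mkEnableOption "keycloak";

    hostname = lib.mkOption {
      type = lib.types.str;
      default = "id.datarift.nl";
      description = "Public hostname Keycloak is served on; also the Caddy virtual host.";
    };

    acmeEmail = lib.mkOption {
      type = lib.types.str;
      default = "erwin@datarift.nl";
      description = "Contact address Caddy registers with the ACME CA.";
    };

    publicPaths = lib.mkOption {
      type = lib.types.listOf lib.types.str;
      default = [
        "/realms/*"
        "/resources/*"
        "/js/*"
        "/robots.txt"
      ];
      description = ''
        Caddy path patterns reachable from any source address.  Every other
        path, including the admin console, is limited to allowedRemotes.
        Must not be empty: the generated path(...) matcher needs an argument.
      '';
    };

    allowedRemotes = lib.mkOption {
      type = lib.types.listOf lib.types.str;
      default = [
        "86.85.243.40/32"
        "2a02:a441:c959:1::/64"
        "100.64.0.0/10"
        "fd7a:115c:a1e0:ab12:4843:cd96:6240:0000/106"
      ];
      description = ''
        CIDR ranges whose clients may reach every path.  Matched against the
        TCP peer address Caddy sees, not X-Forwarded-For, so the restriction
        only holds when clients connect to Caddy directly.  Must not be empty.
      '';
    };
  };

  config = lib.mkIf cfg.enable {
    services.keycloak = {
      enable = true;
      database.passwordFile = config.sops.secrets.keycloak-db-password.path;
      settings = {
        hostname = cfg.hostname;
        # Plain HTTP bound to loopback only: nothing but local processes
        # (i.e. Caddy) can reach Keycloak without going through the proxy.
        http-host = "127.0.0.1";
        http-port = 8081;
        http-enabled = true;
        # Keycloak takes scheme and client address from the X-Forwarded-*
        # headers Caddy sets.  Any peer that can reach the port above is
        # trusted for those headers; the loopback bind keeps that to this host.
        proxy-headers = "xforwarded";
        features = "docker";
      };
    };

    services.caddy = {
      enable = true;
      email = cfg.acmeEmail;
      # The named matcher admits public paths from anywhere and all paths from
      # the allow-listed networks; inside `route`, requests it rejects fall
      # through reverse_proxy to the 403.  remote_ip evaluates the TCP peer
      # address, so another proxy or CDN in front of Caddy would defeat the
      # allow-list.
      virtualHosts.${cfg.hostname}.extraConfig = ''
        @public_or_allowed_remote {
          expression path(${caddyArgs cfg.publicPaths}) || remote_ip(${caddyArgs cfg.allowedRemotes})
        }
        route {
          reverse_proxy @public_or_allowed_remote ${upstream}
          respond 403 {
            body "Nope."
            close
          }
        }
      '';
    };

    # Caddy runs its own ACME client and does not consume security.acme; kept
    # so any other security.acme certificate on the host still evaluates.
    security.acme.acceptTerms = true;

    networking.firewall.allowedTCPPorts = [
      80
      443
    ];
  };
}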