| author | Kj Tsanaktsidis <kjtsanaktsidis@groq.com> | 2026-01-10 22:22:05 +1100 |
|---|---|---|
| committer | Kj Tsanaktsidis <kjtsanaktsidis@groq.com> | 2026-01-10 22:22:05 +1100 |
| commit | e691e6b4b080ed70c2a778b8d0ddb43031cf9521 (patch) | |
| tree | 03bb8fd6de33be3ae10cf3a72b356c51255eed04 /modules | |
| parent | eca9d37810d5c29a1b0ea7f86c6b3abbb81f7c04 (diff) | |
keycloak
Diffstat (limited to 'modules')
| -rw-r--r-- | modules/keycloak.nix | 67 | ||||
| -rw-r--r-- | modules/postgres.nix | 13 |
2 files changed, 80 insertions, 0 deletions
diff --git a/modules/keycloak.nix b/modules/keycloak.nix
new file mode 100644
index 0000000..8e2025d
--- /dev/null
+++ b/modules/keycloak.nix
@@ -0,0 +1,67 @@
+{
+ config,
+ pkgs,
+ lib,
+ ...
+}:
+{
+ sops.secrets = {
+ keycloak_bootstrap_password = {};
+ };
+
+ services.nginx = {
+ virtualHosts."keycloak.kjtsanaktsidis.id.au" = {
+ forceSSL = true;
+ enableACME = true;
+ locations = {
+ "/" = {
+ proxyPass = "http://127.0.0.1:${builtins.toString config.services.keycloak.settings.http-port}";
+ };
+ };
+ };
+ };
+
+ services.keycloak = {
+ enable = true;
+ database = {
+ type = "postgresql";
+ createLocally = false;
+ passwordFile = "/dev/null";
+ };
+ settings = lib.mkOverride 10 {
+ db = "postgres";
+ db-url = "jdbc:postgresql://localhost/keycloak?socketFactory=org.newsclub.net.unix.AFUNIXSocketFactory$FactoryArg&socketFactoryArg=/var/run/postgresql/.s.PGSQL.5432";
+ db-username = "keycloak";
+ http-host = "127.0.0.1";
+ http-port = 3256;
+ hostname = "https://keycloak.kjtsanaktsidis.id.au";
+ http-enabled = true;
+ proxy-headers = "xforwarded";
+
+ vault = "file";
+ vault-dir = "\${CREDENTIALS_DIRECTORY}";
+
+ bootstrap-admin-username = "admin";
+ bootstrap-admin-password = { _secret = config.sops.secrets.keycloak_bootstrap_password.path; };
+ };
+ plugins = [
+ "${pkgs.junixsocket-common}/share/java/junixsocket-common-${pkgs.junixsocket-common.version}.jar"
+ "${pkgs.junixsocket-native-common}/share/java/junixsocket-native-common-${pkgs.junixsocket-native-common.version}.jar"
+ ];
+ };
+
+
+
+ services.postgresql = {
+ enable = true;
+ ensureUsers = [{
+ name = "keycloak";
+ ensureDBOwnership = true;
+ }];
+ ensureDatabases = [ "keycloak" ];
+ authentication = lib.mkAfter ''
+ #type database DBuser auth-method
+ local keycloak keycloak peer
+ '';
+ };
+}
diff --git a/modules/postgres.nix b/modules/postgres.nix
new file mode 100644
index 0000000..8853aaa
--- /dev/null
+++ b/modules/postgres.nix
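Review bot: `proxy-headers = "xforwarded"` tells Keycloak to trust X-Forwarded-* from the reverse proxy, but the nginx `"/"` location in this hunk only sets `proxyPass` and does not enable `recommendedProxySettings`, so unless that is turned on in a module outside this diff nginx will forward no X-Forwarded-For/Proto headers and Keycloak will most likely see every request as plain HTTP from 127.0.0.1 (client IPs in the event log and brute-force detection collapse to the proxy address, and the scheme has to be rescued by the fixed `hostname`). Adding `recommendedProxySettings = true;` next to `proxyPass`, or `services.nginx.recommendedProxySettings = true;` globally, closes that gap. The `passwordFile = "/dev/null"` under `database` reads as a placeholder rather than a decision; a comment such as `# no DB password needed: peer auth over the postgres unix socket (see authentication below)` would make the intent reviewable, though whether the module still injects a `db-password` from that file after the `lib.mkOverride 10` on `settings` is not visible here and is worth confirming. Since `bootstrap-admin-username`/`-password` create a Keycloak temporary admin, a short comment noting that the account is meant to be replaced by a permanent admin after first login would also help the next maintainer.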
@@ -0,0 +1,13 @@
+{
+ lib,
+ ...
+}:
+{
+ services.postgresql = {
+ enable = true;
+ authentication = lib.mkBefore ''
+ #type database DBuser auth-method
+ local all postgres peer
+ '';
+ };
+}
