From e691e6b4b080ed70c2a778b8d0ddb43031cf9521 Mon Sep 17 00:00:00 2001
From: Kj Tsanaktsidis
Date: Sat, 10 Jan 2026 22:22:05 +1100
Subject: keycloak
---
modules/keycloak.nix | 67 ++++++++++++++++++++++++++++++++++++++++++++++++++++
modules/postgres.nix | 13 ++++++++++
2 files changed, 80 insertions(+)
create mode 100644 modules/keycloak.nix
create mode 100644 modules/postgres.nix
(limited to 'modules')
diff --git a/modules/keycloak.nix b/modules/keycloak.nix
new file mode 100644
index 0000000..8e2025d
--- /dev/null
+++ b/modules/keycloak.nix
@@ -0,0 +1,67 @@
+{
+ config,
+ pkgs,
+ lib,
+ ...
+}:
+{
+ sops.secrets = {
+ keycloak_bootstrap_password = {};
+ };
+
+ services.nginx = {
+ virtualHosts."keycloak.kjtsanaktsidis.id.au" = {
+ forceSSL = true;
+ enableACME = true;
+ locations = {
+ "/" = {
+ proxyPass = "http://127.0.0.1:${builtins.toString config.services.keycloak.settings.http-port}";
+ };
+ };
+ };
+ };
+
+ services.keycloak = {
+ enable = true;
+ database = {
+ type = "postgresql";
+ createLocally = false;
+ passwordFile = "/dev/null";
+ };
+ settings = lib.mkOverride 10 {
+ db = "postgres";
+ db-url = "jdbc:postgresql://localhost/keycloak?socketFactory=org.newsclub.net.unix.AFUNIXSocketFactory$FactoryArg&socketFactoryArg=/var/run/postgresql/.s.PGSQL.5432";
+ db-username = "keycloak";
+ http-host = "127.0.0.1";
+ http-port = 3256;
+ hostname = "https://keycloak.kjtsanaktsidis.id.au";
+ http-enabled = true;
+ proxy-headers = "xforwarded";
+
+ vault = "file";
+ vault-dir = "\${CREDENTIALS_DIRECTORY}";
+
+ bootstrap-admin-username = "admin";
+ bootstrap-admin-password = { _secret = config.sops.secrets.keycloak_bootstrap_password.path; };
+ };
+ plugins = [
+ "${pkgs.junixsocket-common}/share/java/junixsocket-common-${pkgs.junixsocket-common.version}.jar"
+ "${pkgs.junixsocket-native-common}/share/java/junixsocket-native-common-${pkgs.junixsocket-native-common.version}.jar"
+ ];
+ };
+
+
+ services.postgresql = {
+ enable = true;
+ ensureUsers = [{
+ name = "keycloak";
+ ensureDBOwnership = true;
+ }];
+ ensureDatabases = [ "keycloak" ];
+ authentication = lib.mkAfter ''
+ #type database DBuser auth-method
+ local keycloak keycloak peer
+ '';
+ };
+}
diff --git a/modules/postgres.nix b/modules/postgres.nix
new file mode 100644
index 0000000..8853aaa
--- /dev/null
+++ b/modules/postgres.nix
@@ -0,0 +1,13 @@
+{
+ lib,
+ ...
+}:
+{
+ services.postgresql = {
+ enable = true;
+ authentication = lib.mkBefore ''
+ #type database DBuser auth-method
+ local all postgres peer
+ '';
+ };
+}
--
cgit v1.2.3
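Review bot: `proxy-headers = "xforwarded"` tells Keycloak to trust X-Forwarded-For/Proto/Host from the upstream, but the nginx virtualHost in this hunk only sets `proxyPass`, and nothing here enables `services.nginx.recommendedProxySettings` or a `proxy_set_header`; unless that is configured elsewhere, nginx passes through whatever X-Forwarded-For the client sent, so the address used by brute-force detection and login events is attacker-controlled. Since nginx is the edge here, set the header from the real peer rather than appending to the client's value: in the `"/"` location add `extraConfig = "proxy_set_header X-Forwarded-For $remote_addr; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Host $host;";` (or enable `recommendedProxySettings = true;` if the appending `$proxy_add_x_forwarded_for` behaviour is acceptable). Separately, `vault-dir = "\${CREDENTIALS_DIRECTORY}"` makes every systemd credential loaded into the keycloak unit readable by realm admins through `${vault.<name>}` expressions, so if the unit ever loads more than the intended vault entries it should point at a dedicated directory instead. The `passwordFile = "/dev/null"` plus unix-socket `peer` auth is sound only while the service's runtime user is literally named `keycloak`, which the `local keycloak keycloak peer` rule depends on; a comment to that effect next to `passwordFile` would save the next reader a surprise.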