From dcbe6871da6c71e784f599d335abde7c600a503e Mon Sep 17 00:00:00 2001 From: h7x4 Date: Sun, 7 May 2023 00:34:42 +0200 Subject: [PATCH] bekkalokk: setup keycloak --- hosts/bekkalokk/configuration.nix | 2 ++ hosts/bekkalokk/services/keycloak.nix | 24 +++++++++++++++++++ .../bekkalokk/{bekkalokk => }/bekkalokk.yaml | 5 ++-- 3 files changed, 29 insertions(+), 2 deletions(-) create mode 100644 hosts/bekkalokk/services/keycloak.nix rename secrets/bekkalokk/{bekkalokk => }/bekkalokk.yaml (88%) diff --git a/hosts/bekkalokk/configuration.nix b/hosts/bekkalokk/configuration.nix index 6b37de6..baaf086 100644 --- a/hosts/bekkalokk/configuration.nix +++ b/hosts/bekkalokk/configuration.nix @@ -5,6 +5,8 @@ ../../base.nix + ./services/keycloak.nix + # TODO: set up authentication for the following: # ./services/website/website.nix # ./services/website/nginx.nix diff --git a/hosts/bekkalokk/services/keycloak.nix b/hosts/bekkalokk/services/keycloak.nix new file mode 100644 index 0000000..1200250 --- /dev/null +++ b/hosts/bekkalokk/services/keycloak.nix @@ -0,0 +1,24 @@ +{ pkgs, config, values, ... }: +{ + sops.secrets."keys/postgres/keycloak" = { + owner = "keycloak"; + group = "keycloak"; + restartUnits = [ "keycloak.service" ]; + }; + + services.keycloak = { + enable = true; + + settings = { + hostname = "auth.pvv.ntnu.no"; + # hostname-strict-backchannel = true; + }; + + database = { + host = values.hosts.bicep.ipv4; + createLocally = false; + passwordFile = config.sops.secrets."keys/postgres/keycloak".path; + caCert = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"; + }; + }; +} diff --git a/secrets/bekkalokk/bekkalokk/bekkalokk.yaml b/secrets/bekkalokk/bekkalokk.yaml similarity index 88% rename from secrets/bekkalokk/bekkalokk/bekkalokk.yaml rename to secrets/bekkalokk/bekkalokk.yaml index 606da8f..eae9ede 100644 --- a/secrets/bekkalokk/bekkalokk/bekkalokk.yaml +++ b/secrets/bekkalokk/bekkalokk.yaml 
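Review bot: The new `services.keycloak` block in keycloak.nix sets no `initialAdminPassword`, and the NixOS module's default for that option is a fixed placeholder value, so the bootstrap admin account on `auth.pvv.ntnu.no` stays reachable with that default until someone changes it; either set it explicitly (the value appears to land in the generated config in the store, so rotate it after the first login) or add a comment such as `# NOTE: initialAdminPassword left at module default -- change the admin password right after first deploy`. The database section points `caCert` at the full Mozilla bundle from `pkgs.cacert` for a Postgres server addressed by `values.hosts.bicep.ipv4`; if bicep's server certificate is issued by an internal CA, setting `caCert` to that CA's certificate alone narrows trust to that issuer, and a comment stating which CA is expected would help either way. Nothing in the hunk shows how TLS for the public hostname is terminated (no `sslCertificate`/`sslCertificateKey` and no `proxy` setting, while nginx is still under TODO in configuration.nix), so a short comment on the intended fronting setup would save the next reader a search. The secret wiring via `passwordFile` with `restartUnits = [ "keycloak.service" ]` looks right.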
@@ -6,6 +6,7 @@ keys:
 postgres:
 gitea: ENC[AES256_GCM,data:lG4P8kzp7Zq94WftN7p1RJqM65esPuTFZ2JJWkFFXTzlid2DRZPsG2FGIA==,iv:JvHQUgwwb7wJTNMxjLjOUw5sKKWlyMJafVaUOLUu9Sk=,tag:qE0+gDFU/YtghqCv/d2Qgw==,type:str]
 mediawiki: ENC[AES256_GCM,data:p+s/uQ3ywQY9RpImFWTxjt1orzl905i9kTQPzsAIs6hAK5t3B00XVzKZgQ==,iv:xp3PRrjCGFxCsRZOlJGIonBOKWJ+3/1CByc4q7O3vDw=,tag:bfKlU2Pcoq0cQjbhp+UXag==,type:str]
+ keycloak: ENC[AES256_GCM,data:A3cbJTfP97yT35ov/yuWaD+b3wD2I8H+2GkW1ONp3YiNEsmKFjROx2rpwA==,iv:kMbuPtvy/49soEH9jxdY/X0BFDoiK7EyZ56xMkwjMUg=,tag:Ttp8BbJqfPWaeH5iaOwcQQ==,type:str]
 sops:
 kms: []
 gcp_kms: []
@@ -39,8 +40,8 @@ sops:
 RHN4RDJWWGV2ZDJzVUo1VVorNzhlMGMKCwdWOZOnibpbB5mZSCBGhj+yUZvk/vuK
 hsiDo74vmsmNZ/zmN6cw60hNwhZ4NgtfXcKG8Axe+1rPUwEcrvWHIQ==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2023-01-28T23:33:14Z"
- mac: ENC[AES256_GCM,data:c7YytaXdAPQmCiZHH2cojJqcZna2ilGXzpnkgxgYUOSQ0n3tryOK45uVp2JDN9OJ9gS5QsLf62AlqidE0wkYYuRC6HZnwhmlMuoY3kl2sr0/Y4kJqGeODRlZoGzUIOahHkphK1Y5GBs8GW6OYk46U54wi9+BF062pYxuOCoPwD4=,iv:ZLueZpRdaD/7uvmimDUELCAtM3e9169vmoXcHz4OKfQ=,tag:Ya8tMbUBhuypXJeZ8GQmWA==,type:str]
+ lastmodified: "2023-05-06T21:36:22Z"
+ mac: ENC[AES256_GCM,data:F9XujlDa5o0N07UfA4QTjApiJQyaT/l6jVSmekwx8exLWGKfMIVs3KKt8ZIT8MmmCg1+GPYHV1MzC+OCImj1q0uYDkqG/Of5KAKYrizz2GwmVa8pSyV/b+tFdBNKxlVjH+YWwxkMltCoZNzaYJDALAfUv07Xp8mnKaXdkS7SQBQ=,iv:LAmhmXDui8gkYKjL8gk9HPRFlcKAviQ9g9prp7yDptQ=,tag:GNffyDqt+mm3umUtnTU9hw==,type:str]
 pgp:
 - created_at: "2023-01-28T23:37:44Z"
 enc: |