From 36cd5d3d1692c6f198b954f89f79d529c195e9f3 Mon Sep 17 00:00:00 2001
From: Michael Thomas
Date: Fri, 14 Mar 2025 13:48:59 -0400
Subject: [PATCH] feat(nova): add keycloak w/ separate module
---
 machines/nova/configuration.nix | 6 ++++
 nixos/keycloak/default.nix | 53 +++++++++++++++++++++++++++++++++
 2 files changed, 59 insertions(+)
 create mode 100644 nixos/keycloak/default.nix
diff --git a/machines/nova/configuration.nix b/machines/nova/configuration.nix
index d7286b7..252372c 100644
--- a/machines/nova/configuration.nix
+++ b/machines/nova/configuration.nix
@@ -51,6 +51,12 @@ programs.zsh.enable = true;
+ my.server = {
+ domain = "thomasfmly.org";
+ firewallInterface = "enp1s0";
+ };
+
+ my.services.keycloak.enable = true;
 my.services.mealie.enable = true;
 my.services.nextcloud.enable = true;
diff --git a/nixos/keycloak/default.nix b/nixos/keycloak/default.nix
new file mode 100644
index 0000000..a7e9829
--- /dev/null
+++ b/nixos/keycloak/default.nix
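Review bot: This host turns on `my.services.keycloak.enable` but not `my.services.keycloak.proxy`, so nothing in this configuration publishes a TLS vhost for `auth.thomasfmly.org`; if Caddy runs on nova the enable line should be paired with `my.services.keycloak.proxy = true;`. If the proxy lives on another machine instead, be aware that the new `my.server.firewallInterface = "enp1s0"` value is what the keycloak module uses to open Keycloak's plaintext HTTP port to every peer on that interface, not only to the proxy, so a source restriction on that rule is worth adding on the same host. The enclosing attribute set starts and ends outside the hunk.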
@@ -0,0 +1,53 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+with lib; let
+ cfg = config.my.services.keycloak;
+ inherit (config.my.server) domain firewallInterface;
+ keycloakDomain = "auth.${domain}";
+ keycloakUrl = "https://${keycloakDomain}";
+in {
+ options.my.services.keycloak = {
+ enable = mkEnableOption "Keycloak";
+ proxy = mkEnableOption "Keycloak reverse proxy entry";
+ port = mkOption {
+ type = types.port;
+ default = 7654;
+ example = 8080;
+ description = "HTTP port for the Keycloak service.";
+ };
+ };
+
+ config = mkMerge [
+ (mkIf cfg.enable {
+ age.secrets.keycloakDb.file = ../../secrets/keycloak-db.age;
+ services.keycloak = {
+ enable = true;
+ package = pkgs.keycloak;
+ settings = {
+ hostname = keycloakUrl;
+ hostname-admin = keycloakUrl;
+ hostname-strict = false;
+ hostname-strict-https = false;
+ proxy-headers = "xforwarded";
+ http-enabled = true;
+ http-port = cfg.port;
+ };
+ database.passwordFile = config.age.secrets.keycloakDb.path;
+ themes = with pkgs; {
+ keywind = keycloak-theme-keywind;
+ };
+ };
+
+ networking.firewall.interfaces."${firewallInterface}".allowedTCPPorts = [cfg.port];
+ })
+ (mkIf cfg.proxy {
+ services.caddy.virtualHosts."${keycloakDomain}".extraConfig = ''
+ reverse_proxy http://${proxyIP}:${toString cfg.port}
+ '';
+ })
+ ];
+}
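Review bot: `proxyIP` in the Caddy `reverse_proxy` line is not bound anywhere in this file — it is not a function argument, not in the `let` block, and not part of the `inherit (config.my.server)` line — so evaluating with `proxy = true` will fail with an undefined-variable error unless `lib` happens to carry that name; bind it next to the other server values, e.g. `inherit (config.my.server) domain firewallInterface proxyIP;`, or add an option for it. Separately, `proxy-headers = "xforwarded"` makes Keycloak trust `X-Forwarded-*` from whoever reaches `cfg.port`, and the `networking.firewall` line opens that plaintext port on `firewallInterface` for any source, so a client that bypasses Caddy can present forged forwarded scheme and client-IP headers and talk to the admin console over HTTP. If Caddy runs on the same host, drop the firewall entry and add `http-host = "127.0.0.1";` to `settings`; if it runs elsewhere, restrict the port to the proxy's address rather than opening it interface-wide. `hostname-strict = false` and `hostname-strict-https = false` also look unnecessary given `hostname` is already a fixed `https://` URL; confirm against the Keycloak release in `pkgs.keycloak`, whose newer hostname handling may not accept the latter option at all.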