From d90a4fb372134acdbcd7eeec07d62c46eb9683aa Mon Sep 17 00:00:00 2001
From: Michael Thomas
Date: Tue, 16 Apr 2024 17:11:04 -0400
Subject: [PATCH] feat(venus): add keycloak

---
 machines/thinkcentre/configuration.nix | 23 +++++++++++++++++++++++
 secrets/keycloak-db.age | 6 ++++++
 secrets/secrets.nix | 4 ++++
 3 files changed, 33 insertions(+)
 create mode 100644 secrets/keycloak-db.age

diff --git a/machines/thinkcentre/configuration.nix b/machines/thinkcentre/configuration.nix
index a163b73..71b39ea 100644
--- a/machines/thinkcentre/configuration.nix
+++ b/machines/thinkcentre/configuration.nix
@@ -10,6 +10,12 @@
 networking.hostName = "venus"; # Define your hostname.
 networking.nameservers = ["1.1.1.1" "8.8.8.8"];
 
+ networking.firewall = {
+ enable = true;
+ interfaces."wg0" = {
+ allowedTCPPorts = [7654];
+ };
+ };
 
 # Wireguard tunnel to oracle
 age.secrets.wireguardThinkcentre.file = ../../secrets/wireguard-thinkcentre.age;
@@ -63,6 +69,23 @@
 };
 };
 
+ age.secrets.keycloakDb.file = ../../secrets/keycloak-db.age;
+ services.keycloak = {
+ enable = true;
+ settings = {
+ hostname-url = "https://auth.s.michaelt.xyz";
+ hostname-admin-url = "https://auth.s.michaelt.xyz";
+ hostname-strict = false;
+ hostname-strict-https = false;
+ # proxy-headers = "xforwarded";
+ proxy = "edge";
+ http-enabled = true;
+ http-port = 7654;
+ # https-port = -1;
+ };
+ database.passwordFile = config.age.secrets.keycloakDb.path;
+ };
+
 swapDevices = [
 {
 device = "/swapfile";
diff --git a/secrets/keycloak-db.age b/secrets/keycloak-db.age
new file mode 100644
index 0000000..0d2f771
--- /dev/null
+++ b/secrets/keycloak-db.age
@@ -0,0 +1,6 @@
+age-encryption.org/v1
+-> ssh-ed25519 jBnYqQ 0cD5v5l7JGQmlnM0q7J8VDWrObgphnv3OqSu94BWKUk
+XcFJF3Z7bJq87/dbwejxvNWlyXCpXAG8zFsdccP25/Y
+--- HfE3zlQE++CyJhcsZ2v9u+lwgdUmNq07ujxK9fqHEfk
+?ΖZݻuv|V@sc}دIirgӦ F
+{c@[$
\ No newline at end of file
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 04b852a..90b4180 100644
--- a/secrets/secrets.nix
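Review bot: The `allowedTCPPorts = [7654]` entry under `interfaces."wg0"` carries nothing that ties it to the Keycloak listener it exists for, so the two can drift apart when the port is changed later; a comment such as `# Keycloak HTTP listener (services.keycloak.settings.http-port), reachable only over the Wireguard tunnel` would keep them in step. `enable = true` restates the NixOS default and could be dropped, or kept as a deliberate statement that the host-level firewall is the access control for this port. The attribute set this hunk modifies begins and ends outside the hunk.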
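Review bot: `proxy = "edge"` makes Keycloak trust the X-Forwarded-* headers of any client that reaches the plain-HTTP listener on 7654, and nothing in the block binds that listener to a particular address, so the interface-scoped firewall rule in the earlier hunk is the only thing confining header trust to the Wireguard peer; a comment on the `proxy` line recording that assumption, and optionally binding the listener to the wg0 address via `http-host`, would make the trust boundary explicit. `hostname-strict = false` and `hostname-strict-https = false` appear to loosen hostname handling even though `hostname-url` and `hostname-admin-url` are already fixed; if they were needed to get the service to start, a comment naming the reason would help, otherwise they could stay at their defaults. The commented-out `proxy-headers` line suggests the packaged Keycloak did not yet accept the newer option, which is worth noting in the same comment so the `proxy` setting can be revisited on upgrade. The enclosing attribute set starts and ends outside the hunk.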
+++ b/secrets/secrets.nix
@@ -3,6 +3,10 @@ let
 oracle = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ0vHE/b6tKk6I6DwEemIF5VdS/JBXW8eiYIBmnbv5LI root@oracle";
 # systems = [system1];
 in {
+ # Venus
 "wireguard-thinkcentre.age".publicKeys = [venus];
+ "keycloak-db.age".publicKeys = [venus];
+
+ # Oracle
 "wireguard-oracle.age".publicKeys = [oracle];
 }