feat(venus): add keycloak

machines/thinkcentre/configuration.nix

@@ -10,6 +10,12 @@
 
   networking.hostName = "venus"; # Define your hostname.
   networking.nameservers = ["1.1.1.1" "8.8.8.8"];
+  networking.firewall = {
+    enable = true;
+    interfaces."wg0" = {
+      allowedTCPPorts = [7654];
+    };
+  };
 
   # Wireguard tunnel to oracle
   age.secrets.wireguardThinkcentre.file = ../../secrets/wireguard-thinkcentre.age;
@@ -63,6 +69,23 @@
     };
   };
 
+  age.secrets.keycloakDb.file = ../../secrets/keycloak-db.age;
+  services.keycloak = {
+    enable = true;
+    settings = {
+      hostname-url = "https://auth.s.michaelt.xyz";
+      hostname-admin-url = "https://auth.s.michaelt.xyz";
+      hostname-strict = false;
+      hostname-strict-https = false;
+      # proxy-headers = "xforwarded";
+      proxy = "edge";
+      http-enabled = true;
+      http-port = 7654;
+      # https-port = -1;
+    };
+    database.passwordFile = config.age.secrets.keycloakDb.path;
+  };
+
   swapDevices = [
     {
       device = "/swapfile";

secrets/keycloak-db.age

@@ -0,0 +1,6 @@
+age-encryption.org/v1
+-> ssh-ed25519 jBnYqQ 0cD5v5l7JGQmlnM0q7J8VDWrObgphnv3OqSu94BWKUk
+XcFJF3Z7bJq87/dbwejxvNWlyXCpXAG8zFsdccP25/Y
+--- HfE3zlQE++CyJhcsZ2v9u+lwgdUmNq07ujxK9fqHEfk
+盃?<3F>螙Z莼绣u<E7BBA3>v|馰婡坏s詂趠丿滻i歳靾g溻应頂吾蹻唆
+{<7B><>砪@橻$<24>

secrets/secrets.nix

@@ -3,6 +3,10 @@ let
   oracle = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ0vHE/b6tKk6I6DwEemIF5VdS/JBXW8eiYIBmnbv5LI root@oracle";
   # systems = [system1];
 in {
+  # Venus
   "wireguard-thinkcentre.age".publicKeys = [venus];
+  "keycloak-db.age".publicKeys = [venus];
+
+  # Oracle
   "wireguard-oracle.age".publicKeys = [oracle];
 }