Compare commits
2 Commits
86c3bbc1e6
...
d273c9a515
| Author | SHA1 | Date | |
|---|---|---|---|
| d273c9a515 | |||
| 36cd5d3d16 |
@ -51,6 +51,12 @@
|
|||||||
|
|
||||||
programs.zsh.enable = true;
|
programs.zsh.enable = true;
|
||||||
|
|
||||||
|
my.server = {
|
||||||
|
domain = "thomasfmly.org";
|
||||||
|
firewallInterface = "enp1s0";
|
||||||
|
};
|
||||||
|
|
||||||
|
my.services.keycloak.enable = true;
|
||||||
my.services.mealie.enable = true;
|
my.services.mealie.enable = true;
|
||||||
my.services.nextcloud.enable = true;
|
my.services.nextcloud.enable = true;
|
||||||
|
|
||||||
|
|||||||
@ -31,12 +31,13 @@ in {
|
|||||||
|
|
||||||
# OIDC
|
# OIDC
|
||||||
OIDC_AUTH_ENABLED = true;
|
OIDC_AUTH_ENABLED = true;
|
||||||
OIDC_CONFIGURATION_URL = "https://authentik.thomasfmly.org/application/o/mealie/.well-known/openid-configuration";
|
OIDC_CONFIGURATION_URL = "https://auth.thomasfmly.org/realms/gringotts/.well-known/openid-configuration";
|
||||||
OIDC_CLIENT_ID = "FLFfJCP0nWsxGfHpAf26XfoqMaIoUuaVdODJLW28";
|
OIDC_CLIENT_ID = "mealie";
|
||||||
OIDC_CLIENT_SECRET = "YSEfBhGQUmzAKnrAEi9413NM4m8juF8u7e8zOLzfCA1JXZdRsgj8WWXTKLqEeGhCiQsVvD1iX52sFcWqOWo2r7tpolpUUVymj8O4kfMWampO1Nn65K2aPFtuXu3soUwB";
|
OIDC_CLIENT_SECRET = "cBh876vWKoMgJSWLVJkVv6kPvUoNkvxD";
|
||||||
OIDC_ADMIN_GROUP = "Administrators";
|
OIDC_GROUPS_CLAIM = "roles";
|
||||||
|
OIDC_ADMIN_GROUP = "admin";
|
||||||
OIDC_AUTO_REDIRECT = true;
|
OIDC_AUTO_REDIRECT = true;
|
||||||
OIDC_PROVIDER_NAME = "Authentik";
|
OIDC_PROVIDER_NAME = "Keycloak";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|||||||
53
nixos/keycloak/default.nix
Normal file
53
nixos/keycloak/default.nix
Normal file
@ -0,0 +1,53 @@
|
|||||||
|
{
|
||||||
|
config,
|
||||||
|
lib,
|
||||||
|
pkgs,
|
||||||
|
...
|
||||||
|
}:
|
||||||
|
with lib; let
|
||||||
|
cfg = config.my.services.keycloak;
|
||||||
|
inherit (config.my.server) domain firewallInterface;
|
||||||
|
keycloakDomain = "auth.${domain}";
|
||||||
|
keycloakUrl = "https://${keycloakDomain}";
|
||||||
|
in {
|
||||||
|
options.my.services.keycloak = {
|
||||||
|
enable = mkEnableOption "Keycloak";
|
||||||
|
proxy = mkEnableOption "Keycloak reverse proxy entry";
|
||||||
|
port = mkOption {
|
||||||
|
type = types.port;
|
||||||
|
default = 7654;
|
||||||
|
example = 8080;
|
||||||
|
description = "HTTP port for the Keycloak service.";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
config = mkMerge [
|
||||||
|
(mkIf cfg.enable {
|
||||||
|
age.secrets.keycloakDb.file = ../../secrets/keycloak-db.age;
|
||||||
|
services.keycloak = {
|
||||||
|
enable = true;
|
||||||
|
package = pkgs.keycloak;
|
||||||
|
settings = {
|
||||||
|
hostname = keycloakUrl;
|
||||||
|
hostname-admin = keycloakUrl;
|
||||||
|
hostname-strict = false;
|
||||||
|
hostname-strict-https = false;
|
||||||
|
proxy-headers = "xforwarded";
|
||||||
|
http-enabled = true;
|
||||||
|
http-port = cfg.port;
|
||||||
|
};
|
||||||
|
database.passwordFile = config.age.secrets.keycloakDb.path;
|
||||||
|
themes = with pkgs; {
|
||||||
|
keywind = keycloak-theme-keywind;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
networking.firewall.interfaces."${firewallInterface}".allowedTCPPorts = [cfg.port];
|
||||||
|
})
|
||||||
|
(mkIf cfg.proxy {
|
||||||
|
services.caddy.virtualHosts."${keycloakDomain}".extraConfig = ''
|
||||||
|
reverse_proxy http://${proxyIP}:${toString cfg.port}
|
||||||
|
'';
|
||||||
|
})
|
||||||
|
];
|
||||||
|
}
|
||||||
Loading…
x
Reference in New Issue
Block a user