michael/nix-dots
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Compare commits

base: michael:d273c9a5157130d70d618691d5739afd0a521d5e
Branches Tags
michael:main
..
compare: michael:86c3bbc1e6cfce814527c328e67ee1afcb5b5467
Branches Tags
michael:main

No commits in common. "d273c9a5157130d70d618691d5739afd0a521d5e" and "86c3bbc1e6cfce814527c328e67ee1afcb5b5467" have entirely different histories.
d273c9a515 ... 86c3bbc1e6

3 changed files with 5 additions and 65 deletions
Show Stats Expand all files Collapse all files

6
machines/nova/configuration.nix
View File

@ -51,12 +51,6 @@
programs.zsh.enable = true; programs.zsh.enable = true;
my.server = {
domain = "thomasfmly.org";
firewallInterface = "enp1s0";
};
my.services.keycloak.enable = true;
my.services.mealie.enable = true; my.services.mealie.enable = true;
my.services.nextcloud.enable = true; my.services.nextcloud.enable = true;

11
modules/services/mealie/default.nix
View File

@ -31,13 +31,12 @@ in {
# OIDC # OIDC
OIDC_AUTH_ENABLED = true; OIDC_AUTH_ENABLED = true;
OIDC_CONFIGURATION_URL = "https://auth.thomasfmly.org/realms/gringotts/.well-known/openid-configuration"; OIDC_CONFIGURATION_URL = "https://authentik.thomasfmly.org/application/o/mealie/.well-known/openid-configuration";
OIDC_CLIENT_ID = "mealie"; OIDC_CLIENT_ID = "FLFfJCP0nWsxGfHpAf26XfoqMaIoUuaVdODJLW28";
OIDC_CLIENT_SECRET = "cBh876vWKoMgJSWLVJkVv6kPvUoNkvxD"; OIDC_CLIENT_SECRET = "YSEfBhGQUmzAKnrAEi9413NM4m8juF8u7e8zOLzfCA1JXZdRsgj8WWXTKLqEeGhCiQsVvD1iX52sFcWqOWo2r7tpolpUUVymj8O4kfMWampO1Nn65K2aPFtuXu3soUwB";
OIDC_GROUPS_CLAIM = "roles"; OIDC_ADMIN_GROUP = "Administrators";
OIDC_ADMIN_GROUP = "admin";
OIDC_AUTO_REDIRECT = true; OIDC_AUTO_REDIRECT = true;
OIDC_PROVIDER_NAME = "Keycloak"; OIDC_PROVIDER_NAME = "Authentik";
}; };
}; };

53
nixos/keycloak/default.nix
View File

@ -1,53 +0,0 @@
{
config,
lib,
pkgs,
...
}:
with lib; let
cfg = config.my.services.keycloak;
inherit (config.my.server) domain firewallInterface;
keycloakDomain = "auth.${domain}";
keycloakUrl = "https://${keycloakDomain}";
in {
options.my.services.keycloak = {
enable = mkEnableOption "Keycloak";
proxy = mkEnableOption "Keycloak reverse proxy entry";
port = mkOption {
type = types.port;
default = 7654;
example = 8080;
description = "HTTP port for the Keycloak service.";
};
};
config = mkMerge [
(mkIf cfg.enable {
age.secrets.keycloakDb.file = ../../secrets/keycloak-db.age;
services.keycloak = {
enable = true;
package = pkgs.keycloak;
settings = {
hostname = keycloakUrl;
hostname-admin = keycloakUrl;
hostname-strict = false;
hostname-strict-https = false;
proxy-headers = "xforwarded";
http-enabled = true;
http-port = cfg.port;
};
database.passwordFile = config.age.secrets.keycloakDb.path;
themes = with pkgs; {
keywind = keycloak-theme-keywind;
};
};
networking.firewall.interfaces."${firewallInterface}".allowedTCPPorts = [cfg.port];
})
(mkIf cfg.proxy {
services.caddy.virtualHosts."${keycloakDomain}".extraConfig = ''
reverse_proxy http://${proxyIP}:${toString cfg.port}
'';
})
];
}