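{
  config,
  lib,
  pkgs,
  ...
}:
with lib; let
  cfg = config.my.services.keycloak;
  # proxyIP is used by the Caddy entry below but was not bound anywhere in this
  # module (it is not in lib, so `with lib` cannot supply it), which makes the
  # `proxy` option fail at evaluation. It is assumed to live next to
  # domain/firewallInterface in config.my.server — confirm before relying on it.
  inherit (config.my.server) domain firewallInterface proxyIP;
  keycloakDomain = "auth.${domain}";
  keycloakUrl = "https://${keycloakDomain}";
in {
  options.my.services.keycloak = {
    enable = mkEnableOption "Keycloak";
    proxy = mkEnableOption "Keycloak reverse proxy entry";
    port = mkOption {
      type = types.port;
      default = 7654;
      example = 8080;
      description = "HTTP port for the Keycloak service.";
    };
  };

  config = mkMerge [
    (mkIf cfg.enable {
      # The database password stays in the age-encrypted file; only the
      # decrypted path is handed to Keycloak below.
      age.secrets.keycloakDb.file = ../../secrets/keycloak-db.age;

      services.keycloak = {
        enable = true;
        package = pkgs.keycloak;
        settings = {
          # Public and admin URLs are both pinned to the HTTPS front end.
          hostname = keycloakUrl;
          hostname-admin = keycloakUrl;
          # Both relaxations widen which Host headers Keycloak will accept even
          # though hostname is pinned above; re-check that they are still
          # needed. hostname-strict-https belongs to the older hostname option
          # set and may not be recognised by the pinned pkgs.keycloak — confirm.
          hostname-strict = false;
          hostname-strict-https = false;
          # Keycloak will trust X-Forwarded-* headers from any client that can
          # reach cfg.port, so that port must only be reachable by the reverse
          # proxy (see the firewall rule below).
          proxy-headers = "xforwarded";
          # Plain HTTP is only the proxy -> Keycloak hop; presumably TLS is
          # terminated by the Caddy entry enabled via `proxy`.
          http-enabled = true;
          http-port = cfg.port;
        };
        database.passwordFile = config.age.secrets.keycloakDb.path;
        themes = with pkgs; {
          keywind = keycloak-theme-keywind;
        };
      };

      # Opens the plain-HTTP Keycloak port on firewallInterface so the proxy can
      # reach it. Every host on that interface can then also talk to Keycloak
      # directly and supply its own X-Forwarded-* headers, so keep the interface
      # restricted to the proxy host.
      networking.firewall.interfaces."${firewallInterface}".allowedTCPPorts = [cfg.port];
    })
    (mkIf cfg.proxy {
      # Caddy serves keycloakDomain and forwards to Keycloak over plain HTTP at
      # proxyIP:cfg.port.
      services.caddy.virtualHosts."${keycloakDomain}".extraConfig = ''
        reverse_proxy http://${proxyIP}:${toString cfg.port}
      '';
    })
  ];
}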