2021-10-16 21:24:30 +03:00
|
|
|
{ config, lib, pkgs, tools, ... }:
|
|
|
|
with tools.nginx;
|
|
|
|
let
|
|
|
|
login = "login.${tools.meta.domain}";
|
|
|
|
cfg = config.services.keycloak;
|
|
|
|
in
|
|
|
|
{
|
2021-11-29 02:38:59 +02:00
|
|
|
reservePortsFor = [ "keycloak" ];
|
|
|
|
|
2021-10-16 21:24:30 +03:00
|
|
|
imports = [
|
|
|
|
./identity-management.nix
|
|
|
|
];
|
|
|
|
age.secrets.keycloak-dbpass = {
|
|
|
|
file = ../../../../secrets/keycloak-dbpass.age;
|
|
|
|
owner = "root";
|
|
|
|
group = "root";
|
|
|
|
mode = "0400";
|
|
|
|
};
|
|
|
|
services.nginx.virtualHosts = {
|
2021-11-29 02:38:59 +02:00
|
|
|
"${login}" = lib.recursiveUpdate (vhosts.proxy "http://${cfg.bindAddress}:${config.portsStr.keycloak}") {
|
2021-10-16 21:24:30 +03:00
|
|
|
locations."= /".return = "302 /auth/realms/master/account/";
|
|
|
|
};
|
|
|
|
"account.${domain}" = vhosts.redirect "https://${login}/auth/realms/master/account/";
|
|
|
|
};
|
|
|
|
services.keycloak = {
|
|
|
|
enable = true;
|
|
|
|
frontendUrl = "https://${login}/auth";
|
|
|
|
bindAddress = "127.0.0.1";
|
2021-11-29 02:38:59 +02:00
|
|
|
httpPort = config.portsStr.keycloak;
|
2021-10-16 21:24:30 +03:00
|
|
|
package = pkgs.keycloak.override { jre = pkgs.jdk11_headless; };
|
|
|
|
database = {
|
|
|
|
createLocally = true;
|
|
|
|
type = "postgresql";
|
|
|
|
passwordFile = config.age.secrets.keycloak-dbpass.path;
|
|
|
|
};
|
|
|
|
extraConfig = {
|
|
|
|
"subsystem=undertow" = {
|
|
|
|
"server=default-server" = {
|
|
|
|
"http-listener=default" = {
|
|
|
|
proxy-address-forwarding = true;
|
|
|
|
};
|
|
|
|
};
|
|
|
|
};
|
|
|
|
};
|
|
|
|
};
|
|
|
|
}
|