cluster/services/sso: use patroni incandescence

2024-08-28 17:01:41 +02:00 · 2024-08-28 17:01:41 +02:00 · aa46d46d9d
commit aa46d46d9d
parent 272b4ddd01
3 changed files with 14 additions and 8 deletions
--- a/cluster/services/sso/default.nix
+++ b/cluster/services/sso/default.nix
@ -1,4 +1,4 @@
-{ depot, ... }:
+{ config, depot, ... }:

 {
  services.sso = {
@ -18,4 +18,12 @@
    login.target = ssoAddr;
    account.target = ssoAddr;
  };
+
+  patroni = config.lib.forService "sso" {
+    databases.keycloak = {};
+    users.keycloak.locksmith = {
+      nodes = config.services.sso.nodes.host;
+      format = "raw";
+    };
+  };
 }
--- a/cluster/services/sso/host.nix
+++ b/cluster/services/sso/host.nix
@ -8,12 +8,10 @@ in
 {
  links.keycloak.protocol = "http";

-  age.secrets.keycloak-dbpass = {
-    file = ../../../secrets/keycloak-dbpass.age;
-    owner = "root";
-    group = "root";
-    mode = "0400";
-  };
+  services.locksmith.waitForSecrets.keycloak = [
+    "patroni-keycloak"
+  ];
+
  services.nginx.virtualHosts = { 
    "${login}" = lib.recursiveUpdate (vhosts.proxy kc.url) {
      locations = {
@ -36,7 +34,7 @@ in
      host = patroni.ipv4;
      inherit (patroni) port;
      useSSL = false;
-      passwordFile = config.age.secrets.keycloak-dbpass.path;
+      passwordFile = "/run/locksmith/patroni-keycloak";
    };
    settings = {
      http-host = kc.ipv4;
--- a/secrets/keycloak-dbpass.age
+++ b/secrets/keycloak-dbpass.age