From aa46d46d9dee7fad76af0f2a720274416551eef7 Mon Sep 17 00:00:00 2001 From: Max Date: Wed, 28 Aug 2024 17:01:41 +0200 Subject: [PATCH] cluster/services/sso: use patroni incandescence --- cluster/services/sso/default.nix | 10 +++++++++- cluster/services/sso/host.nix | 12 +++++------- secrets/keycloak-dbpass.age | Bin 559 -> 0 bytes 3 files changed, 14 insertions(+), 8 deletions(-) delete mode 100644 secrets/keycloak-dbpass.age diff --git a/cluster/services/sso/default.nix b/cluster/services/sso/default.nix index 5171ff9..3fe4f52 100644 --- a/cluster/services/sso/default.nix +++ b/cluster/services/sso/default.nix @@ -1,4 +1,4 @@ -{ depot, ... }: +{ config, depot, ... }: { services.sso = { @@ -18,4 +18,12 @@ login.target = ssoAddr; account.target = ssoAddr; }; + + patroni = config.lib.forService "sso" { + databases.keycloak = {}; + users.keycloak.locksmith = { + nodes = config.services.sso.nodes.host; + format = "raw"; + }; + }; } diff --git a/cluster/services/sso/host.nix b/cluster/services/sso/host.nix index 0b3bf25..31628b8 100644 --- a/cluster/services/sso/host.nix +++ b/cluster/services/sso/host.nix @@ -8,12 +8,10 @@ in { links.keycloak.protocol = "http"; - age.secrets.keycloak-dbpass = { - file = ../../../secrets/keycloak-dbpass.age; - owner = "root"; - group = "root"; - mode = "0400"; - }; + services.locksmith.waitForSecrets.keycloak = [ + "patroni-keycloak" + ]; + services.nginx.virtualHosts = { "${login}" = lib.recursiveUpdate (vhosts.proxy kc.url) { locations = { @@ -36,7 +34,7 @@ in host = patroni.ipv4; inherit (patroni) port; useSSL = false; - passwordFile = config.age.secrets.keycloak-dbpass.path; + passwordFile = "/run/locksmith/patroni-keycloak"; }; settings = { http-host = kc.ipv4; 
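Review bot: The new `patroni` block in cluster/services/sso/default.nix has no comment saying who receives the generated database credential or why it is written in `"raw"` format. From the visible lines, `nodes = config.services.sso.nodes.host` appears to limit delivery to the SSO host nodes, and the secret apparently surfaces as `patroni-keycloak` in host.nix, but neither is stated here. I would add above `users.keycloak.locksmith` a comment such as `# locksmith delivers this role's password only to the sso host nodes, as patroni-keycloak; raw = bare password for Keycloak's passwordFile`, after confirming both assumptions against the locksmith module. The enclosing attribute set starts outside the hunk.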
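Review bot: The secret name `patroni-keycloak` is now spelled out twice as a plain string, in `services.locksmith.waitForSecrets.keycloak` in the first host.nix hunk and in `passwordFile = "/run/locksmith/patroni-keycloak"` in the second. The old code referenced `config.age.secrets.keycloak-dbpass.path`, so a mismatch failed at evaluation time. A typo or later rename would now presumably only show up at runtime, as Keycloak waiting on a secret that never arrives or reading a missing file. Binding the name once in the existing `let` (which is outside the hunk), e.g. `dbSecret = "patroni-keycloak";`, and using `[ dbSecret ]` and `"/run/locksmith/${dbSecret}"` keeps the two in step. If the locksmith module exposes the secret path as an option, referencing that would be preferable to hard-coding `/run/locksmith`.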
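Review bot: The password read from the new `passwordFile` in the second host.nix hunk is sent over a database connection that still has `useSSL = false` in the context line just above it. Whether that is acceptable depends on the link to `patroni.ipv4` being encrypted or isolated at another layer, which is not visible in this hunk. Either enable TLS to the database or record the assumption next to the setting, e.g. `# TLS off: relies on the cluster-internal link to patroni being encrypted`. The enclosing attribute set starts outside the hunk.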
diff --git a/secrets/keycloak-dbpass.age b/secrets/keycloak-dbpass.age deleted file mode 100644 index 6d237471de59bdfb3664a611768542d83d838879..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 559 zcmZ9_yNlCs003YIxgm>_qeoCtB$uXnwpkAHXq)CP&!$ZiAK3o#x?GyHNqcRAgM;Yc z=z5a~3JwP%f^xHiPI?F~qIftf;(UthegD8W3Vqa1L0(ShJ6T%G@(|m@A#@WiiU{>R zf~Ij6RyCR-ICxB#OnulRg3;K?m!K1Y9xlxoreDvCK;0b%tVJx;ByP1sNSm9^j)AMp zP->YC6%Q>wVMI$WyS+?gBAFVj!f?;orIPIQMq`y#U&1qDI5w+bz;{ngs+}Y)NJiwTjVmTyxs)*nieZ3aQaPpQnyCe1wd-V^hR}#W!JXbb z((WucxI5t^-{uTjV~q#_9a5xyzN_}CI6wlu9kRxDIkRH3GW!tVR+LDpgB;wV51$@huH9OH zfA+rf;ONioD+g~3@LE@|-8tI)d1-(B?w9F@=zsqK+&RH)