2022-04-27 13:24:40 +02:00
|
|
|
{ config, pkgs, lib, ... }:
|
2021-07-26 01:29:05 +02:00
|
|
|
let
|
|
|
|
|
my = config.my;
|
|
|
|
|
port = 8080;
|
2022-04-27 13:24:40 +02:00
|
|
|
keycloak-protocol-cas = pkgs.callPackage ./keycloak/keycloak-protocol-cas.nix {};
|
|
|
|
|
domain = "auth.${my.subZone}";
|
|
|
|
|
certs = config.security.acme.certs."${domain}".directory;
|
2021-07-26 01:29:05 +02:00
|
|
|
in
|
|
|
|
|
{
|
|
|
|
|
services.keycloak = {
|
|
|
|
|
enable = true;
|
2022-04-27 13:24:40 +02:00
|
|
|
/*package = pkgs.keycloak.overrideAttrs (old: rec {
|
|
|
|
|
version = "18.0.0";
|
|
|
|
|
jre = pkgs.openjdk;
|
|
|
|
|
src = pkgs.fetchzip {
|
|
|
|
|
url = "https://github.com/keycloak/keycloak/releases/download/${version}/keycloak-${version}.zip";
|
|
|
|
|
sha256 = "sha256-Tql5/yNtdctSCYgtSnz5Pa6IwZVf/HOApFdeCEpNrjs=";
|
|
|
|
|
};
|
|
|
|
|
});*/
|
|
|
|
|
package = pkgs.callPackage ./keycloak/package.nix {};
|
2021-07-26 01:29:05 +02:00
|
|
|
initialAdminPassword = "changemeasap";
|
2022-04-27 13:24:40 +02:00
|
|
|
sslCertificate = "${certs}/cert.pem";
|
|
|
|
|
sslCertificateKey = "${certs}/key.pem";
|
|
|
|
|
plugins = [ pkgs.keycloak.plugins.keycloak-metrics-spi keycloak-protocol-cas ];
|
|
|
|
|
database = {
|
|
|
|
|
type = "postgresql";
|
|
|
|
|
username = "keycloak";
|
|
|
|
|
name = "keycloak";
|
|
|
|
|
createLocally = true;
|
|
|
|
|
passwordFile = "${config.age.secrets.keycloakDatabasePasswordFile.path}";
|
|
|
|
|
};
|
|
|
|
|
settings = {
|
|
|
|
|
hostname-strict-backchannel = true;
|
|
|
|
|
http-port = port;
|
|
|
|
|
proxy = "edge";
|
|
|
|
|
http-relative-path = "/auth";
|
|
|
|
|
hostname = domain;
|
2021-07-26 01:29:05 +02:00
|
|
|
};
|
|
|
|
|
};
|
|
|
|
|
|
2022-04-27 13:24:40 +02:00
|
|
|
services.nginx.virtualHosts."${domain}" = {
|
2021-07-26 01:29:05 +02:00
|
|
|
forceSSL = true;
|
|
|
|
|
enableACME = true;
|
|
|
|
|
locations."/" = {
|
|
|
|
|
proxyPass = "http://127.0.0.1:${toString port}";
|
|
|
|
|
};
|
|
|
|
|
};
|
|
|
|
|
}
|
