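# NixOS module: Keycloak behind an nginx TLS-terminating reverse proxy.
# Keycloak itself listens on plain HTTP on loopback only; nginx owns the
# public hostname, the ACME certificate and TLS.
{ config, pkgs, lib, ... }:
let
  my = config.my;
  # Loopback-only HTTP port Keycloak listens on; nginx proxies to it.
  port = 8080;
  keycloak-protocol-cas = pkgs.callPackage ./keycloak/keycloak-protocol-cas.nix { };
  domain = "auth.${my.subZone}";
in
{
  services.keycloak = {
    enable = true;
    # Only consulted when the admin user is created on first start. The value
    # is part of the Nix store and therefore world-readable on the host, so it
    # must be changed at first login; it is not a long-term secret.
    initialAdminPassword = "changemeasap";
    plugins = [
      pkgs.keycloak.plugins.keycloak-metrics-spi
      keycloak-protocol-cas
    ];
    database = {
      type = "postgresql";
      username = "keycloak";
      name = "keycloak";
      createLocally = true;
      # Read at runtime from the agenix-decrypted file, so the DB password
      # never lands in the Nix store.
      passwordFile = config.age.secrets.keycloakDatabasePasswordFile.path;
    };
    settings = {
      # TLS is terminated by nginx; in edge mode Keycloak trusts the
      # X-Forwarded-* headers sent by the proxy (see the nginx location below).
      # NOTE(review): `proxy` is deprecated in newer Keycloak releases in
      # favour of `proxy-headers = "xforwarded"`; check the packaged version.
      proxy = "edge";
      http-port = port;
      http-relative-path = "/auth";
      hostname = domain;
      # Backchannel (token / introspection) URLs must use the public hostname too.
      hostname-strict-backchannel = true;
    };
  };

  services.nginx.virtualHosts."${domain}" = {
    forceSSL = true;
    enableACME = true;
    locations."/" = {
      proxyPass = "http://127.0.0.1:${toString port}";
      # `proxy = "edge"` only *trusts* X-Forwarded-* headers; nginx must send
      # them. This adds Host / X-Forwarded-For / X-Forwarded-Proto so Keycloak
      # sees the real client address (event log, brute-force detection) and
      # the original scheme/host when building URLs.
      recommendedProxySettings = true;
      extraConfig = ''
        # Keycloak responses can carry large cookies / authorization headers;
        # the nginx defaults are too small and yield 502s.
        proxy_buffer_size 128k;
        proxy_buffers 4 256k;
        proxy_busy_buffers_size 256k;
      '';
    };
  };
}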