feat(ops/keycloak): Check in initial Keycloak configuration

This is still missing most of the client configuration etc., in part due to bugs in the provider which are preventing resource imports. Change-Id: Ic224ffc001f8e1fe6dcd47b7d002580fdf7b0774 Reviewed-on: https://cl.tvl.fyi/c/depot/+/4628 Tested-by: BuildkiteCI Autosubmit: tazjin <mail@tazj.in> Reviewed-by: Profpatsch <mail@profpatsch.de>
2021-12-26 03:08:03 +03:00 · 2021-12-26 03:08:03 +03:00 · 7b3c0b3e2f
commit 7b3c0b3e2f
parent 8a5ccd7089
4 changed files with 55 additions and 0 deletions
--- a/bin/__dispatch.sh
+++ b/bin/__dispatch.sh
@ -65,6 +65,10 @@ case "${TARGET_TOOL}" in
    TARGET_TOOL="terraform"
    attr="ops.glesys.terraform"
    ;;
+  tf-keycloak)
+    TARGET_TOOL="terraform"
+    attr="ops.keycloak.terraform"
+    ;;
  *)
    echo "The tool '${TARGET_TOOL}' is currently not installed in this repository."
    exit 1
--- a/ops/keycloak/.gitignore
+++ b/ops/keycloak/.gitignore
@ -0,0 +1,3 @@
+.terraform*
+*.tfstate*
+.envrc
--- a/ops/keycloak/default.nix
+++ b/ops/keycloak/default.nix
@ -0,0 +1,8 @@
+{ depot, pkgs, ... }:
+
+depot.nix.readTree.drvTargets {
+  # Provide a Terraform wrapper with the right provider installed.
+  terraform = pkgs.terraform.withPlugins(p: [
+    p.keycloak
+  ]);
+}
--- a/ops/keycloak/main.tf
+++ b/ops/keycloak/main.tf
@ -0,0 +1,40 @@
+# Configure TVL Keycloak instance.
+#
+# TODO(tazjin): Configure GitHub/GitLab IDP
+
+terraform {
+  required_providers {
+    keycloak = {
+      source = "mrparkers/keycloak"
+    }
+  }
+}
+
+provider "keycloak" {
+  client_id = "terraform"
+  url       = "https://auth.tvl.fyi"
+}
+
+resource "keycloak_realm" "tvl" {
+  realm                       = "TVL"
+  enabled                     = true
+  display_name                = "The Virus Lounge"
+  default_signature_algorithm = "RS256"
+}
+
+resource "keycloak_ldap_user_federation" "tvl_ldap" {
+  name                    = "tvl-ldap"
+  realm_id                = keycloak_realm.tvl.id
+  enabled                 = true
+  connection_url          = "ldap://localhost"
+  users_dn                = "ou=users,dc=tvl,dc=fyi"
+  username_ldap_attribute = "cn"
+  uuid_ldap_attribute     = "cn"
+  rdn_ldap_attribute      = "cn"
+  full_sync_period        = 86400
+
+  user_object_classes = [
+    "inetOrgPerson",
+    "organizationalPerson",
+  ]
+}