feat(whitby): Configure initial Keycloak setup
Trialing this as an alternative to CAS that is a little easier to configure and can help us delegate authentication to other OIDC services. Change-Id: Iad63724d349334910af8fed0b148e4ba428f796b Reviewed-on: https://cl.tvl.fyi/c/depot/+/4608 Tested-by: BuildkiteCI Autosubmit: tazjin <mail@tazj.in> Reviewed-by: lukegb <lukegb@tvl.fyi>
This commit is contained in:
parent
1ee31d67fc
commit
d8a1802b3e
4 changed files with 59 additions and 1 deletions
|
@ -23,6 +23,7 @@ in {
|
|||
"${depot.path}/ops/modules/tvl-slapd/default.nix"
|
||||
"${depot.path}/ops/modules/tvl-sso/default.nix"
|
||||
"${depot.path}/ops/modules/www/atward.tvl.fyi.nix"
|
||||
"${depot.path}/ops/modules/www/auth.tvl.fyi.nix"
|
||||
"${depot.path}/ops/modules/www/b.tvl.fyi.nix"
|
||||
"${depot.path}/ops/modules/www/cache.tvl.su.nix"
|
||||
"${depot.path}/ops/modules/www/cl.tvl.fyi.nix"
|
||||
|
@ -210,6 +211,7 @@ in {
|
|||
gerrit-queue.file = secretFile "gerrit-queue";
|
||||
grafana.file = secretFile "grafana";
|
||||
irccat.file = secretFile "irccat";
|
||||
keycloak-db.file = secretFile "keycloak-db";
|
||||
nix-cache-priv.file = secretFile "nix-cache-priv";
|
||||
owothia.file = secretFile "owothia";
|
||||
panettone.file = secretFile "panettone";
|
||||
|
@ -417,8 +419,9 @@ in {
|
|||
services.postgresqlBackup = {
|
||||
enable = true;
|
||||
databases = [
|
||||
"tvldb"
|
||||
"keycloak"
|
||||
"panettone"
|
||||
"tvldb"
|
||||
];
|
||||
};
|
||||
|
||||
|
@ -546,9 +549,39 @@ in {
|
|||
}];
|
||||
};
|
||||
};
|
||||
|
||||
# Contains GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET.
|
||||
systemd.services.grafana.serviceConfig.EnvironmentFile = "/run/agenix/grafana";
|
||||
|
||||
services.keycloak = {
|
||||
enable = true;
|
||||
httpPort = "5925"; # "kycl"
|
||||
frontendUrl = "https://auth.tvl.fyi/auth/";
|
||||
|
||||
database = {
|
||||
type = "postgresql";
|
||||
passwordFile = "/run/agenix/keycloak-db";
|
||||
createLocally = false;
|
||||
};
|
||||
|
||||
# Configure Keycloak to look at forwarded headers from the reverse
|
||||
# proxy.
|
||||
extraConfig = {
|
||||
"subsystem=undertow" = {
|
||||
"server=default-server" = {
|
||||
"http-listener=default" = {
|
||||
proxy-address-forwarding = "true";
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
# Allow Keycloak access to the LDAP module by forcing in the JVM
|
||||
# configuration
|
||||
systemd.services.keycloak.environment.PREPEND_JAVA_OPTS =
|
||||
"--add-exports=java.naming/com.sun.jndi.ldap=ALL-UNNAMED";
|
||||
|
||||
security.sudo.extraRules = [
|
||||
{
|
||||
groups = ["wheel"];
|
||||
|
|
24
ops/modules/www/auth.tvl.fyi.nix
Normal file
24
ops/modules/www/auth.tvl.fyi.nix
Normal file
|
@ -0,0 +1,24 @@
|
|||
{ config, ... }:
|
||||
|
||||
{
|
||||
imports = [
|
||||
./base.nix
|
||||
];
|
||||
|
||||
config = {
|
||||
services.nginx.virtualHosts."auth.tvl.fyi" = {
|
||||
serverName = "auth.tvl.fyi";
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
|
||||
extraConfig = ''
|
||||
location / {
|
||||
proxy_pass http://localhost:${config.services.keycloak.httpPort};
|
||||
proxy_set_header X-Forwarded-For $remote_addr;
|
||||
proxy_set_header X-Forwarded-Proto https;
|
||||
proxy_set_header Host $host;
|
||||
}
|
||||
'';
|
||||
};
|
||||
};
|
||||
}
|
BIN
ops/secrets/keycloak-db.age
Normal file
BIN
ops/secrets/keycloak-db.age
Normal file
Binary file not shown.
|
@ -24,6 +24,7 @@ in {
|
|||
"gerrit-queue.age" = default;
|
||||
"grafana.age" = default;
|
||||
"irccat.age" = default;
|
||||
"keycloak-db.age" = default;
|
||||
"nix-cache-priv.age" = default;
|
||||
"nix-cache-pub.age" = default;
|
||||
"owothia.age" = default;
|
||||
|
|
Loading…
Reference in a new issue