From d8a1802b3ed804fb26c50a6f23036aede1ac1182 Mon Sep 17 00:00:00 2001
From: Vincent Ambo
Date: Sat, 25 Dec 2021 17:06:15 +0300
Subject: [PATCH] feat(whitby): Configure initial Keycloak setup

Trialing this as an alternative to CAS that is a little easier to configure and can help us delegate authentication to other OIDC services.

Change-Id: Iad63724d349334910af8fed0b148e4ba428f796b
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4608
Tested-by: BuildkiteCI
Autosubmit: tazjin
Reviewed-by: lukegb
---
 ops/machines/whitby/default.nix | 35 ++++++++++++++++++++++++++++++-
 ops/modules/www/auth.tvl.fyi.nix | 24 +++++++++++++++++++++
 ops/secrets/keycloak-db.age | Bin 0 -> 589 bytes
 ops/secrets/secrets.nix | 1 +
 4 files changed, 59 insertions(+), 1 deletion(-)
 create mode 100644 ops/modules/www/auth.tvl.fyi.nix
 create mode 100644 ops/secrets/keycloak-db.age

diff --git a/ops/machines/whitby/default.nix b/ops/machines/whitby/default.nix
index dbd8c6164..045e037fd 100644
--- a/ops/machines/whitby/default.nix
+++ b/ops/machines/whitby/default.nix
@@ -23,6 +23,7 @@ in {
     "${depot.path}/ops/modules/tvl-slapd/default.nix"
     "${depot.path}/ops/modules/tvl-sso/default.nix"
     "${depot.path}/ops/modules/www/atward.tvl.fyi.nix"
+    "${depot.path}/ops/modules/www/auth.tvl.fyi.nix"
     "${depot.path}/ops/modules/www/b.tvl.fyi.nix"
     "${depot.path}/ops/modules/www/cache.tvl.su.nix"
     "${depot.path}/ops/modules/www/cl.tvl.fyi.nix"
@@ -210,6 +211,7 @@ in {
     gerrit-queue.file = secretFile "gerrit-queue";
     grafana.file = secretFile "grafana";
     irccat.file = secretFile "irccat";
+    keycloak-db.file = secretFile "keycloak-db";
     nix-cache-priv.file = secretFile "nix-cache-priv";
     owothia.file = secretFile "owothia";
     panettone.file = secretFile "panettone";
@@ -417,8 +419,9 @@ in {
   services.postgresqlBackup = {
     enable = true;
     databases = [
-      "tvldb"
+      "keycloak"
       "panettone"
+      "tvldb"
     ];
   };
@@ -546,9 +549,39 @@ in {
       }];
     };
   };
 
+  # Contains GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET.
   systemd.services.grafana.serviceConfig.EnvironmentFile = "/run/agenix/grafana";
 
+  services.keycloak = {
+    enable = true;
+    httpPort = "5925"; # "kycl"
+    frontendUrl = "https://auth.tvl.fyi/auth/";
+
+    database = {
+      type = "postgresql";
+      passwordFile = "/run/agenix/keycloak-db";
+      createLocally = false;
+    };
+
+    # Configure Keycloak to look at forwarded headers from the reverse
+    # proxy.
+    extraConfig = {
+      "subsystem=undertow" = {
+        "server=default-server" = {
+          "http-listener=default" = {
+            proxy-address-forwarding = "true";
+          };
+        };
+      };
+    };
+  };
+
+  # Allow Keycloak access to the LDAP module by forcing in the JVM
+  # configuration
+  systemd.services.keycloak.environment.PREPEND_JAVA_OPTS =
+    "--add-exports=java.naming/com.sun.jndi.ldap=ALL-UNNAMED";
+
   security.sudo.extraRules = [
     {
       groups = ["wheel"];
diff --git a/ops/modules/www/auth.tvl.fyi.nix b/ops/modules/www/auth.tvl.fyi.nix
new file mode 100644
index 000000000..e0c031bf7
--- /dev/null
+++ b/ops/modules/www/auth.tvl.fyi.nix
@@ -0,0 +1,24 @@
+{ config, ... }:
+
+{
+  imports = [
+    ./base.nix
+  ];
+
+  config = {
+    services.nginx.virtualHosts."auth.tvl.fyi" = {
+      serverName = "auth.tvl.fyi";
+      enableACME = true;
+      forceSSL = true;
+
+      extraConfig = ''
+        location / {
+          proxy_pass http://localhost:${config.services.keycloak.httpPort};
+          proxy_set_header X-Forwarded-For $remote_addr;
+          proxy_set_header X-Forwarded-Proto https;
+          proxy_set_header Host $host;
+        }
+      '';
+    };
+  };
+}
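Review bot: `proxy-address-forwarding = "true"` tells Undertow to trust X-Forwarded-For/X-Forwarded-Proto on whatever reaches port 5925, but nothing in this hunk pins the listener to loopback — unless a `bindAddress` is set elsewhere or the host firewall blocks 5925 (neither is visible here), a client that can reach the port directly can forge its source address and scheme past nginx. Add `bindAddress = "127.0.0.1";` next to `httpPort` (the keycloak module of this era exposes that option) so the only path to Keycloak is the proxy that sets those headers. Separately, `createLocally = false` means nothing in this patch creates the `keycloak` database or the role that `passwordFile` authenticates as, while the postgresqlBackup hunk already lists that database; a comment such as `# DB and role are provisioned by hand; see keycloak-db secret` next to `database = {` (or a `services.postgresql.ensureDatabases` entry) would keep the next reader from chasing it. The enclosing whitby module starts and ends outside the hunk.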
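Review bot: The single `location /` block proxies the whole Keycloak tree, so the admin console under `/auth/admin/` and the master realm's login endpoint are reachable from the public internet on auth.tvl.fyi with only Keycloak's own account protections in front of them. For a first IdP deployment, consider a dedicated `location /auth/admin/` restricted with `allow`/`deny` to operator networks, or at least a comment on the vhost recording that public admin exposure is intentional and what compensating controls (brute-force detection, 2FA on the master realm) are in place. Keycloak behind nginx is also commonly reported to emit response headers larger than nginx's default `proxy_buffer_size`; if base.nix does not already raise it (not visible here), adding `proxy_buffer_size`/`proxy_buffers` to this location avoids intermittent 502s on login. The excerpt below shows the restricted admin location; the real operator ranges still need to be filled in.
```nix
      extraConfig = ''
        # Admin console: only reachable from operator networks. Replace the
        # loopback entry with the real admin/VPN ranges before relying on this.
        location /auth/admin/ {
          allow 127.0.0.1;
          deny all;
          proxy_pass http://localhost:${config.services.keycloak.httpPort};
          proxy_set_header X-Forwarded-For $remote_addr;
          proxy_set_header X-Forwarded-Proto https;
          proxy_set_header Host $host;
        }
        # … unchanged: location / block …
      '';
```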
diff --git a/ops/secrets/keycloak-db.age b/ops/secrets/keycloak-db.age new file mode 100644 index 0000000000000000000000000000000000000000..5942bf24c2e69052fe1aba1a3ddb1c6421404c46 GIT binary patch literal 589 zcmZ9_JB!l*003aYshMwa5F!X7M{LrjNxB^5)khx9!=!04h-nh@PV;UO5f0>j!NGwz zItgn=Y1bs) zt|^mvn@U2wUgbTU=pLz7LbN{J=$xZ`1!N4Yh$xGcw%&NQW*N6i@toxmJ}t$TU|bbd zoCO+04SWPPaf6HvR1@kU+6$DjOXVD{sstt1EPSAm{@hZH1XW;>INj_WzjS=i#Y{?C zGRL}{z?wYOO_X*L?`6ZeC{G)aV;JWPj=`BA5P|tYA~Zf5#8RcKq^E<4I7gPAYw+>5 z_M&3u)NvnTsi^6vn-nh#!3S{`_lJ-3KM%sa|S!dbB%S~4D)oE8w=p4^gv zHla#YLtADnR}$_7$C7VSwiHW-9IppVT}i%^iK=Qw@&9f0ynYJ#rDs!3yt%yp^5DnliT#V6>X)zYzFys)y}$eO50S~mTmS$7 literal 0 HcmV?d00001 diff --git a/ops/secrets/secrets.nix b/ops/secrets/secrets.nix index 825b1caf2..57cd6598f 100644 --- a/ops/secrets/secrets.nix +++ b/ops/secrets/secrets.nix @@ -24,6 +24,7 @@ in { "gerrit-queue.age" = default; "grafana.age" = default; "irccat.age" = default; + "keycloak-db.age" = default; "nix-cache-priv.age" = default; "nix-cache-pub.age" = default; "owothia.age" = default;