feat(whitby): Configure initial Keycloak setup

Trialing this as an alternative to CAS that is a little easier to
configure and can help us delegate authentication to other OIDC
services.

Change-Id: Iad63724d349334910af8fed0b148e4ba428f796b
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4608
Tested-by: BuildkiteCI
Autosubmit: tazjin <mail@tazj.in>
Reviewed-by: lukegb <lukegb@tvl.fyi>

ops/machines/whitby/default.nix

@@ -23,6 +23,7 @@ in {
     "${depot.path}/ops/modules/tvl-slapd/default.nix"
     "${depot.path}/ops/modules/tvl-sso/default.nix"
     "${depot.path}/ops/modules/www/atward.tvl.fyi.nix"
+    "${depot.path}/ops/modules/www/auth.tvl.fyi.nix"
     "${depot.path}/ops/modules/www/b.tvl.fyi.nix"
     "${depot.path}/ops/modules/www/cache.tvl.su.nix"
     "${depot.path}/ops/modules/www/cl.tvl.fyi.nix"
@@ -210,6 +211,7 @@ in {
       gerrit-queue.file = secretFile "gerrit-queue";
       grafana.file = secretFile "grafana";
       irccat.file = secretFile "irccat";
+      keycloak-db.file = secretFile "keycloak-db";
       nix-cache-priv.file = secretFile "nix-cache-priv";
       owothia.file = secretFile "owothia";
       panettone.file = secretFile "panettone";
@@ -417,8 +419,9 @@ in {
   services.postgresqlBackup = {
     enable = true;
     databases = [
-      "tvldb"
+      "keycloak"
       "panettone"
+      "tvldb"
     ];
   };
 
@@ -546,9 +549,39 @@ in {
       }];
     };
   };
+
   # Contains GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET.
   systemd.services.grafana.serviceConfig.EnvironmentFile = "/run/agenix/grafana";
 
+  services.keycloak = {
+    enable = true;
+    httpPort = "5925"; # "kycl"
+    frontendUrl = "https://auth.tvl.fyi/auth/";
+
+    database = {
+      type = "postgresql";
+      passwordFile = "/run/agenix/keycloak-db";
+      createLocally = false;
+    };
+
+    # Configure Keycloak to look at forwarded headers from the reverse
+    # proxy.
+    extraConfig = {
+      "subsystem=undertow" = {
+        "server=default-server" = {
+          "http-listener=default" = {
+            proxy-address-forwarding = "true";
+          };
+        };
+      };
+    };
+  };
+
+  # Allow Keycloak access to the LDAP module by forcing in the JVM
+  # configuration
+  systemd.services.keycloak.environment.PREPEND_JAVA_OPTS =
+    "--add-exports=java.naming/com.sun.jndi.ldap=ALL-UNNAMED";
+
   security.sudo.extraRules = [
     {
       groups = ["wheel"];

ops/modules/www/auth.tvl.fyi.nix

@@ -0,0 +1,24 @@
+{ config, ... }:
+
+{
+  imports = [
+    ./base.nix
+  ];
+
+  config = {
+    services.nginx.virtualHosts."auth.tvl.fyi" = {
+      serverName = "auth.tvl.fyi";
+      enableACME = true;
+      forceSSL = true;
+
+      extraConfig = ''
+        location / {
+          proxy_pass http://localhost:${config.services.keycloak.httpPort};
+          proxy_set_header X-Forwarded-For $remote_addr;
+          proxy_set_header X-Forwarded-Proto https;
+          proxy_set_header Host $host;
+        }
+      '';
+    };
+  };
+}

ops/secrets/secrets.nix

@@ -24,6 +24,7 @@ in {
   "gerrit-queue.age" = default;
   "grafana.age" = default;
   "irccat.age" = default;
+  "keycloak-db.age" = default;
   "nix-cache-priv.age" = default;
   "nix-cache-pub.age" = default;
   "owothia.age" = default;