History

Vincent Ambo b763f183f7 fix(ops/keycloak): redefine buildkite client, correctly this time This client definition was previously nonsense. What happened is that I accidentally imported the client as an OIDC client, which Keycloak accepted because apparently those are the same entities on the API level, and that ended up getting mangled into some broken hybrid shape by Terraform. This sets up the Buildkite provider again but with the correct SAML configuration this time. Change-Id: Id7ba318984d2fcc9e2ca91ed45ccbfd227278bbe Reviewed-on: https://cl.tvl.fyi/c/depot/+/4731 Tested-by: BuildkiteCI Reviewed-by: sterni <sternenseemann@systemli.org> Reviewed-by: grfn <grfn@gws.fyi> Autosubmit: tazjin <mail@tazj.in>		2021-12-28 17:37:22 +00:00
..
.gitignore	feat(ops/keycloak): Check in initial Keycloak configuration	2021-12-26 16:45:59 +00:00
default.nix	feat(ops/keycloak): Check in initial Keycloak configuration	2021-12-26 16:45:59 +00:00
main.tf	fix(ops/keycloak): redefine buildkite client, correctly this time	2021-12-28 17:37:22 +00:00
README.md	feat(ops/secrets): Add tf-keycloak secrets file	2021-12-27 15:53:57 +00:00

README.md

Terraform for Keycloak

This contains the Terraform configuration for deploying TVL's Keycloak instance (which lives at auth.tvl.fyi).

Secrets are needed for applying this. The encrypted file //ops/secrets/tf-keycloak.age contains export calls which should be sourced, for example via direnv, by users with the appropriate credentials.

An example direnv configuration used by tazjin is this:

# //ops/secrets/.envrc
source_up
eval $(age --decrypt -i ~/.ssh/id_ed25519 $(git rev-parse --show-toplevel)/ops/secrets/tf-keycloak.age)