
keycloak: use backups module

Co-authored-by: b12f <b12f@noreply.git.pub.solar>
Co-authored-by: Hendrik Sokolowski <hensoko@noreply.git.pub.solar>
teutat3s 2024-08-27 10:08:46 +02:00
parent e857c6198b
commit 88b76beb5c
Signed by untrusted user: teutat3s
GPG key ID: 4FA1D3FA524F22C1
2 changed files with 25 additions and 16 deletions


@ -48,9 +48,21 @@
owner = "root";
};
pub-solar-os.auth.enable = true;
age.secrets.keycloak-database-password = {
file = "${flake.self}/secrets/keycloak-database-password.age";
mode = "600";
#owner = "keycloak";
};
nixpkgs.config.permittedInsecurePackages = [ "keycloak-23.0.6" ];
pub-solar-os.auth = {
enable = true;
database-password-file = config.age.secrets.keycloak-database-password.path;
};
pub-solar-os.backups.repos.storagebox = {
passwordFile = config.age.secrets."restic-repo-storagebox".path;
repository = "sftp:u377325@u377325.your-storagebox.de:/backups";
};
systemd.services.postgresql = {
after = [ "var-lib-postgresql.mount" ];
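Review bot: `#owner = "keycloak";` inside the moved `age.secrets.keycloak-database-password` block is carried over as a dead commented line with no explanation, so the secret stays root-owned with `mode = "600"` while `services.keycloak.database.passwordFile` is pointed at it. If that is intentional (presumably the file is read as root by a pre-start step rather than by the keycloak user, which I cannot confirm from this page), replace the dead line with a comment that says so, e.g. `# kept root-owned, mode 600: TODO confirm which unit reads this file and as which user`; if the keycloak user does need read access, the owner should be set instead of commented out. The new `pub-solar-os.backups.repos.storagebox` entry also relies on `config.age.secrets."restic-repo-storagebox"` being declared elsewhere on this host; the hunk does not show that declaration.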


@ -6,23 +6,22 @@
...
}:
{
options.pub-solar-os.auth = {
enable = lib.mkEnableOption "Enable keycloak to run on the node";
options.pub-solar-os.auth = with lib; {
enable = mkEnableOption "Enable keycloak to run on the node";
realm = lib.mkOption {
realm = mkOption {
description = "Name of the realm";
type = lib.types.str;
type = types.str;
default = config.pub-solar-os.networking.domain;
};
database-password-file = mkOption {
description = "Database password file path";
type = types.str;
};
};
config = lib.mkIf config.pub-solar-os.auth.enable {
age.secrets.keycloak-database-password = {
file = "${flake.self}/secrets/keycloak-database-password.age";
mode = "600";
#owner = "keycloak";
};
services.nginx.virtualHosts."auth.${config.pub-solar-os.networking.domain}" = {
enableACME = true;
forceSSL = true;
@ -46,7 +45,7 @@
# keycloak
services.keycloak = {
enable = true;
database.passwordFile = config.age.secrets.keycloak-database-password.path;
database.passwordFile = config.pub-solar-os.auth.database-password-file;
settings = {
hostname = "auth.${config.pub-solar-os.networking.domain}";
http-host = "127.0.0.1";
@ -59,14 +58,12 @@
};
};
services.restic.backups.keycloak-storagebox = {
pub-solar-os.backups.backups.keycloak = {
paths = [ "/tmp/keycloak-backup.sql" ];
timerConfig = {
OnCalendar = "*-*-* 03:00:00 Etc/UTC";
};
initialize = true;
passwordFile = config.age.secrets."restic-repo-storagebox".path;
repository = "sftp:u377325@u377325.your-storagebox.de:/backups";
backupPrepareCommand = ''
${pkgs.sudo}/bin/sudo -u postgres ${pkgs.postgresql}/bin/pg_dump -d keycloak > /tmp/keycloak-backup.sql
'';
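Review bot: the migrated `pub-solar-os.backups.backups.keycloak` entry still dumps the whole keycloak database to the fixed path `/tmp/keycloak-backup.sql` (in `paths` and in the `backupPrepareCommand` redirect); `/tmp` is shared, world-writable space and the dump is created with the service's default umask (not shown here), so it is likely readable by any local user and the name is predictable, which the commit does not address while rewriting this block. Since the definition is being moved anyway, a dedicated directory with restrictive permissions is the smaller risk, for example (constructed path) `systemd.tmpfiles.rules = [ "d /var/backup/keycloak 0700 root root -" ];` together with `paths = [ "/var/backup/keycloak/keycloak.sql" ];` and the same path after `>` in the prepare command. Whether `timerConfig` and `initialize` are forwarded unchanged by the new backups module cannot be checked from this page, as the module's option declarations are not shown. The attribute set opened at `pub-solar-os.backups.backups.keycloak = {` closes after the end of this hunk.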