os/hosts/nougat-2/keycloak.nix

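# Host module for nougat-2: runs Keycloak together with its PostgreSQL
# database inside a NixOS container. The database password is provided by an
# agenix secret that is decrypted on the host and bind-mounted read-only into
# the container.
{
  config,
  lib,
  inputs,
  pkgs,
  self,
  ...
}: let
  pubsolarDomain = import ./pubsolar-domain.nix;
in {
  age.secrets.keycloak-database-password = {
    file = "${self}/secrets/keycloak-database-password.age";
    # Owner and the keycloak group need read access only: the file is
    # consumed via services.keycloak.database.passwordFile and is never
    # written or executed, so no write/execute bits are granted.
    mode = "440";
    group = "keycloak";
  };

  # Host-side directory backing the container's PostgreSQL data dir
  # (bind-mounted into the container below).
  systemd.tmpfiles.rules = [
    "d '/data/keycloak/db' 0770 root postgres - -"
  ];
  users.groups.postgres = {};
  users.groups.keycloak = {};
  # Pin the host-side keycloak uid/gid so ownership of the decrypted secret is
  # stable across rebuilds. NOTE(review): this only fixes the ids on the host;
  # the keycloak group inside the container is created by services.keycloak
  # and presumably gets the same gid -- verify, otherwise the group read bit on
  # the secret does not apply inside the container.
  ids.uids.keycloak = 993;
  ids.gids.keycloak = 993;

  containers.keycloak = {
    autoStart = true;
    # Own network namespace: the container only sees its veth pair, so the
    # Keycloak port is not exposed on the host's external interfaces.
    privateNetwork = true;
    hostAddress = "192.168.101.0";
    localAddress = "192.168.104.0";
    hostAddress6 = "fc00::1";
    localAddress6 = "fc00::4";
    bindMounts = {
      # Persistent PostgreSQL state lives on the host.
      "/var/lib/postgresql/14" = {
        hostPath = "/data/keycloak/db";
        isReadOnly = false;
      };
      # Expose the decrypted secret at the same path inside the container,
      # read-only, so database.passwordFile below resolves unchanged.
      "${config.age.secrets.keycloak-database-password.path}" = {
        hostPath = "${config.age.secrets.keycloak-database-password.path}";
        isReadOnly = true;
      };
    };
    config = {
      networking.nameservers = ["1.1.1.1"];
      services.keycloak = {
        enable = true;
        database.passwordFile = config.age.secrets.keycloak-database-password.path;
        settings = {
          hostname = "auth.${pubsolarDomain}";
          # Listen on all addresses of the container's namespace (i.e. the
          # veth) so the reverse proxy -- presumably on the host, not shown
          # here -- can reach port 8080.
          http-host = "0.0.0.0";
          http-port = 8080;
          # "edge": plain HTTP behind a TLS-terminating proxy. Keycloak then
          # honours forwarded headers from its upstream, so this port should
          # only be reachable from that proxy; no TLS is configured here.
          proxy = "edge";
        };
        themes = {
          "pub.solar" = inputs.keycloak-theme-pub-solar.legacyPackages.${pkgs.system}.keycloak-theme-pub-solar;
        };
      };
    };
  };
}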