# Host-side NixOS module: runs Keycloak inside a NixOS container, with the
# PostgreSQL data directory bind-mounted from /data/keycloak/db and the
# database password supplied through an agenix secret.
{ config, lib, inputs, pkgs, self, ... }:
let
  pubsolarDomain = import ./pubsolar-domain.nix;

  # Path of the decrypted database password on the host. The same path is
  # bind-mounted (read-only) into the container, so the in-container keycloak
  # service reads it from the identical location.
  dbPasswordPath = config.age.secrets.keycloak-database-password.path;

  # Custom login theme taken from the flake input, selected for the host system.
  pubsolarTheme =
    inputs.keycloak-theme-pub-solar.legacyPackages.${pkgs.system}.keycloak-theme-pub-solar;
in
{
  # agenix-managed secret, group-readable by "keycloak".
  # NOTE(review): mode 770 also grants write and execute bits; a password file
  # that is only ever read would be served by read bits alone (e.g. 0440) —
  # confirm with the in-container consumer before tightening.
  age.secrets.keycloak-database-password = {
    file = "${self}/secrets/keycloak-database-password.age";
    mode = "770";
    group = "keycloak";
  };

  # Host directory backing the container's PostgreSQL 14 data dir
  # (created at boot, owned by root:postgres, not world-accessible).
  systemd.tmpfiles.rules = [
    "d '/data/keycloak/db' 0770 root postgres - -"
  ];

  # Groups referenced by the secret and the tmpfiles rule above.
  users.groups = {
    postgres = { };
    keycloak = { };
  };

  # Pinned uid/gid for keycloak on the host — presumably so ownership of the
  # bind-mounted paths lines up with the keycloak user inside the container;
  # the container config does not pin ids itself, so verify they match.
  ids.uids.keycloak = 993;
  ids.gids.keycloak = 993;

  containers.keycloak = {
    autoStart = true;

    # Own network namespace with a dedicated veth pair (v4 + v6).
    privateNetwork = true;
    hostAddress = "192.168.101.0";
    localAddress = "192.168.104.0";
    hostAddress6 = "fc00::1";
    localAddress6 = "fc00::4";

    bindMounts = {
      # Database files persist on the host; must be writable.
      "/var/lib/postgresql/14" = {
        hostPath = "/data/keycloak/db";
        isReadOnly = false;
      };
      # Secret is exposed read-only at its host path.
      ${dbPasswordPath} = {
        hostPath = dbPasswordPath;
        isReadOnly = true;
      };
    };

    # Plain attribute set, so `config` below still refers to the host config.
    config = {
      networking.nameservers = [ "1.1.1.1" ];

      services.keycloak = {
        enable = true;
        database.passwordFile = dbPasswordPath;
        settings = {
          hostname = "auth.${pubsolarDomain}";
          # Binds every interface of the container's private namespace only.
          http-host = "0.0.0.0";
          http-port = 8080;
          # "edge": TLS terminates at a reverse proxy in front of the container
          # and Keycloak speaks plain HTTP behind it.
          # NOTE(review): newer Keycloak releases deprecate `proxy` in favour of
          # `proxy-headers`; check against the deployed Keycloak version.
          proxy = "edge";
        };
        themes."pub.solar" = pubsolarTheme;
      };
    };
  };
}