forked from pub-solar/infra
keycloak: use backups module
Co-authored-by: b12f <b12f@noreply.git.pub.solar> Co-authored-by: Hendrik Sokolowski <hensoko@noreply.git.pub.solar>
This commit is contained in:
parent
e857c6198b
commit
88b76beb5c
|
@ -48,9 +48,21 @@
|
||||||
owner = "root";
|
owner = "root";
|
||||||
};
|
};
|
||||||
|
|
||||||
pub-solar-os.auth.enable = true;
|
age.secrets.keycloak-database-password = {
|
||||||
|
file = "${flake.self}/secrets/keycloak-database-password.age";
|
||||||
|
mode = "600";
|
||||||
|
#owner = "keycloak";
|
||||||
|
};
|
||||||
|
|
||||||
nixpkgs.config.permittedInsecurePackages = [ "keycloak-23.0.6" ];
|
pub-solar-os.auth = {
|
||||||
|
enable = true;
|
||||||
|
database-password-file = config.age.secrets.keycloak-database-password.path;
|
||||||
|
};
|
||||||
|
|
||||||
|
pub-solar-os.backups.repos.storagebox = {
|
||||||
|
passwordFile = config.age.secrets."restic-repo-storagebox".path;
|
||||||
|
repository = "sftp:u377325@u377325.your-storagebox.de:/backups";
|
||||||
|
};
|
||||||
|
|
||||||
systemd.services.postgresql = {
|
systemd.services.postgresql = {
|
||||||
after = [ "var-lib-postgresql.mount" ];
|
after = [ "var-lib-postgresql.mount" ];
|
||||||
|
|
|
@ -6,23 +6,22 @@
|
||||||
...
|
...
|
||||||
}:
|
}:
|
||||||
{
|
{
|
||||||
options.pub-solar-os.auth = {
|
options.pub-solar-os.auth = with lib; {
|
||||||
enable = lib.mkEnableOption "Enable keycloak to run on the node";
|
enable = mkEnableOption "Enable keycloak to run on the node";
|
||||||
|
|
||||||
realm = lib.mkOption {
|
realm = mkOption {
|
||||||
description = "Name of the realm";
|
description = "Name of the realm";
|
||||||
type = lib.types.str;
|
type = types.str;
|
||||||
default = config.pub-solar-os.networking.domain;
|
default = config.pub-solar-os.networking.domain;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
database-password-file = mkOption {
|
||||||
|
description = "Database password file path";
|
||||||
|
type = types.str;
|
||||||
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
config = lib.mkIf config.pub-solar-os.auth.enable {
|
config = lib.mkIf config.pub-solar-os.auth.enable {
|
||||||
age.secrets.keycloak-database-password = {
|
|
||||||
file = "${flake.self}/secrets/keycloak-database-password.age";
|
|
||||||
mode = "600";
|
|
||||||
#owner = "keycloak";
|
|
||||||
};
|
|
||||||
|
|
||||||
services.nginx.virtualHosts."auth.${config.pub-solar-os.networking.domain}" = {
|
services.nginx.virtualHosts."auth.${config.pub-solar-os.networking.domain}" = {
|
||||||
enableACME = true;
|
enableACME = true;
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
|
@ -46,7 +45,7 @@
|
||||||
# keycloak
|
# keycloak
|
||||||
services.keycloak = {
|
services.keycloak = {
|
||||||
enable = true;
|
enable = true;
|
||||||
database.passwordFile = config.age.secrets.keycloak-database-password.path;
|
database.passwordFile = config.pub-solar-os.auth.database-password-file;
|
||||||
settings = {
|
settings = {
|
||||||
hostname = "auth.${config.pub-solar-os.networking.domain}";
|
hostname = "auth.${config.pub-solar-os.networking.domain}";
|
||||||
http-host = "127.0.0.1";
|
http-host = "127.0.0.1";
|
||||||
|
@ -59,14 +58,12 @@
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
services.restic.backups.keycloak-storagebox = {
|
pub-solar-os.backups.backups.keycloak = {
|
||||||
paths = [ "/tmp/keycloak-backup.sql" ];
|
paths = [ "/tmp/keycloak-backup.sql" ];
|
||||||
timerConfig = {
|
timerConfig = {
|
||||||
OnCalendar = "*-*-* 03:00:00 Etc/UTC";
|
OnCalendar = "*-*-* 03:00:00 Etc/UTC";
|
||||||
};
|
};
|
||||||
initialize = true;
|
initialize = true;
|
||||||
passwordFile = config.age.secrets."restic-repo-storagebox".path;
|
|
||||||
repository = "sftp:u377325@u377325.your-storagebox.de:/backups";
|
|
||||||
backupPrepareCommand = ''
|
backupPrepareCommand = ''
|
||||||
${pkgs.sudo}/bin/sudo -u postgres ${pkgs.postgresql}/bin/pg_dump -d keycloak > /tmp/keycloak-backup.sql
|
${pkgs.sudo}/bin/sudo -u postgres ${pkgs.postgresql}/bin/pg_dump -d keycloak > /tmp/keycloak-backup.sql
|
||||||
'';
|
'';
|
||||||
|
|
Loading…
Reference in a new issue