keycloak: use backups module

Co-authored-by: b12f <b12f@noreply.git.pub.solar>
Co-authored-by: Hendrik Sokolowski <hensoko@noreply.git.pub.solar>
teutat3s 2024-08-27 10:08:46 +02:00
parent e857c6198b
commit 88b76beb5c
Signed by untrusted user: teutat3s
GPG key ID: 4FA1D3FA524F22C1
2 changed files with 25 additions and 16 deletions


@ -48,9 +48,21 @@
owner = "root"; owner = "root";
}; };
pub-solar-os.auth.enable = true; age.secrets.keycloak-database-password = {
file = "${flake.self}/secrets/keycloak-database-password.age";
mode = "600";
#owner = "keycloak";
};
nixpkgs.config.permittedInsecurePackages = [ "keycloak-23.0.6" ]; pub-solar-os.auth = {
enable = true;
database-password-file = config.age.secrets.keycloak-database-password.path;
};
pub-solar-os.backups.repos.storagebox = {
passwordFile = config.age.secrets."restic-repo-storagebox".path;
repository = "sftp:u377325@u377325.your-storagebox.de:/backups";
};
systemd.services.postgresql = { systemd.services.postgresql = {
after = [ "var-lib-postgresql.mount" ]; after = [ "var-lib-postgresql.mount" ];
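Review bot: The new `age.secrets.keycloak-database-password` block carries a commented-out `#owner = "keycloak";` with no explanation, so the next reader cannot tell whether root ownership with `mode = "600"` is deliberate or a leftover; this host file is the only place the secret is now declared, since the module's copy is removed in the other file. Which unit reads the file, and under which user, is not visible in this hunk, so I would state the intent rather than leave a dead line, e.g. `# owner intentionally left as root (mode 600); the consumer of this file is the keycloak service via pub-solar-os.auth.database-password-file — confirm the reading user before changing owner/mode`. The same applies to the `restic-repo-storagebox` secret referenced by the new `pub-solar-os.backups.repos.storagebox` entry, whose declaration is not in this hunk; a short comment naming where it is declared would help.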


@ -6,23 +6,22 @@
... ...
}: }:
{ {
options.pub-solar-os.auth = { options.pub-solar-os.auth = with lib; {
enable = lib.mkEnableOption "Enable keycloak to run on the node"; enable = mkEnableOption "Enable keycloak to run on the node";
realm = lib.mkOption { realm = mkOption {
description = "Name of the realm"; description = "Name of the realm";
type = lib.types.str; type = types.str;
default = config.pub-solar-os.networking.domain; default = config.pub-solar-os.networking.domain;
}; };
database-password-file = mkOption {
description = "Database password file path";
type = types.str;
};
}; };
config = lib.mkIf config.pub-solar-os.auth.enable { config = lib.mkIf config.pub-solar-os.auth.enable {
age.secrets.keycloak-database-password = {
file = "${flake.self}/secrets/keycloak-database-password.age";
mode = "600";
#owner = "keycloak";
};
services.nginx.virtualHosts."auth.${config.pub-solar-os.networking.domain}" = { services.nginx.virtualHosts."auth.${config.pub-solar-os.networking.domain}" = {
enableACME = true; enableACME = true;
forceSSL = true; forceSSL = true;
@ -46,7 +45,7 @@
# keycloak # keycloak
services.keycloak = { services.keycloak = {
enable = true; enable = true;
database.passwordFile = config.age.secrets.keycloak-database-password.path; database.passwordFile = config.pub-solar-os.auth.database-password-file;
settings = { settings = {
hostname = "auth.${config.pub-solar-os.networking.domain}"; hostname = "auth.${config.pub-solar-os.networking.domain}";
http-host = "127.0.0.1"; http-host = "127.0.0.1";
@ -59,14 +58,12 @@
}; };
}; };
services.restic.backups.keycloak-storagebox = { pub-solar-os.backups.backups.keycloak = {
paths = [ "/tmp/keycloak-backup.sql" ]; paths = [ "/tmp/keycloak-backup.sql" ];
timerConfig = { timerConfig = {
OnCalendar = "*-*-* 03:00:00 Etc/UTC"; OnCalendar = "*-*-* 03:00:00 Etc/UTC";
}; };
initialize = true; initialize = true;
passwordFile = config.age.secrets."restic-repo-storagebox".path;
repository = "sftp:u377325@u377325.your-storagebox.de:/backups";
backupPrepareCommand = '' backupPrepareCommand = ''
${pkgs.sudo}/bin/sudo -u postgres ${pkgs.postgresql}/bin/pg_dump -d keycloak > /tmp/keycloak-backup.sql ${pkgs.sudo}/bin/sudo -u postgres ${pkgs.postgresql}/bin/pg_dump -d keycloak > /tmp/keycloak-backup.sql
''; '';