Add keycloak

Keycloak is a login provider that we can host to give us SSO. This is preferable
to each of our services having its own authentication capabilities, logins, etc.
(e.g. mailu doesn't support 2fa: <https://github.com/Mailu/Mailu/issues/2222>!)

Change-Id: Ic0a5238a03d4d0b8a270c29a270c579b00aea799
diff --git a/modules/keycloak.nix b/modules/keycloak.nix
new file mode 100644
index 0000000..d196ac9
--- /dev/null
+++ b/modules/keycloak.nix
@@ -0,0 +1,25 @@
+{ config, ... }: {
+  services.keycloak = {
+    enable = true;
+    settings = {
+      http-host = "127.0.0.1";
+      http-port = 9083;
+      https-port = 9084;
+      http-enabled = true;
+
+      proxy = "edge";
+
+      # https-port = 9084;
+      hostname = "login.clicks.codes";
+      hostname-strict = false;
+
+      https-certificate-file = "/var/keycloak/login.clicks.codes.rsa.cert.pem";
+      https-certificate-key-file = "/var/keycloak/login.clicks.codes.rsa.private.pem";
+    };
+    database = {
+      createLocally = false;
+      port = config.services.postgresql.port;
+      passwordFile = config.sops.secrets.clicks_keycloak_db_password.path;
+    };
+  };
+}
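Review bot: `hostname-strict = false;` turns off Keycloak's hostname validation, so the server derives issuer and redirect base URLs from whatever Host header the reverse proxy forwards rather than from the `hostname` set on the line above; since `hostname = "login.clicks.codes";` is already pinned, the line should be dropped (strict is the default) or set to `hostname-strict = true;`, and any proxy misconfiguration then fails loudly instead of producing tokens for a spoofed host. The commented-out `# https-port = 9084;` duplicates the live setting a few lines earlier and should be removed so the two do not drift. The module does not set `services.keycloak.initialAdminPassword`; if the NixOS module's default bootstrap password is relied on, the first-boot admin account is guessable until changed, so it is worth setting explicitly and rotating after the initial login (note the option is a plain string and lands in the Nix store, so treat it as a bootstrap-only secret). The certificate and key paths under `/var/keycloak/` are referenced but nothing here declares their ownership or mode; a short comment naming how they are provisioned (sops, ACME, manual) would help the next maintainer.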