Add keycloak
Keycloak is a login provider that we can host to give us SSO. This is preferable
to all of our services having different authentication capabilities, logins etc.
(e.g. mailu doesn't support 2fa: <https://github.com/Mailu/Mailu/issues/2222>!)
Change-Id: Ic0a5238a03d4d0b8a270c29a270c579b00aea799
diff --git a/modules/postgres.nix b/modules/postgres.nix
index 7a5074a..d2844c1 100644
--- a/modules/postgres.nix
+++ b/modules/postgres.nix
@@ -13,6 +13,7 @@
ensureDatabases = [
"vaultwarden"
"privatebin"
+ "keycloak"
];
ensureUsers = [
@@ -30,6 +31,12 @@
};
}
{
+ name = "keycloak";
+ ensurePermissions = {
+ "DATABASE keycloak" = "ALL PRIVILEGES";
+ };
+ }
+ {
name = "vaultwarden";
ensurePermissions = {
"DATABASE vaultwarden" = "ALL PRIVILEGES";
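Review bot: `ALL PRIVILEGES` on `DATABASE keycloak` (the new ensureUsers entry) grants CONNECT, CREATE and TEMP on the database itself but nothing on the objects or schemas inside it, so on a PostgreSQL 15 or newer cluster, where CREATE on the `public` schema is no longer granted to PUBLIC, the `keycloak` role may still fail to create its tables at first start; whether that bites depends on the cluster version, which this hunk does not show. The NixOS option `ensureDBOwnership = true` makes the role the owner of the same-named database and is upstream's replacement for `ensurePermissions`, which has been deprecated, so the entry could become `{ name = "keycloak"; ensureDBOwnership = true; }`. The existing vaultwarden and privatebin entries use the same `ensurePermissions` pattern, so if the module is migrated it is cleaner to switch all three in one change rather than mix styles. The surrounding ensureUsers list starts and ends outside the hunk.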
@@ -72,6 +79,7 @@
)
(lib.mkAfter (lib.pipe [
{ user = "clicks_grafana"; passwordFile = config.sops.secrets.clicks_grafana_db_password.path; }
+ { user = "keycloak"; passwordFile = config.sops.secrets.clicks_keycloak_db_password.path; }
{ user = "vaultwarden"; passwordFile = config.sops.secrets.clicks_bitwarden_db_password.path; }
{ user = "privatebin"; passwordFile = config.sops.secrets.clicks_privatebin_db_password.path; }
] [
@@ -84,6 +92,7 @@
sops.secrets = lib.pipe [
"clicks_grafana_db_password"
+ "clicks_keycloak_db_password"
"clicks_bitwarden_db_password"
"clicks_privatebin_db_password"
] [