| { config, lib, ... }: { | |
| sops.secrets.keycloak_rsa_private_key = { | |
| mode = "0600"; | |
| owner = "keycloak"; | |
| group = "keycloak"; | |
| sopsFile = ../../secrets/keycloak_rsa_private_key.pem; | |
| format = "binary"; | |
| }; | |
| users.users.keycloak = { | |
| isSystemUser = true; | |
| createHome = true; | |
| home = "/var/keycloak"; | |
| group = "keycloak"; | |
| }; | |
| users.groups.keycloak = {}; | |
| systemd.services.keycloak.serviceConfig.DynamicUser = lib.mkForce false; | |
| services.keycloak = { | |
| enable = true; | |
| settings = { | |
| http-host = "127.0.0.1"; | |
| http-port = 9083; | |
| https-port = 9084; | |
| http-enabled = true; | |
| proxy = "edge"; | |
| # https-port = 9084; | |
| hostname = "login.clicks.codes"; | |
| hostname-strict = false; | |
| https-certificate-file = "${./keycloak/login.clicks.codes.rsa.cert.pem}"; | |
| https-certificate-key-file = config.sops.secrets.keycloak_rsa_private_key.path; | |
| }; | |
| database = { | |
| createLocally = false; | |
| port = config.services.postgresql.port; | |
| passwordFile = config.sops.secrets.clicks_keycloak_db_password.path; | |
| }; | |
| }; | |
| } |