Add keycloak

Keycloak is a login provider that we can host to give us SSO. This is preferable
to all of our services having different authentication capabilities, logins etc.
(e.g. mailu doesn't support 2fa: <https://github.com/Mailu/Mailu/issues/2222>!)

Change-Id: Ic0a5238a03d4d0b8a270c29a270c579b00aea799
5 files changed
tree: aa28dac15ea31b57787c683940586b49a49036c8
  1. default/
  2. homes/
  3. host/
  4. modules/
  5. packages/
  6. secrets/
  7. services/
  8. variables/
  9. .editorconfig
  10. .envrc
  11. .gitignore
  12. .sops.yaml
  13. flake.lock
  14. flake.nix
  15. LICENSE
  16. README.md
README.md

Clicks' NixFiles

Deploying

To deploy these files to our server we use deploy-rs. If you've got a flakes-enabled nix installed on your system you can run

nix run github:serokell/deploy-rs

You can also install deploy-rs to your profile, at which point you'll be able to run

deploy

Updating secrets

Secrets are stored in SOPS and deployed using scalpel.

If you have a service which needs to store secrets in its config file, please set systemd reloadTriggers and restartTriggers to automatically reload/restart the service whenever the configuration changes.

It's notable that changing the secrets will not trigger a reload/restart of the service. If you want to update the secrets without updating the rest of the configuration you currently need to manually restart the service. It's possible that this could be solved by using systemd paths to watch the files (see https://superuser.com/questions/1171751/restart-systemd-service-automatically-whenever-a-directory-changes-any-file-ins) but this is not a priority