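{ config, lib, ... }: {
  # Keycloak behind a TLS-terminating nginx edge proxy, talking to a
  # PostgreSQL instance that is managed outside this module. Secrets are
  # provisioned by sops-nix.

  # Private key for Keycloak's own HTTPS listener. Owned by the static
  # keycloak user below and readable only by it. Deliberately NOT referenced
  # through a "${./...}" path interpolation like the certificate is: that
  # would copy the key into the world-readable /nix/store.
  sops.secrets.keycloak_rsa_private_key = {
    mode = "0600";
    owner = "keycloak";
    group = "keycloak";
    sopsFile = ../../secrets/keycloak_rsa_private_key.pem;
    format = "binary";
  };

  # A static system user so the sops secret above can be chown'ed to a UID
  # that exists at activation time, before the service starts. The upstream
  # NixOS module runs Keycloak with DynamicUser, whose UID only exists while
  # the unit is running, hence the mkForce below.
  users.users.keycloak = {
    isSystemUser = true;
    createHome = true;
    home = "/var/keycloak";
    group = "keycloak";
  };
  users.groups.keycloak = {};
  # NOTE(review): turning DynamicUser off also drops the sandboxing systemd
  # implies with it (PrivateTmp, ProtectSystem=strict, RemoveIPC, ...). Unless
  # the module sets those explicitly, consider re-adding them in serviceConfig.
  systemd.services.keycloak.serviceConfig.DynamicUser = lib.mkForce false;

  # With createLocally = false (below) the module does not order Keycloak
  # after PostgreSQL itself. `requires` alone only declares the dependency,
  # it does not order startup; `after` is needed so Keycloak does not come up
  # and fail its database connection before postgresql.service is ready.
  systemd.services.keycloak.requires = [ "postgresql.service" ];
  systemd.services.keycloak.after = [ "postgresql.service" ];

  services.keycloak = {
    enable = true;
    settings = {
      # Plain HTTP is bound to loopback so only the local nginx proxy can reach
      # it. In proxy = "edge" mode Keycloak accepts the proxy's forwarded
      # headers, so this listener must never be exposed on a public address.
      http-host = "127.0.0.1";
      http-port = 9083;
      https-port = 9084;
      http-enabled = true;

      # NOTE(review): `proxy` is deprecated in newer Keycloak releases in
      # favour of `proxy-headers`; check the version shipped by nixpkgs
      # before upgrading.
      proxy = "edge";

      hostname = "login.clicks.codes";
      # NOTE(review): hostname-strict = false lets Keycloak build its public
      # URLs from the request Host header instead of `hostname`. That is only
      # safe if nginx rejects requests with unexpected Host values (it does
      # not if this vhost also acts as the catch-all default — confirm);
      # otherwise set it to true to avoid Host-header poisoning of e.g.
      # password-reset links.
      hostname-strict = false;

      # The public certificate may live in the store; the key is the sops
      # path from above.
      https-certificate-file = "${./keycloak/login.clicks.codes.rsa.cert.pem}";
      https-certificate-key-file = config.sops.secrets.keycloak_rsa_private_key.path;
    };
    database = {
      # PostgreSQL is managed elsewhere; host, database name and user are
      # presumably left at the module defaults.
      createLocally = false;
      port = config.services.postgresql.port;
      # Declared in another module. It must be readable by the keycloak
      # user/group (as the TLS key above is) or the service will fail to start.
      passwordFile = config.sops.secrets.clicks_keycloak_db_password.path;
    };
  };

  # Larger nginx proxy buffers for the Keycloak upstream — presumably to fit
  # its large response headers (cookies/tokens). proxyPass for this vhost is
  # expected to be configured elsewhere.
  services.nginx.virtualHosts."login.clicks.codes".locations."/".extraConfig = ''
    proxy_buffers 16 32k;
    proxy_buffer_size 64k;
    proxy_busy_buffers_size 64k;
  '';
}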