add pp-keycloak.nix

2023-04-18 21:25:10 +02:00 · 2023-04-18 21:25:10 +02:00 · bdca8e626c
parent 7d00638c04
commit bdca8e626c
2 changed files with 76 additions and 1 deletions
--- a/base.nix
+++ b/base.nix
@ -12,8 +12,13 @@ in {
    domainName = mkOption {
      type = types.str;
      example = "example.com";
-      description = "Name of the machine, use for hostname";
+      description = "Domain of the machine, use for hostname";
    };
+    admin_email = mkOption {
+      type = types.str;
+      example = "example@example.com";
+      description = "Email of the admin, use for ACME and stuff";
+    }
  };
  config = {
    swapDevices = [
--- a/pp-keycloak.nix
+++ b/pp-keycloak.nix
@ -0,0 +1,70 @@
+{ config, pkgs, lib, ... }:
+with lib;
+let
+  cfgBase = config.base;
+  cfg = config.services.ppKeycloak;
+in
+{
+  options.services.ppKeycloak = {
+    domain = mkOption {
+      type = types.str;
+      default = "auth.${cfgBase.domainName}";
+      example = "auth.example.com";
+      description = "The domain of the server";
+    };
+    initialAdminPassword = mkOption {
+      type = types.str;
+      description = "Change on first login, the initial password for the keycloak admin";
+    };
+    dbPasswordFile = mkOption {
+      type = types.str;
+      default = "/etc/kc_db_pwd";
+      description = "The file containing the database password. Be sure to secure it.";
+    };
+    
+  };
+
+  config = {
+    enable = true;
+    settings = {
+      hostname = cfg.domain;
+      http-host = "127.0.0.1";
+      http-port = 8080;
+      https-port = 8443;
+      proxy = "edge"; # TODO: change to reencrypt or passthrough
+      hostname-strict-backchannel = true;
+    };
+    initialAdminPassword = cfg.initialAdminPassword;
+    database.passwordFile = cfg.dbPasswordFile;
+    database.createLocally = true;
+    # TODO: enable client cert lookup: https://www.keycloak.org/server/reverseproxy#_enabling_client_certificate_lookup
+
+    # NGINX
+    security.acme.acceptTerms = true;
+    security.acme.defaults.email = cfgBase.admin_email;
+   
+    services.nginx = {
+      enable = true;
+      virtualHosts = {
+        "${cfg.domain}" = {
+          forceSSL = true;
+          enableACME = true;
+          # TODO: reduce attack surface https://www.keycloak.org/server/reverseproxy#_enabling_client_certificate_lookup
+          locations."/" = {
+            proxyPass = "http://127.0.0.1:8080";
+            extraConfig = ''
+              proxy_set_header X-Forwarded-Host $host;
+              proxy_set_header X-Forwarded-Server $host;
+              proxy_set_header X-Real-IP $remote_addr;
+              proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+              proxy_set_header X-Forwarded-Proto $scheme;
+              proxy_set_header Host $host;
+              proxy_pass_request_headers on;
+            '';
+          };
+        };
+      };
+    };
+    networking.firewall.allowedTCPPorts = [ 80 443 ];
+  };
+}