add pp-keycloak.nix

This commit is contained in:
Histausse 2023-04-18 21:25:10 +02:00
parent 7d00638c04
commit bdca8e626c
2 changed files with 76 additions and 1 deletions

View file

@ -12,8 +12,13 @@ in {
domainName = mkOption {
type = types.str;
example = "example.com";
description = "Name of the machine, use for hostname";
description = "Domain of the machine, use for hostname";
};
admin_email = mkOption {
type = types.str;
example = "example@example.com";
description = "Email of the admin, use for ACME and stuff";
}
};
config = {
swapDevices = [

70
pp-keycloak.nix Normal file
View file

@ -0,0 +1,70 @@
{ config, pkgs, lib, ... }:
with lib;
let
cfgBase = config.base;
cfg = config.services.ppKeycloak;
in
{
options.services.ppKeycloak = {
domain = mkOption {
type = types.str;
default = "auth.${cfgBase.domainName}";
example = "auth.example.com";
description = "The domain of the server";
};
initialAdminPassword = mkOption {
type = types.str;
description = "Change on first login, the initial password for the keycloak admin";
};
dbPasswordFile = mkOption {
type = types.str;
default = "/etc/kc_db_pwd";
description = "The file containing the database password. Be sure to secure it.";
};
};
config = {
enable = true;
settings = {
hostname = cfg.domain;
http-host = "127.0.0.1";
http-port = 8080;
https-port = 8443;
proxy = "edge"; # TODO: change to reencrypt or passthrough
hostname-strict-backchannel = true;
};
initialAdminPassword = cfg.initialAdminPassword;
database.passwordFile = cfg.dbPasswordFile;
database.createLocally = true;
# TODO: enable client cert lookup: https://www.keycloak.org/server/reverseproxy#_enabling_client_certificate_lookup
# NGINX
security.acme.acceptTerms = true;
security.acme.defaults.email = cfgBase.admin_email;
services.nginx = {
enable = true;
virtualHosts = {
"${cfg.domain}" = {
forceSSL = true;
enableACME = true;
# TODO: reduce attack surface https://www.keycloak.org/server/reverseproxy#_enabling_client_certificate_lookup
locations."/" = {
proxyPass = "http://127.0.0.1:8080";
extraConfig = ''
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $host;
proxy_pass_request_headers on;
'';
};
};
};
};
networking.firewall.allowedTCPPorts = [ 80 443 ];
};
}