nixos-configuration/hosts/pi4/keycloak.nix

{
  config,
  common,
  pkgs,
  ...
}:
let
  port = 8086;
  domain = "beta.auth.${common.domain}";
  dbPassKey = "keycloak/database-pass";
  forgejoClientSecretKey = "keycloak/realms/forgejo/client/secret";
in
{

  services = {
    keycloak = {
      enable = true;
      settings = {
        hostname = "https://${domain}";
        http-port = port;
        http-enabled = true;
      };
      database = {
        type = "postgresql";
        createLocally = true;
        port = config.services.postgresql.settings.port;
        passwordFile = config.sops.secrets.${dbPassKey}.path;
      };
      initialAdminPassword = "changeme";
      realmFiles = [
        # (
        #   let
        #     name = "Default";
        #   in
        #   pkgs.writeText "${name}.json" (
        #     builtins.toJSON {
        #       realm = name;
        #       enabled = true;
        #       clients = [
        #         rec {
        #           enabled = true;
        #           clientId = "forgejo";
        #           name = "Forgejo Beta";
        #           description = "";
        #           rootUrl = "https://${config.services.forgejo.settings.server.DOMAIN}";
        #           adminUrl = rootUrl;
        #           baseUrl = rootUrl;
        #           surrogateAuthRequired = false;
        #           alwaysDisplayInConsole = true;
        #           clientAuthenticatorType = "client-secret";
        #           # secret = readFile config.sops.secrets.${forgejoClientSecretKey}.path;
        #           redirectUris = [ "${rootUrl}/*" ];
        #           webOrigins = [ rootUrl ];
        #           notBefore = 0;
        #           bearerOnly = false;
        #           consentRequired = false;
        #           standardFlowEnabled = true;
        #           implicitFlowEnabled = false;
        #           directAccessGrantsEnabled = false;
        #           serviceAccountsEnabled = false;
        #           publicClient = false;
        #           frontchannelLogout = true;
        #           protocol = "openid-connect";
        #           attributes = {
        #             "realm_client" = "false";
        #             "oidc.ciba.grant.enabled" = "false";
        #             "client.secret.creation.time" = "1758824229";
        #             "backchannel.logout.session.required" = "true";
        #             "standard.token.exchange.enabled" = "false";
        #             "frontchannel.logout.session.required" = "true";
        #             "display.on.consent.screen" = "false";
        #             "oauth2.device.authorization.grant.enabled" = "false";
        #             "backchannel.logout.revoke.offline.tokens" = "false";
        #           };
        #           authenticationFlowBindingOverrides = { };
        #           fullScopeAllowed = true;
        #           nodeReRegistrationTimeout = -1;
        #           defaultClientScopes = [
        #             "web-origins"
        #             "offline_access"
        #             "profile"
        #             "roles"
        #             "basic"
        #             "email"
        #           ];
        #           optionalClientScopes = [
        #             "acr"
        #             "address"
        #             "phone"
        #             "organization"
        #             "microprofile-jwt"
        #           ];
        #           access = {
        #             view = true;
        #             configure = true;
        #             manage = true;
        #           };

        #         }
        #       ];
        #       users = [
        #         {
        #           enabled = true;
        #           firstName = "Christian";
        #           lastName = "Bauer";
        #           username = "cbauer";
        #           email = "cbauer@localhost";
        #           credentials = [
        #             {
        #               type = "password";
        #               temporary = false;
        #               value = "changeme";
        #             }
        #           ];
        #         }
        #       ];
        #     }
        #   )
        # )
      ];
    };

    nginx.virtualHosts.${domain} = {
      forceSSL = true;
      enableACME = true;
      locations."/".proxyPass = "http://localhost:${toString port}";
    };
  };
  sops.secrets = {
    ${dbPassKey} = { };
    ${forgejoClientSecretKey} = { };
  };
}
[pi4] Added Forgejo client to realmFile 2025-10-04 11:47:54 +00:00			`{`
			`config,`
			`common,`
			`pkgs,`
			`...`
			`}:`
✨ [pi4] Initial Keycloak setup 2025-09-06 15:30:37 +00:00			`let`
			`port = 8086;`
			`domain = "beta.auth.${common.domain}";`
			`dbPassKey = "keycloak/database-pass";`
[pi4] Added Forgejo client to realmFile 2025-10-04 11:47:54 +00:00			`forgejoClientSecretKey = "keycloak/realms/forgejo/client/secret";`
✨ [pi4] Initial Keycloak setup 2025-09-06 15:30:37 +00:00			`in`
			`{`
✨ [pi4] Working keycloak config 2025-09-23 16:08:50 +00:00
✨ [pi4] Initial Keycloak setup 2025-09-06 15:30:37 +00:00			`services = {`
			`keycloak = {`
			`enable = true;`
			`settings = {`
✨ [pi4] Working keycloak config 2025-09-23 16:08:50 +00:00			`hostname = "https://${domain}";`
✨ [pi4] Initial Keycloak setup 2025-09-06 15:30:37 +00:00			`http-port = port;`
			`http-enabled = true;`
			`};`
			`database = {`
			`type = "postgresql";`
✨ [pi4] Working keycloak config 2025-09-23 16:08:50 +00:00			`createLocally = true;`
✨ [pi4] Initial Keycloak setup 2025-09-06 15:30:37 +00:00			`port = config.services.postgresql.settings.port;`
			`passwordFile = config.sops.secrets.${dbPassKey}.path;`
			`};`
✨ [pi4] Working keycloak config 2025-09-23 16:08:50 +00:00			`initialAdminPassword = "changeme";`
[pi4] Added Forgejo client to realmFile 2025-10-04 11:47:54 +00:00			`realmFiles = [`
			`# (`
			`# let`
			`# name = "Default";`
			`# in`
			`# pkgs.writeText "${name}.json" (`
			`# builtins.toJSON {`
			`# realm = name;`
			`# enabled = true;`
			`# clients = [`
			`# rec {`
			`# enabled = true;`
			`# clientId = "forgejo";`
			`# name = "Forgejo Beta";`
			`# description = "";`
			`# rootUrl = "https://${config.services.forgejo.settings.server.DOMAIN}";`
			`# adminUrl = rootUrl;`
			`# baseUrl = rootUrl;`
			`# surrogateAuthRequired = false;`
			`# alwaysDisplayInConsole = true;`
			`# clientAuthenticatorType = "client-secret";`
			`# # secret = readFile config.sops.secrets.${forgejoClientSecretKey}.path;`
			`# redirectUris = [ "${rootUrl}/*" ];`
			`# webOrigins = [ rootUrl ];`
			`# notBefore = 0;`
			`# bearerOnly = false;`
			`# consentRequired = false;`
			`# standardFlowEnabled = true;`
			`# implicitFlowEnabled = false;`
			`# directAccessGrantsEnabled = false;`
			`# serviceAccountsEnabled = false;`
			`# publicClient = false;`
			`# frontchannelLogout = true;`
			`# protocol = "openid-connect";`
			`# attributes = {`
			`# "realm_client" = "false";`
			`# "oidc.ciba.grant.enabled" = "false";`
			`# "client.secret.creation.time" = "1758824229";`
			`# "backchannel.logout.session.required" = "true";`
			`# "standard.token.exchange.enabled" = "false";`
			`# "frontchannel.logout.session.required" = "true";`
			`# "display.on.consent.screen" = "false";`
			`# "oauth2.device.authorization.grant.enabled" = "false";`
			`# "backchannel.logout.revoke.offline.tokens" = "false";`
			`# };`
			`# authenticationFlowBindingOverrides = { };`
			`# fullScopeAllowed = true;`
			`# nodeReRegistrationTimeout = -1;`
			`# defaultClientScopes = [`
			`# "web-origins"`
			`# "offline_access"`
			`# "profile"`
			`# "roles"`
			`# "basic"`
			`# "email"`
			`# ];`
			`# optionalClientScopes = [`
			`# "acr"`
			`# "address"`
			`# "phone"`
			`# "organization"`
			`# "microprofile-jwt"`
			`# ];`
			`# access = {`
			`# view = true;`
			`# configure = true;`
			`# manage = true;`
			`# };`

			`# }`
			`# ];`
			`# users = [`
			`# {`
			`# enabled = true;`
			`# firstName = "Christian";`
			`# lastName = "Bauer";`
			`# username = "cbauer";`
			`# email = "cbauer@localhost";`
			`# credentials = [`
			`# {`
			`# type = "password";`
			`# temporary = false;`
			`# value = "changeme";`
			`# }`
			`# ];`
			`# }`
			`# ];`
			`# }`
			`# )`
			`# )`
			`];`
✨ [pi4] Initial Keycloak setup 2025-09-06 15:30:37 +00:00			`};`

✨ [pi4] Working keycloak config 2025-09-23 16:08:50 +00:00			`nginx.virtualHosts.${domain} = {`
✨ [pi4] Initial Keycloak setup 2025-09-06 15:30:37 +00:00			`forceSSL = true;`
			`enableACME = true;`
✨ [pi4] Working keycloak config 2025-09-23 16:08:50 +00:00			`locations."/".proxyPass = "http://localhost:${toString port}";`
✨ [pi4] Initial Keycloak setup 2025-09-06 15:30:37 +00:00			`};`
			`};`
[pi4] Added Forgejo client to realmFile 2025-10-04 11:47:54 +00:00			`sops.secrets = {`
			`${dbPassKey} = { };`
			`${forgejoClientSecretKey} = { };`
			`};`
✨ [pi4] Initial Keycloak setup 2025-09-06 15:30:37 +00:00			`}`