From 3eaa8360981114428ad12e987c127eb285e7c352 Mon Sep 17 00:00:00 2001
From: Martin Berg Alstad
Date: Tue, 14 Oct 2025 18:35:15 +0000
Subject: [PATCH] [nidaros] Add Keycloak
---
 hosts/nidaros/default.nix | 1 +
 hosts/nidaros/keycloak.nix | 27 +++++++++++++++++++++++++++
 2 files changed, 28 insertions(+)
 create mode 100644 hosts/nidaros/keycloak.nix
diff --git a/hosts/nidaros/default.nix b/hosts/nidaros/default.nix
index cd48322..4c861cf 100644
--- a/hosts/nidaros/default.nix
+++ b/hosts/nidaros/default.nix
@@ -5,6 +5,7 @@
 (relativeToBase "modules")
 ./boot.nix
 ./hardware.nix
+ ./keycloak.nix
 ./postgres.nix
 ./security
 ];
diff --git a/hosts/nidaros/keycloak.nix b/hosts/nidaros/keycloak.nix
new file mode 100644
index 0000000..6bb684d
--- /dev/null
+++ b/hosts/nidaros/keycloak.nix
@@ -0,0 +1,27 @@
+{ config, common, ... }:
+let
+ port = 8081;
+ domain = "iam.${common.domain}";
+ dbPassKey = "keycloak/database-pass";
+in
+{
+
+ services = {
+ keycloak = {
+ enable = true;
+ settings = {
+ hostname = "https://${domain}";
+ http-port = port;
+ http-enabled = true;
+ };
+ database = {
+ type = "postgresql";
+ createLocally = true;
+ port = config.services.postgresql.settings.port;
+ passwordFile = config.sops.secrets.${dbPassKey}.path;
+ };
+ initialAdminPassword = "changeme";
+ };
+ };
+ sops.secrets.${dbPassKey} = { };
+}
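Review bot: `initialAdminPassword = "changeme";` near the end of the new keycloak.nix is a literal, guessable bootstrap credential that is committed to the repository and, like any plain Nix string, lands in the world-readable Nix store, while the database password beside it is handled through sops. Because the service is published as `iam.${common.domain}`, the temporary admin account should be rotated or removed before the host becomes reachable, and a comment such as `# bootstrap only: rotate on first login, before the proxy exposes this host` would record that requirement. Separately, `http-enabled = true` serves plain HTTP on port 8081 and no reverse proxy or bind address appears in this patch. If TLS is terminated by a proxy on the same machine, adding `http-host = "127.0.0.1";` and, on current Keycloak versions, `proxy-headers = "xforwarded";` to `settings` would keep the cleartext listener off other interfaces and let Keycloak honour the forwarded scheme.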