diff --git a/hosts/pi4/default.nix b/hosts/pi4/default.nix
index 1f6932b..7d40b80 100644
--- a/hosts/pi4/default.nix
+++ b/hosts/pi4/default.nix
@@ -11,6 +11,7 @@
 ./hardware.nix
 ./headscale.nix
 ./home-assitant.nix
+ ./keycloak.nix
 ./mailserver.nix
 ./nextcloud.nix
 ./nginx.nix
diff --git a/hosts/pi4/keycloak.nix b/hosts/pi4/keycloak.nix
new file mode 100644
index 0000000..73c5f04
--- /dev/null
+++ b/hosts/pi4/keycloak.nix
@@ -0,0 +1,52 @@
+{ config, common, ... }:
+let
+ port = 8086;
+ domain = "beta.auth.${common.domain}";
+ dbPassKey = "keycloak/database-pass";
+ cfg = config.services.keycloak;
+in
+{
+ services = {
+ keycloak = {
+ enable = true;
+ settings = {
+ hostname = domain;
+ http-port = port;
+ http-enabled = true;
+ };
+ database = {
+ type = "postgresql";
+ createLocally = false;
+ host = "localhost";
+ port = config.services.postgresql.settings.port;
+ name = "keycloak";
+ username = "keycloak";
+ passwordFile = config.sops.secrets.${dbPassKey}.path;
+ useSSL = false;
+ };
+ };
+
+ nginx.virtualHosts."${domain}" = {
+ forceSSL = true;
+ enableACME = true;
+ locations = {
+ "/".proxyPass = "http://localhost:${toString port}";
+ };
+ };
+
+ postgresql =
+ let
+ psql = cfg.database;
+ in
+ {
+ ensureDatabases = [ psql.name ];
+ ensureUsers = [
+ {
+ name = psql.username;
+ ensureDBOwnership = true;
+ }
+ ];
+ };
+ };
+ sops.secrets.${dbPassKey} = { };
+}
diff --git a/hosts/pi4/postgres.nix b/hosts/pi4/postgres.nix
index 1709af6..6daec82 100644
--- a/hosts/pi4/postgres.nix
+++ b/hosts/pi4/postgres.nix
@@ -4,8 +4,10 @@
 services.postgresql = {
 enable = true;
 authentication = pkgs.lib.mkOverride 10 ''
- #type database DBuser auth-method
- local all all trust
+ #type database DBuser url auth-method
+ local all all trust
+ # ipv4
+ host all all 127.0.0.1/32 trust
 '';
 };
 }
diff --git a/shared/secrets/secrets.yaml b/shared/secrets/secrets.yaml
index c27fb45..9fe2e98 100644
--- a/shared/secrets/secrets.yaml
+++ b/shared/secrets/secrets.yaml
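Review bot: Keycloak is placed behind a TLS-terminating nginx vhost, but the `settings` block neither tells it about the proxy nor restricts the plain-HTTP listener, and Keycloak's `http-host` defaults to all interfaces, so the unauthenticated `http://<host>:8086` origin is reachable by anything the host firewall lets through while Keycloak itself sees the `http` scheme and the proxy's address on every request (hostname checks and per-client-IP logging/brute-force detection then work on the wrong values). Add `http-host = "127.0.0.1";` and `proxy-headers = "xforwarded";` (Keycloak 24+; `proxy = "edge";` on older releases) next to `http-enabled = true;`, and point `proxyPass` at `http://127.0.0.1:${toString port}` so the upstream address matches the bind address. This assumes the nginx configuration in `nginx.nix`, outside this diff, enables `recommendedProxySettings` so the `X-Forwarded-*` headers are actually sent; if it does not, the proxy-headers setting has nothing to read. The `useSSL = false` JDBC setting is acceptable only because the database host is loopback, which is worth a one-line comment on that line.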
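Review bot: The added `host all all 127.0.0.1/32 trust` rule lets any local process that can open TCP 5432 log in as any role, including the `postgres` superuser, without a password, so the `passwordFile` the keycloak hunk wires through sops is never actually checked. Only the keycloak role needs the TCP path, so narrow it and require a password: `host keycloak keycloak 127.0.0.1/32 scram-sha-256`; as far as I can tell `ensureUsers` does not set a password, so the role's password would then need to be set once from the sops file (for example in a `postStart` script), which should be confirmed against the module. Separately, keycloak.nix connects to `host = "localhost"`; if that resolves to `::1` first there is no matching rule at all, so either add a matching `::1/128` line or use `127.0.0.1` as the JDBC host. The new column comment says `url`; the pg_hba field is `address`. The enclosing attribute set opens before this hunk.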
@@ -4,6 +4,8 @@ forgejo:
 admin-pass: ENC[AES256_GCM,data:RGTOw0Yo5rJGEVLGsQgyk9Wc,iv:SuN770eAgFIVd4pJ6vmPIvVCMqTW/2sBUYUbqym2cHo=,tag:YlyNR/fFchdBwzCuIsWGMA==,type:str]
 #ENC[AES256_GCM,data:oMpYBQ30sdCTtgxEZvYxTd9oi9QM0bYp5NisMdQHYT/nF2k=,iv:H9/g7XttJScVXV38+yHdbgWNFDhBYyudjK5BKHTt5wo=,tag:FNfkKfkKWDBUAXiGXkDchw==,type:comment]
 runner-token: ENC[AES256_GCM,data:xbULBWrqosktW7XHViLH7Sk76upH31RFQNsBcXWWN7bpRadF3tpBA/hksMyEdg==,iv:v3vzUb5wsWeKWRYWT+ks4ZWGXQRhZ+td3N3bpuwoVc8=,tag:rEVoEw/QOSs8puujsRBxXQ==,type:str]
+keycloak:
+ database-pass: ENC[AES256_GCM,data:+1lXS/wmBg/klmRqmSW3bZiZ,iv:iFYNIrBzYPBwjusHlPJj6EKDmGgGFmDLhiL+SEq6gHE=,tag:8CoF/94nyhaTHpkij59NGQ==,type:str]
 password-hash: ENC[AES256_GCM,data:FsGHBAw/z4tcBRObVlo//UotWHyHns0+vdJVgt2lfGiIfQG+1I60g2Tzgv/O+gz3oz41NIwAYf61SR9AfXhpnc1AxiZRlCBwMQ==,iv:oiJndSVZQ+00UPz0TuJXV+T8x9mtecrNDUaablOGffU=,tag:wQuow7C8KqelJOE9KqCxMA==,type:str]
 mailserver:
 password-hash: ENC[AES256_GCM,data:H5PlCVuwUxIjtWbNsxb/ROkY2KiNhSwvWDvTLBfR596ijRTkaH0xtltsvHiiNHmfKERfcAXKO9EyGNHc,iv:qev1fs0PPydz8cm9D7hLp6ULgUEQJm+E0Pg86bor1to=,tag:zFnJ23NDCXeur+kvNSQV6w==,type:str]
@@ -38,7 +40,7 @@ sops:
 SGdNMnVlQlNEeVJkWmZEM1FRT2JJMGMKbZ/znJM6tFhzhHariRXMLgH/4CRZZKrb
 YtmSdeL/Pd5YIecCpjDHDn4vQ0TBAmLaX+zVbNbRKmMZoY7777ywfA==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2025-08-26T18:46:06Z"
- mac: ENC[AES256_GCM,data:uMwyVVzU4KFzJqMzOIZHtCbgGq7Em2KogTDZbfU/CRcl6HGF8/+wKwUp4mYLAFwPXfOoKvSaBTDUYCy76wirWxXz8Vb3JxlfkjR+dvwT7DM1SYVzP4CV6TZlOBDrht6gCG+yaLJkc77AzT7crAW5V4IB/ZaRpBOGrNhIZeS/o+E=,iv:YTOySOIEaojbSm4GmJC8NBMFMD3cuC+u0CMu/5/1wS4=,tag:qdzCZuJpIiKN3dQIDboJjA==,type:str]
+ lastmodified: "2025-09-06T14:03:38Z"
+ mac: ENC[AES256_GCM,data:qqadwOj1/xlAdhnwPJZa4nE8nJ7pEFgDqPCDN2/YeJ0C0gGhJpC3Q7FyKrPYNllqTZE0ZtNbiSTltweJQ+RVPuDD/IYUI+Mp/FX4U2B9349F6CwUyFRDHVWuZLWcTOHoRL3PkVQ78xY46ZAXOf9irilWg2cYZZ6p3YSZhZX/E8Y=,iv:B6I3A4gj6qGqo5liJyrDw/N6diQihRytJ6YVPgFJPPM=,tag:zr0gXkQjNWm/FN54+unmRg==,type:str]
 unencrypted_suffix: _unencrypted
 version: 3.10.2
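Review bot: The unchanged `password-hash:` context line now comes directly after the new `keycloak:` / `database-pass:` entries; indentation is not recoverable in this rendering, but if that line is indented as a child it has silently moved out of the map it belonged to before (apparently `forgejo`, per the hunk header) into `keycloak`, and whichever `sops.secrets` entry references it by its old path would fail at activation. Confirm the indentation, or insert the `keycloak` block after `password-hash` (or before `mailserver:`) so existing keys keep their parent. The second hunk of this file is only the sops re-encryption metadata.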