✨ [pi4] Initial Keycloak setup

hosts/pi4/default.nix

@@ -11,6 +11,7 @@
     ./hardware.nix
     ./headscale.nix
     ./home-assitant.nix
+    ./keycloak.nix
     ./mailserver.nix
     ./nextcloud.nix
     ./nginx.nix

hosts/pi4/keycloak.nix

@@ -0,0 +1,52 @@
+{ config, common, ... }:
+let
+  port = 8086;
+  domain = "beta.auth.${common.domain}";
+  dbPassKey = "keycloak/database-pass";
+  cfg = config.services.keycloak;
+in
+{
+  services = {
+    keycloak = {
+      enable = true;
+      settings = {
+        hostname = domain;
+        http-port = port;
+        http-enabled = true;
+      };
+      database = {
+        type = "postgresql";
+        createLocally = false;
+        host = "localhost";
+        port = config.services.postgresql.settings.port;
+        name = "keycloak";
+        username = "keycloak";
+        passwordFile = config.sops.secrets.${dbPassKey}.path;
+        useSSL = false;
+      };
+    };
+
+    nginx.virtualHosts."${domain}" = {
+      forceSSL = true;
+      enableACME = true;
+      locations = {
+        "/".proxyPass = "http://localhost:${toString port}";
+      };
+    };
+
+    postgresql =
+      let
+        psql = cfg.database;
+      in
+      {
+        ensureDatabases = [ psql.name ];
+        ensureUsers = [
+          {
+            name = psql.username;
+            ensureDBOwnership = true;
+          }
+        ];
+      };
+  };
+  sops.secrets.${dbPassKey} = { };
+}

hosts/pi4/postgres.nix

@@ -4,8 +4,10 @@
   services.postgresql = {
     enable = true;
     authentication = pkgs.lib.mkOverride 10 ''
-      #type database  DBuser        auth-method
-      local all       all           trust
+      #type  database  DBuser  url            auth-method
+      local  all       all                    trust
+      # ipv4
+      host   all       all     127.0.0.1/32   trust
     '';
   };
 }