✨ [pi4] Initial Keycloak setup

hosts/pi4/default.nix

@@ -11,6 +11,7 @@
     ./hardware.nix
     ./headscale.nix
     ./home-assitant.nix
+    ./keycloak.nix
     ./mailserver.nix
     ./nextcloud.nix
     ./nginx.nix

hosts/pi4/keycloak.nix

@@ -0,0 +1,52 @@
+{ config, common, ... }:
+let
+  port = 8086;
+  domain = "beta.auth.${common.domain}";
+  dbPassKey = "keycloak/database-pass";
+  cfg = config.services.keycloak;
+in
+{
+  services = {
+    keycloak = {
+      enable = true;
+      settings = {
+        hostname = domain;
+        http-port = port;
+        http-enabled = true;
+      };
+      database = {
+        type = "postgresql";
+        createLocally = false;
+        host = "localhost";
+        port = config.services.postgresql.settings.port;
+        name = "keycloak";
+        username = "keycloak";
+        passwordFile = config.sops.secrets.${dbPassKey}.path;
+        useSSL = false;
+      };
+    };
+
+    nginx.virtualHosts."${domain}" = {
+      forceSSL = true;
+      enableACME = true;
+      locations = {
+        "/".proxyPass = "http://localhost:${toString port}";
+      };
+    };
+
+    postgresql =
+      let
+        psql = cfg.database;
+      in
+      {
+        ensureDatabases = [ psql.name ];
+        ensureUsers = [
+          {
+            name = psql.username;
+            ensureDBOwnership = true;
+          }
+        ];
+      };
+  };
+  sops.secrets.${dbPassKey} = { };
+}

hosts/pi4/postgres.nix

@@ -4,8 +4,10 @@
   services.postgresql = {
     enable = true;
     authentication = pkgs.lib.mkOverride 10 ''
-      #type database  DBuser        auth-method
+      #type  database  DBuser  url            auth-method
-      local all       all           trust
+      local  all       all                    trust
+      # ipv4
+      host   all       all     127.0.0.1/32   trust
     '';
   };
 }

shared/secrets/secrets.yaml

@@ -4,6 +4,8 @@ forgejo:
     admin-pass: ENC[AES256_GCM,data:RGTOw0Yo5rJGEVLGsQgyk9Wc,iv:SuN770eAgFIVd4pJ6vmPIvVCMqTW/2sBUYUbqym2cHo=,tag:YlyNR/fFchdBwzCuIsWGMA==,type:str]
     #ENC[AES256_GCM,data:oMpYBQ30sdCTtgxEZvYxTd9oi9QM0bYp5NisMdQHYT/nF2k=,iv:H9/g7XttJScVXV38+yHdbgWNFDhBYyudjK5BKHTt5wo=,tag:FNfkKfkKWDBUAXiGXkDchw==,type:comment]
     runner-token: ENC[AES256_GCM,data:xbULBWrqosktW7XHViLH7Sk76upH31RFQNsBcXWWN7bpRadF3tpBA/hksMyEdg==,iv:v3vzUb5wsWeKWRYWT+ks4ZWGXQRhZ+td3N3bpuwoVc8=,tag:rEVoEw/QOSs8puujsRBxXQ==,type:str]
+keycloak:
+    database-pass: ENC[AES256_GCM,data:+1lXS/wmBg/klmRqmSW3bZiZ,iv:iFYNIrBzYPBwjusHlPJj6EKDmGgGFmDLhiL+SEq6gHE=,tag:8CoF/94nyhaTHpkij59NGQ==,type:str]
 password-hash: ENC[AES256_GCM,data:FsGHBAw/z4tcBRObVlo//UotWHyHns0+vdJVgt2lfGiIfQG+1I60g2Tzgv/O+gz3oz41NIwAYf61SR9AfXhpnc1AxiZRlCBwMQ==,iv:oiJndSVZQ+00UPz0TuJXV+T8x9mtecrNDUaablOGffU=,tag:wQuow7C8KqelJOE9KqCxMA==,type:str]
 mailserver:
     password-hash: ENC[AES256_GCM,data:H5PlCVuwUxIjtWbNsxb/ROkY2KiNhSwvWDvTLBfR596ijRTkaH0xtltsvHiiNHmfKERfcAXKO9EyGNHc,iv:qev1fs0PPydz8cm9D7hLp6ULgUEQJm+E0Pg86bor1to=,tag:zFnJ23NDCXeur+kvNSQV6w==,type:str]
@@ -38,7 +40,7 @@ sops:
             SGdNMnVlQlNEeVJkWmZEM1FRT2JJMGMKbZ/znJM6tFhzhHariRXMLgH/4CRZZKrb
             YtmSdeL/Pd5YIecCpjDHDn4vQ0TBAmLaX+zVbNbRKmMZoY7777ywfA==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-08-26T18:46:06Z"
+    lastmodified: "2025-09-06T14:03:38Z"
-    mac: ENC[AES256_GCM,data:uMwyVVzU4KFzJqMzOIZHtCbgGq7Em2KogTDZbfU/CRcl6HGF8/+wKwUp4mYLAFwPXfOoKvSaBTDUYCy76wirWxXz8Vb3JxlfkjR+dvwT7DM1SYVzP4CV6TZlOBDrht6gCG+yaLJkc77AzT7crAW5V4IB/ZaRpBOGrNhIZeS/o+E=,iv:YTOySOIEaojbSm4GmJC8NBMFMD3cuC+u0CMu/5/1wS4=,tag:qdzCZuJpIiKN3dQIDboJjA==,type:str]
+    mac: ENC[AES256_GCM,data:qqadwOj1/xlAdhnwPJZa4nE8nJ7pEFgDqPCDN2/YeJ0C0gGhJpC3Q7FyKrPYNllqTZE0ZtNbiSTltweJQ+RVPuDD/IYUI+Mp/FX4U2B9349F6CwUyFRDHVWuZLWcTOHoRL3PkVQ78xY46ZAXOf9irilWg2cYZZ6p3YSZhZX/E8Y=,iv:B6I3A4gj6qGqo5liJyrDw/N6diQihRytJ6YVPgFJPPM=,tag:zr0gXkQjNWm/FN54+unmRg==,type:str]
     unencrypted_suffix: _unencrypted
     version: 3.10.2