diff --git a/hosts/pi4/keycloak.nix b/hosts/pi4/keycloak.nix
index 8379f7a..c434de7 100644
--- a/hosts/pi4/keycloak.nix
+++ b/hosts/pi4/keycloak.nix
@@ -1,8 +1,14 @@
-{ config, common, ... }:
+{
+ config,
+ common,
+ pkgs,
+ ...
+}:
 let
 port = 8086;
 domain = "beta.auth.${common.domain}";
 dbPassKey = "keycloak/database-pass";
+ forgejoClientSecretKey = "keycloak/realms/forgejo/client/secret";
 in
 {
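Review bot: `pkgs` is added to the module's argument set, but its only reference (`pkgs.writeText`) lives inside the commented-out `realmFiles` block in the later hunk, so right now it is an unused binding that a dead-code check such as deadnix will flag. Either drop it until the realm import is actually enabled, or keep it with a one-line comment stating the intent, e.g. `# pkgs: needed once realmFiles builds the realm JSON via pkgs.writeText`. `forgejoClientSecretKey` is fine as a key constant, but a short comment next to it naming what is meant to consume the secret would help, since nothing in this commit reads it yet.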
@@ -21,6 +27,97 @@ in
 passwordFile = config.sops.secrets.${dbPassKey}.path;
 };
 initialAdminPassword = "changeme";
+ realmFiles = [
+ # (
+ # let
+ # name = "Default";
+ # in
+ # pkgs.writeText "${name}.json" (
+ # builtins.toJSON {
+ # realm = name;
+ # enabled = true;
+ # clients = [
+ # rec {
+ # enabled = true;
+ # clientId = "forgejo";
+ # name = "Forgejo Beta";
+ # description = "";
+ # rootUrl = "https://${config.services.forgejo.settings.server.DOMAIN}";
+ # adminUrl = rootUrl;
+ # baseUrl = rootUrl;
+ # surrogateAuthRequired = false;
+ # alwaysDisplayInConsole = true;
+ # clientAuthenticatorType = "client-secret";
+ # # secret = readFile config.sops.secrets.${forgejoClientSecretKey}.path;
+ # redirectUris = [ "${rootUrl}/*" ];
+ # webOrigins = [ rootUrl ];
+ # notBefore = 0;
+ # bearerOnly = false;
+ # consentRequired = false;
+ # standardFlowEnabled = true;
+ # implicitFlowEnabled = false;
+ # directAccessGrantsEnabled = false;
+ # serviceAccountsEnabled = false;
+ # publicClient = false;
+ # frontchannelLogout = true;
+ # protocol = "openid-connect";
+ # attributes = {
+ # "realm_client" = "false";
+ # "oidc.ciba.grant.enabled" = "false";
+ # "client.secret.creation.time" = "1758824229";
+ # "backchannel.logout.session.required" = "true";
+ # "standard.token.exchange.enabled" = "false";
+ # "frontchannel.logout.session.required" = "true";
+ # "display.on.consent.screen" = "false";
+ # "oauth2.device.authorization.grant.enabled" = "false";
+ # "backchannel.logout.revoke.offline.tokens" = "false";
+ # };
+ # authenticationFlowBindingOverrides = { };
+ # fullScopeAllowed = true;
+ # nodeReRegistrationTimeout = -1;
+ # defaultClientScopes = [
+ # "web-origins"
+ # "offline_access"
+ # "profile"
+ # "roles"
+ # "basic"
+ # "email"
+ # ];
+ # optionalClientScopes = [
+ # "acr"
+ # "address"
+ # "phone"
+ # "organization"
+ # "microprofile-jwt"
+ # ];
+ # access = {
+ # view = true;
+ # configure = true;
+ # manage = true;
+ # };
+
+ # }
+ # ];
+ # users = [
+ # {
+ # enabled = true;
+ # firstName = "Christian";
+ # lastName = "Bauer";
+ # username = "cbauer";
+ # email = "cbauer@localhost";
+ # credentials = [
+ # {
+ # type = "password";
+ # temporary = false;
+ # value = "changeme";
+ # }
+ # ];
+ # }
+ # ];
+ # }
+ # )
+ # )
+ ];
 };
 nginx.virtualHosts.${domain} = {
@@ -29,5 +126,8 @@ in
 locations."/".proxyPass = "http://localhost:${toString port}";
 };
 };
- sops.secrets.${dbPassKey} = { };
+ sops.secrets = {
+ ${dbPassKey} = { };
+ ${forgejoClientSecretKey} = { };
+ };
 }
diff --git a/shared/secrets/secrets.yaml b/shared/secrets/secrets.yaml
index 9fe2e98..cf6f0f6 100644
--- a/shared/secrets/secrets.yaml
+++ b/shared/secrets/secrets.yaml
@@ -6,6 +6,10 @@ forgejo:
 runner-token: ENC[AES256_GCM,data:xbULBWrqosktW7XHViLH7Sk76upH31RFQNsBcXWWN7bpRadF3tpBA/hksMyEdg==,iv:v3vzUb5wsWeKWRYWT+ks4ZWGXQRhZ+td3N3bpuwoVc8=,tag:rEVoEw/QOSs8puujsRBxXQ==,type:str]
 keycloak:
 database-pass: ENC[AES256_GCM,data:+1lXS/wmBg/klmRqmSW3bZiZ,iv:iFYNIrBzYPBwjusHlPJj6EKDmGgGFmDLhiL+SEq6gHE=,tag:8CoF/94nyhaTHpkij59NGQ==,type:str]
+ realms:
+ forgejo:
+ client:
+ secret: ENC[AES256_GCM,data:CkjdtBemZd+JryPNoLA6MsGJKvYeoziOITJlZG1YhPA=,iv:yXi55RDYiwfwFde8W0EiNuo5T+ZNuuJdTOT2ydEpIXc=,tag:epXzDVifVGdasN6uHqmV+g==,type:str]
 password-hash: ENC[AES256_GCM,data:FsGHBAw/z4tcBRObVlo//UotWHyHns0+vdJVgt2lfGiIfQG+1I60g2Tzgv/O+gz3oz41NIwAYf61SR9AfXhpnc1AxiZRlCBwMQ==,iv:oiJndSVZQ+00UPz0TuJXV+T8x9mtecrNDUaablOGffU=,tag:wQuow7C8KqelJOE9KqCxMA==,type:str]
 mailserver:
 password-hash: ENC[AES256_GCM,data:H5PlCVuwUxIjtWbNsxb/ROkY2KiNhSwvWDvTLBfR596ijRTkaH0xtltsvHiiNHmfKERfcAXKO9EyGNHc,iv:qev1fs0PPydz8cm9D7hLp6ULgUEQJm+E0Pg86bor1to=,tag:zFnJ23NDCXeur+kvNSQV6w==,type:str]
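Review bot: The commented-out `realmFiles` entry, if revived as written, would read the decrypted client secret with `readFile` at evaluation time and pass it through `pkgs.writeText`, which places the secret in a world-readable Nix store path; it also carries a plaintext `changeme` user credential and a fixed `client.secret.creation.time`, none of which should sit in the module as dead code. I would either remove the roughly ninety commented lines (they remain in history) or keep only a short comment at the top of `realmFiles` such as `# TODO: realm import disabled; the client secret must not be read with readFile at eval time, since that copies it into the Nix store — inject it when the service starts instead.` The `sops.secrets` rewrite in the next hunk declares `${forgejoClientSecretKey}` that nothing in this commit reads; presumably the service itself is meant to read it later, in which case the secret will also need its `owner` set to the Keycloak service user rather than the default, to be confirmed against how the realm file is eventually produced. The enclosing `services.keycloak` attribute set begins before this hunk.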
@@ -40,7 +44,7 @@ sops:
 SGdNMnVlQlNEeVJkWmZEM1FRT2JJMGMKbZ/znJM6tFhzhHariRXMLgH/4CRZZKrb
 YtmSdeL/Pd5YIecCpjDHDn4vQ0TBAmLaX+zVbNbRKmMZoY7777ywfA==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2025-09-06T14:03:38Z"
- mac: ENC[AES256_GCM,data:qqadwOj1/xlAdhnwPJZa4nE8nJ7pEFgDqPCDN2/YeJ0C0gGhJpC3Q7FyKrPYNllqTZE0ZtNbiSTltweJQ+RVPuDD/IYUI+Mp/FX4U2B9349F6CwUyFRDHVWuZLWcTOHoRL3PkVQ78xY46ZAXOf9irilWg2cYZZ6p3YSZhZX/E8Y=,iv:B6I3A4gj6qGqo5liJyrDw/N6diQihRytJ6YVPgFJPPM=,tag:zr0gXkQjNWm/FN54+unmRg==,type:str]
+ lastmodified: "2025-09-30T16:56:04Z"
+ mac: ENC[AES256_GCM,data:BFdEyBs/0hhgldAKVJ/E9gldpU8nyvNuRPP/Ye/ke3aqk+oWvcXJn9oOX47sFwaDQAlrM4E97/baygzIJFH+jkOPZYhlAxLA31KumB+d5WQedPP+yWrHfzwQCIIs6ye9Hl6VljVkMP8OMjGD+oNrm2XqfUkBL+Y3Mxpi0zdksFc=,iv:WXGVtK9EBIS2F1JNr3Nk0hy2fUsNlKkhpRJFR5u/H9U=,tag:JouBIk5rK5ZDdTvw2WWW1g==,type:str]
 unencrypted_suffix: _unencrypted
 version: 3.10.2