[pi4] Added Forgejo client to realmFile
@@ -1,8 +1,14 @@
|
||||
{ config, common, ... }:
|
||||
{
|
||||
config,
|
||||
common,
|
||||
pkgs,
|
||||
...
|
||||
}:
|
||||
let
|
||||
port = 8086;
|
||||
domain = "beta.auth.${common.domain}";
|
||||
dbPassKey = "keycloak/database-pass";
|
||||
forgejoClientSecretKey = "keycloak/realms/forgejo/client/secret";
|
||||
in
|
||||
{
|
||||
|
||||
@@ -21,6 +27,97 @@ in
|
||||
passwordFile = config.sops.secrets.${dbPassKey}.path;
|
||||
};
|
||||
initialAdminPassword = "changeme";
|
||||
realmFiles = [
|
||||
# (
|
||||
# let
|
||||
# name = "Default";
|
||||
# in
|
||||
# pkgs.writeText "${name}.json" (
|
||||
# builtins.toJSON {
|
||||
# realm = name;
|
||||
# enabled = true;
|
||||
# clients = [
|
||||
# rec {
|
||||
# enabled = true;
|
||||
# clientId = "forgejo";
|
||||
# name = "Forgejo Beta";
|
||||
# description = "";
|
||||
# rootUrl = "https://${config.services.forgejo.settings.server.DOMAIN}";
|
||||
# adminUrl = rootUrl;
|
||||
# baseUrl = rootUrl;
|
||||
# surrogateAuthRequired = false;
|
||||
# alwaysDisplayInConsole = true;
|
||||
# clientAuthenticatorType = "client-secret";
|
||||
# # secret = readFile config.sops.secrets.${forgejoClientSecretKey}.path;
|
||||
# redirectUris = [ "${rootUrl}/*" ];
|
||||
# webOrigins = [ rootUrl ];
|
||||
# notBefore = 0;
|
||||
# bearerOnly = false;
|
||||
# consentRequired = false;
|
||||
# standardFlowEnabled = true;
|
||||
# implicitFlowEnabled = false;
|
||||
# directAccessGrantsEnabled = false;
|
||||
# serviceAccountsEnabled = false;
|
||||
# publicClient = false;
|
||||
# frontchannelLogout = true;
|
||||
# protocol = "openid-connect";
|
||||
# attributes = {
|
||||
# "realm_client" = "false";
|
||||
# "oidc.ciba.grant.enabled" = "false";
|
||||
# "client.secret.creation.time" = "1758824229";
|
||||
# "backchannel.logout.session.required" = "true";
|
||||
# "standard.token.exchange.enabled" = "false";
|
||||
# "frontchannel.logout.session.required" = "true";
|
||||
# "display.on.consent.screen" = "false";
|
||||
# "oauth2.device.authorization.grant.enabled" = "false";
|
||||
# "backchannel.logout.revoke.offline.tokens" = "false";
|
||||
# };
|
||||
# authenticationFlowBindingOverrides = { };
|
||||
# fullScopeAllowed = true;
|
||||
# nodeReRegistrationTimeout = -1;
|
||||
# defaultClientScopes = [
|
||||
# "web-origins"
|
||||
# "offline_access"
|
||||
# "profile"
|
||||
# "roles"
|
||||
# "basic"
|
||||
# "email"
|
||||
# ];
|
||||
# optionalClientScopes = [
|
||||
# "acr"
|
||||
# "address"
|
||||
# "phone"
|
||||
# "organization"
|
||||
# "microprofile-jwt"
|
||||
# ];
|
||||
# access = {
|
||||
# view = true;
|
||||
# configure = true;
|
||||
# manage = true;
|
||||
# };
|
||||
|
||||
# }
|
||||
# ];
|
||||
# users = [
|
||||
# {
|
||||
# enabled = true;
|
||||
# firstName = "Christian";
|
||||
# lastName = "Bauer";
|
||||
# username = "cbauer";
|
||||
# email = "cbauer@localhost";
|
||||
# credentials = [
|
||||
# {
|
||||
# type = "password";
|
||||
# temporary = false;
|
||||
# value = "changeme";
|
||||
# }
|
||||
# ];
|
||||
# }
|
||||
# ];
|
||||
# }
|
||||
# )
|
||||
# )
|
||||
];
|
||||
};
|
||||
|
||||
nginx.virtualHosts.${domain} = {
|
||||
@@ -29,5 +126,8 @@ in
|
||||
locations."/".proxyPass = "http://localhost:${toString port}";
|
||||
};
|
||||
};
|
||||
sops.secrets.${dbPassKey} = { };
|
||||
sops.secrets = {
|
||||
${dbPassKey} = { };
|
||||
${forgejoClientSecretKey} = { };
|
||||
};
|
||||
}
|
||||
|
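Review bot: The added `realmFiles` block is fully commented out, so nothing changes at runtime, but the draft it leaves behind would put secrets into the world-readable Nix store once uncommented: `pkgs.writeText` materialises the realm JSON as a store path, and the nested `# secret = readFile config.sops.secrets.${forgejoClientSecretKey}.path;` would run at evaluation time, before sops-nix has decrypted the file, and would copy the secret into that store path if it did succeed. The user entry with `value = "changeme"` has the same store-exposure problem, and importing a realm with a known password and `access.manage = true` means a known credential is provisioned the moment the file is enabled as-is. I would either drop the dead draft or add a header comment above `realmFiles = [` such as `# NOTE: never readFile sops secrets here — realmFiles land in /nix/store; inject the client secret at activation time instead`. Separately, `redirectUris = [ "${rootUrl}/*" ]` is a wildcard; restricting it to the exact callback path Forgejo uses is the narrower choice. The new `${forgejoClientSecretKey} = { };` entry in the last hunk sets no `owner`/`mode`, so with sops-nix defaults only root can read it — worth confirming the keycloak service can actually consume it before the realm import is switched on.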