[pi4] Added Forgejo client to realmFile

2025-10-04 11:47:54 +00:00
parent 07bc352954
commit d72e7b957a
2 changed files with 108 additions and 4 deletions


@@ -1,8 +1,14 @@
{ config, common, ... }: {
config,
common,
pkgs,
...
}:
let let
port = 8086; port = 8086;
domain = "beta.auth.${common.domain}"; domain = "beta.auth.${common.domain}";
dbPassKey = "keycloak/database-pass"; dbPassKey = "keycloak/database-pass";
forgejoClientSecretKey = "keycloak/realms/forgejo/client/secret";
in in
{ {
@@ -21,6 +27,97 @@ in
passwordFile = config.sops.secrets.${dbPassKey}.path; passwordFile = config.sops.secrets.${dbPassKey}.path;
}; };
initialAdminPassword = "changeme"; initialAdminPassword = "changeme";
realmFiles = [
# (
# let
# name = "Default";
# in
# pkgs.writeText "${name}.json" (
# builtins.toJSON {
# realm = name;
# enabled = true;
# clients = [
# rec {
# enabled = true;
# clientId = "forgejo";
# name = "Forgejo Beta";
# description = "";
# rootUrl = "https://${config.services.forgejo.settings.server.DOMAIN}";
# adminUrl = rootUrl;
# baseUrl = rootUrl;
# surrogateAuthRequired = false;
# alwaysDisplayInConsole = true;
# clientAuthenticatorType = "client-secret";
# # secret = readFile config.sops.secrets.${forgejoClientSecretKey}.path;
# redirectUris = [ "${rootUrl}/*" ];
# webOrigins = [ rootUrl ];
# notBefore = 0;
# bearerOnly = false;
# consentRequired = false;
# standardFlowEnabled = true;
# implicitFlowEnabled = false;
# directAccessGrantsEnabled = false;
# serviceAccountsEnabled = false;
# publicClient = false;
# frontchannelLogout = true;
# protocol = "openid-connect";
# attributes = {
# "realm_client" = "false";
# "oidc.ciba.grant.enabled" = "false";
# "client.secret.creation.time" = "1758824229";
# "backchannel.logout.session.required" = "true";
# "standard.token.exchange.enabled" = "false";
# "frontchannel.logout.session.required" = "true";
# "display.on.consent.screen" = "false";
# "oauth2.device.authorization.grant.enabled" = "false";
# "backchannel.logout.revoke.offline.tokens" = "false";
# };
# authenticationFlowBindingOverrides = { };
# fullScopeAllowed = true;
# nodeReRegistrationTimeout = -1;
# defaultClientScopes = [
# "web-origins"
# "offline_access"
# "profile"
# "roles"
# "basic"
# "email"
# ];
# optionalClientScopes = [
# "acr"
# "address"
# "phone"
# "organization"
# "microprofile-jwt"
# ];
# access = {
# view = true;
# configure = true;
# manage = true;
# };
# }
# ];
# users = [
# {
# enabled = true;
# firstName = "Christian";
# lastName = "Bauer";
# username = "cbauer";
# email = "cbauer@localhost";
# credentials = [
# {
# type = "password";
# temporary = false;
# value = "changeme";
# }
# ];
# }
# ];
# }
# )
# )
];
}; };
nginx.virtualHosts.${domain} = { nginx.virtualHosts.${domain} = {
@@ -29,5 +126,8 @@ in
locations."/".proxyPass = "http://localhost:${toString port}"; locations."/".proxyPass = "http://localhost:${toString port}";
}; };
}; };
sops.secrets.${dbPassKey} = { }; sops.secrets = {
${dbPassKey} = { };
${forgejoClientSecretKey} = { };
};
} }
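Review bot: `realmFiles = [ ... ];` in the second hunk is effectively an empty list because the entire realm definition inside it is commented out, so the new `forgejoClientSecretKey` secret declared in `sops.secrets` at the end of the file is never consumed and Keycloak imports no realm. If the block is re-enabled as written, `pkgs.writeText` combined with the commented `readFile config.sops.secrets.${forgejoClientSecretKey}.path` would read the secret at Nix evaluation time, where the sops-decrypted path is typically not yet present, and any value it did capture would be written into the world-readable Nix store together with the user `credentials` entry `value = "changeme"`. Rendering the realm JSON at activation time avoids that, e.g. with sops-nix's `sops.templates` and `config.sops.placeholder.${forgejoClientSecretKey}` (if the deployed sops-nix version supports templates), pointing `realmFiles` at the template's `path`; otherwise the commented block and its unused secret declaration should be dropped until they are wired up. The hard-coded `"client.secret.creation.time" = "1758824229"` attribute should likewise come from the rendered template rather than the repository.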


@@ -6,6 +6,10 @@ forgejo:
runner-token: ENC[AES256_GCM,data:xbULBWrqosktW7XHViLH7Sk76upH31RFQNsBcXWWN7bpRadF3tpBA/hksMyEdg==,iv:v3vzUb5wsWeKWRYWT+ks4ZWGXQRhZ+td3N3bpuwoVc8=,tag:rEVoEw/QOSs8puujsRBxXQ==,type:str] runner-token: ENC[AES256_GCM,data:xbULBWrqosktW7XHViLH7Sk76upH31RFQNsBcXWWN7bpRadF3tpBA/hksMyEdg==,iv:v3vzUb5wsWeKWRYWT+ks4ZWGXQRhZ+td3N3bpuwoVc8=,tag:rEVoEw/QOSs8puujsRBxXQ==,type:str]
keycloak: keycloak:
database-pass: ENC[AES256_GCM,data:+1lXS/wmBg/klmRqmSW3bZiZ,iv:iFYNIrBzYPBwjusHlPJj6EKDmGgGFmDLhiL+SEq6gHE=,tag:8CoF/94nyhaTHpkij59NGQ==,type:str] database-pass: ENC[AES256_GCM,data:+1lXS/wmBg/klmRqmSW3bZiZ,iv:iFYNIrBzYPBwjusHlPJj6EKDmGgGFmDLhiL+SEq6gHE=,tag:8CoF/94nyhaTHpkij59NGQ==,type:str]
realms:
forgejo:
client:
secret: ENC[AES256_GCM,data:CkjdtBemZd+JryPNoLA6MsGJKvYeoziOITJlZG1YhPA=,iv:yXi55RDYiwfwFde8W0EiNuo5T+ZNuuJdTOT2ydEpIXc=,tag:epXzDVifVGdasN6uHqmV+g==,type:str]
password-hash: ENC[AES256_GCM,data:FsGHBAw/z4tcBRObVlo//UotWHyHns0+vdJVgt2lfGiIfQG+1I60g2Tzgv/O+gz3oz41NIwAYf61SR9AfXhpnc1AxiZRlCBwMQ==,iv:oiJndSVZQ+00UPz0TuJXV+T8x9mtecrNDUaablOGffU=,tag:wQuow7C8KqelJOE9KqCxMA==,type:str] password-hash: ENC[AES256_GCM,data:FsGHBAw/z4tcBRObVlo//UotWHyHns0+vdJVgt2lfGiIfQG+1I60g2Tzgv/O+gz3oz41NIwAYf61SR9AfXhpnc1AxiZRlCBwMQ==,iv:oiJndSVZQ+00UPz0TuJXV+T8x9mtecrNDUaablOGffU=,tag:wQuow7C8KqelJOE9KqCxMA==,type:str]
mailserver: mailserver:
password-hash: ENC[AES256_GCM,data:H5PlCVuwUxIjtWbNsxb/ROkY2KiNhSwvWDvTLBfR596ijRTkaH0xtltsvHiiNHmfKERfcAXKO9EyGNHc,iv:qev1fs0PPydz8cm9D7hLp6ULgUEQJm+E0Pg86bor1to=,tag:zFnJ23NDCXeur+kvNSQV6w==,type:str] password-hash: ENC[AES256_GCM,data:H5PlCVuwUxIjtWbNsxb/ROkY2KiNhSwvWDvTLBfR596ijRTkaH0xtltsvHiiNHmfKERfcAXKO9EyGNHc,iv:qev1fs0PPydz8cm9D7hLp6ULgUEQJm+E0Pg86bor1to=,tag:zFnJ23NDCXeur+kvNSQV6w==,type:str]
@@ -40,7 +44,7 @@ sops:
SGdNMnVlQlNEeVJkWmZEM1FRT2JJMGMKbZ/znJM6tFhzhHariRXMLgH/4CRZZKrb SGdNMnVlQlNEeVJkWmZEM1FRT2JJMGMKbZ/znJM6tFhzhHariRXMLgH/4CRZZKrb
YtmSdeL/Pd5YIecCpjDHDn4vQ0TBAmLaX+zVbNbRKmMZoY7777ywfA== YtmSdeL/Pd5YIecCpjDHDn4vQ0TBAmLaX+zVbNbRKmMZoY7777ywfA==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2025-09-06T14:03:38Z" lastmodified: "2025-09-30T16:56:04Z"
mac: ENC[AES256_GCM,data:qqadwOj1/xlAdhnwPJZa4nE8nJ7pEFgDqPCDN2/YeJ0C0gGhJpC3Q7FyKrPYNllqTZE0ZtNbiSTltweJQ+RVPuDD/IYUI+Mp/FX4U2B9349F6CwUyFRDHVWuZLWcTOHoRL3PkVQ78xY46ZAXOf9irilWg2cYZZ6p3YSZhZX/E8Y=,iv:B6I3A4gj6qGqo5liJyrDw/N6diQihRytJ6YVPgFJPPM=,tag:zr0gXkQjNWm/FN54+unmRg==,type:str] mac: ENC[AES256_GCM,data:BFdEyBs/0hhgldAKVJ/E9gldpU8nyvNuRPP/Ye/ke3aqk+oWvcXJn9oOX47sFwaDQAlrM4E97/baygzIJFH+jkOPZYhlAxLA31KumB+d5WQedPP+yWrHfzwQCIIs6ye9Hl6VljVkMP8OMjGD+oNrm2XqfUkBL+Y3Mxpi0zdksFc=,iv:WXGVtK9EBIS2F1JNr3Nk0hy2fUsNlKkhpRJFR5u/H9U=,tag:JouBIk5rK5ZDdTvw2WWW1g==,type:str]
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.10.2 version: 3.10.2