Compare commits
1 Commits
main
...
keycloak-r
Author | SHA1 | Date | |
---|---|---|---|
d72e7b957a
|
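--- a/<keycloak-nix-module-path>
+++ b/<keycloak-nix-module-path>
@@ -1,8 +1,14 @@
-{ config, common, ... }:
+{
+config,
+common,
+pkgs,
+...
+}:
 let
 port = 8086;
 domain = "beta.auth.${common.domain}";
 dbPassKey = "keycloak/database-pass";
+forgejoClientSecretKey = "keycloak/realms/forgejo/client/secret";
 in
 {
 
@@ -21,6 +27,97 @@ in
 passwordFile = config.sops.secrets.${dbPassKey}.path;
 };
 initialAdminPassword = "changeme";
+realmFiles = [
+# (
+# let
+# name = "Default";
+# in
+# pkgs.writeText "${name}.json" (
+# builtins.toJSON {
+# realm = name;
+# enabled = true;
+# clients = [
+# rec {
+# enabled = true;
+# clientId = "forgejo";
+# name = "Forgejo Beta";
+# description = "";
+# rootUrl = "https://${config.services.forgejo.settings.server.DOMAIN}";
+# adminUrl = rootUrl;
+# baseUrl = rootUrl;
+# surrogateAuthRequired = false;
+# alwaysDisplayInConsole = true;
+# clientAuthenticatorType = "client-secret";
+# # secret = readFile config.sops.secrets.${forgejoClientSecretKey}.path;
+# redirectUris = [ "${rootUrl}/*" ];
+# webOrigins = [ rootUrl ];
+# notBefore = 0;
+# bearerOnly = false;
+# consentRequired = false;
+# standardFlowEnabled = true;
+# implicitFlowEnabled = false;
+# directAccessGrantsEnabled = false;
+# serviceAccountsEnabled = false;
+# publicClient = false;
+# frontchannelLogout = true;
+# protocol = "openid-connect";
+# attributes = {
+# "realm_client" = "false";
+# "oidc.ciba.grant.enabled" = "false";
+# "client.secret.creation.time" = "1758824229";
+# "backchannel.logout.session.required" = "true";
+# "standard.token.exchange.enabled" = "false";
+# "frontchannel.logout.session.required" = "true";
+# "display.on.consent.screen" = "false";
+# "oauth2.device.authorization.grant.enabled" = "false";
+# "backchannel.logout.revoke.offline.tokens" = "false";
+# };
+# authenticationFlowBindingOverrides = { };
+# fullScopeAllowed = true;
+# nodeReRegistrationTimeout = -1;
+# defaultClientScopes = [
+# "web-origins"
+# "offline_access"
+# "profile"
+# "roles"
+# "basic"
+# "email"
+# ];
+# optionalClientScopes = [
+# "acr"
+# "address"
+# "phone"
+# "organization"
+# "microprofile-jwt"
+# ];
+# access = {
+# view = true;
+# configure = true;
+# manage = true;
+# };
+
+# }
+# ];
+# users = [
+# {
+# enabled = true;
+# firstName = "Christian";
+# lastName = "Bauer";
+# username = "cbauer";
+# email = "cbauer@localhost";
+# credentials = [
+# {
+# type = "password";
+# temporary = false;
+# value = "changeme";
+# }
+# ];
+# }
+# ];
+# }
+# )
+# )
+];
 };
 
 nginx.virtualHosts.${domain} = {
@@ -29,5 +126,8 @@ in
 locations."/".proxyPass = "http://localhost:${toString port}";
 };
 };
-sops.secrets.${dbPassKey} = { };
+sops.secrets = {
+${dbPassKey} = { };
+${forgejoClientSecretKey} = { };
+};
 }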
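Review bot: The commented-out realm in the new `realmFiles` list records the intended way to supply the Forgejo client secret, `# # secret = readFile config.sops.secrets.${forgejoClientSecretKey}.path;`, and that approach would defeat the sops secret: `builtins.readFile` runs at Nix evaluation time and the plaintext would be baked into the `pkgs.writeText` output, a world-readable store path, so the secret declared in the last hunk (`${forgejoClientSecretKey} = { };`) has to be substituted into the realm file at activation or run time (a sops-nix template rendered from a placeholder, for example) rather than read during evaluation. The same template carries a realm user with `value = "changeme";` and a fixed `"client.secret.creation.time"`, which should become real secrets or be dropped before the block is ever uncommented and imported. Ninety lines of commented Nix would also be clearer as one note stating what is pending, e.g. `# TODO: forgejo realm import — blocked on injecting the client secret without readFile`. Note too that the new sops entry sets no `owner`/`group`, so whatever eventually reads it as a non-root service will likely need them, unlike `dbPassKey`, which the keycloak module appears to consume through `passwordFile`.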
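--- a/<sops-secrets-yaml-path>
+++ b/<sops-secrets-yaml-path>
@@ -6,6 +6,10 @@ forgejo:
 runner-token: ENC[AES256_GCM,data:xbULBWrqosktW7XHViLH7Sk76upH31RFQNsBcXWWN7bpRadF3tpBA/hksMyEdg==,iv:v3vzUb5wsWeKWRYWT+ks4ZWGXQRhZ+td3N3bpuwoVc8=,tag:rEVoEw/QOSs8puujsRBxXQ==,type:str]
 keycloak:
 database-pass: ENC[AES256_GCM,data:+1lXS/wmBg/klmRqmSW3bZiZ,iv:iFYNIrBzYPBwjusHlPJj6EKDmGgGFmDLhiL+SEq6gHE=,tag:8CoF/94nyhaTHpkij59NGQ==,type:str]
+realms:
+forgejo:
+client:
+secret: ENC[AES256_GCM,data:CkjdtBemZd+JryPNoLA6MsGJKvYeoziOITJlZG1YhPA=,iv:yXi55RDYiwfwFde8W0EiNuo5T+ZNuuJdTOT2ydEpIXc=,tag:epXzDVifVGdasN6uHqmV+g==,type:str]
 password-hash: ENC[AES256_GCM,data:FsGHBAw/z4tcBRObVlo//UotWHyHns0+vdJVgt2lfGiIfQG+1I60g2Tzgv/O+gz3oz41NIwAYf61SR9AfXhpnc1AxiZRlCBwMQ==,iv:oiJndSVZQ+00UPz0TuJXV+T8x9mtecrNDUaablOGffU=,tag:wQuow7C8KqelJOE9KqCxMA==,type:str]
 mailserver:
 password-hash: ENC[AES256_GCM,data:H5PlCVuwUxIjtWbNsxb/ROkY2KiNhSwvWDvTLBfR596ijRTkaH0xtltsvHiiNHmfKERfcAXKO9EyGNHc,iv:qev1fs0PPydz8cm9D7hLp6ULgUEQJm+E0Pg86bor1to=,tag:zFnJ23NDCXeur+kvNSQV6w==,type:str]
@@ -40,7 +44,7 @@ sops:
 SGdNMnVlQlNEeVJkWmZEM1FRT2JJMGMKbZ/znJM6tFhzhHariRXMLgH/4CRZZKrb
 YtmSdeL/Pd5YIecCpjDHDn4vQ0TBAmLaX+zVbNbRKmMZoY7777ywfA==
 -----END AGE ENCRYPTED FILE-----
-lastmodified: "2025-09-06T14:03:38Z"
-mac: ENC[AES256_GCM,data:qqadwOj1/xlAdhnwPJZa4nE8nJ7pEFgDqPCDN2/YeJ0C0gGhJpC3Q7FyKrPYNllqTZE0ZtNbiSTltweJQ+RVPuDD/IYUI+Mp/FX4U2B9349F6CwUyFRDHVWuZLWcTOHoRL3PkVQ78xY46ZAXOf9irilWg2cYZZ6p3YSZhZX/E8Y=,iv:B6I3A4gj6qGqo5liJyrDw/N6diQihRytJ6YVPgFJPPM=,tag:zr0gXkQjNWm/FN54+unmRg==,type:str]
+lastmodified: "2025-09-30T16:56:04Z"
+mac: ENC[AES256_GCM,data:BFdEyBs/0hhgldAKVJ/E9gldpU8nyvNuRPP/Ye/ke3aqk+oWvcXJn9oOX47sFwaDQAlrM4E97/baygzIJFH+jkOPZYhlAxLA31KumB+d5WQedPP+yWrHfzwQCIIs6ye9Hl6VljVkMP8OMjGD+oNrm2XqfUkBL+Y3Mxpi0zdksFc=,iv:WXGVtK9EBIS2F1JNr3Nk0hy2fUsNlKkhpRJFR5u/H9U=,tag:JouBIk5rK5ZDdTvw2WWW1g==,type:str]
 unencrypted_suffix: _unencrypted
 version: 3.10.2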