{ config, common, pkgs, ... }:
let
  # Loopback port Keycloak serves plain HTTP on; TLS is terminated by the nginx vhost below.
  keycloakPort = 8086;
  # Public name of this Keycloak instance (sub-domain of the shared `common.domain`).
  fqdn = "beta.auth.${common.domain}";
  # Keys into `sops.secrets`; the decrypted files are reached via config.sops.secrets.<key>.path.
  dbPasswordSecret = "keycloak/database-pass";
  forgejoClientSecret = "keycloak/realms/forgejo/client/secret";
in
{
  services.keycloak = {
    enable = true;

    settings = {
      # External URL; Keycloak derives its issuer / redirect URLs from this value.
      hostname = "https://${fqdn}";
      http-port = keycloakPort;
      # Plain HTTP is acceptable only because the proxy below talks to it over localhost.
      # NOTE(review): no proxy-headers setting is configured here, so Keycloak presumably sees
      # every request as coming from 127.0.0.1; per-IP brute-force detection and login event
      # logs would then not reflect the real client address — confirm against the deployed
      # Keycloak version before relying on either.
      # NOTE(review): nothing here restricts the interface http-port is bound to; confirm the
      # firewall (or an `http-host` setting) keeps the unencrypted listener off the network.
      http-enabled = true;
    };

    database = {
      type = "postgresql";
      createLocally = true;
      port = config.services.postgresql.settings.port;
      # Read at service start from the sops-managed file, so the password never enters the
      # Nix store. NOTE(review): sops secrets default to root-only permissions — verify the
      # keycloak service user can actually read this file.
      passwordFile = config.sops.secrets.${dbPasswordSecret}.path;
    };

    # Bootstrap credential for the very first admin login. It is a plain string in this module
    # and therefore ends up world-readable in /nix/store; rotate it immediately after first use.
    initialAdminPassword = "changeme";

    # Realm import is currently disabled; the draft below is kept for reference only.
    # If it is ever enabled, remember that pkgs.writeText places the generated JSON in the
    # Nix store, so any secret or user password inside it becomes world-readable.
    realmFiles = [
      # (
      #   let
      #     name = "Default";
      #   in
      #   pkgs.writeText "${name}.json" (
      #     builtins.toJSON {
      #       realm = name;
      #       enabled = true;
      #       clients = [
      #         rec {
      #           enabled = true;
      #           clientId = "forgejo";
      #           name = "Forgejo Beta";
      #           description = "";
      #           rootUrl = "https://${config.services.forgejo.settings.server.DOMAIN}";
      #           adminUrl = rootUrl;
      #           baseUrl = rootUrl;
      #           surrogateAuthRequired = false;
      #           alwaysDisplayInConsole = true;
      #           clientAuthenticatorType = "client-secret";
      #           # Kept disabled on purpose: readFile would copy the client secret into the
      #           # store-resident JSON produced by writeText.
      #           # secret = readFile config.sops.secrets.${forgejoClientSecret}.path;
      #           redirectUris = [ "${rootUrl}/*" ];
      #           webOrigins = [ rootUrl ];
      #           notBefore = 0;
      #           bearerOnly = false;
      #           consentRequired = false;
      #           standardFlowEnabled = true;
      #           implicitFlowEnabled = false;
      #           directAccessGrantsEnabled = false;
      #           serviceAccountsEnabled = false;
      #           publicClient = false;
      #           frontchannelLogout = true;
      #           protocol = "openid-connect";
      #           attributes = {
      #             "realm_client" = "false";
      #             "oidc.ciba.grant.enabled" = "false";
      #             "client.secret.creation.time" = "1758824229";
      #             "backchannel.logout.session.required" = "true";
      #             "standard.token.exchange.enabled" = "false";
      #             "frontchannel.logout.session.required" = "true";
      #             "display.on.consent.screen" = "false";
      #             "oauth2.device.authorization.grant.enabled" = "false";
      #             "backchannel.logout.revoke.offline.tokens" = "false";
      #           };
      #           authenticationFlowBindingOverrides = { };
      #           fullScopeAllowed = true;
      #           nodeReRegistrationTimeout = -1;
      #           defaultClientScopes = [
      #             "web-origins"
      #             "offline_access"
      #             "profile"
      #             "roles"
      #             "basic"
      #             "email"
      #           ];
      #           optionalClientScopes = [
      #             "acr"
      #             "address"
      #             "phone"
      #             "organization"
      #             "microprofile-jwt"
      #           ];
      #           access = {
      #             view = true;
      #             configure = true;
      #             manage = true;
      #           };
      #         }
      #       ];
      #       users = [
      #         {
      #           enabled = true;
      #           firstName = "Christian";
      #           lastName = "Bauer";
      #           username = "cbauer";
      #           email = "cbauer@localhost";
      #           credentials = [
      #             {
      #               type = "password";
      #               temporary = false;
      #               # A non-temporary, well-known password baked into an import file.
      #               value = "changeme";
      #             }
      #           ];
      #         }
      #       ];
      #     }
      #   )
      # )
    ];
  };

  # TLS-terminating reverse proxy in front of the loopback HTTP listener.
  services.nginx.virtualHosts.${fqdn} = {
    forceSSL = true;
    enableACME = true;
    locations."/".proxyPass = "http://localhost:${toString keycloakPort}";
  };

  # Declare the secrets this module consumes; ownership/permissions are left at sops defaults.
  sops.secrets = {
    ${dbPasswordSecret} = { };
    ${forgejoClientSecret} = { };
  };
}