dotfiles/system/hosts/server/keycloak.nix

112 lines
3.8 KiB
Nix
Raw Normal View History

2023-08-28 00:46:51 +07:00
{ config
, lib
, pkgs
, ... }:
let
cfg = config.server;
in {
services.keycloak = {
enable = true;
database.passwordFile = "/secrets/keycloak_db_pass";
settings = {
hostname = "keycloak.${cfg.domainName}";
http-enabled = true;
http-host = "127.0.0.1";
http-port = 5739;
https-port = 5740;
proxy = "edge";
};
};
services.nginx.virtualHosts."keycloak.${cfg.domainName}" = {
quic = true;
enableACME = true;
forceSSL = true;
locations."/".proxyPass = "http://${lib.quoteListenAddr config.services.keycloak.settings.http-host}:${toString config.services.keycloak.settings.http-port}/";
};
services.gitea.settings.openid = {
ENABLE_OPENID_SIGNIN = true;
ENABLE_OPENID_SIGNUP = true;
};
systemd.services.gitea.after = [ "keycloak.service" ];
2023-08-28 00:46:51 +07:00
2024-03-19 15:30:38 +07:00
services.nextcloud.settings.allow_local_remote_servers = true;
systemd.services.nextcloud.after = [ "keycloak.service" ];
2023-08-28 00:46:51 +07:00
# a crude way to make some python packages available for synapse
services.matrix-synapse.plugins = with pkgs.python3.pkgs; [ authlib ];
2024-06-06 23:20:08 +07:00
# i'm managing this manually in a stateful way
# services.matrix-synapse.settings.password_config.enabled = false;
systemd.services.matrix-synapse.after = [ "keycloak.service" ];
2023-08-28 00:46:51 +07:00
# See also https://meta.akkoma.dev/t/390
# https://<pleroma>/oauth/keycloak?scope=openid+profile
# ...but this doesnt even work, the callback fails with %OAuth2.Error{reason: :invalid_request}
2023-08-28 00:46:51 +07:00
# oh well
2023-09-13 17:20:18 +07:00
/*
2023-08-28 00:46:51 +07:00
services.akkoma.config = {
":ueberauth" = let
url = "https://keycloak.${cfg.domainName}";
realm = cfg.keycloakRealm;
format = pkgs.formats.elixirConf { };
in {
"Ueberauth.Strategy.Keycloak.OAuth" = {
client_id = "akkoma";
client_secret = format.lib.mkRaw ''System.get_env("KEYCLOAK_CLIENT_SECRET")'';
site = url;
authorize_url = "${url}/realms/${realm}/protocol/openid-connect/auth";
token_url = "${url}/realms/${realm}/protocol/openid-connect/token";
userinfo_url = "${url}/realms/${realm}/protocol/openid-connect/userinfo";
token_method = format.lib.mkRaw ":post";
};
Ueberauth.providers = {
keycloak = format.lib.mkTuple [ (format.lib.mkRaw "Ueberauth.Strategy.Keycloak") {
default_scope = "openid profile";
uid_field = format.lib.mkRaw ":preferred_username";
} ];
};
};
};
services.akkoma.package = pkgs.akkoma.overrideAttrs (old: {
buildInputs = let
inherit (pkgs.beamPackages) fetchHex buildMix;
oldDeps = old.buildInputs or [];
tesla = builtins.head (builtins.filter (x: x.packageName == "tesla") oldDeps);
ueberauth = builtins.head (builtins.filter (x: x.packageName == "ueberauth") oldDeps);
in oldDeps ++ builtins.attrValues rec {
# TODO: nothing, this is just a reminder to relock these every once in a while
oauth2 = buildMix rec {
name = "oauth2";
version = "2.1.0";
src = fetchHex {
2023-09-13 17:20:18 +07:00
pkg = name;
inherit version;
2023-08-28 00:46:51 +07:00
sha256 = "0h9bps7gq7bac5gc3q0cgpsj46qnchpqbv5hzsnd2z9hnf2pzh4a";
};
beamDeps = [ tesla ];
};
ueberauth_keycloak_strategy = buildMix rec {
name = "ueberauth_keycloak_strategy";
version = "0.4.0";
src = fetchHex {
2023-09-13 17:20:18 +07:00
pkg = name;
inherit version;
2023-08-28 00:46:51 +07:00
sha256 = "06r10w0azlpypjgggar1lf7h2yazn2dpyicy97zxkjyxgf9jfc60";
};
beamDeps = [ oauth2 ueberauth ];
};
};
OAUTH_CONSUMER_STRATEGIES = "keycloak:ueberauth_keycloak_strategy";
});
systemd.services.akkoma = {
after = [ "keycloak.service" ];
2023-08-28 00:46:51 +07:00
environment.OAUTH_CONSUMER_STRATEGIES = "keycloak:ueberauth_keycloak_strategy";
serviceConfig.EnvironmentFile = "/secrets/akkoma/envrc";
2023-09-13 17:20:18 +07:00
};*/
2023-08-28 00:46:51 +07:00
}