1
0
Fork 0
selfhostblocks/_disnix/docs/examples/vaultwarden/services.nix

199 lines
5.5 KiB
Nix
Raw Normal View History

2023-04-04 09:07:58 +02:00
{ system, pkgs, distribution, invDistribution }:
let
utils = pkgs.lib.callPackageWith pkgs ./utils.nix { };
customPkgs = (pkgs.callPackage (./../../..) {}).customPkgs {
inherit system pkgs utils;
};
getTarget = name: builtins.elemAt (builtins.getAttr name distribution) 0;
getDomain = name: (getTarget name).containers.system.domain;
realm = "myrealm";
smtp = utils.recursiveMerge [
{
from = "vaultwarden@${realm}.com";
fromName = "vaultwarden";
port = 587;
authMechanism = "Login";
}
vaultwarden.smtp
];
keycloak = customPkgs.keycloak {};
KeycloakService = customPkgs.mkKeycloakService {
name = "KeycloakService";
subdomain = keycloak.subdomain;
# TODO: Get these from infrastructure.nix
user = "keycloak";
group = "keycloak";
postgresServiceName = (getTarget "KeycloakPostgresDB").containers.postgresql-database.service_name;
initialAdminUsername = "admin";
keys = {
dbPassword = "keycloakdbpassword";
initialAdminPassword = "keycloakinitialadmin";
};
# logLevel = "DEBUG,org.hibernate:info,org.keycloak.authentication:debug,org.keycloak:info,org.postgresql:info,freemarker:info";
logLevel = "INFO";
hostname = "${keycloak.subdomain}.${getDomain "KeycloakService"}";
listenPort = 8080;
dbType = "postgres";
dbDatabase = keycloak.database.name;
dbUsername = keycloak.database.username;
dbHost = {KeycloakPostgresDB}: KeycloakPostgresDB.target.properties.hostname;
dbPort = (getTarget "KeycloakPostgresDB").containers.postgresql-database.port;
KeycloakPostgresDB = keycloak.db;
};
KeycloakCliService = customPkgs.mkKeycloakCliService rec {
name = "KeycloakCliService";
keycloakServiceName = "keycloak.service";
keycloakSecretsDir = (getTarget name).containers.keycloaksecrets.rootdir;
keycloakUrl = "https://${keycloak.subdomain}.${(getDomain "KeycloakService")}";
keycloakUser = KeycloakService.initialAdminUsername;
keys = {
userpasswords = "keycloakusers";
};
dependsOn = {
inherit KeycloakService HaproxyService;
};
config = (utils.recursiveMerge [
rec {
inherit realm;
domain = getDomain name;
roles = {
user = [];
admin = ["user"];
};
users = {
me = {
email = "me@${domain}";
firstName = "Me";
lastName = "Me";
roles = ["admin"];
initialPassword = true;
};
friend = {
email = "friend@${domain}";
firstName = "Friend";
lastName = "Friend";
roles = ["user"];
initialPassword = true;
};
};
}
vaultwarden.keycloakCliConfig
]);
};
KeycloakHaproxyService = customPkgs.mkKeycloakHaproxyService {
name = "KeycloakHaproxyService";
domain = "https://${keycloak.subdomain}.${getDomain "KeycloakService"}";
realms = [realm];
inherit KeycloakService;
};
vaultwarden = customPkgs.vaultwarden {
subdomain = "vaultwarden";
ingress = 18005;
sso.realm = realm;
sso.userRole = "user";
sso.adminRole = "admin";
inherit smtp;
inherit distribution HaproxyService KeycloakService KeycloakCliService;
};
HaproxyService = customPkgs.mkHaproxyService {
name = "HaproxyService";
user = "http";
group = "http";
dependsOn = {
inherit KeycloakHaproxyService;
};
config = {...}:
let
domain = getDomain "HaproxyService";
in {
certPath = "/var/lib/acme/${domain}/full.pem";
stats = {
port = 8404;
uri = "/stats";
refresh = "10s";
prometheusUri = "/metrics";
};
defaults = {
default-server = "init-addr last,none";
};
resolvers = {
default = {
nameservers = {
ns1 = "127.0.0.1:53";
};
};
};
sites = {
vaultwarden = vaultwarden.haproxy distribution.VaultwardenService;
keycloak = {
frontend = {
capture = [
"request header origin len 128"
];
acl = {
acl_keycloak = "hdr_beg(host) ${keycloak.subdomain}.";
acl_keycloak_authorized_origin = "capture.req.hdr(0) -m end .${domain}";
};
use_backend = "if acl_keycloak";
http-response = {
add-header = map (x: x + " if acl_keycloak_authorized_origin") [
"Access-Control-Allow-Origin %[capture.req.hdr(0)]"
"Access-Control-Allow-Methods GET,\\ HEAD,\\ OPTIONS,\\ POST,\\ PUT"
"Access-Control-Allow-Credentials true"
"Access-Control-Allow-Headers Origin,\\ Accept,\\ X-Requested-With,\\ Content-Type,\\ Access-Control-Request-Method,\\ Access-Control-Request-Headers,\\ Authorization"
];
};
};
backend = {
servers = [
{
name = "keycloak1";
address = "127.0.0.1:8080"; # TODO: should use the hostname
resolvers = "default";
}
];
cookie = "JSESSIONID prefix";
};
};
};
};
};
in
with pkgs.lib.attrsets;
rec {
inherit KeycloakPostgresDB KeycloakService KeycloakCliService KeycloakHaproxyService;
inherit HaproxyService;
}
// keycloak.services
// vaultwarden.services