199 lines
5.5 KiB
Nix
199 lines
5.5 KiB
Nix
|
{ system, pkgs, distribution, invDistribution }:
|
||
|
|
||
|
let
|
||
|
utils = pkgs.lib.callPackageWith pkgs ./utils.nix { };
|
||
|
|
||
|
customPkgs = (pkgs.callPackage (./../../..) {}).customPkgs {
|
||
|
inherit system pkgs utils;
|
||
|
};
|
||
|
|
||
|
getTarget = name: builtins.elemAt (builtins.getAttr name distribution) 0;
|
||
|
|
||
|
getDomain = name: (getTarget name).containers.system.domain;
|
||
|
|
||
|
realm = "myrealm";
|
||
|
|
||
|
smtp = utils.recursiveMerge [
|
||
|
{
|
||
|
from = "vaultwarden@${realm}.com";
|
||
|
fromName = "vaultwarden";
|
||
|
port = 587;
|
||
|
authMechanism = "Login";
|
||
|
}
|
||
|
vaultwarden.smtp
|
||
|
];
|
||
|
|
||
|
keycloak = customPkgs.keycloak {};
|
||
|
|
||
|
KeycloakService = customPkgs.mkKeycloakService {
|
||
|
name = "KeycloakService";
|
||
|
subdomain = keycloak.subdomain;
|
||
|
|
||
|
# TODO: Get these from infrastructure.nix
|
||
|
user = "keycloak";
|
||
|
group = "keycloak";
|
||
|
|
||
|
postgresServiceName = (getTarget "KeycloakPostgresDB").containers.postgresql-database.service_name;
|
||
|
initialAdminUsername = "admin";
|
||
|
|
||
|
keys = {
|
||
|
dbPassword = "keycloakdbpassword";
|
||
|
initialAdminPassword = "keycloakinitialadmin";
|
||
|
};
|
||
|
|
||
|
# logLevel = "DEBUG,org.hibernate:info,org.keycloak.authentication:debug,org.keycloak:info,org.postgresql:info,freemarker:info";
|
||
|
logLevel = "INFO";
|
||
|
hostname = "${keycloak.subdomain}.${getDomain "KeycloakService"}";
|
||
|
listenPort = 8080;
|
||
|
|
||
|
dbType = "postgres";
|
||
|
dbDatabase = keycloak.database.name;
|
||
|
dbUsername = keycloak.database.username;
|
||
|
dbHost = {KeycloakPostgresDB}: KeycloakPostgresDB.target.properties.hostname;
|
||
|
dbPort = (getTarget "KeycloakPostgresDB").containers.postgresql-database.port;
|
||
|
|
||
|
KeycloakPostgresDB = keycloak.db;
|
||
|
};
|
||
|
|
||
|
KeycloakCliService = customPkgs.mkKeycloakCliService rec {
|
||
|
name = "KeycloakCliService";
|
||
|
|
||
|
keycloakServiceName = "keycloak.service";
|
||
|
keycloakSecretsDir = (getTarget name).containers.keycloaksecrets.rootdir;
|
||
|
keycloakUrl = "https://${keycloak.subdomain}.${(getDomain "KeycloakService")}";
|
||
|
keycloakUser = KeycloakService.initialAdminUsername;
|
||
|
keys = {
|
||
|
userpasswords = "keycloakusers";
|
||
|
};
|
||
|
|
||
|
dependsOn = {
|
||
|
inherit KeycloakService HaproxyService;
|
||
|
};
|
||
|
|
||
|
config = (utils.recursiveMerge [
|
||
|
rec {
|
||
|
inherit realm;
|
||
|
domain = getDomain name;
|
||
|
roles = {
|
||
|
user = [];
|
||
|
admin = ["user"];
|
||
|
};
|
||
|
users = {
|
||
|
me = {
|
||
|
email = "me@${domain}";
|
||
|
firstName = "Me";
|
||
|
lastName = "Me";
|
||
|
roles = ["admin"];
|
||
|
initialPassword = true;
|
||
|
};
|
||
|
friend = {
|
||
|
email = "friend@${domain}";
|
||
|
firstName = "Friend";
|
||
|
lastName = "Friend";
|
||
|
roles = ["user"];
|
||
|
initialPassword = true;
|
||
|
};
|
||
|
};
|
||
|
}
|
||
|
vaultwarden.keycloakCliConfig
|
||
|
]);
|
||
|
};
|
||
|
|
||
|
KeycloakHaproxyService = customPkgs.mkKeycloakHaproxyService {
|
||
|
name = "KeycloakHaproxyService";
|
||
|
|
||
|
domain = "https://${keycloak.subdomain}.${getDomain "KeycloakService"}";
|
||
|
realms = [realm];
|
||
|
|
||
|
inherit KeycloakService;
|
||
|
};
|
||
|
|
||
|
vaultwarden = customPkgs.vaultwarden {
|
||
|
subdomain = "vaultwarden";
|
||
|
ingress = 18005;
|
||
|
sso.realm = realm;
|
||
|
sso.userRole = "user";
|
||
|
sso.adminRole = "admin";
|
||
|
|
||
|
inherit smtp;
|
||
|
|
||
|
inherit distribution HaproxyService KeycloakService KeycloakCliService;
|
||
|
};
|
||
|
|
||
|
HaproxyService = customPkgs.mkHaproxyService {
|
||
|
name = "HaproxyService";
|
||
|
|
||
|
user = "http";
|
||
|
group = "http";
|
||
|
|
||
|
dependsOn = {
|
||
|
inherit KeycloakHaproxyService;
|
||
|
};
|
||
|
|
||
|
config = {...}:
|
||
|
let
|
||
|
domain = getDomain "HaproxyService";
|
||
|
in {
|
||
|
certPath = "/var/lib/acme/${domain}/full.pem";
|
||
|
stats = {
|
||
|
port = 8404;
|
||
|
uri = "/stats";
|
||
|
refresh = "10s";
|
||
|
prometheusUri = "/metrics";
|
||
|
};
|
||
|
defaults = {
|
||
|
default-server = "init-addr last,none";
|
||
|
};
|
||
|
resolvers = {
|
||
|
default = {
|
||
|
nameservers = {
|
||
|
ns1 = "127.0.0.1:53";
|
||
|
};
|
||
|
};
|
||
|
};
|
||
|
sites = {
|
||
|
vaultwarden = vaultwarden.haproxy distribution.VaultwardenService;
|
||
|
keycloak = {
|
||
|
frontend = {
|
||
|
capture = [
|
||
|
"request header origin len 128"
|
||
|
];
|
||
|
acl = {
|
||
|
acl_keycloak = "hdr_beg(host) ${keycloak.subdomain}.";
|
||
|
acl_keycloak_authorized_origin = "capture.req.hdr(0) -m end .${domain}";
|
||
|
};
|
||
|
use_backend = "if acl_keycloak";
|
||
|
http-response = {
|
||
|
add-header = map (x: x + " if acl_keycloak_authorized_origin") [
|
||
|
"Access-Control-Allow-Origin %[capture.req.hdr(0)]"
|
||
|
"Access-Control-Allow-Methods GET,\\ HEAD,\\ OPTIONS,\\ POST,\\ PUT"
|
||
|
"Access-Control-Allow-Credentials true"
|
||
|
"Access-Control-Allow-Headers Origin,\\ Accept,\\ X-Requested-With,\\ Content-Type,\\ Access-Control-Request-Method,\\ Access-Control-Request-Headers,\\ Authorization"
|
||
|
];
|
||
|
};
|
||
|
};
|
||
|
backend = {
|
||
|
servers = [
|
||
|
{
|
||
|
name = "keycloak1";
|
||
|
address = "127.0.0.1:8080"; # TODO: should use the hostname
|
||
|
resolvers = "default";
|
||
|
}
|
||
|
];
|
||
|
cookie = "JSESSIONID prefix";
|
||
|
};
|
||
|
};
|
||
|
};
|
||
|
};
|
||
|
};
|
||
|
in
|
||
|
|
||
|
with pkgs.lib.attrsets;
|
||
|
rec {
|
||
|
inherit KeycloakPostgresDB KeycloakService KeycloakCliService KeycloakHaproxyService;
|
||
|
|
||
|
inherit HaproxyService;
|
||
|
}
|
||
|
// keycloak.services
|
||
|
// vaultwarden.services
|