selfhostblocks/_disnix/docs/examples/vaultwarden/services.nix

{ system, pkgs, distribution, invDistribution }:

let
  utils = pkgs.lib.callPackageWith pkgs ./utils.nix { };

  customPkgs = (pkgs.callPackage (./../../..) {}).customPkgs {
    inherit system pkgs utils;
  };

  getTarget = name: builtins.elemAt (builtins.getAttr name distribution) 0;

  getDomain = name: (getTarget name).containers.system.domain;

  realm = "myrealm";

  smtp = utils.recursiveMerge [
    {
      from = "vaultwarden@${realm}.com";
      fromName = "vaultwarden";
      port = 587;
      authMechanism = "Login";
    }
    vaultwarden.smtp
  ];

  keycloak = customPkgs.keycloak {};

  KeycloakService = customPkgs.mkKeycloakService {
    name = "KeycloakService";
    subdomain = keycloak.subdomain;

    # TODO: Get these from infrastructure.nix
    user = "keycloak";
    group = "keycloak";

    postgresServiceName = (getTarget "KeycloakPostgresDB").containers.postgresql-database.service_name;
    initialAdminUsername = "admin";

    keys = {
      dbPassword = "keycloakdbpassword";
      initialAdminPassword = "keycloakinitialadmin";
    };

    # logLevel = "DEBUG,org.hibernate:info,org.keycloak.authentication:debug,org.keycloak:info,org.postgresql:info,freemarker:info";
    logLevel = "INFO";
    hostname = "${keycloak.subdomain}.${getDomain "KeycloakService"}";
    listenPort = 8080;

    dbType = "postgres";
    dbDatabase = keycloak.database.name;
    dbUsername = keycloak.database.username;
    dbHost = {KeycloakPostgresDB}: KeycloakPostgresDB.target.properties.hostname;
    dbPort = (getTarget "KeycloakPostgresDB").containers.postgresql-database.port;

    KeycloakPostgresDB = keycloak.db;
  };

  KeycloakCliService = customPkgs.mkKeycloakCliService rec {
    name = "KeycloakCliService";

    keycloakServiceName = "keycloak.service";
    keycloakSecretsDir = (getTarget name).containers.keycloaksecrets.rootdir;
    keycloakUrl = "https://${keycloak.subdomain}.${(getDomain "KeycloakService")}";
    keycloakUser = KeycloakService.initialAdminUsername;
    keys = {
      userpasswords = "keycloakusers";
    };

    dependsOn = {
      inherit KeycloakService HaproxyService;
    };

    config = (utils.recursiveMerge [
      rec {
        inherit realm;
        domain = getDomain name;
        roles = {
          user = [];
          admin = ["user"];
        };
        users = {
          me = {
            email = "me@${domain}";
            firstName = "Me";
            lastName = "Me";
            roles = ["admin"];
            initialPassword = true;
          };
          friend = {
            email = "friend@${domain}";
            firstName = "Friend";
            lastName = "Friend";
            roles = ["user"];
            initialPassword = true;
          };
        };
      }
      vaultwarden.keycloakCliConfig
    ]);
  };

  KeycloakHaproxyService = customPkgs.mkKeycloakHaproxyService {
    name = "KeycloakHaproxyService";

    domain = "https://${keycloak.subdomain}.${getDomain "KeycloakService"}";
    realms = [realm];

    inherit KeycloakService;
  };

  vaultwarden = customPkgs.vaultwarden {
    subdomain = "vaultwarden";
    ingress = 18005;
    sso.realm = realm;
    sso.userRole = "user";
    sso.adminRole = "admin";

    inherit smtp;

    inherit distribution HaproxyService KeycloakService KeycloakCliService;
  };

  HaproxyService = customPkgs.mkHaproxyService {
    name = "HaproxyService";

    user = "http";
    group = "http";

    dependsOn = {
      inherit KeycloakHaproxyService;
    };

    config = {...}:
      let
        domain = getDomain "HaproxyService";
      in {
        certPath = "/var/lib/acme/${domain}/full.pem";
        stats = {
          port = 8404;
          uri = "/stats";
          refresh = "10s";
          prometheusUri = "/metrics";
        };
        defaults = {
          default-server = "init-addr last,none";
        };
        resolvers = {
          default = {
            nameservers = {
              ns1 = "127.0.0.1:53";
            };
          };
        };
        sites = {
          vaultwarden = vaultwarden.haproxy distribution.VaultwardenService;
          keycloak = {
            frontend = {
              capture = [
                "request header origin len 128"
              ];
              acl = {
                acl_keycloak = "hdr_beg(host) ${keycloak.subdomain}.";
                acl_keycloak_authorized_origin = "capture.req.hdr(0) -m end .${domain}";
              };
              use_backend = "if acl_keycloak";
              http-response = {
                add-header = map (x: x + " if acl_keycloak_authorized_origin") [
                  "Access-Control-Allow-Origin %[capture.req.hdr(0)]"
                  "Access-Control-Allow-Methods GET,\\ HEAD,\\ OPTIONS,\\ POST,\\ PUT"
                  "Access-Control-Allow-Credentials true"
                  "Access-Control-Allow-Headers Origin,\\ Accept,\\ X-Requested-With,\\ Content-Type,\\ Access-Control-Request-Method,\\ Access-Control-Request-Headers,\\ Authorization"
                ];
              };
            };
            backend = {
              servers = [
                {
                  name = "keycloak1";
                  address = "127.0.0.1:8080"; # TODO: should use the hostname
                  resolvers = "default";
                }
              ];
              cookie = "JSESSIONID prefix";
            };
          };
        };
      };
  };
in

with pkgs.lib.attrsets;
rec {
  inherit KeycloakPostgresDB KeycloakService KeycloakCliService KeycloakHaproxyService;

  inherit HaproxyService;
}
// keycloak.services
// vaultwarden.services