From 4a4bfd38c87f7c72f7007f0eff661dcfa6af8918 Mon Sep 17 00:00:00 2001
From: buffet
Date: Sat, 25 May 2024 17:19:54 +0200
Subject: [PATCH] feat: setup keycloak

---
 hosts/ami/default.nix | 1 +
 hosts/ami/keycloak.nix | 41 ++++++++++++++++++++++++++++++++++++
 secrets.nix | 1 +
 secrets/keycloak-db-pass.age | 5 +++++
 4 files changed, 48 insertions(+)
 create mode 100644 hosts/ami/keycloak.nix
 create mode 100644 secrets/keycloak-db-pass.age

diff --git a/hosts/ami/default.nix b/hosts/ami/default.nix
index a03b0a3..e8ffa08 100644
--- a/hosts/ami/default.nix
+++ b/hosts/ami/default.nix
@@ -15,6 +15,7 @@
 ./borg.nix
 ./disk-config.nix
 ./forgejo.nix
+ ./keycloak.nix
 ./murmur.nix
 ./msmtp.nix
 ./upgrade.nix
diff --git a/hosts/ami/keycloak.nix b/hosts/ami/keycloak.nix
new file mode 100644
index 0000000..d214a9f
--- /dev/null
+++ b/hosts/ami/keycloak.nix
@@ -0,0 +1,41 @@
+{
+ config,
+ pkgs,
+ ...
+}: let
+ port = 11328;
+in {
+ age.secrets.keycloak-db-pass.file = ../../secrets/keycloak-db-pass.age;
+
+ services.keycloak = {
+ enable = true;
+ package = pkgs.unstable.keycloak;
+ database.passwordFile = config.age.secrets.keycloak-db-pass.path;
+
+ settings = {
+ hostname = "https://kc.buffet.sh/";
+ http-port = port;
+ proxy = "edge";
+ };
+ };
+
+ services.nginx = {
+ enable = true;
+
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ recommendedProxySettings = true;
+ recommendedTlsSettings = true;
+
+ virtualHosts."kc.buffet.sh" = {
+ useACMEHost = "buffet.sh";
+ forceSSL = true;
+
+ locations = {
+ "/" = {
+ proxyPass = "http://localhost:${toString port}";
+ };
+ };
+ };
+ };
+}
diff --git a/secrets.nix b/secrets.nix
index f478d4d..e15fbb6 100644
--- a/secrets.nix
+++ b/secrets.nix
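Review bot: The new `services.keycloak.settings` block sets `proxy = "edge"` and `http-port = port` but never sets `http-host`, so the Keycloak listener on 11328 keeps whatever bind address the module defaults to (which, as far as I recall, is not loopback) even though nginx only ever reaches it via `http://localhost:${toString port}`; in edge mode that listener takes the `X-Forwarded-*` headers of whoever connects to it directly on faith, so any client that can reach the port bypasses the nginx TLS termination and its forwarded client IP and scheme are not verifiable. Add `http-host = "127.0.0.1";` next to `http-port = port;`, or confirm that the host firewall (not visible in this hunk) keeps 11328 closed. Separately, `proxy = "edge"` is, to my knowledge, the deprecated proxy option in current Keycloak releases in favour of `proxy-headers`, and since `package = pkgs.unstable.keycloak` tracks unstable, the next bump may reject it; a comment on that line such as `# proxy is deprecated upstream; switch to proxy-headers = "xforwarded" when keycloak is bumped` would flag the upgrade risk.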
@@ -4,6 +4,7 @@ in {
 "secrets/bitwarden.age".publicKeys = [buffet];
 "secrets/borgpassword.age".publicKeys = [buffet];
 "secrets/hetzner-dns.age".publicKeys = [buffet];
+ "secrets/keycloak-db-pass.age".publicKeys = [buffet];
 "secrets/kitchen-runner-token.age".publicKeys = [buffet];
 "secrets/msmtppassword.age".publicKeys = [buffet];
 }
diff --git a/secrets/keycloak-db-pass.age b/secrets/keycloak-db-pass.age
new file mode 100644
index 0000000..43ed0d5
--- /dev/null
+++ b/secrets/keycloak-db-pass.age
@@ -0,0 +1,5 @@
+age-encryption.org/v1
+-> ssh-ed25519 zRvPWg dBE7+zBtxSbFggJdrs22PDU/rMaVJ8tV6FLPmSwOzA0
+mAmmY0WFFzntI+uVOFaDZixtBPkAflllANFlcupM8sc
+--- 8rVOupXTyOinTaMRntA+rBjr2xZ9FT0xzmNQReEZb1Q
+Ñr84¦y„ó% Ó„Ñ ÓLkº|½ª®]è~£:œö–‹n¬ëÇÞÂd½mC2£\­‘‘$¯Áör†#‹u°ì•D)PöBàÀm-R¹Ukƒ°0Æ…Cò$`ê|U
\ No newline at end of file