nix-infra/config/hosts/keycloak/nginx.nix

{ ... }:
{
  services.nginx = {
    enable = true;
    virtualHosts = {
      "id.nekover.se" = {
        forceSSL = true;
        enableACME = true;
        locations = {
          # Redirect a user opening any not set location on id.nekover.se to the account management page.
          "^~ /" = {
            return = "307 https://id.nekover.se/realms/nekoverse/account/";
          };
          "/js/" = {
            proxyPass = "http://127.0.0.1:8080/js/";
          };
          "/realms/" = {
            proxyPass = "http://127.0.0.1:8080/realms/";
          };
          "/resources/" = {
            proxyPass = "http://127.0.0.1:8080/resources/";
          };
          "/robots.txt" = {
            proxyPass = "http://127.0.0.1:8080/robots.txt";
          };
        };
        extraConfig = ''
          listen 0.0.0.0:8443 http2 ssl proxy_protocol;

          set_real_ip_from 10.202.41.100;
          real_ip_header proxy_protocol;

          add_header Strict-Transport-Security "max-age=63072000" always;

          # To not have 502s sometimes when logging through PVE use bigger buffer_sizes.
          # The error seemed to occur after logging in and out and in. Maybe related
          # to Keycloak logout settings, but probably not.
          # See:
          # https://stackoverflow.com/questions/56126864/why-do-i-get-502-when-trying-to-authenticate
          # https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_buffer_size
          proxy_buffer_size 128k;
          proxy_buffers 8 128k;

          # Hide the X-Forwarded header.
          proxy_hide_header X-Forwarded;
          # Assume we are the only Reverse Proxy (well using Proxy Protocol, but that
          # is transparent).
          # Also provide "_hidden" for by, since it's not relevant.
          proxy_set_header Forwarded "for=$remote_addr;proto=https;host=$host;by=_hidden";
        '';
      };
      "keycloak-admin.nekover.se" = {
        forceSSL = true;
        enableACME = true;
        listen = [
          {
            addr = "0.0.0.0";
            port = 80;
          }
          {
            addr = "0.0.0.0";
            port = 443;
            ssl = true;
          }
        ];
        locations = {
          # Redirect a user opening any not set location on id.nekover.se to the account management page.
          "^~ /" = {
            return = "307 https://keycloak-admin.nekover.se/admin/master/console/";
          };
          "/js/" = {
            proxyPass = "http://127.0.0.1:8080/js/";
          };
          "/realms/" = {
            proxyPass = "http://127.0.0.1:8080/realms/";
          };
          "/resources/" = {
            proxyPass = "http://127.0.0.1:8080/resources/";
          };
          "/robots.txt" = {
            proxyPass = "http://127.0.0.1:8080/robots.txt";
          };
          "/admin/" = {
            proxyPass = "http://127.0.0.1:8080/admin/";
          };
        };
        extraConfig = ''
          add_header Strict-Transport-Security "max-age=63072000" always;

          # To not have 502s sometimes when logging through PVE use bigger buffer_sizes.
          # The error seemed to occur after logging in and out and in. Maybe related
          # to Keycloak logout settings, but probably not.
          # See:
          # https://stackoverflow.com/questions/56126864/why-do-i-get-502-when-trying-to-authenticate
          # https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_buffer_size
          proxy_buffer_size 128k;
          proxy_buffers 8 128k;

          # Hide the X-Forwarded header.
          proxy_hide_header X-Forwarded;
          # Assume we are the only Reverse Proxy (well using Proxy Protocol, but that
          # is transparent).
          # Also provide "_hidden" for by, since it's not relevant.
          proxy_set_header Forwarded "for=$remote_addr;proto=https;host=$host;by=_hidden";
        '';
      };
    };
  };
}
Add keycloak host 2024-01-19 12:15:00 +01:00			`{ ... }:`
			`{`
			`services.nginx = {`
			`enable = true;`
			`virtualHosts = {`
			`"id.nekover.se" = {`
			`forceSSL = true;`
			`enableACME = true;`
			`locations = {`
			`# Redirect a user opening any not set location on id.nekover.se to the account management page.`
			`"^~ /" = {`
			`return = "307 https://id.nekover.se/realms/nekoverse/account/";`
			`};`
			`"/js/" = {`
			`proxyPass = "http://127.0.0.1:8080/js/";`
			`};`
			`"/realms/" = {`
			`proxyPass = "http://127.0.0.1:8080/realms/";`
			`};`
			`"/resources/" = {`
			`proxyPass = "http://127.0.0.1:8080/resources/";`
			`};`
			`"/robots.txt" = {`
			`proxyPass = "http://127.0.0.1:8080/robots.txt";`
			`};`
			`};`
			`extraConfig = ''`
			`listen 0.0.0.0:8443 http2 ssl proxy_protocol;`

			`set_real_ip_from 10.202.41.100;`
			`real_ip_header proxy_protocol;`

			`add_header Strict-Transport-Security "max-age=63072000" always;`

			`# To not have 502s sometimes when logging through PVE use bigger buffer_sizes.`
			`# The error seemed to occur after logging in and out and in. Maybe related`
			`# to Keycloak logout settings, but probably not.`
			`# See:`
			`# https://stackoverflow.com/questions/56126864/why-do-i-get-502-when-trying-to-authenticate`
			`# https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_buffer_size`
			`proxy_buffer_size 128k;`
			`proxy_buffers 8 128k;`

			`# Hide the X-Forwarded header.`
			`proxy_hide_header X-Forwarded;`
			`# Assume we are the only Reverse Proxy (well using Proxy Protocol, but that`
			`# is transparent).`
			`# Also provide "_hidden" for by, since it's not relevant.`
			`proxy_set_header Forwarded "for=$remote_addr;proto=https;host=$host;by=_hidden";`
			`'';`
			`};`
			`"keycloak-admin.nekover.se" = {`
			`forceSSL = true;`
			`enableACME = true;`
			`listen = [`
			`{`
			`addr = "0.0.0.0";`
			`port = 80;`
			`}`
			`{`
			`addr = "0.0.0.0";`
			`port = 443;`
			`ssl = true;`
			`}`
			`];`
			`locations = {`
			`# Redirect a user opening any not set location on id.nekover.se to the account management page.`
			`"^~ /" = {`
			`return = "307 https://keycloak-admin.nekover.se/admin/master/console/";`
			`};`
			`"/js/" = {`
			`proxyPass = "http://127.0.0.1:8080/js/";`
			`};`
			`"/realms/" = {`
			`proxyPass = "http://127.0.0.1:8080/realms/";`
			`};`
			`"/resources/" = {`
			`proxyPass = "http://127.0.0.1:8080/resources/";`
			`};`
			`"/robots.txt" = {`
			`proxyPass = "http://127.0.0.1:8080/robots.txt";`
			`};`
			`"/admin/" = {`
			`proxyPass = "http://127.0.0.1:8080/admin/";`
			`};`
			`};`
			`extraConfig = ''`
			`add_header Strict-Transport-Security "max-age=63072000" always;`

			`# To not have 502s sometimes when logging through PVE use bigger buffer_sizes.`
			`# The error seemed to occur after logging in and out and in. Maybe related`
			`# to Keycloak logout settings, but probably not.`
			`# See:`
			`# https://stackoverflow.com/questions/56126864/why-do-i-get-502-when-trying-to-authenticate`
			`# https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_buffer_size`
			`proxy_buffer_size 128k;`
			`proxy_buffers 8 128k;`

			`# Hide the X-Forwarded header.`
			`proxy_hide_header X-Forwarded;`
			`# Assume we are the only Reverse Proxy (well using Proxy Protocol, but that`
			`# is transparent).`
			`# Also provide "_hidden" for by, since it's not relevant.`
			`proxy_set_header Forwarded "for=$remote_addr;proto=https;host=$host;by=_hidden";`
			`'';`
			`};`
			`};`
			`};`
			`}`