Add keycloak host

2024-01-19 12:15:00 +01:00 · 2024-01-19 12:15:00 +01:00 · 5a9b158608
commit 5a9b158608
parent d1057cfa52
10 changed files with 180 additions and 0 deletions
--- a/config/hosts/keycloak/configuration.nix
+++ b/config/hosts/keycloak/configuration.nix
@ -0,0 +1,16 @@
+{ ... }:
+{
+  boot.loader.grub = {
+    enable = true;
+    device = "/dev/vda";
+  };
+
+  networking = {
+    hostName = "keycloak";
+    firewall = {
+      allowedTCPPorts = [ 80 443 8443 ];
+    };
+  };
+
+  system.stateVersion = "23.11";
+}
--- a/config/hosts/keycloak/default.nix
+++ b/config/hosts/keycloak/default.nix
@ -0,0 +1,8 @@
+{ ... }:
+{
+  imports = [
+    ./configuration.nix
+    ./keycloak.nix
+    ./nginx.nix
+  ];
+}
--- a/config/hosts/keycloak/keycloak.nix
+++ b/config/hosts/keycloak/keycloak.nix
@ -0,0 +1,15 @@
+{ ... }:
+{
+  services.keycloak = {
+    enable = true;
+    settings = {
+      hostname = "id.nekover.se";
+      hostname-admin = "keycloak-admin.nekover.se";
+      hostname-strict-backchannel = true;
+      proxy = "edge";
+      http-host = "127.0.0.1";
+      http-port = 8080;
+    };
+    database.passwordFile = "/secrets/keycloak-database-password.secret";
+  };
+}
--- a/config/hosts/keycloak/nginx.nix
+++ b/config/hosts/keycloak/nginx.nix
@ -0,0 +1,109 @@
+{ ... }:
+{
+  services.nginx = {
+    enable = true;
+    virtualHosts = {
+      "id.nekover.se" = {
+        forceSSL = true;
+        enableACME = true;
+        locations = {
+          # Redirect a user opening any not set location on id.nekover.se to the account management page.
+          "^~ /" = {
+            return = "307 https://id.nekover.se/realms/nekoverse/account/";
+          };
+          "/js/" = {
+            proxyPass = "http://127.0.0.1:8080/js/";
+          };
+          "/realms/" = {
+            proxyPass = "http://127.0.0.1:8080/realms/";
+          };
+          "/resources/" = {
+            proxyPass = "http://127.0.0.1:8080/resources/";
+          };
+          "/robots.txt" = {
+            proxyPass = "http://127.0.0.1:8080/robots.txt";
+          };
+        };
+        extraConfig = ''
+          listen 0.0.0.0:8443 http2 ssl proxy_protocol;
+
+          set_real_ip_from 10.202.41.100;
+          real_ip_header proxy_protocol;
+
+          add_header Strict-Transport-Security "max-age=63072000" always;
+
+          # To not have 502s sometimes when logging through PVE use bigger buffer_sizes.
+          # The error seemed to occur after logging in and out and in. Maybe related
+          # to Keycloak logout settings, but probably not.
+          # See:
+          # https://stackoverflow.com/questions/56126864/why-do-i-get-502-when-trying-to-authenticate
+          # https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_buffer_size
+          proxy_buffer_size 128k;
+          proxy_buffers 8 128k;
+
+          # Hide the X-Forwarded header.
+          proxy_hide_header X-Forwarded;
+          # Assume we are the only Reverse Proxy (well using Proxy Protocol, but that
+          # is transparent).
+          # Also provide "_hidden" for by, since it's not relevant.
+          proxy_set_header Forwarded "for=$remote_addr;proto=https;host=$host;by=_hidden";
+        '';
+      };
+      "keycloak-admin.nekover.se" = {
+        forceSSL = true;
+        enableACME = true;
+        listen = [
+          {
+            addr = "0.0.0.0";
+            port = 80;
+          }
+          {
+            addr = "0.0.0.0";
+            port = 443;
+            ssl = true;
+          }
+        ];
+        locations = {
+          # Redirect a user opening any not set location on id.nekover.se to the account management page.
+          "^~ /" = {
+            return = "307 https://keycloak-admin.nekover.se/admin/master/console/";
+          };
+          "/js/" = {
+            proxyPass = "http://127.0.0.1:8080/js/";
+          };
+          "/realms/" = {
+            proxyPass = "http://127.0.0.1:8080/realms/";
+          };
+          "/resources/" = {
+            proxyPass = "http://127.0.0.1:8080/resources/";
+          };
+          "/robots.txt" = {
+            proxyPass = "http://127.0.0.1:8080/robots.txt";
+          };
+          "/admin/" = {
+            proxyPass = "http://127.0.0.1:8080/admin/";
+          };
+        };
+        extraConfig = ''
+          add_header Strict-Transport-Security "max-age=63072000" always;
+
+          # To not have 502s sometimes when logging through PVE use bigger buffer_sizes.
+          # The error seemed to occur after logging in and out and in. Maybe related
+          # to Keycloak logout settings, but probably not.
+          # See:
+          # https://stackoverflow.com/questions/56126864/why-do-i-get-502-when-trying-to-authenticate
+          # https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_buffer_size
+          proxy_buffer_size 128k;
+          proxy_buffers 8 128k;
+
+          # Hide the X-Forwarded header.
+          proxy_hide_header X-Forwarded;
+          # Assume we are the only Reverse Proxy (well using Proxy Protocol, but that
+          # is transparent).
+          # Also provide "_hidden" for by, since it's not relevant.
+          proxy_set_header Forwarded "for=$remote_addr;proto=https;host=$host;by=_hidden";
+        '';
+      };
+    };
+  };
+}
--- a/config/hosts/keycloak/secrets.nix
+++ b/config/hosts/keycloak/secrets.nix
@ -0,0 +1,13 @@
+{ keyCommandEnv, ... }:
+{
+  deployment.keys = {
+    "keycloak-database-password.secret" = {
+      keyCommand = keyCommandEnv ++ [ "pass" "keycloak/database-password" ];
+      destDir = "/secrets";
+      user = "root";
+      group = "systemd-network";
+      permissions = "0640";
+      uploadAt = "pre-activation";
+    };
+  };
+}