Add keycloak host

2024-01-19 12:15:00 +01:00 · 2024-01-19 12:15:00 +01:00 · 5e7a118527
parent a16230d4a6
commit 5e7a118527
10 changed files with 180 additions and 0 deletions
--- a/config/hosts/keycloak/configuration.nix
+++ b/config/hosts/keycloak/configuration.nix
@ -0,0 +1,16 @@
 { ... }:
 {
  boot.loader.grub = {
    enable = true;
    device = "/dev/vda";
  };
  networking = {
    hostName = "keycloak";
    firewall = {
      allowedTCPPorts = [ 80 443 8443 ];
    };
  };
  system.stateVersion = "23.11";
 }
--- a/config/hosts/keycloak/default.nix
+++ b/config/hosts/keycloak/default.nix
@ -0,0 +1,8 @@
 { ... }:
 {
  imports = [
    ./configuration.nix
    ./keycloak.nix
    ./nginx.nix
  ];
 }
--- a/config/hosts/keycloak/keycloak.nix
+++ b/config/hosts/keycloak/keycloak.nix
@ -0,0 +1,15 @@
 { ... }:
 {
  services.keycloak = {
    enable = true;
    settings = {
      hostname = "id.nekover.se";
      hostname-admin = "keycloak-admin.nekover.se";
      hostname-strict-backchannel = true;
      proxy = "edge";
      http-host = "127.0.0.1";
      http-port = 8080;
    };
    database.passwordFile = "/secrets/keycloak-database-password.secret";
  };
 }
--- a/config/hosts/keycloak/nginx.nix
+++ b/config/hosts/keycloak/nginx.nix
@ -0,0 +1,109 @@
 { ... }:
 {
  services.nginx = {
    enable = true;
    virtualHosts = {
      "id.nekover.se" = {
        forceSSL = true;
        enableACME = true;
        locations = {
          # Redirect a user opening any not set location on id.nekover.se to the account management page.
          "^~ /" = {
            return = "307 https://id.nekover.se/realms/nekoverse/account/";
          };
          "/js/" = {
            proxyPass = "http://127.0.0.1:8080/js/";
          };
          "/realms/" = {
            proxyPass = "http://127.0.0.1:8080/realms/";
          };
          "/resources/" = {
            proxyPass = "http://127.0.0.1:8080/resources/";
          };
          "/robots.txt" = {
            proxyPass = "http://127.0.0.1:8080/robots.txt";
          };
        };
        extraConfig = ''
          listen 0.0.0.0:8443 http2 ssl proxy_protocol;
          set_real_ip_from 10.202.41.100;
          real_ip_header proxy_protocol;
          add_header Strict-Transport-Security "max-age=63072000" always;
          # To not have 502s sometimes when logging through PVE use bigger buffer_sizes.
          # The error seemed to occur after logging in and out and in. Maybe related
          # to Keycloak logout settings, but probably not.
          # See:
          # https://stackoverflow.com/questions/56126864/why-do-i-get-502-when-trying-to-authenticate
          # https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_buffer_size
          proxy_buffer_size 128k;
          proxy_buffers 8 128k;
          # Hide the X-Forwarded header.
          proxy_hide_header X-Forwarded;
          # Assume we are the only Reverse Proxy (well using Proxy Protocol, but that
          # is transparent).
          # Also provide "_hidden" for by, since it's not relevant.
          proxy_set_header Forwarded "for=$remote_addr;proto=https;host=$host;by=_hidden";
        '';
      };
      "keycloak-admin.nekover.se" = {
        forceSSL = true;
        enableACME = true;
        listen = [
          {
            addr = "0.0.0.0";
            port = 80;
          }
          {
            addr = "0.0.0.0";
            port = 443;
            ssl = true;
          }
        ];
        locations = {
          # Redirect a user opening any not set location on id.nekover.se to the account management page.
          "^~ /" = {
            return = "307 https://keycloak-admin.nekover.se/admin/master/console/";
          };
          "/js/" = {
            proxyPass = "http://127.0.0.1:8080/js/";
          };
          "/realms/" = {
            proxyPass = "http://127.0.0.1:8080/realms/";
          };
          "/resources/" = {
            proxyPass = "http://127.0.0.1:8080/resources/";
          };
          "/robots.txt" = {
            proxyPass = "http://127.0.0.1:8080/robots.txt";
          };
          "/admin/" = {
            proxyPass = "http://127.0.0.1:8080/admin/";
          };
        };
        extraConfig = ''
          add_header Strict-Transport-Security "max-age=63072000" always;
          # To not have 502s sometimes when logging through PVE use bigger buffer_sizes.
          # The error seemed to occur after logging in and out and in. Maybe related
          # to Keycloak logout settings, but probably not.
          # See:
          # https://stackoverflow.com/questions/56126864/why-do-i-get-502-when-trying-to-authenticate
          # https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_buffer_size
          proxy_buffer_size 128k;
          proxy_buffers 8 128k;
          # Hide the X-Forwarded header.
          proxy_hide_header X-Forwarded;
          # Assume we are the only Reverse Proxy (well using Proxy Protocol, but that
          # is transparent).
          # Also provide "_hidden" for by, since it's not relevant.
          proxy_set_header Forwarded "for=$remote_addr;proto=https;host=$host;by=_hidden";
        '';
      };
    };
  };
 }
--- a/config/hosts/keycloak/secrets.nix
+++ b/config/hosts/keycloak/secrets.nix
@ -0,0 +1,13 @@
 { keyCommandEnv, ... }:
 {
  deployment.keys = {
    "keycloak-database-password.secret" = {
      keyCommand = keyCommandEnv ++ [ "pass" "keycloak/database-password" ];
      destDir = "/secrets";
      user = "root";
      group = "systemd-network";
      permissions = "0640";
      uploadAt = "pre-activation";
    };
  };
 }
--- a/config/hosts/mail-1/secrets.nix
+++ b/config/hosts/mail-1/secrets.nix
@ -81,5 +81,13 @@
      permissions = "0640";
      uploadAt = "pre-activation";
    };
    "mail-id-nekover-se.secret" = {
      keyCommand = keyCommandEnv ++ [ "pass" "mail/id-nekover-se" ];
      destDir = "/secrets";
      user = "root";
      group = "root";
      permissions = "0640";
      uploadAt = "pre-activation";
    };
  };
 }
--- a/config/hosts/mail-1/simple-nixos-mailserver.nix
+++ b/config/hosts/mail-1/simple-nixos-mailserver.nix
@ -51,6 +51,11 @@
            sendOnly = true;
            aliases = [ "nyareply@nekover.se" ];
          };
          "id@nekover.se" = {
            hashedPasswordFile = "/secrets/mail-id-nekover-se.secret";
            sendOnly = true;
            aliases = [ "nyareply@nekover.se" ];
          };
        };
        certificateScheme = "acme-nginx";
      };
--- a/config/hosts/web-public-2/nginx.nix
+++ b/config/hosts/web-public-2/nginx.nix
@ -23,6 +23,7 @@
          gameserver.grzb.de 127.0.0.1:8443;
          git.grzb.de 127.0.0.1:8443;
          hydra.nekover.se 10.202.41.121:8443;
          id.nekover.se 10.202.41.124:8443;
          matrix.nekover.se 10.202.41.112:8443;
          mewtube.nekover.se 127.0.0.1:8443;
          nekover.se 127.0.0.1:8443;
--- a/config/hosts/web-public-2/virtualHosts/acme-challenge.nix
+++ b/config/hosts/web-public-2/virtualHosts/acme-challenge.nix
@ -8,6 +8,7 @@ let
    "grafana.grzb.de" = "metrics.vs.grzb.de";
    "jackett.grzb.de" = "torrent.vs.grzb.de";
    "jellyseerr.grzb.de" = "jellyseerr.vs.grzb.de";
    "keycloak-admin.nekover.se" = "keycloak.vs.grzb.de";
    "radarr.grzb.de" = "torrent.vs.grzb.de";
    "searx.nekover.se" = "searx.vs.grzb.de";
    "social.nekover.se" = "mastodon.vs.grzb.de";
--- a/hosts.nix
+++ b/hosts.nix
@ -45,6 +45,10 @@ in
      site = "vs";
      environment = "proxmox";
    };
    keycloak = {
      site = "vs";
      environment = "proxmox";
    };
    lifeline = {
      site = "io";
    };