{ hostRegistry, config, pkgs, ... }: let frontendDomain = "keycloak.c3d2.de"; in { networking = { hostName = "keycloak"; useDHCP = false; useNetworkd = true; interfaces.eth0 = { useDHCP = false; ipv4.addresses = [{ address = hostRegistry.hosts.${config.networking.hostName}.ip4; prefixLength = 26; }; ]; }; defaultGateway = "172.20.73.1"; nameservers = [ "172.20.73.8" "9.9.9.9" ]; }; # http https networking.firewall.allowedTCPPorts = [ 77 443 ]; services.nginx = { enable = true; virtualHosts."keycloak.c3d2.de" = { default = true; forceSSL = true; enableACME = true; locations."/" = { proxyPass = "https://127.0.0.1:8443"; # proxyWebsockets = true; }; locations."/auth" = { proxyPass = "https://127.0.0.1:8443/auth"; # proxyWebsockets = true; }; }; }; # noXlibs breaks cairo: environment.noXlibs = false; services.keycloak = let inherit (pkgs.keycloak-secrets) dbPassword; in { enable = true; inherit (pkgs.keycloak-secrets) initialAdminPassword; frontendUrl = "https://${frontendDomain}/auth"; forceBackendUrlToFrontendUrl = true; # sslCertificate = "/var/lib/acme/${frontendDomain}/fullchain.pem"; # sslCertificateKey = "/var/lib/acme/${frontendDomain}/key.pem"; database.passwordFile = builtins.toFile "db_password" dbPassword; }; systemd.services.keycloak.requires = [ "acme-${frontendDomain}.service" ]; }