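# NixOS host configuration for the Keycloak identity provider, served behind an
# nginx reverse proxy that terminates public TLS with an ACME certificate.
{ hostRegistry, config, pkgs, ... }:

let
  # Public name Keycloak is reached under; also the name of the ACME certificate.
  frontendDomain = "keycloak.c3d2.de";
in
{
  networking.hostName = "keycloak";
  networking.useNetworkd = true;

  # The static address is looked up in the shared host registry by hostname.
  networking.interfaces.eth0.ipv4.addresses = [{
    address = hostRegistry.hosts.${config.networking.hostName}.ip4;
    prefixLength = 26;
  }];
  networking.defaultGateway = "172.20.73.1";

  # http https -- port 80 must be reachable for the forceSSL redirect and for the
  # HTTP-01 challenge that enableACME performs; the previous value (77) was a
  # typo that left 80 closed and an unrelated port needlessly open.
  networking.firewall.allowedTCPPorts = [ 80 443 ];

  services.nginx = {
    enable = true;

    virtualHosts.${frontendDomain} = {
      default = true;
      forceSSL = true;
      enableACME = true;

      # NOTE(review): nothing here forwards X-Forwarded-For/Proto to the backend
      # (services.nginx.recommendedProxySettings is not enabled), so Keycloak will
      # see 127.0.0.1 as every client unless proxy address forwarding is set up
      # elsewhere -- confirm before relying on brute-force detection or per-IP
      # audit records.
      locations."/" = {
        # Keycloak listens with TLS on 8443. nginx does not verify the upstream
        # certificate by default; that is tolerable only because the hop stays
        # on localhost.
        proxyPass = "https://localhost:8443";
        # proxyWebsockets = true;
      };

      # Same upstream and path mapping as "/" -- effectively redundant, kept as is.
      locations."/auth" = {
        proxyPass = "https://localhost:8443/auth";
        # proxyWebsockets = true;
      };
    };
  };

  # noXlibs breaks cairo:
  environment.noXlibs = false;

  services.keycloak = let
    inherit (pkgs.keycloak-secrets) dbPassword;
  in {
    enable = true;

    # NOTE(review): builtins.toFile below writes the database password into the
    # Nix store, which is world-readable on the host. initialAdminPassword is
    # taken from the same pkgs attribute and is passed to the module as a plain
    # string, so it very likely ends up in a store path as well -- a secrets
    # file deployed outside the store would be the usual fix.
    inherit (pkgs.keycloak-secrets) initialAdminPassword;

    # Redirect/issuer URLs are generated from the public frontend URL even for
    # requests that arrive on the localhost backend port.
    frontendUrl = "https://${frontendDomain}/auth";
    forceBackendUrlToFrontendUrl = true;

    # sslCertificate = "/var/lib/acme/${frontendDomain}/fullchain.pem";
    # sslCertificateKey = "/var/lib/acme/${frontendDomain}/key.pem";
    database.passwordFile = builtins.toFile "db_password" dbPassword;
  };

  # `requires` alone does not order startup (there is no matching `after`); and
  # with the sslCertificate lines commented out Keycloak no longer reads the
  # ACME certificate itself, so this dependency is currently vestigial.
  systemd.services.keycloak.requires = [ "acme-${frontendDomain}.service" ];
}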