From 69ec3abb3b131cb03b7928ccb280acdde9d124a1 Mon Sep 17 00:00:00 2001 From: Brendan Golden <git@brendan.ie> Date: Sun, 23 Mar 2025 00:06:29 +0000 Subject: [PATCH] feat: we now have a sso/oauth server ther we can use to connect services to Currently works with Proxmox (VE and MG) and Forgejo --- applications/sso.nix | 77 +++++++++++++++++++++++++++++++++++++++++ machines/kitt.nix | 3 ++ secrets/keycloak/pw.age | 20 +++++++++++ secrets/secrets.nix | 7 ++++ 4 files changed, 107 insertions(+) create mode 100644 applications/sso.nix create mode 100644 secrets/keycloak/pw.age
diff --git a/applications/sso.nix b/applications/sso.nix
new file mode 100644
index 0000000..3bae2c2
--- /dev/null
+++ b/applications/sso.nix
@@ -0,0 +1,77 @@
+{
+ lib,
+ config,
+ ...
+}:
+with lib; let
+ name = "sso";
+ cfg = config.services.skynet."${name}";
+in {
+ imports = [
+ ];
+
+ options.services.skynet."${name}" = {
+ enable = mkEnableOption "Keycloak server";
+
+ datasource = {
+ name = mkOption {
+ type = types.str;
+ };
+
+ url = mkOption {
+ type = types.str;
+ };
+ };
+ };
+
+ config = mkIf cfg.enable {
+ services.skynet.dns.records = [
+ {
+ record = "${name}";
+ r_type = "CNAME";
+ value = config.services.skynet.host.name;
+ }
+ ];
+
+ services.skynet.acme.domains = [
+ "${name}.skynet.ie"
+ ];
+
+ age.secrets.keycloak_pw.file = ../secrets/keycloak/pw.age;
+
+ services.nginx.virtualHosts = {
+ "${name}.skynet.ie" = {
+ forceSSL = true;
+ useACMEHost = "skynet";
+ locations = {
+ "/" = {
+ proxyPass = "http://localhost:${toString config.services.keycloak.settings.http-port}/";
+ };
+ };
+ };
+ };
+
+ services.postgresql.enable = true;
+
+ services.keycloak = {
+ enable = true;
+
+ initialAdminPassword = "sharky_loves_sso";
+
+ database = {
+ type = "postgresql";
+ createLocally = true;
+
+ username = "keycloak";
+ passwordFile = config.age.secrets.keycloak_pw.path;
+ };
+
+ settings = {
+ hostname = "${name}.skynet.ie";
+ http-port = 38080;
+ proxy-headers = "xforwarded";
+ http-enabled = true;
+ };
+ };
+ };
+}
diff --git a/machines/kitt.nix b/machines/kitt.nix
index 71a0fe0..93298ac 100644
--- a/machines/kitt.nix
+++ b/machines/kitt.nix
@@ -31,6 +31,7 @@ in {
 ../applications/discord.nix
 ../applications/bitwarden/vaultwarden.nix
 ../applications/bitwarden/bitwarden_sync.nix
+ ../applications/sso.nix
 ];
 
 deployment = {
@@ -54,5 +55,7 @@ in {
 
 # committee/admin services
 vaultwarden.enable = true;
+
+ sso.enable = true;
 };
 }
diff --git a/secrets/keycloak/pw.age b/secrets/keycloak/pw.age
new file mode 100644
index 0000000..7792aed
--- /dev/null
+++ b/secrets/keycloak/pw.age
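Review bot: `initialAdminPassword = "sharky_loves_sso";` in the services.keycloak block puts the bootstrap admin password in plain text, so it lands in git history and in the world-readable Nix store, unlike the database password which correctly goes through `passwordFile = config.age.secrets.keycloak_pw.path;`. That value is only consumed on first start, so at minimum rotate the admin account's password from the admin console right after the initial login and treat the committed string as burned. Because `proxy-headers = "xforwarded"` makes Keycloak trust forwarded headers from whoever reaches port 38080, it is also worth pinning the listener to the reverse proxy with `http-host = "127.0.0.1";` in settings unless the host firewall already blocks that port; the host's firewall configuration is not visible here. The `datasource` options declared at the top of the module are never read in the config section, so either wire them in or drop them.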
@@ -0,0 +1,20 @@
+age-encryption.org/v1
+-> ssh-ed25519 V1pwNA /0giXND9iXet45Qdm45LbVQlIN1JYDiIJ1EFpMn+QgM
+qxCesmTuF6auI9upI0V9rJSiSfzENLLHXIMrDewjvf4
+-> ssh-ed25519 4PzZog iSvze8+tKCozFbiXcc8BGfQ0qrlVUHNEPc0E13505wY
++queuxWzkBHBR7q1pHhBahdSqgKYmpOZ2avC+S4u2tk
+-> ssh-ed25519 dA0vRg MAQ9mfNn3wwB0hFaV/Wg6nxM1vafopAeJynREcbSvAA
+VjD1Sy41PEy1TQ5Wc/R9gh1gN/T8y/bUAdItWRz64GQ
+-> ssh-ed25519 5Nd93w RAh3fYyjUmldiUFkw59/JZDTgZ+jrVd31akiV1UgYGM
+HvoJTTxM+sCkXIDv0+FtN4ACkTy7tqr/BNeTrR8Jumo
+-> ssh-ed25519 q8eJgg c4+/61Jhm+/QyV0s3ikemMqhWBRb+ous4kl7Psx5/WU
+GUqakK0Rrsgg48U9QkcpV20zvQAswk/anoACzORuxiU
+-> ssh-ed25519 KVr8rw /mBl8ejPUBEwVsDVFcwWfW1i0tIG5JH/OWlRSrRk+TM
+K3SJpjAm6VDtsBk6HyDdLgbImh4If5Od2qu+sL8Dj9Y
+-> ssh-ed25519 fia1eQ khFHXNgPUQ39oTpd1lWycrMUin8Ii2pawwFY1vIhRSs
+2XhIsPrtN+XOBlTR/sEaaG5XCLlsIroYspOaEz+cM2U
+-> ssh-ed25519 IzAMqA u6W5klKqqGx22yCJx0yGgwPs3vs+iAeH5z36isWL8Co
+Ij4ncciynno2m9ZKtAegFy5mjAGS86jM7NrCL73LROc
+--- mINzTQYjXCu318AiJxgsF7az4LUGc9iVS7hcyfFNTQs
+m��.��>i�~��8$�pB��ѐzh��:��q�'S�:�Ld����
+�� �QQ�Lي��{,;ѵ��~�#
\ No newline at end of file
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index cad986a..9757a3f 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -99,6 +99,10 @@ let
 bitwarden = [
 kitt
 ];
+
+ sso = [
+ kitt
+ ];
 
 in {
 # nix run github:ryantm/agenix -- -e secret1.age
@@ -148,6 +152,9 @@ in {
 "bitwarden/secret.age".publicKeys = users ++ bitwarden;
 "bitwarden/details.age".publicKeys = users ++ bitwarden;
 
+ # Keycloak/sso
+ "keycloak/pw.age".publicKeys = users ++ sso;
+
 # grafana
 "grafana/pw.age".publicKeys = users ++ grafana;
 }