feat: we now have a sso/oauth server ther we can use to connect services to

Currently works with Proxmox (VE and MG) and Forgejo
2025-03-23 00:06:29 +00:00 · 2025-03-23 00:06:29 +00:00 · 69ec3abb3b
commit 69ec3abb3b
parent 70263f4b1f
4 changed files with 107 additions and 0 deletions
--- a/applications/sso.nix
+++ b/applications/sso.nix
@ -0,0 +1,77 @@
+{
+  lib,
+  config,
+  ...
+}:
+with lib; let
+  name = "sso";
+  cfg = config.services.skynet."${name}";
+in {
+  imports = [
+  ];
+
+  options.services.skynet."${name}" = {
+    enable = mkEnableOption "Keycloak server";
+
+    datasource = {
+      name = mkOption {
+        type = types.str;
+      };
+
+      url = mkOption {
+        type = types.str;
+      };
+    };
+  };
+
+  config = mkIf cfg.enable {
+    services.skynet.dns.records = [
+      {
+        record = "${name}";
+        r_type = "CNAME";
+        value = config.services.skynet.host.name;
+      }
+    ];
+
+    services.skynet.acme.domains = [
+      "${name}.skynet.ie"
+    ];
+
+    age.secrets.keycloak_pw.file = ../secrets/keycloak/pw.age;
+
+    services.nginx.virtualHosts = {
+      "${name}.skynet.ie" = {
+        forceSSL = true;
+        useACMEHost = "skynet";
+        locations = {
+          "/" = {
+            proxyPass = "http://localhost:${toString config.services.keycloak.settings.http-port}/";
+          };
+        };
+      };
+    };
+
+    services.postgresql.enable = true;
+
+    services.keycloak = {
+      enable = true;
+
+      initialAdminPassword = "sharky_loves_sso";
+
+      database = {
+        type = "postgresql";
+        createLocally = true;
+
+        username = "keycloak";
+        passwordFile = config.age.secrets.keycloak_pw.path;
+      };
+
+      settings = {
+        hostname = "${name}.skynet.ie";
+        http-port = 38080;
+        proxy-headers = "xforwarded";
+        http-enabled = true;
+      };
+    };
+  };
+}