feat: we now have a sso/oauth server ther we can use to connect services to

Currently works with Proxmox (VE and MG) and Forgejo
2025-03-23 00:06:29 +00:00 · 2025-03-23 00:06:29 +00:00 · 69ec3abb3b
commit 69ec3abb3b
parent 70263f4b1f
4 changed files with 107 additions and 0 deletions
--- a/applications/sso.nix
+++ b/applications/sso.nix
@ -0,0 +1,77 @@
 {
  lib,
  config,
  ...
 }:
 with lib; let
  name = "sso";
  cfg = config.services.skynet."${name}";
 in {
  imports = [
  ];
  options.services.skynet."${name}" = {
    enable = mkEnableOption "Keycloak server";
    datasource = {
      name = mkOption {
        type = types.str;
      };
      url = mkOption {
        type = types.str;
      };
    };
  };
  config = mkIf cfg.enable {
    services.skynet.dns.records = [
      {
        record = "${name}";
        r_type = "CNAME";
        value = config.services.skynet.host.name;
      }
    ];
    services.skynet.acme.domains = [
      "${name}.skynet.ie"
    ];
    age.secrets.keycloak_pw.file = ../secrets/keycloak/pw.age;
    services.nginx.virtualHosts = {
      "${name}.skynet.ie" = {
        forceSSL = true;
        useACMEHost = "skynet";
        locations = {
          "/" = {
            proxyPass = "http://localhost:${toString config.services.keycloak.settings.http-port}/";
          };
        };
      };
    };
    services.postgresql.enable = true;
    services.keycloak = {
      enable = true;
      initialAdminPassword = "sharky_loves_sso";
      database = {
        type = "postgresql";
        createLocally = true;
        username = "keycloak";
        passwordFile = config.age.secrets.keycloak_pw.path;
      };
      settings = {
        hostname = "${name}.skynet.ie";
        http-port = 38080;
        proxy-headers = "xforwarded";
        http-enabled = true;
      };
    };
  };
 }
--- a/machines/kitt.nix
+++ b/machines/kitt.nix
@ -31,6 +31,7 @@ in {
    ../applications/discord.nix
    ../applications/bitwarden/vaultwarden.nix
    ../applications/bitwarden/bitwarden_sync.nix
    ../applications/sso.nix
  ];
  deployment = {
@ -54,5 +55,7 @@ in {
    # committee/admin services
    vaultwarden.enable = true;
    sso.enable = true;
  };
 }
--- a/secrets/keycloak/pw.age
+++ b/secrets/keycloak/pw.age
@ -0,0 +1,20 @@
 age-encryption.org/v1
 -> ssh-ed25519 V1pwNA /0giXND9iXet45Qdm45LbVQlIN1JYDiIJ1EFpMn+QgM
 qxCesmTuF6auI9upI0V9rJSiSfzENLLHXIMrDewjvf4
 -> ssh-ed25519 4PzZog iSvze8+tKCozFbiXcc8BGfQ0qrlVUHNEPc0E13505wY
 +queuxWzkBHBR7q1pHhBahdSqgKYmpOZ2avC+S4u2tk
 -> ssh-ed25519 dA0vRg MAQ9mfNn3wwB0hFaV/Wg6nxM1vafopAeJynREcbSvAA
 VjD1Sy41PEy1TQ5Wc/R9gh1gN/T8y/bUAdItWRz64GQ
 -> ssh-ed25519 5Nd93w RAh3fYyjUmldiUFkw59/JZDTgZ+jrVd31akiV1UgYGM
 HvoJTTxM+sCkXIDv0+FtN4ACkTy7tqr/BNeTrR8Jumo
 -> ssh-ed25519 q8eJgg c4+/61Jhm+/QyV0s3ikemMqhWBRb+ous4kl7Psx5/WU
 GUqakK0Rrsgg48U9QkcpV20zvQAswk/anoACzORuxiU
 -> ssh-ed25519 KVr8rw /mBl8ejPUBEwVsDVFcwWfW1i0tIG5JH/OWlRSrRk+TM
 K3SJpjAm6VDtsBk6HyDdLgbImh4If5Od2qu+sL8Dj9Y
 -> ssh-ed25519 fia1eQ khFHXNgPUQ39oTpd1lWycrMUin8Ii2pawwFY1vIhRSs
 2XhIsPrtN+XOBlTR/sEaaG5XCLlsIroYspOaEz+cM2U
 -> ssh-ed25519 IzAMqA u6W5klKqqGx22yCJx0yGgwPs3vs+iAeH5z36isWL8Co
 Ij4ncciynno2m9ZKtAegFy5mjAGS86jM7NrCL73LROc
 --- mINzTQYjXCu318AiJxgsF7az4LUGc9iVS7hcyfFNTQs
 m½Ö.ØÝ>iõ~‡ 8$§pB†ÀÑ<C380>zhœä:´Ôq“'S£:„LdðšÿÚ
 ¡”
ñŸQQøLÙŠ<0E>Ï{,;ÑµÙä~©#
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -99,6 +99,10 @@ let
  bitwarden = [
    kitt
  ];
  sso = [
    kitt
  ];
 in {
  # nix run github:ryantm/agenix -- -e secret1.age
@ -148,6 +152,9 @@ in {
  "bitwarden/secret.age".publicKeys = users ++ bitwarden;
  "bitwarden/details.age".publicKeys = users ++ bitwarden;
  # Keycloak/sso
  "keycloak/pw.age".publicKeys = users ++ sso;
  # grafana
  "grafana/pw.age".publicKeys = users ++ grafana;
 }