feat(amy): add keycloak

.envrc

@@ -0,0 +1 @@
+use flake

.gitignore

@@ -1,2 +1,3 @@
 *.qcow2
 /result
+/.direnv

flake.lock

@@ -1,5 +1,26 @@
 {
   "nodes": {
+    "agenix": {
+      "inputs": {
+        "darwin": "darwin",
+        "home-manager": "home-manager",
+        "nixpkgs": "nixpkgs",
+        "systems": "systems"
+      },
+      "locked": {
+        "lastModified": 1718371084,
+        "narHash": "sha256-abpBi61mg0g+lFFU0zY4C6oP6fBwPzbHPKBGw676xsA=",
+        "owner": "ryantm",
+        "repo": "agenix",
+        "rev": "3a56735779db467538fb2e577eda28a9daacaca6",
+        "type": "github"
+      },
+      "original": {
+        "owner": "ryantm",
+        "repo": "agenix",
+        "type": "github"
+      }
+    },
     "crane": {
       "inputs": {
         "flake-compat": "flake-compat",
@@ -24,6 +45,28 @@
         "type": "github"
       }
     },
+    "darwin": {
+      "inputs": {
+        "nixpkgs": [
+          "agenix",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1700795494,
+        "narHash": "sha256-gzGLZSiOhf155FW7262kdHo2YDeugp3VuIFb4/GGng0=",
+        "owner": "lnl7",
+        "repo": "nix-darwin",
+        "rev": "4b9b83d5a92e8c1fbfd8eb27eda375908c11ec4d",
+        "type": "github"
+      },
+      "original": {
+        "owner": "lnl7",
+        "ref": "master",
+        "repo": "nix-darwin",
+        "type": "github"
+      }
+    },
     "flake-compat": {
       "flake": false,
       "locked": {
@@ -88,7 +131,7 @@
     },
     "flake-utils_3": {
       "inputs": {
-        "systems": "systems"
+        "systems": "systems_2"
       },
       "locked": {
         "lastModified": 1710146030,
@@ -126,6 +169,27 @@
         "type": "github"
       }
     },
+    "home-manager": {
+      "inputs": {
+        "nixpkgs": [
+          "agenix",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1703113217,
+        "narHash": "sha256-7ulcXOk63TIT2lVDSExj7XzFx09LpdSAPtvgtM7yQPE=",
+        "owner": "nix-community",
+        "repo": "home-manager",
+        "rev": "3bfaacf46133c037bb356193bd2f1765d9dc82c1",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "home-manager",
+        "type": "github"
+      }
+    },
     "home-manager-stable": {
       "inputs": {
         "nixpkgs": [
@@ -203,6 +267,22 @@
         "type": "github"
       }
     },
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1703013332,
+        "narHash": "sha256-+tFNwMvlXLbJZXiMHqYq77z/RfmpfpiI3yjL6o/Zo9M=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "54aac082a4d9bb5bbc5c4e899603abfb76a3f6d6",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
     "nixpkgs-stable": {
       "locked": {
         "lastModified": 1719426051,
@@ -237,6 +317,7 @@
     },
     "root": {
       "inputs": {
+        "agenix": "agenix",
         "fsh": "fsh",
         "home-manager-stable": "home-manager-stable",
         "home-manager-unstable": "home-manager-unstable",
@@ -288,6 +369,21 @@
         "type": "github"
       }
     },
+    "systems_2": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    },
     "vscode-extensions": {
       "inputs": {
         "flake-compat": "flake-compat_2",

flake.nix

@@ -32,9 +32,11 @@
       url = "github:nix-community/nix-vscode-extensions";
       inputs.nixpkgs.follows = "nixpkgs-unstable";
     };
+
+    agenix.url = "github:ryantm/agenix";
   };
 
-  outputs = { self, nixpkgs-stable, nixpkgs-unstable, fsh, home-manager-stable, home-manager-unstable, nixos-generators, vscode-extensions, ... }:
+  outputs = { self, nixpkgs-stable, nixpkgs-unstable, fsh, home-manager-stable, home-manager-unstable, nixos-generators, vscode-extensions, agenix, ... }:
   let
     home-manager = home-manager-unstable;
     overlays = [
@@ -142,10 +144,12 @@
       system = "x86_64-linux";
       modules = [
         overlays-module
+        agenix.nixosModules.default
         ./hosts/amy/configuration.nix
         ./roles/conduit.nix
         ./roles/coredns
         ./roles/iceshrimp.nix
+        ./roles/keycloak.nix
         ./roles/podman.nix
         ./roles/postgres.nix
         home-manager-stable.nixosModules.home-manager
@@ -167,6 +171,7 @@
       modules = [
         overlays-module
         ./hosts/emira/configuration.nix
+        agenix.nixosModules.default
         ./common/generic-qemu.nix
       ];
     };
@@ -181,5 +186,16 @@
         format = "qcow";
       };
     };
+
+    devShells.x86_64-linux.default = let
+      pkgs = import nixpkgs-unstable {
+        system = "x86_64-linux";
+      };
+    in
+      pkgs.mkShell {
+      nativeBuildInputs = with pkgs; [
+        agenix.packages.${system}.default
+      ];
+    };
   };
 }

roles/keycloak.nix

@@ -0,0 +1,30 @@
+{ config, lib, pkgs, ... }: {
+  age.secrets.keycloakPostgres.file = ../secrets/keycloakPostgres.age;
+
+  services.keycloak = {
+    enable = true;
+    themes = {
+      shorks = pkgs.fetchgit {
+        rev = "e6c1edaf61d39227b765b873aaef126691b51d2d";
+        url = "https://git.ashhhleyyy.dev/shorks-gay/shorks-keycloak.git";
+        hash = "sha256-M5PHrqN+OneWMklr4TDg2qeX0f1b8puNVduofsr24EA=";
+      };
+    };
+    plugins = [
+      ((pkgs.fetchMavenArtifact {
+        groupId = "gay.shorks";
+        artifactId = "icecloak";
+        version = "1.0.0+kc.24";
+        repos = ["https://maven.ashhhleyyy.dev/releases/"];
+        hash = "sha256-xlyq1f12HFgVLe+RPJeo0pxIBculWgu4zODEzlRErB0=";
+      }).passthru.jar)
+    ];
+    settings = {
+      hostname = "account.shorks.gay";
+      http-port = 8008;
+      http-enabled = true;
+      proxy-headers = "xforwarded";
+    };
+    database.passwordFile = config.age.secrets.keycloakPostgres.path;
+  };
+}

secrets/keycloakPostgres.age

@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 CEw3Tw tZyGaQBbQuNTd6EcGRcDwwN/YYpWyFPP2iFz6u8Hw3w
+gYYVVvLGCFV1Hi8gZUT8UyWQVQxZ+ODw51LtCtQG3ko
+-> ssh-ed25519 8o9woQ XfrYBTG8Fq12k5ddCnJQmJ4mkstyHvtwaYUQx5KD3Ek
+YR7jJFsbKMZfduY4Buwspr8kWM8WzDvJOiaf5zsdxPQ
+--- LZWrS2TO7yGzg/joF81T+zJ8xo9gAtc2GqgYK54MElg
+”@ß}0…Þºf¶D]ðt¯{}åî-èªVt¾¹¯âNÄ!ß“WêæÔØ„#d }Œ4&’´Üó—Ò‹<C392>»f~¶YÓªK+…-–9tW

secrets/secrets.nix

@@ -0,0 +1,11 @@
+let
+  ash_fern =  "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKGLHqRBcN584SXXa7snrOs89Wy5Jjvsq+GlFXTTBYfp ash@ash-pc";
+  # ash_loona = "sk-ecdsa-sha2-nistp256@openssh.com AAAAInNrLWVjZHNhLXNoYTItbmlzdHAyNTZAb3BlbnNzaC5jb20AAAAIbmlzdHAyNTYAAABBBEhKflJMcER95s4I+c8Q6zC45LK0ztpXOR2+QWKQVYHEcElxh45hrlUXwVP1nr+OT9AQPhhs+IjNEndRHoSiqxIAAAAEc3NoOg== ash@loona";
+  users = [ ash_fern ];
+  
+  amy = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHsGEdyz3h9Xn6bmp3v8/SlinWpm7oHtljdScCYJ5iun root@amy";
+  systems = [ amy ];
+in
+{
+  "keycloakPostgres.age".publicKeys = users ++ systems;
+}