feat(amy): add keycloak

2024-07-03 14:54:20 +01:00 · 2024-07-03 14:54:20 +01:00 · 2114f2a239
commit 2114f2a239
parent c7f88f8807
7 changed files with 164 additions and 2 deletions
--- a/.envrc
+++ b/.envrc
@ -0,0 +1 @@
+use flake
--- a/.gitignore
+++ b/.gitignore
@ -1,2 +1,3 @@
 *.qcow2
 /result
+/.direnv
--- a/flake.lock
+++ b/flake.lock
@ -1,5 +1,26 @@
 {
  "nodes": {
+    "agenix": {
+      "inputs": {
+        "darwin": "darwin",
+        "home-manager": "home-manager",
+        "nixpkgs": "nixpkgs",
+        "systems": "systems"
+      },
+      "locked": {
+        "lastModified": 1718371084,
+        "narHash": "sha256-abpBi61mg0g+lFFU0zY4C6oP6fBwPzbHPKBGw676xsA=",
+        "owner": "ryantm",
+        "repo": "agenix",
+        "rev": "3a56735779db467538fb2e577eda28a9daacaca6",
+        "type": "github"
+      },
+      "original": {
+        "owner": "ryantm",
+        "repo": "agenix",
+        "type": "github"
+      }
+    },
    "crane": {
      "inputs": {
        "flake-compat": "flake-compat",
@ -24,6 +45,28 @@
        "type": "github"
      }
    },
+    "darwin": {
+      "inputs": {
+        "nixpkgs": [
+          "agenix",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1700795494,
+        "narHash": "sha256-gzGLZSiOhf155FW7262kdHo2YDeugp3VuIFb4/GGng0=",
+        "owner": "lnl7",
+        "repo": "nix-darwin",
+        "rev": "4b9b83d5a92e8c1fbfd8eb27eda375908c11ec4d",
+        "type": "github"
+      },
+      "original": {
+        "owner": "lnl7",
+        "ref": "master",
+        "repo": "nix-darwin",
+        "type": "github"
+      }
+    },
    "flake-compat": {
      "flake": false,
      "locked": {
@ -88,7 +131,7 @@
    },
    "flake-utils_3": {
      "inputs": {
-        "systems": "systems"
+        "systems": "systems_2"
      },
      "locked": {
        "lastModified": 1710146030,
@ -126,6 +169,27 @@
        "type": "github"
      }
    },
+    "home-manager": {
+      "inputs": {
+        "nixpkgs": [
+          "agenix",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1703113217,
+        "narHash": "sha256-7ulcXOk63TIT2lVDSExj7XzFx09LpdSAPtvgtM7yQPE=",
+        "owner": "nix-community",
+        "repo": "home-manager",
+        "rev": "3bfaacf46133c037bb356193bd2f1765d9dc82c1",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "home-manager",
+        "type": "github"
+      }
+    },
    "home-manager-stable": {
      "inputs": {
        "nixpkgs": [
@ -203,6 +267,22 @@
        "type": "github"
      }
    },
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1703013332,
+        "narHash": "sha256-+tFNwMvlXLbJZXiMHqYq77z/RfmpfpiI3yjL6o/Zo9M=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "54aac082a4d9bb5bbc5c4e899603abfb76a3f6d6",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
    "nixpkgs-stable": {
      "locked": {
        "lastModified": 1719426051,
@ -237,6 +317,7 @@
    },
    "root": {
      "inputs": {
+        "agenix": "agenix",
        "fsh": "fsh",
        "home-manager-stable": "home-manager-stable",
        "home-manager-unstable": "home-manager-unstable",
@ -288,6 +369,21 @@
        "type": "github"
      }
    },
+    "systems_2": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    },
    "vscode-extensions": {
      "inputs": {
        "flake-compat": "flake-compat_2",
--- a/flake.nix
+++ b/flake.nix
@ -32,9 +32,11 @@
      url = "github:nix-community/nix-vscode-extensions";
      inputs.nixpkgs.follows = "nixpkgs-unstable";
    };
+
+    agenix.url = "github:ryantm/agenix";
  };

-  outputs = { self, nixpkgs-stable, nixpkgs-unstable, fsh, home-manager-stable, home-manager-unstable, nixos-generators, vscode-extensions, ... }:
+  outputs = { self, nixpkgs-stable, nixpkgs-unstable, fsh, home-manager-stable, home-manager-unstable, nixos-generators, vscode-extensions, agenix, ... }:
  let
    home-manager = home-manager-unstable;
    overlays = [
@ -142,10 +144,12 @@
      system = "x86_64-linux";
      modules = [
        overlays-module
+        agenix.nixosModules.default
        ./hosts/amy/configuration.nix
        ./roles/conduit.nix
        ./roles/coredns
        ./roles/iceshrimp.nix
+        ./roles/keycloak.nix
        ./roles/podman.nix
        ./roles/postgres.nix
        home-manager-stable.nixosModules.home-manager
@ -167,6 +171,7 @@
      modules = [
        overlays-module
        ./hosts/emira/configuration.nix
+        agenix.nixosModules.default
        ./common/generic-qemu.nix
      ];
    };
@ -181,5 +186,16 @@
        format = "qcow";
      };
    };
+
+    devShells.x86_64-linux.default = let
+      pkgs = import nixpkgs-unstable {
+        system = "x86_64-linux";
+      };
+    in
+      pkgs.mkShell {
+      nativeBuildInputs = with pkgs; [
+        agenix.packages.${system}.default
+      ];
+    };
  };
 }
--- a/roles/keycloak.nix
+++ b/roles/keycloak.nix
@ -0,0 +1,30 @@
+{ config, lib, pkgs, ... }: {
+  age.secrets.keycloakPostgres.file = ../secrets/keycloakPostgres.age;
+
+  services.keycloak = {
+    enable = true;
+    themes = {
+      shorks = pkgs.fetchgit {
+        rev = "e6c1edaf61d39227b765b873aaef126691b51d2d";
+        url = "https://git.ashhhleyyy.dev/shorks-gay/shorks-keycloak.git";
+        hash = "sha256-M5PHrqN+OneWMklr4TDg2qeX0f1b8puNVduofsr24EA=";
+      };
+    };
+    plugins = [
+      ((pkgs.fetchMavenArtifact {
+        groupId = "gay.shorks";
+        artifactId = "icecloak";
+        version = "1.0.0+kc.24";
+        repos = ["https://maven.ashhhleyyy.dev/releases/"];
+        hash = "sha256-xlyq1f12HFgVLe+RPJeo0pxIBculWgu4zODEzlRErB0=";
+      }).passthru.jar)
+    ];
+    settings = {
+      hostname = "account.shorks.gay";
+      http-port = 8008;
+      http-enabled = true;
+      proxy-headers = "xforwarded";
+    };
+    database.passwordFile = config.age.secrets.keycloakPostgres.path;
+  };
+}
--- a/secrets/keycloakPostgres.age
+++ b/secrets/keycloakPostgres.age
@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 CEw3Tw tZyGaQBbQuNTd6EcGRcDwwN/YYpWyFPP2iFz6u8Hw3w
+gYYVVvLGCFV1Hi8gZUT8UyWQVQxZ+ODw51LtCtQG3ko
+-> ssh-ed25519 8o9woQ XfrYBTG8Fq12k5ddCnJQmJ4mkstyHvtwaYUQx5KD3Ek
+YR7jJFsbKMZfduY4Buwspr8kWM8WzDvJOiaf5zsdxPQ
+--- LZWrS2TO7yGzg/joF81T+zJ8xo9gAtc2GqgYK54MElg
+”@ß}0…Þºf¶D]ðt¯{}åî-èÂªVt¾¹¯âNÄ!ß“WêæÔØ„#d }Œ4&’´Üó—Ò‹<C392>»f~¶YÓªK+…-–9tW
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -0,0 +1,11 @@
+let
+  ash_fern =  "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKGLHqRBcN584SXXa7snrOs89Wy5Jjvsq+GlFXTTBYfp ash@ash-pc";
+  # ash_loona = "sk-ecdsa-sha2-nistp256@openssh.com AAAAInNrLWVjZHNhLXNoYTItbmlzdHAyNTZAb3BlbnNzaC5jb20AAAAIbmlzdHAyNTYAAABBBEhKflJMcER95s4I+c8Q6zC45LK0ztpXOR2+QWKQVYHEcElxh45hrlUXwVP1nr+OT9AQPhhs+IjNEndRHoSiqxIAAAAEc3NoOg== ash@loona";
+  users = [ ash_fern ];
+  
+  amy = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHsGEdyz3h9Xn6bmp3v8/SlinWpm7oHtljdScCYJ5iun root@amy";
+  systems = [ amy ];
+in
+{
+  "keycloakPostgres.age".publicKeys = users ++ systems;
+}