lix-project/keycloak-allowban-plugin
17
0
Fork 0
Code Issues Pull requests Packages Projects Releases Wiki Activity
keycloak-allowban-plugin/test-nixos.nix
jade 6573c8fbdc finish
2024-03-23 20:30:47 -07:00

157 lines
4.7 KiB
Nix
Raw Blame History

{ pkgs, lib, ... }:
let
# Server we're hosting on.
host = "identity.test.lix.systems";
# Realm used for services.
realm = "lix-project";
in
{
users.users.root.password = "";
services.openssh.enable = true;
services.openssh.settings.PermitRootLogin = "yes";
services.keycloak = {
enable = true;
settings = {
hostname = host;
# Always talk through our reverse proxy.
http-port = 9091;
proxy = "edge";
};
# This will be immediately changed, so no harm in having it here.
initialAdminPassword = "Password1";
# Automatically manage our database.
database = {
createLocally = true;
# DO NOT DO THIS IN PROD
passwordFile = builtins.toFile "bad-db-password" "Password1";
};
settings = {
log-level = "INFO";
spi-authenticator-allow-ban-check-authenticator-dbpath = "/var/keycloak-allow-bans";
};
};
# Postgres server for the storage backend.
services.postgresql.enable = true;
# Create a static user, so we can set up our keys beforehand.
# This overrides the dynamic user creation in the base module config.
users.users.keycloak = {
isSystemUser = true;
group = "keycloak";
};
users.groups.keycloak = { };
# Reverse proxy our data over https.
networking.firewall.allowedTCPPorts = [ 80 443 ];
services.nginx = {
enable = true;
virtualHosts = {
"${host}" = {
forceSSL = true;
sslCertificate = "/var/lib/nginx/nc-selfsigned.crt";
sslCertificateKey = "/var/lib/nginx/nc-selfsigned.key";
locations."/" = {
proxyPass = "http://127.0.0.1:9091";
extraConfig = ''
proxy_ssl_server_name on;
proxy_pass_header Authorization;
proxy_set_header X-Forwarded-For $proxy_protocol_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $host;
proxy_busy_buffers_size 512k;
proxy_buffers 4 512k;
proxy_buffer_size 256k;
# Allow clients with Auth hardcoded to use our base path.
#
# XXX: ok so this is horrible. For some reason gerrit explodes if
# it receives a redirect when doing auth. But we need to redirect
# the browser to reuse sessions. Thus, user agent scanning.
if ($http_user_agent ~* "^Java.*$") {
rewrite ^/auth/(.*)$ /$1 last;
}
rewrite ^/auth/(.*)$ /$1 redirect;
# Hacks to make us compatible with authenticators that expect GitLab's format.
rewrite ^/realms/${realm}/protocol/openid-connect/api/v4/user$ /realms/${realm}/protocol/openid-connect/userinfo;
rewrite ^/realms/${realm}/protocol/openid-connect/oauth/authorize$ /realms/${realm}/protocol/openid-connect/auth?scope=openid%20email%20profile;
rewrite ^/realms/${realm}/protocol/openid-connect/oauth/token$ /realms/${realm}/protocol/openid-connect/token;
'';
};
# Forward our admin address to our default realm.
locations."= /admin".extraConfig = "return 302 https://${host}/admin/lix-project/console/;";
locations."= /superadmin".extraConfig = "return 302 https://${host}/admin/master/console/;";
# Forward our root address to the account management portal.
locations."= /".extraConfig = "return 302 https://${host}/realms/${realm}/account;";
};
};
};
systemd.services.cert-setup = {
wantedBy = [ "nginx.service" ];
before = [ "nginx.service" ];
serviceConfig = {
ConditionFileExists = "!/var/lib/nginx/nc-selfsigned.crt";
ExecStart = [
"${lib.getBin pkgs.openssl}/bin/openssl req -x509 -nodes -days 365 -newkey rsa:2048 -subj /CN=identity.test.lix.systems/ -keyout /var/lib/nginx/nc-selfsigned.key -out /var/lib/nginx/nc-selfsigned.crt"
"${lib.getBin pkgs.coreutils}/bin/chown nginx:nginx /var/lib/nginx/nc-selfsigned.key /var/lib/nginx/nc-selfsigned.crt"
];
};
};
systemd.tmpfiles.rules = [
"d /var/lib/nginx 755 nginx nginx -"
];
microvm = {
hypervisor = "qemu";
mem = 1024;
interfaces = [{
type = "user";
id = "microvm";
mac = "02:00:00:00:00:01";
}];
forwardPorts = [
{
from = "host";
guest.port = 443;
host.port = 4043;
proto = "tcp";
}
{
from = "host";
guest.port = 22;
host.port = 2022;
proto = "tcp";
}
];
volumes = [{
mountPoint = "/var";
image = "var.img";
size = 256;
}];
shares = [{
proto = "9p";
tag = "ro-store";
source = "/nix/store";
mountPoint = "/nix/.ro-store";
}];
};
}
Reference in a new issue View git blame Copy permalink