authorVincent Ambo <mail@tazj.in>2021-12-25T14·06+0300
committerclbot <clbot@tvl.fyi>2021-12-25T21·11+0000
commitd8a1802b3ed804fb26c50a6f23036aede1ac1182 (patch)
tree0998d2f973e81841c0034c3dd657c3062215b14d /ops/machines/whitby/default.nix
parent1ee31d67fcf6e30e182229ceb9377c647395bfd1 (diff)
feat(whitby): Configure initial Keycloak setup r/3401
Trialing this as an alternative to CAS that is a little easier to
configure and can help us delegate authentication to other OIDC
services.

Change-Id: Iad63724d349334910af8fed0b148e4ba428f796b
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4608
Tested-by: BuildkiteCI
Autosubmit: tazjin <mail@tazj.in>
Reviewed-by: lukegb <lukegb@tvl.fyi>
Diffstat (limited to 'ops/machines/whitby/default.nix')
-rw-r--r--ops/machines/whitby/default.nix35
1 files changed, 34 insertions, 1 deletions
diff --git a/ops/machines/whitby/default.nix b/ops/machines/whitby/default.nix
index dbd8c61640..045e037fda 100644
--- a/ops/machines/whitby/default.nix
+++ b/ops/machines/whitby/default.nix
@@ -23,6 +23,7 @@ in {
     "${depot.path}/ops/modules/tvl-slapd/default.nix"
     "${depot.path}/ops/modules/tvl-sso/default.nix"
     "${depot.path}/ops/modules/www/atward.tvl.fyi.nix"
+    "${depot.path}/ops/modules/www/auth.tvl.fyi.nix"
     "${depot.path}/ops/modules/www/b.tvl.fyi.nix"
     "${depot.path}/ops/modules/www/cache.tvl.su.nix"
     "${depot.path}/ops/modules/www/cl.tvl.fyi.nix"
@@ -210,6 +211,7 @@ in {
       gerrit-queue.file = secretFile "gerrit-queue";
       grafana.file = secretFile "grafana";
       irccat.file = secretFile "irccat";
+      keycloak-db.file = secretFile "keycloak-db";
       nix-cache-priv.file = secretFile "nix-cache-priv";
       owothia.file = secretFile "owothia";
       panettone.file = secretFile "panettone";
@@ -417,8 +419,9 @@ in {
   services.postgresqlBackup = {
     enable = true;
     databases = [
-      "tvldb"
+      "keycloak"
       "panettone"
+      "tvldb"
     ];
   };
 
@@ -546,9 +549,39 @@ in {
       }];
     };
   };
+
   # Contains GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET.
   systemd.services.grafana.serviceConfig.EnvironmentFile = "/run/agenix/grafana";
 
+  services.keycloak = {
+    enable = true;
+    httpPort = "5925"; # "kycl"
+    frontendUrl = "https://auth.tvl.fyi/auth/";
+
+    database = {
+      type = "postgresql";
+      passwordFile = "/run/agenix/keycloak-db";
+      createLocally = false;
+    };
+
+    # Configure Keycloak to look at forwarded headers from the reverse
+    # proxy.
+    extraConfig = {
+      "subsystem=undertow" = {
+        "server=default-server" = {
+          "http-listener=default" = {
+            proxy-address-forwarding = "true";
+          };
+        };
+      };
+    };
+  };
+
+  # Allow Keycloak access to the LDAP module by forcing in the JVM
+  # configuration
+  systemd.services.keycloak.environment.PREPEND_JAVA_OPTS =
+    "--add-exports=java.naming/com.sun.jndi.ldap=ALL-UNNAMED";
+
   security.sudo.extraRules = [
     {
       groups = ["wheel"];
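Review bot: `proxy-address-forwarding = "true"` in the undertow listener makes Keycloak trust the X-Forwarded-* headers of every request that reaches port 5925, and nothing in this hunk restricts where that listener is reachable from. If the port is exposed beyond the reverse proxy, a client can present forged forwarded headers, so the listener should be bound to loopback or firewalled to the proxy host; whitby's firewall configuration is outside this hunk, so this may already be the case. A comment on the `extraConfig` block would record the assumption for the next reader: `# Trusts X-Forwarded-* headers; port 5925 must only be reachable via the auth.tvl.fyi reverse proxy.`. The same trust boundary applies to the `--add-exports` JVM option below it only insofar as LDAP bind credentials will flow through this instance, which is another reason to keep the listener private.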