feat(whitby): Configure initial Keycloak setup r/3401

Trialing this as an alternative to CAS that is a little easier to configure and can help us delegate authentication to other OIDC services. Change-Id: Iad63724d349334910af8fed0b148e4ba428f796b Reviewed-on: https://cl.tvl.fyi/c/depot/+/4608 Tested-by: BuildkiteCI Autosubmit: tazjin <mail@tazj.in> Reviewed-by: lukegb <lukegb@tvl.fyi>
author: Vincent Ambo <mail@tazj.in> 2021-12-25T14·06+0300
committer: clbot <clbot@tvl.fyi> 2021-12-25T21·11+0000
commit: d8a1802b3ed804fb26c50a6f23036aede1ac1182 (patch)
tree: 0998d2f973e81841c0034c3dd657c3062215b14d /ops/modules/www/auth.tvl.fyi.nix
parent: 1ee31d67fcf6e30e182229ceb9377c647395bfd1 (diff)
1 files changed, 24 insertions, 0 deletions
diff --git a/ops/modules/www/auth.tvl.fyi.nix b/ops/modules/www/auth.tvl.fyi.nix
new file mode 100644
index 0000000000..e0c031bf70
--- /dev/null
+++ b/ops/modules/www/auth.tvl.fyi.nix
@@ -0,0 +1,24 @@
+{ config, ... }:
+
+{
+  imports = [
+    ./base.nix
+  ];
+
+  config = {
+    services.nginx.virtualHosts."auth.tvl.fyi" = {
+      serverName = "auth.tvl.fyi";
+      enableACME = true;
+      forceSSL = true;
+
+      extraConfig = ''
+        location / {
+          proxy_pass http://localhost:${config.services.keycloak.httpPort};
+          proxy_set_header X-Forwarded-For $remote_addr;
+          proxy_set_header X-Forwarded-Proto https;
+          proxy_set_header Host $host;
+        }
+      '';
+    };
+  };
+}
author	Vincent Ambo <mail@tazj.in>	2021-12-25T14·06+0300
committer	clbot <clbot@tvl.fyi>	2021-12-25T21·11+0000
commit	d8a1802b3ed804fb26c50a6f23036aede1ac1182 (patch)
tree	0998d2f973e81841c0034c3dd657c3062215b14d /ops/modules/www/auth.tvl.fyi.nix
parent	1ee31d67fcf6e30e182229ceb9377c647395bfd1 (diff)