Diffstat (limited to 'ops/keycloak')
-rw-r--r-- | ops/keycloak/README.md | 2 | ||||
-rw-r--r-- | ops/keycloak/clients.tf | 17 | ||||
-rw-r--r-- | ops/keycloak/default.nix | 10 | ||||
-rw-r--r-- | ops/keycloak/main.tf | 12 | ||||
-rw-r--r-- | ops/keycloak/user_sources.tf | 23 |
5 files changed, 48 insertions, 16 deletions
diff --git a/ops/keycloak/README.md b/ops/keycloak/README.md
index e8ffd700b5..fd72daa87d 100644
--- a/ops/keycloak/README.md
+++ b/ops/keycloak/README.md
@@ -12,7 +12,7 @@ credentials. An example `direnv` configuration used by tazjin is this:
 ```
-# //ops/secrets/.envrc
+# //ops/keycloak/.envrc
 source_up
 eval $(age --decrypt -i ~/.ssh/id_ed25519 $(git rev-parse --show-toplevel)/ops/secrets/tf-keycloak.age)
 ```
diff --git a/ops/keycloak/clients.tf b/ops/keycloak/clients.tf
index 5f2fd21a35..178971ae36 100644
--- a/ops/keycloak/clients.tf
+++ b/ops/keycloak/clients.tf
@@ -70,23 +70,16 @@ resource "keycloak_saml_user_attribute_protocol_mapper" "buildkite_name" {
 saml_attribute_name_format = "Unspecified"
 }
-resource "keycloak_openid_client" "oauth2_proxy" {
+resource "keycloak_openid_client" "panettone" {
 realm_id = keycloak_realm.tvl.id
- client_id = "oauth2-proxy"
- name = "TVL OAuth2 Proxy"
+ client_id = "panettone"
+ name = "Panettone"
 enabled = true
 access_type = "CONFIDENTIAL"
 standard_flow_enabled = true
 valid_redirect_uris = [
- "https://login.tvl.fyi/oauth2/callback",
- "http://localhost:4774/oauth2/callback",
+ "https://b.tvl.fyi/auth",
+ "http://localhost:6161/auth",
 ]
 }
-
-resource "keycloak_openid_audience_protocol_mapper" "oauth2_proxy_audience" {
- realm_id = keycloak_realm.tvl.id
- client_id = keycloak_openid_client.oauth2_proxy.id
- name = "oauth2-proxy-audience"
- included_custom_audience = keycloak_openid_client.oauth2_proxy.client_id
-}
diff --git a/ops/keycloak/default.nix b/ops/keycloak/default.nix
index 5757debd1a..94ed912dc9 100644
--- a/ops/keycloak/default.nix
+++ b/ops/keycloak/default.nix
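Review bot: The `keycloak_openid_audience_protocol_mapper` removed at the end of this hunk is not re-created for the new `panettone` client, so tokens issued to it carry no `aud` entry for `panettone` unless a mapper exists elsewhere in the file; if Panettone verifies the audience of the tokens it receives, it needs its own mapper pointing at `keycloak_openid_client.panettone`, as sketched below. The `http://localhost:6161/auth` entry keeps a plain-HTTP loopback redirect on the production confidential client, as the replaced oauth2-proxy client also did; a one-line comment stating that it is intentional for local development would tell the next reader, and a separate dev client would keep it out of the production allow-list.
```hcl
// … unchanged: keycloak_openid_client.panettone …

resource "keycloak_openid_audience_protocol_mapper" "panettone_audience" {
  realm_id                 = keycloak_realm.tvl.id
  client_id                = keycloak_openid_client.panettone.id
  name                     = "panettone-audience"
  included_custom_audience = keycloak_openid_client.panettone.client_id
}
```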
@@ -1,8 +1,14 @@
-{ depot, pkgs, ... }:
+{ depot, lib, pkgs, ... }:
-depot.nix.readTree.drvTargets {
+depot.nix.readTree.drvTargets rec {
 # Provide a Terraform wrapper with the right provider installed.
 terraform = pkgs.terraform.withPlugins (p: [ p.keycloak ]);
+
+ validate = depot.tools.checks.validateTerraform {
+ inherit terraform;
+ name = "keycloak";
+ src = lib.cleanSource ./.;
+ };
 }
diff --git a/ops/keycloak/main.tf b/ops/keycloak/main.tf
index 819267ff96..923ac19397 100644
--- a/ops/keycloak/main.tf
+++ b/ops/keycloak/main.tf
@@ -1,6 +1,6 @@
 # Configure TVL Keycloak instance.
 #
-# TODO(tazjin): Configure GitHub/GitLab IDP
+# TODO(tazjin): Configure GitLab IDP
 terraform {
 required_providers {
@@ -31,4 +31,14 @@ resource "keycloak_realm" "tvl" {
 enabled = true
 display_name = "The Virus Lounge"
 default_signature_algorithm = "RS256"
+
+ smtp_server {
+ from = "tvlbot@tazj.in"
+ from_display_name = "The Virus Lounge"
+ host = "127.0.0.1"
+ port = "25"
+ reply_to = "depot@tvl.su"
+ ssl = false
+ starttls = false
+ }
 }
diff --git a/ops/keycloak/user_sources.tf b/ops/keycloak/user_sources.tf
index 3fde6e07cc..01307fff8d 100644
--- a/ops/keycloak/user_sources.tf
+++ b/ops/keycloak/user_sources.tf
@@ -2,6 +2,10 @@
 # information (either by accessing a system like LDAP or integration
 # through protocols like OIDC).
+variable "github_client_secret" {
+ type = string
+}
+
 resource "keycloak_ldap_user_federation" "tvl_ldap" {
 name = "tvl-ldap"
 realm_id = keycloak_realm.tvl.id
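Review bot: `src = lib.cleanSource ./.;` in the new `validate` attribute copies the whole `ops/keycloak` directory into the Nix store, and `cleanSource` only drops VCS metadata, editor backups and build results — it does not exclude `.terraform/`, `terraform.tfstate*` or `*.tfvars`. If anyone runs the Terraform wrapper from this directory with a local state file or a tfvars file holding `github_client_secret`, evaluating the check would place that file in the world-readable store; whether local state can exist here depends on the backend configured in main.tf, which is outside this hunk. A filter that keeps only the `.tf` sources, as below, avoids this, assuming `validateTerraform` needs nothing else from the directory.
```nix
  validate = depot.tools.checks.validateTerraform {
    inherit terraform;
    name = "keycloak";
    # Ship only the Terraform sources so local state, tfvars and
    # provider caches never end up in the store.
    src = lib.cleanSourceWith {
      src = ./.;
      filter = path: type:
        type == "regular" && lib.hasSuffix ".tf" (baseNameOf path);
    };
  };
```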
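Review bot: The new `smtp_server` block in `keycloak_realm.tvl` submits mail to `127.0.0.1:25` with `ssl = false` and `starttls = false`, which is only acceptable because the hop stays on the loopback interface; a comment above the block, e.g. `# Plaintext SMTP is fine here: the relay is the local MTA on the same host.`, would record that assumption so the block is not copied unchanged for a remote relay later. The `from` address is under `tazj.in` while `reply_to` is under `tvl.su`; if the sending host is not authorised for `tazj.in` by SPF/DKIM, verification mail will be rejected or filtered, which is worth checking before relying on email-based flows.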
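Review bot: `variable "github_client_secret"` declares a secret without `sensitive = true`, so its value can surface in `terraform plan`/`apply` output and diagnostics wherever the provider does not itself mark the consuming attribute sensitive; adding `sensitive = true` below `type = string` keeps it redacted (Terraform 0.14 or newer). A `description = "Client secret of the TVL GitHub OAuth app used by the github identity provider."` line would also tell operators which value to supply.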
@@ -19,3 +23,22 @@ resource "keycloak_ldap_user_federation" "tvl_ldap" {
 "organizationalPerson",
 ]
 }
+
+# keycloak_oidc_identity_provider.github will be destroyed
+# (because keycloak_oidc_identity_provider.github is not in configuration)
+resource "keycloak_oidc_identity_provider" "github" {
+ alias = "github"
+ provider_id = "github"
+ client_id = "6d7f8bb2e82bb6739556"
+ client_secret = var.github_client_secret
+ realm = keycloak_realm.tvl.id
+ backchannel_supported = false
+ gui_order = "1"
+ store_token = false
+ sync_mode = "IMPORT"
+ trust_email = true
+
+ # These default to built-in values for the `github` provider_id.
+ authorization_url = ""
+ token_url = ""
+}
|
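Review bot: The two comment lines above `resource "keycloak_oidc_identity_provider" "github"` read like pasted `terraform plan` output (`will be destroyed … is not in configuration`) and contradict the resource they sit on; replace them with a description of what is configured, e.g. `# GitHub login through the TVL GitHub OAuth app; accounts are imported into the realm on first login (sync_mode IMPORT).` `trust_email = true` makes Keycloak accept the email address GitHub reports without its own verification step, and together with the realm's first-broker-login flow (not in this diff) that determines whether a GitHub identity can be linked by email match to an existing LDAP-backed account; a comment stating that this linking is intended, or `trust_email = false` if it is not, would make the choice explicit. The `client_id` value is the OAuth app's public identifier, so keeping it in the file is fine.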