Diffstat (limited to 'ops/keycloak')
-rw-r--r--ops/keycloak/README.md2
-rw-r--r--ops/keycloak/clients.tf17
-rw-r--r--ops/keycloak/default.nix10
-rw-r--r--ops/keycloak/main.tf12
-rw-r--r--ops/keycloak/user_sources.tf23
5 files changed, 48 insertions, 16 deletions
diff --git a/ops/keycloak/README.md b/ops/keycloak/README.md
index e8ffd700b5..fd72daa87d 100644
--- a/ops/keycloak/README.md
+++ b/ops/keycloak/README.md
@@ -12,7 +12,7 @@ credentials.
 An example `direnv` configuration used by tazjin is this:
 
 ```
-# //ops/secrets/.envrc
+# //ops/keycloak/.envrc
 source_up
 eval $(age --decrypt -i ~/.ssh/id_ed25519 $(git rev-parse --show-toplevel)/ops/secrets/tf-keycloak.age)
 ```
diff --git a/ops/keycloak/clients.tf b/ops/keycloak/clients.tf
index 5f2fd21a35..178971ae36 100644
--- a/ops/keycloak/clients.tf
+++ b/ops/keycloak/clients.tf
@@ -70,23 +70,16 @@ resource "keycloak_saml_user_attribute_protocol_mapper" "buildkite_name" {
   saml_attribute_name_format = "Unspecified"
 }
 
-resource "keycloak_openid_client" "oauth2_proxy" {
+resource "keycloak_openid_client" "panettone" {
   realm_id              = keycloak_realm.tvl.id
-  client_id             = "oauth2-proxy"
-  name                  = "TVL OAuth2 Proxy"
+  client_id             = "panettone"
+  name                  = "Panettone"
   enabled               = true
   access_type           = "CONFIDENTIAL"
   standard_flow_enabled = true
 
   valid_redirect_uris = [
-    "https://login.tvl.fyi/oauth2/callback",
-    "http://localhost:4774/oauth2/callback",
+    "https://b.tvl.fyi/auth",
+    "http://localhost:6161/auth",
   ]
 }
-
-resource "keycloak_openid_audience_protocol_mapper" "oauth2_proxy_audience" {
-  realm_id                 = keycloak_realm.tvl.id
-  client_id                = keycloak_openid_client.oauth2_proxy.id
-  name                     = "oauth2-proxy-audience"
-  included_custom_audience = keycloak_openid_client.oauth2_proxy.client_id
-}
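Review bot: `http://localhost:6161/auth` in `valid_redirect_uris` ships a plaintext loopback redirect for a `CONFIDENTIAL` client in the production realm, and nothing in the hunk says why it is there; a short why-comment such as `# Local development only; the production redirect is b.tvl.fyi.` above the list would make the intent reviewable, and a separate dev client would avoid the production client honouring it at all. The removed `oauth2_proxy_audience` mapper has no counterpart for `panettone`, so if Panettone checks the `aud` claim of the tokens it receives, an equivalent `keycloak_openid_audience_protocol_mapper` pointing at `keycloak_openid_client.panettone` is presumably still needed; the rest of clients.tf is outside this hunk, so it may already exist.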
diff --git a/ops/keycloak/default.nix b/ops/keycloak/default.nix
index 5757debd1a..94ed912dc9 100644
--- a/ops/keycloak/default.nix
+++ b/ops/keycloak/default.nix
@@ -1,8 +1,14 @@
-{ depot, pkgs, ... }:
+{ depot, lib, pkgs, ... }:
 
-depot.nix.readTree.drvTargets {
+depot.nix.readTree.drvTargets rec {
   # Provide a Terraform wrapper with the right provider installed.
   terraform = pkgs.terraform.withPlugins (p: [
     p.keycloak
   ]);
+
+  validate = depot.tools.checks.validateTerraform {
+    inherit terraform;
+    name = "keycloak";
+    src = lib.cleanSource ./.;
+  };
 }
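Review bot: `lib.cleanSource ./.` on the `src` line filters VCS metadata and editor backups but not Terraform working files, so a local `terraform.tfstate`, `terraform.tfstate.backup` or `.terraform/` sitting next to these sources would be copied into the world-readable Nix store whenever `validate` is built; the state file is where Terraform keeps `var.github_client_secret` and any other secret attribute. Restricting the source to what the check needs avoids that; the exact inputs `validateTerraform` requires are not visible here, so the filter below should be adjusted if it also reads non-`.tf` files.
```nix
  validate = depot.tools.checks.validateTerraform {
    inherit terraform;
    name = "keycloak";
    # Exclude Terraform working files: a local state file or provider
    # cache must never end up in the Nix store.
    src = lib.cleanSourceWith {
      src = lib.cleanSource ./.;
      filter = path: _type:
        let base = baseNameOf path;
        in base != ".terraform" && !(lib.hasInfix ".tfstate" base);
    };
  };
```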
diff --git a/ops/keycloak/main.tf b/ops/keycloak/main.tf
index 819267ff96..923ac19397 100644
--- a/ops/keycloak/main.tf
+++ b/ops/keycloak/main.tf
@@ -1,6 +1,6 @@
 # Configure TVL Keycloak instance.
 #
-# TODO(tazjin): Configure GitHub/GitLab IDP
+# TODO(tazjin): Configure GitLab IDP
 
 terraform {
   required_providers {
@@ -31,4 +31,14 @@ resource "keycloak_realm" "tvl" {
   enabled                     = true
   display_name                = "The Virus Lounge"
   default_signature_algorithm = "RS256"
+
+  smtp_server {
+    from              = "tvlbot@tazj.in"
+    from_display_name = "The Virus Lounge"
+    host              = "127.0.0.1"
+    port              = "25"
+    reply_to          = "depot@tvl.su"
+    ssl               = false
+    starttls          = false
+  }
 }
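Review bot: The `smtp_server` block sets `ssl = false` and `starttls = false`, so every verification and reset mail is handed off in plaintext; that is acceptable only because `host` is the loopback address, and the block should say so, e.g. `# Plaintext is acceptable only because mail is relayed via a listener on the same host.` above `smtp_server {`. If Keycloak is ever moved into a container or onto another host, the loopback relay assumption breaks silently, which is a second reason to record it. `port = "25"` is a string where the provider presumably accepts a number, which is fine but worth keeping consistent with the rest of the file.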
diff --git a/ops/keycloak/user_sources.tf b/ops/keycloak/user_sources.tf
index 3fde6e07cc..01307fff8d 100644
--- a/ops/keycloak/user_sources.tf
+++ b/ops/keycloak/user_sources.tf
@@ -2,6 +2,10 @@
 # information (either by accessing a system like LDAP or integration
 # through protocols like OIDC).
 
+variable "github_client_secret" {
+  type = string
+}
+
 resource "keycloak_ldap_user_federation" "tvl_ldap" {
   name                    = "tvl-ldap"
   realm_id                = keycloak_realm.tvl.id
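Review bot: `variable "github_client_secret"` is declared without `sensitive = true`, so the value is printed in `terraform plan`/`apply` output and in CI logs whenever the identity provider resource changes; if the pinned Terraform is 0.14 or newer, the declaration should read `type = string` followed by `sensitive = true`. A one-line comment naming where the value comes from, such as `# Supplied via TF_VAR_github_client_secret from the decrypted ops/secrets file.`, would also help, since the README only describes the `direnv` setup.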
@@ -19,3 +23,22 @@ resource "keycloak_ldap_user_federation" "tvl_ldap" {
     "organizationalPerson",
   ]
 }
+
+# keycloak_oidc_identity_provider.github will be destroyed
+# (because keycloak_oidc_identity_provider.github is not in configuration)
+resource "keycloak_oidc_identity_provider" "github" {
+  alias                 = "github"
+  provider_id           = "github"
+  client_id             = "6d7f8bb2e82bb6739556"
+  client_secret         = var.github_client_secret
+  realm                 = keycloak_realm.tvl.id
+  backchannel_supported = false
+  gui_order             = "1"
+  store_token           = false
+  sync_mode             = "IMPORT"
+  trust_email           = true
+
+  # These default to built-in values for the `github` provider_id.
+  authorization_url = ""
+  token_url         = ""
+}
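Review bot: The comment on `keycloak_oidc_identity_provider.github` (`# keycloak_oidc_identity_provider.github will be destroyed` / `# (because ... is not in configuration)`) is pasted `terraform plan` output, not a description of the resource, and it now says the opposite of what the block does; replace it with something like `# Log in with GitHub via OIDC; accounts are imported on first login.`. `trust_email = true` tells Keycloak to accept the email GitHub reports without its own verification, which makes account-by-email matching depend entirely on GitHub's guarantees; that is a deliberate security trade-off and deserves a why-comment next to the line rather than an unexplained flag. The trailing `authorization_url = ""` / `token_url = ""` assignments already carry a comment, so the same style is available for these two points.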