From 7b3c0b3e2f672ba2547827105b9f14d003d16267 Mon Sep 17 00:00:00 2001
From: Vincent Ambo
Date: Sun, 26 Dec 2021 03:08:03 +0300
Subject: feat(ops/keycloak): Check in initial Keycloak configuration

This is still missing most of the client configuration etc., in part due to bugs in the provider which are preventing resource imports.

Change-Id: Ic224ffc001f8e1fe6dcd47b7d002580fdf7b0774
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4628
Tested-by: BuildkiteCI
Autosubmit: tazjin
Reviewed-by: Profpatsch
---
ops/keycloak/.gitignore | 3 +++
ops/keycloak/default.nix | 8 ++++++++
ops/keycloak/main.tf | 40 ++++++++++++++++++++++++++++++++++++++++
3 files changed, 51 insertions(+)
create mode 100644 ops/keycloak/.gitignore
create mode 100644 ops/keycloak/default.nix
create mode 100644 ops/keycloak/main.tf
(limited to 'ops/keycloak')

diff --git a/ops/keycloak/.gitignore b/ops/keycloak/.gitignore
new file mode 100644
index 0000000000..017878c614
--- /dev/null
+++ b/ops/keycloak/.gitignore
@@ -0,0 +1,3 @@
+.terraform*
+*.tfstate*
+.envrc
diff --git a/ops/keycloak/default.nix b/ops/keycloak/default.nix
new file mode 100644
index 0000000000..96f0c40e5e
--- /dev/null
+++ b/ops/keycloak/default.nix
@@ -0,0 +1,8 @@
+{ depot, pkgs, ... }:
+
+depot.nix.readTree.drvTargets {
+ # Provide a Terraform wrapper with the right provider installed.
+ terraform = pkgs.terraform.withPlugins(p: [
+ p.keycloak
+ ]);
+}
diff --git a/ops/keycloak/main.tf b/ops/keycloak/main.tf
new file mode 100644
index 0000000000..312e8ac61f
--- /dev/null
+++ b/ops/keycloak/main.tf
@@ -0,0 +1,40 @@
+# Configure TVL Keycloak instance.
+#
+# TODO(tazjin): Configure GitHub/GitLab IDP
+
+terraform {
+ required_providers {
+ keycloak = {
+ source = "mrparkers/keycloak"
+ }
+ }
+}
+
+provider "keycloak" {
+ client_id = "terraform"
+ url = "https://auth.tvl.fyi"
+}
+
+resource "keycloak_realm" "tvl" {
+ realm = "TVL"
+ enabled = true
+ display_name = "The Virus Lounge"
+ default_signature_algorithm = "RS256"
+}
+
+resource "keycloak_ldap_user_federation" "tvl_ldap" {
+ name = "tvl-ldap"
+ realm_id = keycloak_realm.tvl.id
+ enabled = true
+ connection_url = "ldap://localhost"
+ users_dn = "ou=users,dc=tvl,dc=fyi"
+ username_ldap_attribute = "cn"
+ uuid_ldap_attribute = "cn"
+ rdn_ldap_attribute = "cn"
+ full_sync_period = 86400
+
+ user_object_classes = [
+ "inetOrgPerson",
+ "organizationalPerson",
+ ]
+}
-- cgit 1.4.1
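Review bot: The `provider "keycloak"` block near the top of the hunk sets only `client_id` and `url`, so the secret that authenticates the `terraform` client must arrive out of band (presumably `KEYCLOAK_CLIENT_SECRET` exported from the gitignored `.envrc`), and nothing in the file says so; a one-line comment would spare the next operator a failed plan: `# Credentials are deliberately not checked in: set KEYCLOAK_CLIENT_SECRET (e.g. via .envrc) before running terraform.` There is also no `backend` block, so state is written to a local, gitignored `terraform.tfstate` and the realm configuration exists only on whichever machine last applied it — worth a second TODO next to the existing one if that is intentional. In `keycloak_ldap_user_federation.tvl_ldap`, `connection_url = "ldap://localhost"` is combined with no `bind_dn`/`bind_credential` and no `start_tls`, so the sync appears to run as an anonymous plaintext bind; that is only acceptable while the directory is loopback-only, and a comment stating that assumption would make the trust boundary explicit. Finally, `uuid_ldap_attribute = "cn"` ties user identity to the same attribute as the login name, so a `cn` change is seen by Keycloak as a new user rather than a rename — if the directory exposes an operational identifier such as `entryUUID`, that is the safer choice, but I cannot tell from the hunk.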